diff --git a/crypto/heimdal/Makefile b/crypto/heimdal/Makefile deleted file mode 100644 index e6b423214a6a..000000000000 --- a/crypto/heimdal/Makefile +++ /dev/null 
@@ -1,688 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = . - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = . 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc tools - -ACLOCAL_AMFLAGS = -I cf - -EXTRA_DIST = Makefile.am.common krb5.conf -subdir = . -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = - -RECURSIVE_TARGETS = info-recursive dvi-recursive install-info-recursive \ - uninstall-info-recursive all-recursive install-data-recursive \ - install-exec-recursive installdirs-recursive install-recursive \ - uninstall-recursive check-recursive installcheck-recursive -DIST_COMMON = README ChangeLog Makefile.am Makefile.in NEWS TODO \ - acinclude.m4 aclocal.m4 compile config.guess config.sub \ - configure configure.in install-sh ltconfig ltmain.sh missing \ - mkinstalldirs -DIST_SUBDIRS = $(SUBDIRS) -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c - -am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ - configure.lineno -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) 
./config.status $@ $(am__depfiles_maybe) - -$(top_builddir)/config.status: $(srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - $(SHELL) ./config.status --recheck -$(srcdir)/configure: $(srcdir)/configure.in $(ACLOCAL_M4) $(CONFIGURE_DEPENDENCIES) - cd $(srcdir) && $(AUTOCONF) - -$(ACLOCAL_M4): configure.in acinclude.m4 cf/aix.m4 cf/auth-modules.m4 cf/broken-getaddrinfo.m4 cf/broken-getnameinfo.m4 cf/broken-glob.m4 cf/broken-realloc.m4 cf/broken-snprintf.m4 cf/broken.m4 cf/broken2.m4 cf/c-attribute.m4 cf/c-function.m4 cf/capabilities.m4 cf/check-compile-et.m4 cf/check-declaration.m4 cf/check-getpwnam_r-posix.m4 cf/check-man.m4 cf/check-netinet-ip-and-tcp.m4 cf/check-type-extra.m4 cf/check-var.m4 cf/check-x.m4 cf/check-xau.m4 cf/crypto.m4 cf/db.m4 cf/destdirs.m4 cf/dlopen.m4 cf/find-func-no-libs.m4 cf/find-func-no-libs2.m4 cf/find-func.m4 cf/find-if-not-broken.m4 cf/have-pragma-weak.m4 cf/have-struct-field.m4 cf/have-type.m4 cf/have-types.m4 cf/irix.m4 cf/krb-bigendian.m4 cf/krb-func-getcwd-broken.m4 cf/krb-func-getlogin.m4 cf/krb-ipv6.m4 cf/krb-prog-ln-s.m4 cf/krb-prog-ranlib.m4 cf/krb-prog-yacc.m4 cf/krb-readline.m4 cf/krb-struct-spwd.m4 cf/krb-struct-winsize.m4 cf/krb-sys-aix.m4 cf/krb-sys-nextstep.m4 cf/krb-version.m4 cf/mips-abi.m4 cf/misc.m4 cf/need-proto.m4 cf/osfc2.m4 cf/otp.m4 cf/proto-compat.m4 cf/retsigtype.m4 cf/roken-frag.m4 cf/roken.m4 cf/sunos.m4 cf/telnet.m4 cf/test-package.m4 cf/wflags.m4 cf/with-all.m4 - cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. 
-# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = . -distdir = $(PACKAGE)-$(VERSION) - -am__remove_distdir = \ - { test ! -d $(distdir) \ - || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \ - && rm -fr $(distdir); }; } - -GZIP_ENV = --best -distcleancheck_listfiles = find . 
-type f -print - -distdir: $(DISTFILES) - $(am__remove_distdir) - mkdir $(distdir) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d $(distdir)/$$subdir \ - || mkdir $(distdir)/$$subdir \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" \ - distdir=../$(distdir)/$$subdir \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook - -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \ - ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ - ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ - ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \ - || chmod -R a+r $(distdir) -dist-gzip: distdir - $(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz - $(am__remove_distdir) - -dist dist-all: distdir - $(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz - $(am__remove_distdir) - -# This target untars the dist file and tries a VPATH configuration. Then -# it guarantees that the distribution is self-contained by making another -# tarfile. 
-distcheck: dist - $(am__remove_distdir) - GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(AMTAR) xf - - chmod -R a-w $(distdir); chmod a+w $(distdir) - mkdir $(distdir)/=build - mkdir $(distdir)/=inst - chmod a-w $(distdir) - dc_install_base=`$(am__cd) $(distdir)/=inst && pwd` \ - && cd $(distdir)/=build \ - && ../configure --srcdir=.. --prefix=$$dc_install_base \ - $(DISTCHECK_CONFIGURE_FLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ - && $(MAKE) $(AM_MAKEFLAGS) check \ - && $(MAKE) $(AM_MAKEFLAGS) install \ - && $(MAKE) $(AM_MAKEFLAGS) installcheck \ - && $(MAKE) $(AM_MAKEFLAGS) uninstall \ - && (test `find $$dc_install_base -type f -print | wc -l` -le 1 \ - || { echo "ERROR: files left after uninstall:" ; \ - find $$dc_install_base -type f -print ; \ - exit 1; } >&2 ) \ - && $(MAKE) $(AM_MAKEFLAGS) dist-gzip \ - && rm -f $(distdir).tar.gz \ - && $(MAKE) $(AM_MAKEFLAGS) distcleancheck - $(am__remove_distdir) - @echo "$(distdir).tar.gz is ready for distribution" | \ - sed 'h;s/./=/g;p;x;p;x' -distcleancheck: distclean - if test '$(srcdir)' = . 
; then \ - echo "ERROR: distcleancheck can only run from a VPATH build" ; \ - exit 1 ; \ - fi - test `$(distcleancheck_listfiles) | wc -l` -eq 0 \ - || { echo "ERROR: files left after distclean:" ; \ - $(distcleancheck_listfiles) ; \ - exit 1; } >&2 -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: - -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -rm -f $(am__CONFIG_DISTCLEAN_FILES) -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -info: info-recursive - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -rm -f $(am__CONFIG_DISTCLEAN_FILES) - -rm -rf autom4te.cache -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) GTAGS all all-am all-local check check-am \ - check-local clean clean-generic clean-libtool clean-recursive \ - dist dist-all dist-gzip distcheck distclean distclean-generic \ - distclean-libtool distclean-recursive distclean-tags \ - distcleancheck distdir dvi dvi-am dvi-recursive info info-am \ - info-recursive install install-am install-data install-data-am \ - install-data-local install-data-recursive install-exec \ - install-exec-am install-exec-recursive install-info \ - install-info-am install-info-recursive install-man \ - install-recursive install-strip installcheck installcheck-am \ - installdirs installdirs-am installdirs-recursive \ - maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-generic \ - mostlyclean-libtool mostlyclean-recursive tags tags-recursive \ - uninstall uninstall-am uninstall-info-am \ - uninstall-info-recursive uninstall-recursive - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to 
install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/TODO b/crypto/heimdal/TODO deleted file mode 100644 index adef74a15d7b..000000000000 --- a/crypto/heimdal/TODO +++ /dev/null 
@@ -1,85 +0,0 @@
--*- indented-text -*-
-
-$Id: TODO,v 1.66 2001/08/09 08:43:42 assar Exp $
-
-* configure
-
-handle readline hiding in readline/readline.h
-
-* appl
-
-** appl/popper
-
-Implement RFC1731 and 1734, pop over GSS-API
-
-* doc
-
-* kdc
-
-* kadmin
-
-make it happy with reading and parsing kdc.conf
-
-is in need of a major cleanup
-
-* kpasswdd
-
-figure out what's the deal with do_sequence and the MIT client
-
-* lib
-
-** lib/asn1
-
-prepend a prefix on all generated symbols
-
-** lib/auth
-
-** lib/auth/sia
-
-PAM
-
-** lib/com_err
-
-write a man-page
-
-** lib/des
-
-make everything work with openssl and make prototypes compatible
-
-** lib/gssapi
-
-process_context_token, add_cred, inquire_cred_by_mech,
-inquire_names_for_mech, and
-inquire_mechs_for_name not implemented.
-
-set minor_status in all functions
-
-anonymous credentials not implemented
-
-add rc4
-
-** lib/hdb
-
-** lib/kadm5
-
-add policies?
-
-fix to use rpc?
-
-** lib/krb5
-
-the replay cache is, in its current state, not very useful
-
-OTP?
-
-make checksum/encryption type configuration more realm-specific. make
-some simple way of handling the w2k situtation
-
-crypto: allow scatter/gather creation of checksums
-
-verify_user: handle non-secure verification failing because of
-host->realm mapping
-
-config_file: do it in case-sensitive and/or insensitive
-
-** lib/roken
diff --git a/crypto/heimdal/Xconfig.h b/crypto/heimdal/Xconfig.h
deleted file mode 100644
index 07f8101c29b5..000000000000
--- a/crypto/heimdal/Xconfig.h
+++ /dev/null
@@ -1,335 +0,0 @@ -#ifndef RCSID -#define RCSID(msg) \ -static const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } -#endif -#define MaxHostNameLen (64+4) -#define MaxPathLen (1024+4) -#define AUTHENTICATION 1 -#define BINDIR "/usr/heimdal/bin" -#define DES_ENCRYPTION 1 -#define DIAGNOSTICS 1 -#define ENCRYPTION 1 -#define ENDIANESS_IN_SYS_PARAM_H 1 -#define GETHOSTBYNAME_PROTO_COMPATIBLE 1 -#define GETSERVBYNAME_PROTO_COMPATIBLE 1 -#define GETSOCKNAME_PROTO_COMPATIBLE 1 -#define HAVE_ARPA_FTP_H 1 -#define HAVE_ARPA_INET_H 1 -#define HAVE_ARPA_NAMESER_H 1 -#define HAVE_ARPA_TELNET_H 1 -#define HAVE_ASPRINTF 1 -#define HAVE_ATEXIT 1 -#define HAVE_CGETENT 1 -#define HAVE_CHOWN 1 -#define HAVE_CRYPT 1 -#define HAVE_CURSES_H 1 -#define HAVE_DAEMON 1 -#define HAVE_DB1 1 -#define HAVE_DBM_FIRSTKEY 1 -#define HAVE_DBOPEN 1 -#define HAVE_DB_H 1 -#define HAVE_DIRENT_H 1 -#define HAVE_DLFCN_H 1 -#define HAVE_DLOPEN 1 -#define HAVE_DN_EXPAND 1 -#define HAVE_EL_INIT 1 -#define HAVE_ERR 1 -#define HAVE_ERRNO_H 1 -#define HAVE_ERRX 1 -#define HAVE_ERR_H 1 -#define HAVE_FCHOWN 1 -#define HAVE_FCNTL 1 -#define HAVE_FCNTL_H 1 -#define HAVE_FLOCK 1 -#define HAVE_FNMATCH 1 -#define HAVE_FNMATCH_H 1 -#define HAVE_FOUR_VALUED_EL_INIT 1 -#define HAVE_FREEADDRINFO 1 -#define HAVE_FREEHOSTENT 1 -#define HAVE_GAI_STRERROR 1 -#define HAVE_GETADDRINFO 1 -#define HAVE_GETCWD 1 -#define HAVE_GETDTABLESIZE 1 -#define HAVE_GETEGID 1 -#define HAVE_GETEUID 1 -#define HAVE_GETGID 1 -#define HAVE_GETHOSTBYNAME 1 -#define HAVE_GETHOSTBYNAME2 1 -#define HAVE_GETHOSTNAME 1 -#define HAVE_GETIFADDRS 1 -#define HAVE_GETIPNODEBYADDR 1 -#define HAVE_GETIPNODEBYNAME 1 -#define HAVE_GETLOGIN 1 -#define HAVE_GETNAMEINFO 1 -#define HAVE_GETOPT 1 -#define HAVE_GETPROGNAME 1 -#define HAVE_GETRLIMIT 1 -#define HAVE_GETSOCKOPT 1 -#define HAVE_GETTIMEOFDAY 1 -#define HAVE_GETUID 1 -#define HAVE_GETUSERSHELL 1 -#define HAVE_GLOB 1 -#define HAVE_GRP_H 1 -#define HAVE_HSTRERROR 1 -#define HAVE_H_ERRLIST 1 
-#define HAVE_H_ERRNO 1 -#define HAVE_H_ERRNO_DECLARATION 1 -#define HAVE_H_NERR 1 -#define HAVE_IFADDRS_H 1 -#define HAVE_IN6ADDR_LOOPBACK 1 -#define HAVE_INET_ATON 1 -#define HAVE_INET_NTOP 1 -#define HAVE_INET_PTON 1 -#define HAVE_INITGROUPS 1 -#define HAVE_INITSTATE 1 -#define HAVE_INNETGR 1 -#define HAVE_INT16_T 1 -#define HAVE_INT32_T 1 -#define HAVE_INT64_T 1 -#define HAVE_INT8_T 1 -#define HAVE_INTTYPES_H 1 -#define HAVE_IPV6 1 -#define HAVE_IRUSEROK 1 -#define HAVE_ISSETUGID 1 -#define HAVE_LIBUTIL_H 1 -#define HAVE_LIMITS_H 1 -#define HAVE_LOCALTIME_R 1 -#define HAVE_LOGOUT 1 -#define HAVE_LOGWTMP 1 -#define HAVE_LONG_LONG 1 -#define HAVE_LSTAT 1 -#define HAVE_MEMMOVE 1 -#define HAVE_MEMORY_H 1 -#define HAVE_MKSTEMP 1 -#define HAVE_MKTIME 1 -#define HAVE_NDBM 1 -#define HAVE_NDBM_H 1 -#define HAVE_NETDB_H 1 -#define HAVE_NETINET6_IN6_VAR_H 1 -#define HAVE_NETINET_IN_H 1 -#define HAVE_NETINET_IN_SYSTM_H 1 -#define HAVE_NETINET_IP_H 1 -#define HAVE_NETINET_TCP_H 1 -#define HAVE_NET_IF_H 1 -#define HAVE_NEW_DB 1 -#define HAVE_OPENPTY 1 -#define HAVE_OPENSSL 1 -#define HAVE_OPTARG_DECLARATION 1 -#define HAVE_OPTERR_DECLARATION 1 -#define HAVE_OPTIND_DECLARATION 1 -#define HAVE_OPTOPT_DECLARATION 1 -#define HAVE_PATHS_H 1 -#define HAVE_PTHREAD_H 1 -#define HAVE_PUTENV 1 -#define HAVE_PWD_H 1 -#define HAVE_RAND 1 -#define HAVE_RANDOM 1 -#define HAVE_RCMD 1 -#define HAVE_READLINE 1 -#define HAVE_READV 1 -#define HAVE_RECVMSG 1 -#define HAVE_RESOLV_H 1 -#define HAVE_RES_SEARCH 1 -#define HAVE_REVOKE 1 -#define HAVE_RPCSVC_YPCLNT_H 1 -#define HAVE_SA_FAMILY_T 1 -#define HAVE_SECURITY_PAM_MODULES_H 1 -#define HAVE_SELECT 1 -#define HAVE_SENDMSG 1 -#define HAVE_SETEGID 1 -#define HAVE_SETENV 1 -#define HAVE_SETEUID 1 -#define HAVE_SETITIMER 1 -#define HAVE_SETLOGIN 1 -#define HAVE_SETPGID 1 -#define HAVE_SETPROCTITLE 1 -#define HAVE_SETPROGNAME 1 -#define HAVE_SETREGID 1 -#define HAVE_SETRESGID 1 -#define HAVE_SETRESUID 1 -#define HAVE_SETREUID 1 -#define 
HAVE_SETSID 1 -#define HAVE_SETSOCKOPT 1 -#define HAVE_SETSTATE 1 -#define HAVE_SGTTY_H 1 -#define HAVE_SIGACTION 1 -#define HAVE_SIGNAL_H 1 -#define HAVE_SNPRINTF 1 -#define HAVE_SOCKET 1 -#define HAVE_SOCKLEN_T 1 -#define HAVE_SSIZE_T 1 -#define HAVE_STDINT_H 1 -#define HAVE_STDLIB_H 1 -#define HAVE_STRCASECMP 1 -#define HAVE_STRDUP 1 -#define HAVE_STRERROR 1 -#define HAVE_STRFTIME 1 -#define HAVE_STRINGS_H 1 -#define HAVE_STRING_H 1 -#define HAVE_STRLCAT 1 -#define HAVE_STRLCPY 1 -#define HAVE_STRNCASECMP 1 -#define HAVE_STRPTIME 1 -#define HAVE_STRSEP 1 -#define HAVE_STRSTR 1 -#define HAVE_STRTOK_R 1 -#define HAVE_STRUCT_ADDRINFO 1 -#define HAVE_STRUCT_IFADDRS 1 -#define HAVE_STRUCT_IOVEC 1 -#define HAVE_STRUCT_MSGHDR 1 -#define HAVE_STRUCT_SOCKADDR 1 -#define HAVE_STRUCT_SOCKADDR_SA_LEN 1 -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 -#define HAVE_STRUCT_TM_TM_GMTOFF 1 -#define HAVE_STRUCT_TM_TM_ZONE 1 -#define HAVE_STRUCT_WINSIZE 1 -#define HAVE_STRUNVIS 1 -#define HAVE_STRVIS 1 -#define HAVE_STRVISX 1 -#define HAVE_SWAB 1 -#define HAVE_SYSCONF 1 -#define HAVE_SYSCTL 1 -#define HAVE_SYSLOG 1 -#define HAVE_SYSLOG_H 1 -#define HAVE_SYS_CAPABILITY_H 1 -#define HAVE_SYS_FILE_H 1 -#define HAVE_SYS_FILIO_H 1 -#define HAVE_SYS_IOCCOM_H 1 -#define HAVE_SYS_IOCTL_H 1 -#define HAVE_SYS_PARAM_H 1 -#define HAVE_SYS_PROC_H 1 -#define HAVE_SYS_RESOURCE_H 1 -#define HAVE_SYS_SELECT_H 1 -#define HAVE_SYS_SOCKET_H 1 -#define HAVE_SYS_SOCKIO_H 1 -#define HAVE_SYS_STAT_H 1 -#define HAVE_SYS_SYSCALL_H 1 -#define HAVE_SYS_SYSCTL_H 1 -#define HAVE_SYS_TIMEB_H 1 -#define HAVE_SYS_TIMES_H 1 -#define HAVE_SYS_TIME_H 1 -#define HAVE_SYS_TTY_H 1 -#define HAVE_SYS_TYPES_H 1 -#define HAVE_SYS_UIO_H 1 -#define HAVE_SYS_UN_H 1 -#define HAVE_SYS_UTSNAME_H 1 -#define HAVE_SYS_WAIT_H 1 -#define HAVE_TERMCAP_H 1 -#define HAVE_TERMIOS_H 1 -#define HAVE_TERM_H 1 -#define HAVE_TGETENT 1 -#define HAVE_TIMEGM 1 -#define HAVE_TIMEZONE 1 -#define HAVE_TIMEZONE_DECLARATION 1 -#define HAVE_TIME_H 1 -#define 
HAVE_TTYNAME 1 -#define HAVE_TTYSLOT 1 -#define HAVE_UINT16_T 1 -#define HAVE_UINT32_T 1 -#define HAVE_UINT64_T 1 -#define HAVE_UINT8_T 1 -#define HAVE_UMASK 1 -#define HAVE_UNAME 1 -#define HAVE_UNISTD_H 1 -#define HAVE_UNSETENV 1 -#define HAVE_UNVIS 1 -#define HAVE_UTMP_H 1 -#define HAVE_U_INT16_T 1 -#define HAVE_U_INT32_T 1 -#define HAVE_U_INT64_T 1 -#define HAVE_U_INT8_T 1 -#define HAVE_VASPRINTF 1 -#define HAVE_VERR 1 -#define HAVE_VERRX 1 -#define HAVE_VIS 1 -#define HAVE_VIS_H 1 -#define HAVE_VSNPRINTF 1 -#define HAVE_VSYSLOG 1 -#define HAVE_VWARN 1 -#define HAVE_VWARNX 1 -#define HAVE_WARN 1 -#define HAVE_WARNX 1 -#define HAVE_WRITEV 1 -#define HAVE_WS_XPIXEL 1 -#define HAVE_WS_YPIXEL 1 -#define HAVE_XAUFILENAME 1 -#define HAVE_XAUREADAUTH 1 -#define HAVE_XAUWRITEAUTH 1 -#define HAVE_YP_GET_DEFAULT_DOMAIN 1 -#define HAVE__RES 1 -#define HAVE__RES_DECLARATION 1 -#define HAVE___ATTRIBUTE__ 1 -#define HAVE___PROGNAME 1 -#define KRB5 1 -#define LIBDIR "/usr/heimdal/lib" -#define LIBEXECDIR "/usr/heimdal/libexec" -#define LOCALSTATEDIR "/var/heimdal" -#define NEED_ASNPRINTF_PROTO 1 -#define NEED_STRNDUP_PROTO 1 -#define NEED_STRSVIS_PROTO 1 -#define NEED_SVIS_PROTO 1 -#define NEED_VASNPRINTF_PROTO 1 -#define OLD_ENVIRON 1 -#define OPENLOG_PROTO_COMPATIBLE 1 -#define OTP 1 -#define PACKAGE "heimdal" -#define PACKAGE_BUGREPORT "heimdal-bugs@pdc.kth.se" -#define PACKAGE_NAME "Heimdal" -#define PACKAGE_STRING "Heimdal 0.4f" -#define PACKAGE_TARNAME "heimdal" -#define PACKAGE_VERSION "0.4f" -#define RETSIGTYPE void -#define SBINDIR "/usr/heimdal/sbin" -#define STDC_HEADERS 1 -#define SYSCONFDIR "/etc" -#define TIME_WITH_SYS_TIME 1 -#define VERSION "0.4f" -#define VOID_RETSIGTYPE 1 -#define YYTEXT_POINTER 1 -#define _GNU_SOURCE 1 -#if defined(ENCRYPTION) && !defined(AUTHENTICATION) -#define AUTHENTICATION 1 -#endif -#ifndef LOGIN_PATH -#define LOGIN_PATH BINDIR "/login" -#endif -#ifdef ROKEN_RENAME -#include "roken_rename.h" -#endif -#ifdef VOID_RETSIGTYPE -#define 
SIGRETURN(x) return -#else -#define SIGRETURN(x) return (RETSIGTYPE)(x) -#endif -#ifdef BROKEN_REALLOC -#define realloc(X, Y) isoc_realloc((X), (Y)) -#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y)) -#endif -#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4) -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S)) -#else -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S)) -#endif -#ifndef HAVE_KRB_KDCTIMEOFDAY -#define krb_kdctimeofday(X) gettimeofday((X), NULL) -#endif -#ifndef HAVE_KRB_GET_KDC_TIME_DIFF -#define krb_get_kdc_time_diff() (0) -#endif -#if ENDIANESS_IN_SYS_PARAM_H -# include -# include -# if BYTE_ORDER == BIG_ENDIAN -# define WORDS_BIGENDIAN 1 -# endif -#endif -#if _AIX -#define _ALL_SOURCE -struct ether_addr; -struct sockaddr; -struct sockaddr_dl; -struct sockaddr_in; -#endif -#if IRIX == 4 && !defined(__STDC__) -#define __STDC__ 0 -#endif diff --git a/crypto/heimdal/acconfig.h b/crypto/heimdal/acconfig.h deleted file mode 100644 index 9dabe370e340..000000000000 --- a/crypto/heimdal/acconfig.h +++ /dev/null 
@@ -1,96 +0,0 @@
-@BOTTOM@
-
-#undef BINDIR
-#undef LIBDIR
-#undef LIBEXECDIR
-#undef SBINDIR
-
-#undef HAVE_INT8_T
-#undef HAVE_INT16_T
-#undef HAVE_INT32_T
-#undef HAVE_INT64_T
-#undef HAVE_U_INT8_T
-#undef HAVE_U_INT16_T
-#undef HAVE_U_INT32_T
-#undef HAVE_U_INT64_T
-#undef HAVE_UINT8_T
-#undef HAVE_UINT16_T
-#undef HAVE_UINT32_T
-#undef HAVE_UINT64_T
-
-#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
-#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
-#else
-#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
-#endif
-
-#ifdef BROKEN_REALLOC
-#define realloc(X, Y) isoc_realloc((X), (Y))
-#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
-#endif
-
-#ifdef VOID_RETSIGTYPE
-#define SIGRETURN(x) return
-#else
-#define SIGRETURN(x) return (RETSIGTYPE)(x)
-#endif
-
-#define RCSID(msg) \
-static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
-
-#undef PROTOTYPES
-
-/* Maximum values on all known systems */
-#define MaxHostNameLen (64+4)
-#define MaxPathLen (1024+4)
-
-#if defined(HAVE_SGTTY_H) && defined(__NeXT__)
-#define SGTTY
-#endif
-
-/* telnet stuff ----------------------------------------------- */
-
-#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
-#define AUTHENTICATION 1
-#endif
-
-/* Set this to the default system lead string for telnetd
- * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
- * %v=os-version, %t=tty, %h=hostname, %d=date and time
- */
-#undef USE_IM
-
-/* Used with login -p */
-#undef LOGIN_ARGS
-
-/* set this to a sensible login */
-#ifndef LOGIN_PATH
-#define LOGIN_PATH BINDIR "/login"
-#endif
-
-/* random defines */
-
-/*
- * Defining this enables lots of useful (and used) extensions on
- * glibc-based systems such as Linux
- */
-
-#define _GNU_SOURCE
-
-/*
- * this assumes that KRB_C_BIGENDIAN is used.
- * if we can find out endianess at compile-time, do so,
- * otherwise WORDS_BIGENDIAN should already have been defined
- */
-
-#if ENDIANESS_IN_SYS_PARAM_H
-# include
-# include
-# if BYTE_ORDER == BIG_ENDIAN
-# define WORDS_BIGENDIAN 1
-# endif
-#endif
-
-#ifdef ROKEN_RENAME
-#include "roken_rename.h"
-#endif
diff --git a/crypto/heimdal/acinclude.m4 b/crypto/heimdal/acinclude.m4
deleted file mode 100644
index ff8704275cfb..000000000000
--- a/crypto/heimdal/acinclude.m4
+++ /dev/null
@@ -1,9 +0,0 @@
-dnl $Id: acinclude.m4,v 1.15 1998/05/23 14:54:53 joda Exp $
-dnl
-dnl Only put things that for some reason can't live in the `cf'
-dnl directory in this file.
-dnl
-
-dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
-dnl
-define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/heimdal/admin/Makefile b/crypto/heimdal/admin/Makefile
deleted file mode 100644
index b59509365adc..000000000000
--- a/crypto/heimdal/admin/Makefile
+++ /dev/null
@@ -1,661 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# admin/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.35 2001/08/28 08:31:19 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - 
-#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -man_MANS = ktutil.8 - -sbin_PROGRAMS = ktutil - -ktutil_SOURCES = \ - add.c \ - change.c \ - copy.c \ - get.c \ - ktutil.c \ - list.c \ - purge.c \ - remove.c \ - rename.c - - -LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(top_builddir)/lib/sl/libsl.la \ - $(LIB_readline) \ - $(LIB_roken) - -subdir = admin -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -sbin_PROGRAMS = ktutil$(EXEEXT) -PROGRAMS = $(sbin_PROGRAMS) - -am_ktutil_OBJECTS = add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \ - get.$(OBJEXT) ktutil.$(OBJEXT) list.$(OBJEXT) purge.$(OBJEXT) \ - remove.$(OBJEXT) rename.$(OBJEXT) -ktutil_OBJECTS = $(am_ktutil_OBJECTS) -ktutil_LDADD = $(LDADD) -ktutil_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(top_builddir)/lib/sl/libsl.la -ktutil_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(ktutil_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(ktutil_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign admin/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(sbindir) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \ - rm -f $(DESTDIR)$(sbindir)/$$f; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in 
$$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -ktutil$(EXEEXT): $(ktutil_OBJECTS) $(ktutil_DEPENDENCIES) - @rm -f ktutil$(EXEEXT) - $(LINK) $(ktutil_LDFLAGS) $(ktutil_OBJECTS) $(ktutil_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f 
$(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(sbindir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-man uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool clean-sbinPROGRAMS distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-man install-man8 install-sbinPROGRAMS install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am uninstall-man uninstall-man8 \ - uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do 
\ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | 
sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/admin/ktutil.cat8 b/crypto/heimdal/admin/ktutil.cat8 deleted file mode 100644 index 8cfd85619a0d..000000000000 --- a/crypto/heimdal/admin/ktutil.cat8 +++ /dev/null 
@@ -1,81 +0,0 @@ -KTUTIL(8) NetBSD System Manager's Manual KTUTIL(8) - -NNAAMMEE - kkttuuttiill - manage Kerberos keytabs - -SSYYNNOOPPSSIISS - kkttuuttiill [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh | - ----hheellpp] _c_o_m_m_a_n_d [_a_r_g_s] - -DDEESSCCRRIIPPTTIIOONN - kkttuuttiill is a program for managing keytabs. _c_o_m_m_a_n_d can be one of the fol- - lowing: - - add [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV _k_v_n_o] [----kkvvnnoo==_k_v_n_o] [--ee - _e_n_c_y_p_e] [----eennccttyyppee==_e_n_c_t_y_p_e] [--ww _p_a_s_s_w_o_r_d] - [----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--rr] [----rraannddoomm] [--ss] [----nnoo--ssaalltt] - Adds a key to the keytab. Options that are not specified will - be prompted for. This requires that you know the password of - the principal to add; if what you really want is to add a new - principal to the keytab, you should consider the _g_e_t command, - which talks to the kadmin server. - - change [--rr _r_e_a_l_m] [----rreeaallmm==_r_e_a_l_m] [----aa _h_o_s_t] [----aaddmmiinn--sseerrvveerr==_h_o_s_t] [----ss - _p_o_r_t] [----sseerrvveerr--ppoorrtt==_p_o_r_t] - Update one or several keys to new versions. By default, use - the admin server for the realm of an keytab entry. Otherwise - it will use the values specified by the options. - - If no principals are given, all the ones in the keytab are - updated. - - copy _k_e_y_t_a_b_-_s_r_c _k_e_y_t_a_b_-_d_e_s_t - Copies all the entries from _k_e_y_t_a_b_-_s_r_c to _k_e_y_t_a_b_-_d_e_s_t. - - get [--pp _a_d_m_i_n _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_a_d_m_i_n _p_r_i_n_c_i_p_a_l] [--ee _e_n_c_t_y_p_e] - [----eennccttyyppeess==_e_n_c_t_y_p_e] [--rr _r_e_a_l_m] [----rreeaallmm==_r_e_a_l_m] [--aa _a_d_m_i_n - _s_e_r_v_e_r] [----aaddmmiinn--sseerrvveerr==_a_d_m_i_n _s_e_r_v_e_r] [--ss _s_e_r_v_e_r _p_o_r_t] - [----sseerrvveerr--ppoorrtt==_s_e_r_v_e_r _p_o_r_t] _p_r_i_n_c_i_p_a_l _._._. 
- For each _p_r_i_n_c_i_p_a_l, generate a new key for it (creating it if - it doesn't already exist), and put that key in the keytab. - - If no _r_e_a_l_m is specified, the realm to operate on is taken - from the first principal. - - list [----kkeeyyss] [----ttiimmeessttaammpp] - List the keys stored in the keytab. - - remove [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV --kkvvnnoo] [----kkvvnnoo==_k_v_n_o] - [--ee --eennccttyyppee] [----eennccttyyppee==_e_n_c_t_y_p_e] - Removes the specified key or keys. Not specifying a _k_v_n_o re- - moves keys with any version number. Not specifying a _e_n_c_t_y_p_e - removes keys of any type. - - rename _f_r_o_m_-_p_r_i_n_c_i_p_a_l _t_o_-_p_r_i_n_c_i_p_a_l - Renames all entries in the keytab that match the _f_r_o_m_- - _p_r_i_n_c_i_p_a_l to _t_o_-_p_r_i_n_c_i_p_a_l. - - purge [----aaggee==_a_g_e] - Removes all old entries (for which there is a newer version) - that are older than _a_g_e (default one week). - - srvconvert - - srv2keytab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b] - Converts the version 4 srvtab in _s_r_v_t_a_b to a version 5 keytab - and stores it in _k_e_y_t_a_b. Identical to: - - ktutil copy krb4:_s_r_v_t_a_b _k_e_y_t_a_b - - srvcreate - - key2srvtab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b] - Converts the version 5 keytab in _k_e_y_t_a_b to a version 4 srvtab - and stores it in _s_r_v_t_a_b. Identical to: - - ktutil copy _k_e_y_t_a_b krb4:_s_r_v_t_a_b - -SSEEEE AALLSSOO - kadmin(8) - - HEIMDAL December 16, 2000 2 diff --git a/crypto/heimdal/admin/srvconvert.c b/crypto/heimdal/admin/srvconvert.c deleted file mode 100644 index e4a2b1104204..000000000000 --- a/crypto/heimdal/admin/srvconvert.c +++ /dev/null 
@@ -1,181 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: srvconvert.c,v 1.11 2000/01/02 03:56:21 assar Exp $");
-
-/* convert a version 4 srvtab to a version 5 keytab */
-
-#ifndef KEYFILE
-#define KEYFILE "/etc/srvtab"
-#endif
-
-static char *srvtab = KEYFILE;
-static int help_flag;
-static int verbose;
-
-static struct getargs args[] = {
- { "srvtab", 's', arg_string, &srvtab, "srvtab to convert", "file" },
- { "help", 'h', arg_flag, &help_flag },
- { "verbose", 'v', arg_flag, &verbose },
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-int
-srvconv(int argc, char **argv)
-{
- krb5_error_code ret;
- int optind = 0;
- int fd;
- krb5_storage *sp;
-
- if(getarg(args, num_args, argc, argv, &optind)){
- arg_printusage(args, num_args, "ktutil srvconvert", "");
- return 1;
- }
- if(help_flag){
- arg_printusage(args, num_args, "ktutil srvconvert", "");
- return 0;
- }
-
- argc -= optind;
- argv += optind;
-
- if (argc != 0) {
- arg_printusage(args, num_args, "ktutil srvconvert", "");
- return 1;
- }
-
- fd = open(srvtab, O_RDONLY);
- if(fd < 0){
- krb5_warn(context, errno, "%s", srvtab);
- return 1;
- }
- sp = krb5_storage_from_fd(fd);
- if(sp == NULL){
- close(fd);
- return 1;
- }
- while(1){
- char *service, *instance, *realm;
- int8_t kvno;
- des_cblock key;
- krb5_keytab_entry entry;
-
- ret = krb5_ret_stringz(sp, &service);
- if(ret == KRB5_CC_END) {
- ret = 0;
- break;
- }
- if(ret) {
- krb5_warn(context, ret, "reading service");
- break;
- }
- ret = krb5_ret_stringz(sp, &instance);
- if(ret) {
- krb5_warn(context, ret, "reading instance");
- free(service);
- break;
- }
- ret = krb5_ret_stringz(sp, &realm);
- if(ret) {
- krb5_warn(context, ret, "reading realm");
- free(service);
- free(instance);
- break;
- }
- ret = krb5_425_conv_principal(context, service, instance, realm,
- &entry.principal);
- free(service);
- free(instance);
- free(realm);
- if (ret) {
- krb5_warn(context, ret, "krb5_425_conv_principal (%s.%s@%s)",
- service, instance, realm);
- break;
- }
-
- ret = krb5_ret_int8(sp, &kvno);
- if(ret) {
- krb5_warn(context, ret, "reading kvno");
- krb5_free_principal(context, entry.principal);
- break;
- }
- ret = sp->fetch(sp, key, 8);
- if(ret < 0){
- krb5_warn(context, errno, "reading key");
- krb5_free_principal(context, entry.principal);
- break;
- }
- if(ret < 8) {
- krb5_warn(context, errno, "end of file while reading key");
- krb5_free_principal(context, entry.principal);
- break;
- }
-
- entry.vno = kvno;
- entry.timestamp = time (NULL);
- entry.keyblock.keyvalue.data = key;
- entry.keyblock.keyvalue.length = 8;
-
- if(verbose){
- char *p;
- ret = krb5_unparse_name(context, entry.principal, &p);
- if(ret){
- krb5_warn(context, ret, "krb5_unparse_name");
- krb5_free_principal(context, entry.principal);
- break;
- } else{
- fprintf(stderr, "Storing keytab for %s\n", p);
- free(p);
- }
-
- }
- entry.keyblock.keytype = ETYPE_DES_CBC_MD5;
- ret = krb5_kt_add_entry(context, keytab, &entry);
- entry.keyblock.keytype = ETYPE_DES_CBC_MD4;
- ret = krb5_kt_add_entry(context, keytab, &entry);
- entry.keyblock.keytype = ETYPE_DES_CBC_CRC;
- ret = krb5_kt_add_entry(context, keytab, &entry);
- krb5_free_principal(context, entry.principal);
- if(ret) {
- krb5_warn(context, ret, "krb5_kt_add_entry");
- break;
- }
- }
- krb5_storage_free(sp);
- close(fd);
- return ret;
-}
diff --git a/crypto/heimdal/admin/srvcreate.c b/crypto/heimdal/admin/srvcreate.c
deleted file mode 100644
index bc86bc89aa3b..000000000000
--- a/crypto/heimdal/admin/srvcreate.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "ktutil_locl.h"
-
-RCSID("$Id: srvcreate.c,v 1.3 1999/12/02 17:04:53 joda Exp $");
-
-/* convert a version 5 keytab to a version 4 srvtab */
-
-#ifndef KEYFILE
-#define KEYFILE "/etc/srvtab"
-#endif
-
-static char *srvtab = KEYFILE;
-static int help_flag;
-static int verbose;
-
-static struct getargs args[] = {
- { "srvtab", 's', arg_string, &srvtab, "srvtab to create", "file" },
- { "help", 'h', arg_flag, &help_flag },
- { "verbose", 'v', arg_flag, &verbose },
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-int
-srvcreate(int argc, char **argv)
-{
- krb5_error_code ret;
- int optind = 0;
- int fd;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- char service[100], instance[100], realm[100];
- int8_t kvno;
-
- if(getarg(args, num_args, argc, argv, &optind)){
- arg_printusage(args, num_args, "ktutil srvcreate", "");
- return 1;
- }
- if(help_flag){
- arg_printusage(args, num_args, "ktutil srvcreate", "");
- return 0;
- }
-
- argc -= optind;
- argv += optind;
-
- if (argc != 0) {
- arg_printusage(args, num_args, "ktutil srvcreate", "");
- return 1;
- }
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if(ret){
- krb5_warn(context, ret, "krb5_kt_start_seq_get");
- return 1;
- }
-
- fd = open(srvtab, O_WRONLY |O_APPEND |O_CREAT, 0600);
- if(fd < 0){
- krb5_warn(context, errno, "%s", srvtab);
- return 1;
- }
-
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
- ret = krb5_524_conv_principal(context, entry.principal,
- service, instance, realm);
- if(ret) {
- krb5_warn(context, ret, "krb5_524_conv_principal");
- close(fd);
- return 1;
- }
- if ( (entry.keyblock.keyvalue.length == 8) &&
- (entry.keyblock.keytype == ETYPE_DES_CBC_MD5) ) {
- if (verbose) {
- printf ("%s.%s@%s vno %d\n", service, instance, realm,
- entry.vno);
- }
-
- write(fd, service, strlen(service)+1);
- write(fd, instance, strlen(instance)+1);
- write(fd, realm, strlen(realm)+1);
- kvno = entry.vno;
- write(fd, &kvno, sizeof(kvno));
- write(fd, entry.keyblock. keyvalue.data, 8);
- }
- krb5_kt_free_entry(context, &entry);
- }
-
- close(fd);
- ret = krb5_kt_end_seq_get(context, keytab, &cursor);
- return ret;
-}
diff --git a/crypto/heimdal/appl/Makefile b/crypto/heimdal/appl/Makefile
deleted file mode 100644
index e4babbc39cd2..000000000000
--- a/crypto/heimdal/appl/Makefile
+++ /dev/null
@@ -1,624 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -dir_otp = otp -#dir_dce = dceutils -SUBDIRS = \ - afsutil \ - ftp \ - login \ - $(dir_otp) \ - popper \ - push \ - rsh \ - rcp \ - su \ - xnlock \ - telnet \ - test \ - kx \ - kf \ - $(dir_dce) - -subdir = appl -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = - -RECURSIVE_TARGETS = info-recursive dvi-recursive install-info-recursive \ - uninstall-info-recursive all-recursive install-data-recursive \ - install-exec-recursive installdirs-recursive install-recursive \ - uninstall-recursive check-recursive installcheck-recursive -DIST_COMMON = Makefile.am Makefile.in -DIST_SUBDIRS = afsutil ftp login otp popper push rsh rcp su xnlock \ - telnet test kx kf dceutils -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f 
libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d $(distdir)/$$subdir \ - || mkdir $(distdir)/$$subdir \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" \ - distdir=../$(distdir)/$$subdir \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: - -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special 
tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -info: info-recursive - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) GTAGS all all-am all-local check check-am \ - check-local clean clean-generic clean-libtool clean-recursive \ - distclean distclean-generic distclean-libtool \ - distclean-recursive distclean-tags distdir dvi dvi-am \ - dvi-recursive info info-am info-recursive install install-am \ - install-data install-data-am install-data-local \ - install-data-recursive install-exec install-exec-am \ - install-exec-recursive install-info install-info-am \ - install-info-recursive install-man install-recursive \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am installdirs-recursive maintainer-clean \ - maintainer-clean-generic maintainer-clean-recursive mostlyclean \ - mostlyclean-generic mostlyclean-libtool mostlyclean-recursive \ - tags tags-recursive uninstall uninstall-am uninstall-info-am \ - uninstall-info-recursive uninstall-recursive - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/afsutil/Makefile b/crypto/heimdal/appl/afsutil/Makefile deleted file mode 100644 index 1cc65e8960ce..000000000000 --- a/crypto/heimdal/appl/afsutil/Makefile +++ /dev/null 
@@ -1,615 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/afsutil/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.12 2000/11/15 22:51:07 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -#AFSPROGS = afslog pagsh -bin_PROGRAMS = $(AFSPROGS) - -afslog_SOURCES = afslog.c - -pagsh_SOURCES = pagsh.c - -LDADD = $(LIB_kafs) \ - $(LIB_krb4) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) - -subdir = appl/afsutil -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -#bin_PROGRAMS = afslog$(EXEEXT) pagsh$(EXEEXT) -bin_PROGRAMS = -PROGRAMS = $(bin_PROGRAMS) - -am_afslog_OBJECTS = afslog.$(OBJEXT) -afslog_OBJECTS = $(am_afslog_OBJECTS) -afslog_LDADD = $(LDADD) -#afslog_DEPENDENCIES = $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -afslog_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -afslog_LDFLAGS = -am_pagsh_OBJECTS = pagsh.$(OBJEXT) -pagsh_OBJECTS = $(am_pagsh_OBJECTS) -pagsh_LDADD = $(LDADD) -#pagsh_DEPENDENCIES = $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -pagsh_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -pagsh_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/afsutil/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - 
@list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -afslog$(EXEEXT): $(afslog_OBJECTS) $(afslog_DEPENDENCIES) - @rm -f afslog$(EXEEXT) - $(LINK) $(afslog_LDFLAGS) $(afslog_OBJECTS) $(afslog_LDADD) $(LIBS) -pagsh$(EXEEXT): $(pagsh_OBJECTS) $(pagsh_DEPENDENCIES) - @rm -f pagsh$(EXEEXT) - $(LINK) $(pagsh_LDFLAGS) $(pagsh_OBJECTS) $(pagsh_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s 
$$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT:
diff --git a/crypto/heimdal/appl/dceutils/ChangeLog b/crypto/heimdal/appl/dceutils/ChangeLog
deleted file mode 100644
index f8925c86ec36..000000000000
--- a/crypto/heimdal/appl/dceutils/ChangeLog
+++ /dev/null
@@ -1,27 +0,0 @@
-2002-08-12 Johan Danielsson
-
- * Makefile.am: rename dpagaix_LDFLAGS etc to appease automake
-
-2001-08-24 Assar Westerlund
-
- * Makefile.am (dpagaix): make sure of using $(EXEEXT) just to
- please automake (this is aix-only code)
-
-2001-02-07 Assar Westerlund
-
- * Makefile.am (dpagaix): needs to be linked with ld, add an
- explicit command for it. from Ake Sandgren
-
-2000-10-02 Assar Westerlund
-
- * Makefile.am: link with roken on everything except irix, where
- apperently it fails. reported by Ake Sandgren
-
-2000-07-17 Johan Danielsson
-
- * Makefile.am: set compiler flags
-
-2000-07-01 Assar Westerlund
-
- * imported stuff from Ake Sandgren
-
diff --git a/crypto/heimdal/appl/dceutils/Makefile b/crypto/heimdal/appl/dceutils/Makefile
deleted file mode 100644
index d24aba226fd6..000000000000
--- a/crypto/heimdal/appl/dceutils/Makefile
+++ /dev/null
@@ -1,620 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/dceutils/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.8 2002/08/12 15:03:43 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -DFSPROGS = k5dcecon -#AIX_DFSPROGS = dpagaix - -libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS) - -dpagaix_CFLAGS = $(dpagaix_cflags) -dpagaix_LDFLAGS = $(dpagaix_ldflags) -dpagaix_LDADD = $(dpagaix_ldadd) - -LIB_dce = -ldce - -k5dcecon_SOURCES = k5dcecon.c k5dce.h - -dpagaix_SOURCES = dpagaix.c - -#LDADD = $(LIB_dce) -LDADD = $(LIB_roken) $(LIB_dce) -subdir = appl/dceutils -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -#libexec_PROGRAMS = k5dcecon$(EXEEXT) dpagaix$(EXEEXT) -libexec_PROGRAMS = k5dcecon$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) - -am_dpagaix_OBJECTS = dpagaix-dpagaix.$(OBJEXT) -dpagaix_OBJECTS = $(am_dpagaix_OBJECTS) -dpagaix_DEPENDENCIES = -am_k5dcecon_OBJECTS = k5dcecon.$(OBJEXT) -k5dcecon_OBJECTS = $(am_k5dcecon_OBJECTS) -k5dcecon_LDADD = $(LDADD) -#k5dcecon_DEPENDENCIES = -k5dcecon_DEPENDENCIES = -k5dcecon_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/dceutils/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f 
$(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -dpagaix-dpagaix.$(OBJEXT): dpagaix.c -k5dcecon$(EXEEXT): $(k5dcecon_OBJECTS) $(k5dcecon_DEPENDENCIES) - @rm -f k5dcecon$(EXEEXT) - $(LINK) $(k5dcecon_LDFLAGS) $(k5dcecon_OBJECTS) $(k5dcecon_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -dpagaix-dpagaix.o: dpagaix.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.o `test -f 'dpagaix.c' || echo '$(srcdir)/'`dpagaix.c - -dpagaix-dpagaix.obj: dpagaix.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.obj `cygpath -w dpagaix.c` - -dpagaix-dpagaix.lo: dpagaix.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.lo `test -f 'dpagaix.c' || echo '$(srcdir)/'`dpagaix.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in 
$$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - 
-distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am uninstall-libexecPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -dpagaix$(EXEEXT): $(dpagaix_OBJECTS) - ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/dceutils/Makefile.am b/crypto/heimdal/appl/dceutils/Makefile.am deleted file mode 100644 index bf795204b2dd..000000000000 --- a/crypto/heimdal/appl/dceutils/Makefile.am +++ /dev/null 
@@ -1,30 +0,0 @@
-# $Id: Makefile.am,v 1.8 2002/08/12 15:03:43 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-
-DFSPROGS = k5dcecon
-if AIX
-AIX_DFSPROGS = dpagaix
-endif
-
-libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS)
-
-dpagaix_CFLAGS = $(dpagaix_cflags)
-dpagaix_LDFLAGS = $(dpagaix_ldflags)
-dpagaix_LDADD = $(dpagaix_ldadd)
-
-dpagaix$(EXEEXT): $(dpagaix_OBJECTS)
- ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp
-
-LIB_dce = -ldce
-
-k5dcecon_SOURCES = k5dcecon.c k5dce.h
-
-dpagaix_SOURCES = dpagaix.c
-
-if IRIX
-LDADD = $(LIB_dce)
-else
-LDADD = $(LIB_roken) $(LIB_dce)
-endif
diff --git a/crypto/heimdal/appl/dceutils/Makefile.in b/crypto/heimdal/appl/dceutils/Makefile.in
deleted file mode 100644
index 5da1f32fc651..000000000000
--- a/crypto/heimdal/appl/dceutils/Makefile.in
+++ /dev/null
@@ -1,620 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.8 2002/08/12 15:03:43 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = 
@VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ 
$(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -DFSPROGS = k5dcecon -@AIX_TRUE@AIX_DFSPROGS = dpagaix - -libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS) - -dpagaix_CFLAGS = $(dpagaix_cflags) -dpagaix_LDFLAGS = $(dpagaix_ldflags) -dpagaix_LDADD = $(dpagaix_ldadd) - -LIB_dce = -ldce - -k5dcecon_SOURCES = k5dcecon.c k5dce.h - -dpagaix_SOURCES = dpagaix.c - -@IRIX_TRUE@LDADD = $(LIB_dce) -@IRIX_FALSE@LDADD = $(LIB_roken) $(LIB_dce) -subdir = appl/dceutils -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -@AIX_TRUE@libexec_PROGRAMS = k5dcecon$(EXEEXT) dpagaix$(EXEEXT) -@AIX_FALSE@libexec_PROGRAMS = k5dcecon$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) - -am_dpagaix_OBJECTS = dpagaix-dpagaix.$(OBJEXT) -dpagaix_OBJECTS = $(am_dpagaix_OBJECTS) -dpagaix_DEPENDENCIES = -am_k5dcecon_OBJECTS = k5dcecon.$(OBJEXT) -k5dcecon_OBJECTS = $(am_k5dcecon_OBJECTS) -k5dcecon_LDADD = $(LDADD) -@IRIX_TRUE@k5dcecon_DEPENDENCIES = -@IRIX_FALSE@k5dcecon_DEPENDENCIES = -k5dcecon_LDFLAGS = - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/dceutils/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f 
$(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -dpagaix-dpagaix.$(OBJEXT): dpagaix.c -k5dcecon$(EXEEXT): $(k5dcecon_OBJECTS) $(k5dcecon_DEPENDENCIES) - @rm -f k5dcecon$(EXEEXT) - $(LINK) $(k5dcecon_LDFLAGS) $(k5dcecon_OBJECTS) $(k5dcecon_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -dpagaix-dpagaix.o: dpagaix.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.o `test -f 'dpagaix.c' || echo '$(srcdir)/'`dpagaix.c - -dpagaix-dpagaix.obj: dpagaix.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.obj `cygpath -w dpagaix.c` - -dpagaix-dpagaix.lo: dpagaix.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.lo `test -f 'dpagaix.c' || echo '$(srcdir)/'`dpagaix.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in 
$$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - 
-distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am uninstall-libexecPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -dpagaix$(EXEEXT): $(dpagaix_OBJECTS) - ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/dceutils/README.dcedfs b/crypto/heimdal/appl/dceutils/README.dcedfs deleted file mode 100644 index 80a06fec9ab0..000000000000 --- a/crypto/heimdal/appl/dceutils/README.dcedfs +++ /dev/null 
@@ -1,59 +0,0 @@ -This is a set of patches and files to get a DFS ticket from a k5 ticket. -This code comes from Doug Engert, Argonne Nat. Lab (See dce/README.original -for more info) - -The files in dce are; -testpag: for testing if this is at all possible. -k5dfspag: included in libkrb5 -k5dcecon: Creates (or searches for) the actual DFSPAG ticketfile. -dpagaix: An AIX syscall stub. -README.original: Original README file from Doug Engert - - -Certain applications (rshd/telnetd) have been patched to call the -functions in k5dfspag when the situation is right. They are ifdef -with DCE. The patches are also originally from Doug but they -where against MIT krb5 code and have been merged into heimdal by me. -I will try to fix ftpd soon... - -There is also an ifdefs for DCE && AIX that can be used to make AIX -use DCE for getting group/passwd entries. This is needed if one is running -with a bare bones passwd/group file and AUTHSTATE set to DCE (This will be -more or less clear to people doing this...) I have forced this on for now. - -k5dfspag.c is in lib/krb5 -k5dfspag.c is dependent on DCE only. -It is also POSIX systems only. There are defines for the location of -k5dcecon and dpagaix that needs a correct configure setting. - -k5dcecon needs no special things for the compile except whatever is needed -on the target system to compile dce programs. -(On aix the dce compile flags are: -D_THREAD_SAFE -D_AIX32_THREADS=1 -D_AIX41 -D_AES_SOURCE or one can use xlc_r4 if it is version 3.6.4 or later) - -k5dcecon wants the following libs (on aix 4.3): --ldce (and setenv from somewhere) - -dpagaix is only needed on AIX (see k5dfspag.c). -dpagaix needs dfspag.exp and is linked with -ld -edpagaix -o dpagaix dpagaix.o dfspag.exp - - -Hope to get this into heimdal soon :-) although I know that you will have to -change some things to get it cleanly into configure. 
Since I don't know the -structure of the code (heimdal), nor enough of configure, good enough I -just won't try it myself. - -One more thing, to get this to work one has to put fcache_version = x in -krb5.conf where x = whatever the DCE implementation understands, (usually -1 or 2). -Thanks for adding that... - - -Åke Sandgren (ake@hpc2n.umu.se) -HPC2N -Umeå University -Sweden - -PS -I have now added patches for configure.in and some Makefile.am's to get this -all cleanly (I hope) into heimdal. diff --git a/crypto/heimdal/appl/dceutils/README.original b/crypto/heimdal/appl/dceutils/README.original deleted file mode 100644 index 088702307a38..000000000000 --- a/crypto/heimdal/appl/dceutils/README.original +++ /dev/null 
@@ -1,335 +0,0 @@ -KERBEROS and DCE INTEROPERABILITY ROUTINES - -WHAT'S NEW - -When k5dcecon was examining the ticket caches looking to -update one with a newer TGT, it might update the wrong -one for the correct user. This problem was reported by PNNL, -and is now fixed. - -Any Kerberized application can now use a forwarded TGT to establish a -DCE context, or can use a previously established DCE context. This is -both a functional improvement and a performance improvement. - -BACKGROUND - -The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a -number of ways. This is possible because: - - o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4 - or so, with additional changes. - - o The DCE security server can act as a K5 KDC, as defined in RFC 1510 - and responds on port 88. - - o On the clients, DCE and Kerberos use the same format for the ticket - cache, and then can share it. The KRB5CCNAME environment variable points - at the cache. - - o On the clients, DCE and Kerberos use the same format for the srvtab - file. DCE refers to is a /krb5/v5srvtab and Kerberos as - /etc/krb5.keytab. They can be symlinked. - - o MIT has added many options to the krb5.conf configuration file - which allows newer features of Release 1.0 to be turned off to match - the earlier version of Kerberos upon which DCE is based. - - o DCE will accept a externally obtained Kerberos TGT in place of a - password when establishing a DCE context. - -There are some areas where they differ, including the following: - - o Administration of the database and the keytab files is done by the - DCE routines, rather the the Kerberos kadmin. - - o User password changes must be done using the DCE commands. Kpasswd - does not work. (But there are mods to Kerberos to use the v5passwd - with DCE. - - o DCE goes beyond authentication only, and provides authorization via - the PAC, and the dce-ptgt tickets stored in the cache. Thus a - Kerberos KDC can not act as a DCE security server. 
- - o A DCE cell and Kerberos realm can cross-realm authenticate, but - there can be no intermediate realms. (There are other problems - in this area as well. But directly connected realms/cells do work.) - - o You can't link a module with the DCE library and the Kerberos - library. They have conflicting routines, static data and structures. - -One of the main features of DCE is the Distributed File System -DFS. Access to DFS requires authentication and authorization, and when -one uses a Kerberized network utility such as telnet, a forwarded -Kerberos ticket can be used to establish the DCE context to allow -access to DFS. - - -NEW TO THIS RELEASE - -This release introduces sharing of a DCE context, and PAG, and allows -any Kerberized application to establish or share the context. This is -made possible by using an undocumented feature of DCE which is on at -least the Transarc and IBM releases of DCE 1.1. - -I am in the process of trying to get this contributed to the general -DCE 1.2.2 release as a patch, so it could be included in other vendors -products. HP has expressed interest in doing this, as well as the -OpenGroup if the modification is contributed. You can help by -requesting Transarc and/or IBM to submit this modification to the -OpenGroup and ask your vendor to adopt this modification. - -The feature is a modification to the setpag() system call which will -allow an authorized process to set the PAG to a specific value, and -thus allow unrelated processes to share the same PAG. - -This then allows the Kerberized daemons such as kshd, to exec a DCE -module which established the DCE context. Kshd then sets the -KRB5CCNAME environment variable and then issues the setpag() to use -this context. This solves the linking problem. This is done via the -k5dfspag.c routine. - -The k5dfspag.c code is compiled with the lib/krb5/os routines and -included in the libkrb5. 
A daemon calls krb5_dfs_pag after the -krb5_kuserok has determined that the Kerberos principal and local -userid pair are acceptable. This should be done early so as to give -the daemon access to the home directory which may be located on DFS. -If the .k5login file is used by krb5_kuserok it will need to be -accessed by the daemon and will need special ACL handling. - -The krb5_dfs_pag routine will exec the k5dcecon module to do all the -real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set -the PAG for the current process to the returned PAG value. It will -also set the KRB5CCNAME environment as well. Under DCE the PAG value -is the nnnnnnn part of the name of the cache: -FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn. - -The k5dcecon routine will attempt to use TGT which may have been -forwarded, to convert it to a DCE context. If there is no TGT, an -attempt will be made to join an existing PAG for the local userid, and -Kerberos principal. If there are existing PAGs, and a forwarded TGT, -k5dcecon will check the lifetime of the forwarded TGT, and if it is -less than the lifetime of the PAG, it will just join the PAG. If it -is greater, it will refresh the PAG using the forwarded TGT. -This approach has the advantage of not requiring many new tickets from -having to be obtained, and allows one to refresh a DCE context, or use -an already established context. - -If the system also has AFS, the AFS krb5_afs_pag should be called -after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may -have changed, such as if a DFS PAG has been joined. The AFS code does -not have the capability to join an existing AFS PAG, but can use the -same cache which might already had a -afsx/@ service ticket. - - -WHAT'S IN THIS RELEASE - -The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to -be slipped in between telnetd or klogind and login.krb5. They would -use a forwarded Kerberos ticket to establish a DCE context. 
They are -the older programs which are included here. They work on all DCE -platforms, and don't take advantage of the undocumented setpag -feature. (A version of k5dcelogin is being included with DCE 1.2.2) - -K5dcecon is the new program which can be used to create, update or -join a DCE context. k5dcecon returns KRB5CCNAME string which contains -the PAG. - -k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel -1 and added to the libkrb5. It will exec k5dcecon and upon return set -the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd, -ftpd are available to use the k5dfspag. - -Testpag.c is a test programs to see if the PAG can be set. - -The cpwkey.c routine can be used to change a key in the DCE registry, -by adding the key directly, or by setting the salt/pepper and password -or by providing the key and the pepper. This could be useful when -coping keys from a K4 or AFS database to DCE. It can also be used when -setting a DCE to K5 cross-cell key. This program is a test program -For mass inserts, it should be rewritten to read from stdin. - -K5dcelogin can also be called directly, much like dce_login. -I use the following commands in effect do the same thing as dce_login -and get a forwardable ticket, DCE context and an AFS token: - - #!/bin/csh - # simulate a dce_login using krb5 kinit and k5dcelogin - # - setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$ - /krb5/bin/kinit -f - exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh - #exec /krb5/sbin/k5dcelogin /bin/csh - -This could be useful in a mixed cell where "AS_REQ" messages are -handled by a K5 KDC, but DCE RPCs are handled by the DCE security -server. - -TESTING THE SETPAG - -The krb5_dfs_pag routine relies on an undocumented feature which is -in the AIX and Transarc Solaris ports of DCE and has been recently -added to the SGI version. To test if this feature is present -on some other DFS implementation use the testpag routine. 
- -The testpag routine attempts to set a PAG value to one you supply. It -uses the afs_syscall with the afs_setpag, and passes the supplied -PAG value as the next parameter. On an unmodifed system, this -will be ignored, and a new will be set. You should also check that -if run as a user, you cannot join a PAG owned by another user. -When run as root, any PAG should be usable. - -On a machine with DFS running, do a dce_login to get a DCE context and -PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It -should look like an 8 char hex value, which may be 41ffxxxx on some -systems. - -Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where -nnnnnnnn is the PAG obtained for the above name. - -It should look like this example on an AIX 4.1.4 system: - - pembroke# ./testpag -n 63dc9997 - calling k5dcepag newpag=63dc9997 - PAG returned = 63dc9997 - -You will be running under a new shell with the PAG and KRB5CCNAME set. -If the PAG returned is the same as the newpag, then it worked. You can -further verify this by doing a DCE klist, cd to DFS and a DCE klist -again. The klist should show some tickets for DFS servers. - -If the PAG returned is not the same, and repeated attempts show a -returned PAG decremented by 1 from the previous returned PAG, then -this system does not have the modification For example: - - # ./testpag -n 41fffff9 - calling k5dcepag newpag=41fffff9 - PAG returned = 41fffff8 - # ./testpag -n 41fffff9 - calling k5dcepag newpag=41fffff9 - PAG returned = 41fffff7 - -In this case the syscall is ignoring the newpag parameter. - -Running it with -n 0 should get the next PAG value with or without -this modification. 
- -If the DFS kernel extensions are not installed, you would get -something like this: - - caliban.ctd.anl.gov% ./testpag -n 012345678 - calling k5dcepag newpag=012345678 - Setpag failed with a system error - PAG returned = ffffffff - Not a good pag value - -If you DFS implementation does not have this modification, you could -attempt to install it yourself. But this requires source and requires -modifications to the kernel extensions. At the end of this note is an -untested sample using the DCE 1.2.2 source code. You can also contact -your system vendor and ask for this modification. - -UNICOS has a similar function setppag(newpag) which can be used to set -the PAG of the parent. Contact me if you are interested. - -HOW TO INSTALL - -Examine the k5dfspag.c file to make sure the DFS syscalls are correct -for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h -on Solaris for example. - -You should build the testpag routine and make sure it works before -adding all the other mods. If it fails you can still use the klogind -and telnetd with the k5prelogin and k5dcelogin code. - -If you intend to install with a prefix other than /krb5, change: -DPAGAIX and K5DCECON in k5dfspag.c; the three references in -k5prelogin.c; and the DESTDIR in the Makefile. - -Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG -and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE -related changes and the calls to krb5_dfs_pag. - -Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory. - -Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration. - -Configure and Build the Kerberos v5. - -Modify the k5dce Makefile for your system. - -Build the k5dcecon and related programs. - -Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX. - -The makefile can also build k5dcelogin and k5prelogin. 
The install -can install k5dcelogin, k5prelogin and update the links for login.krb5 --> k5prelogin and moving login.krb5 to login.k5. If you will be using -the k5dcecon/k5dfspag with the Kerberos mods, you don't need -k5prelogin, or the links changed, and may not need k5dcelogin. - -Note that Transarc has obfuscated the entries to the lib, and -the 1.0.3a is different from the 1.1. You may need to build two -versions of the k5dcelogin and/or k5dcecon one for each. - -AIX ONLY - -The dpagaix routine is needed for AIX because of the way they do the -syscalls. - -The following fix.aix.libdce.mk is not needed if dce 2.1.0.21 -has been installed. This PTF exposed the needed entrypoints. - -The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required -external entry points to the libdce.a. These are needed by k5dcecon -and k5dcelogin. A bug report was submitted to IBM on this, and it was -rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not -be needed with 1.2.2 - -Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the -makefile to its own directory. It will create a new libdce.a which you -need to copy back to /usr/lib/libdce.a You will need to reboot the -machine. See the /usr/lpp/dce/examples/inst/README.AIX for a similar -procedure. IBM was not responsive in a request to have these added. 
- -UNTESTED KERNEL EXTENSION FOR SETPAG - -*** src/file/osi/,osi_pag.c Wed Oct 2 13:03:05 1996 ---- src/file/osi/osi_pag.c Mon Jul 28 13:53:13 1997 -*************** -*** 293,298 **** ---- 293,302 ---- - int code; - - osi_MakePreemptionRight(); -+ /* allow sharing of a PAG by non child processes DEE- 6/6/97 */ -+ if (unused && osi_GetUID(osi_getucred()) == 0) { -+ newpag = unused; -+ } else { - osi_mutex_enter(&osi_pagLock); - now = osi_Time(); - soonest = osi_firstPagTime + -*************** -*** 309,314 **** ---- 313,319 ---- - } - osi_mutex_exit(&osi_pagLock); - newpag = osi_genpag(); -+ } - osi_pcred_lock(p); - credp = crcopy(osi_getucred()); - code = osi_SetPagInCred(credp, newpag); - -Created 07/08/96 -Modified 09/30/96 -Modified 11/19/96 -Modified 12/19/96 -Modified 06/20/97 -Modified 07/28/97 -Modified 02/18/98 - - Douglas E. Engert - Argonne National Laboratory - 9700 South Cass Avenue - Argonne, Illinois 60439 - (630) 252-5444 diff --git a/crypto/heimdal/appl/dceutils/compile b/crypto/heimdal/appl/dceutils/compile deleted file mode 100755 index d4a34aa0ef97..000000000000 --- a/crypto/heimdal/appl/dceutils/compile +++ /dev/null 
@@ -1,82 +0,0 @@
-#! /bin/sh
-
-# Wrapper for compilers which do not understand `-c -o'.
-
-# Copyright 1999, 2000 Free Software Foundation, Inc.
-# Written by Tom Tromey .
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-# Usage:
-# compile PROGRAM [ARGS]...
-# `-o FOO.o' is removed from the args passed to the actual compile.
-
-prog=$1
-shift
-
-ofile=
-cfile=
-args=
-while test $# -gt 0; do
- case "$1" in
- -o)
- ofile=$2
- shift
- ;;
- *.c)
- cfile=$1
- args="$args $1"
- ;;
- *)
- args="$args $1"
- ;;
- esac
- shift
-done
-
-test -z "$ofile" && {
- echo "compile: no \`-o' option seen" 1>&2
- exit 1
-}
-
-test -z "$cfile" && {
- echo "compile: no \`.c' file seen" 1>&2
- exit 1
-}
-
-# Name of file we expect compiler to create.
-cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
-
-# Create the lock directory.
-lockdir=`echo $ofile | sed -e 's|/|_|g'`
-while true; do
- if mkdir $lockdir > /dev/null 2>&1; then
- break
- fi
- sleep 1
-done
-# FIXME: race condition here if user kills between mkdir and trap.
-trap "rmdir $lockdir; exit 1" 1 2 15
-
-# Run the compile.
-"$prog" $args
-status=$?
-
-if test -f "$cofile"; then
- mv "$cofile" "$ofile"
-fi
-
-rmdir $lockdir
-exit $status
diff --git a/crypto/heimdal/appl/dceutils/dfspag.exp b/crypto/heimdal/appl/dceutils/dfspag.exp
deleted file mode 100644
index ed39788d5ed0..000000000000
--- a/crypto/heimdal/appl/dceutils/dfspag.exp
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/unix
-* kernel extentions used to get the pag
-kafs_syscall syscall
diff --git a/crypto/heimdal/appl/dceutils/dpagaix.c b/crypto/heimdal/appl/dceutils/dpagaix.c
deleted file mode 100644
index cbc23cb880f7..000000000000
--- a/crypto/heimdal/appl/dceutils/dpagaix.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * dpagaix.c
- * On AIX we need to get the kernel extentions
- * with the DFS kafs_syscall in it.
- * We might be running on a system
- * where DFS is not active.
- * So we use this dummy routine which
- * might not load to do the dirty work
- *
- * DCE does this with the /usr/lib/drivers/dfsloadobj
- *
- */
-
- int dpagaix(parm1, parm2, parm3, parm4, parm5, parm6)
- int parm1;
- int parm2;
- int parm3;
- int parm4;
- int parm5;
- int parm6;
- {
- return(kafs_syscall(parm1, parm2, parm3, parm4, parm5, parm6));
- }
diff --git a/crypto/heimdal/appl/dceutils/k5dce.h b/crypto/heimdal/appl/dceutils/k5dce.h
deleted file mode 100644
index 424ebdc0da98..000000000000
--- a/crypto/heimdal/appl/dceutils/k5dce.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/* dummy K5 routines which are needed to get this to
- * compile without having access ti the DCE versions
- * of the header files.
- * Thiis is very crude, and OSF needs to expose the K5
- * API.
- */
-
-#ifdef sun
-/* Transarc obfascates these routines */
-#ifdef DCE_1_1
-
-#define krb5_init_ets _dce_PkjKqOaklP
-#define krb5_copy_creds _dce_LuFxPiITzD
-#define krb5_unparse_name _dce_LWHtAuNgRV
-#define krb5_get_default_realm _dce_vDruhprWGh
-#define krb5_build_principal _dce_qwAalSzTtF
-#define krb5_build_principal_ext _dce_vhafIQlejW
-#define krb5_build_principal_va _dce_alsqToMmuJ
-#define krb5_cc_default _dce_KZRshhTXhE
-#define krb5_cc_default_name _dce_bzJVAjHXVQ
-#define sec_login_krb5_add_cred _dce_ePDtOJTZvU
-
-#else /* DCE 1.0.3a */
-
-#define krb5_init_ets _dce_BmLRpOVsBo
-#define krb5_copy_creds _dce_VGwSEBNwaf
-#define krb5_unparse_name _dce_PgAOkJoMXA
-#define krb5_get_default_realm _dce_plVOzStKyK
-#define krb5_build_principal _dce_uAKSsluIFy
-#define krb5_build_principal_ext _dce_tRMpPiRada
-#define krb5_build_principal_va _dce_SxnLejZemH
-#define krb5_cc_default _dce_SeKosWFnsv
-#define krb5_cc_default_name _dce_qJeaphJWVc
-#define sec_login_krb5_add_cred _dce_uHwRasumsN
-
-#endif
-#endif
-
-/* Define the bare minimum k5 structures which are needed
- * by this program. Since the krb5 includes are not supplied
- * with DCE, these were based on the MIT Kerberos 5 beta 3
- * which should match the DCE as of 1.0.3 at least.
- * The tricky one is the krb5_creds, since one is allocated
- * by this program, and it needs access to the client principal
- * in it.
- * Note that there are no function prototypes, so there is no
- * compile time checking.
- * DEE 07/11/95
- */
-#define NPROTOTYPE(x) ()
-typedef int krb5_int32; /* assuming all DCE systems are 32 bit */
-typedef short krb5short; /* assuming short is 16 bit */
-typedef krb5_int32 krb5_error_code;
-typedef unsigned char krb5_octet;
-typedef krb5_octet krb5_boolean;
-typedef krb5short krb5_keytype; /* in k5.2 it's a short */
-typedef krb5_int32 krb5_flags;
-typedef krb5_int32 krb5_timestamp;
-
-typedef char * krb5_pointer; /* pointer to unexposed data */
-
-typedef struct _krb5_ccache {
- struct _krb5_cc_ops *ops;
- krb5_pointer data;
-} *krb5_ccache;
-
-typedef struct _krb5_cc_ops {
- char *prefix;
- char *(*get_name) NPROTOTYPE((krb5_ccache));
- krb5_error_code (*resolve) NPROTOTYPE((krb5_ccache *, char *));
- krb5_error_code (*gen_new) NPROTOTYPE((krb5_ccache *));
- krb5_error_code (*init) NPROTOTYPE((krb5_ccache, krb5_principal));
- krb5_error_code (*destroy) NPROTOTYPE((krb5_ccache));
- krb5_error_code (*close) NPROTOTYPE((krb5_ccache));
- krb5_error_code (*store) NPROTOTYPE((krb5_ccache, krb5_creds *));
- krb5_error_code (*retrieve) NPROTOTYPE((krb5_ccache, krb5_flags,
- krb5_creds *, krb5_creds *));
- krb5_error_code (*get_princ) NPROTOTYPE((krb5_ccache,
- krb5_principal *));
- krb5_error_code (*get_first) NPROTOTYPE((krb5_ccache,
- krb5_cc_cursor *));
- krb5_error_code (*get_next) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *,
- krb5_creds *));
- krb5_error_code (*end_get) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *));
- krb5_error_code (*remove_cred) NPROTOTYPE((krb5_ccache, krb5_flags,
- krb5_creds *));
- krb5_error_code (*set_flags) NPROTOTYPE((krb5_ccache, krb5_flags));
-} krb5_cc_ops;
-
-typedef struct _krb5_keyblock {
- krb5_keytype keytype;
- int length;
- krb5_octet *contents;
-} krb5_keyblock;
-
-typedef struct _krb5_ticket_times {
- krb5_timestamp authtime;
- krb5_timestamp starttime;
- krb5_timestamp endtime;
- krb5_timestamp renew_till;
-} krb5_ticket_times;
-
-typedef krb5_pointer krb5_cc_cursor;
-
-typedef struct _krb5_data {
- int length;
- char *data;
-} krb5_data;
-
-typedef struct _krb5_authdata {
- int ad_type;
- int length;
- krb5_octet *contents;
-} krb5_authdata;
-
-typedef struct _krb5_creds {
- krb5_pointer client;
- krb5_pointer server;
- krb5_keyblock keyblock;
- krb5_ticket_times times;
- krb5_boolean is_skey;
- krb5_flags ticket_flags;
- krb5_pointer **addresses;
- krb5_data ticket;
- krb5_data second_ticket;
- krb5_pointer **authdata;
-} krb5_creds;
-
-typedef krb5_pointer krb5_principal;
-
-#define KRB5_CC_END 336760974
-#define KRB5_TC_OPENCLOSE 0x00000001
-
-/* Ticket flags */
-/* flags are 32 bits; each host is responsible to put the 4 bytes
- representing these bits into net order before transmission */
-/* #define TKT_FLG_RESERVED 0x80000000 */
-#define TKT_FLG_FORWARDABLE 0x40000000
-#define TKT_FLG_FORWARDED 0x20000000
-#define TKT_FLG_PROXIABLE 0x10000000
-#define TKT_FLG_PROXY 0x08000000
-#define TKT_FLG_MAY_POSTDATE 0x04000000
-#define TKT_FLG_POSTDATED 0x02000000
-#define TKT_FLG_INVALID 0x01000000
-#define TKT_FLG_RENEWABLE 0x00800000
-#define TKT_FLG_INITIAL 0x00400000
-#define TKT_FLG_PRE_AUTH 0x00200000
-#define TKT_FLG_HW_AUTH 0x00100000
-#ifdef PK_INIT
-#define TKT_FLG_PUBKEY_PREAUTH 0x00080000
-#define TKT_FLG_DIGSIGN_PREAUTH 0x00040000
-#define TKT_FLG_PRIVKEY_PREAUTH 0x00020000
-#endif
-
-
-#define krb5_cc_get_principal(cache, principal) (*(cache)->ops->get_princ)(cache, principal)
-#define krb5_cc_set_flags(cache, flags) (*(cache)->ops->set_flags)(cache, flags)
-#define krb5_cc_get_name(cache) (*(cache)->ops->get_name)(cache)
-#define krb5_cc_start_seq_get(cache, cursor) (*(cache)->ops->get_first)(cache, cursor)
-#define krb5_cc_next_cred(cache, cursor, creds) (*(cache)->ops->get_next)(cache, cursor, creds)
-#define krb5_cc_destroy(cache) (*(cache)->ops->destroy)(cache)
-#define krb5_cc_end_seq_get(cache, cursor) (*(cache)->ops->end_get)(cache, cursor)
-
-/* end of k5 dummy typedefs */
-
diff --git a/crypto/heimdal/appl/dceutils/k5dcecon.c b/crypto/heimdal/appl/dceutils/k5dcecon.c
deleted file mode 100644
index 99310bb34c4c..000000000000
--- a/crypto/heimdal/appl/dceutils/k5dcecon.c
+++ /dev/null
@@ -1,791 +0,0 @@ -/* - * (c) Copyright 1995 HEWLETT-PACKARD COMPANY - * - * To anyone who acknowledges that this file is provided - * "AS IS" without any express or implied warranty: - * permission to use, copy, modify, and distribute this - * file for any purpose is hereby granted without fee, - * provided that the above copyright notice and this - * notice appears in all copies, and that the name of - * Hewlett-Packard Company not be used in advertising or - * publicity pertaining to distribution of the software - * without specific, written prior permission. Hewlett- - * Packard Company makes no representations about the - * suitability of this software for any purpose. - * - */ -/* - * k5dcecon - Program to convert a K5 TGT to a DCE context, - * for use with DFS and its PAG. - * - * The program is designed to be called as a sub process, - * and return via stdout the name of the cache which implies - * the PAG which should be used. This program itself does not - * use the cache or PAG itself, so the PAG in the kernel for - * this program may not be set. - * - * The calling program can then use the name of the cache - * to set the KRB5CCNAME and PAG for its self and its children. - * - * If no ticket was passed, an attemplt to join an existing - * PAG will be made. - * - * If a forwarded K5 TGT is passed in, either a new DCE - * context will be created, or an existing one will be updated. - * If the same ticket was already used to create an existing - * context, it will be joined instead. - * - * Parts of this program are based on k5dceauth,c which was - * given to me by HP and by the k5dcelogin.c which I developed. - * A slightly different version of k5dcelogin.c, was added to - * DCE 1.2.2 - * - * D. E. 
Engert 6/17/97 ANL - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include "k5dce.h" - -#include -#include -#include - -/* #define DEBUG */ -#if defined(DEBUG) -#define DEEDEBUG(A) fprintf(stderr,A); fflush(stderr) -#define DEEDEBUG2(A,B) fprintf(stderr,A,B); fflush(stderr) -#else -#define DEEDEBUG(A) -#define DEEDEBUG2(A,B) -#endif - -#ifdef __hpux -#define seteuid(A) setresuid(-1,A,-1); -#endif - - -int k5dcecreate (uid_t, char *, char*, krb5_creds **); -int k5dcecon (uid_t, char *, char *); -int k5dcegettgt (krb5_ccache *, char *, char *, krb5_creds **); -int k5dcematch (uid_t, char *, char *, off_t *, krb5_creds **); -int k5dcesession (uid_t, char *, krb5_creds **, int *,krb5_flags); - - -char *progname = "k5dcecon"; -static time_t now; - -#ifdef notdef -#ifdef _AIX -/*---------------------------------------------*/ - /* AIX with DCE 1.1 does not have the com_err in the libdce.a - * do a half hearted job of substituting for it. - */ -void com_err(char *p1, int code, ...) -{ - int lst; - dce_error_string_t err_string; - dce_error_inq_text(code, err_string, &lst); - fprintf(stderr,"Error %d in %s: %s\n", code, p1, err_string ); -} - -/*---------------------------------------------*/ -void krb5_init_ets() -{ - -} -#endif -#endif - - -/*------------------------------------------------*/ -/* find a cache to use for our new pag */ -/* Since there is no simple way to determine which - * caches are associated with a pag, we will have - * do look around and see what makes most sense on - * different systems. - * on a Solaris system, and in the DCE source, - * the pags always start with a 41. - * this is not true on the IBM, where there does not - * appear to be any pattern. - * - * But since we are always certifing our creds when - * they are received, we can us that fact, and look - * at the first word of the associated data file - * to see that it has a "5". If not don't use. 
- */ - -int k5dcesession(luid, pname, tgt, ppag, tflags) - uid_t luid; - char *pname; - krb5_creds **tgt; - int *ppag; - krb5_flags tflags; -{ - DIR *dirp; - struct dirent *direntp; - off_t size; - krb5_timestamp endtime; - int better = 0; - krb5_creds *xtgt; - - char prev_name[17] = ""; - krb5_timestamp prev_endtime; - off_t prev_size; - u_long prev_pag = 0; - - char ccname[64] = "FILE:/opt/dcelocal/var/security/creds/"; - - error_status_t st; - sec_login_handle_t lcontext = 0; - dce_error_string_t err_string; - int lst; - - DEEDEBUG2("k5dcesession looking for flags %8.8x\n",tflags); - - dirp = opendir("/opt/dcelocal/var/security/creds/"); - if (dirp == NULL) { - return 1; - } - - while ( (direntp = readdir( dirp )) != NULL ) { - -/* - * (but root has the ffffffff which we are not interested in) - */ - if (!strncmp(direntp->d_name,"dcecred_",8) - && (strlen(direntp->d_name) == 16)) { - - /* looks like a cache name, lets do the stat, etc */ - - strcpy(ccname+38,direntp->d_name); - if (!k5dcematch(luid, pname, ccname, &size, &xtgt)) { - - /* its one of our caches, see if it is better - * i.e. the endtime is farther, and if the endtimes - * are the same, take the larger, as he who has the - * most tickets wins. - * it must also had the same set of flags at least - * i.e. if the forwarded TGT is forwardable, this one must - * be as well. 
- */ - - DEEDEBUG2("Cache:%s",direntp->d_name); - DEEDEBUG2(" size:%d",size); - DEEDEBUG2(" flags:%8.8x",xtgt->ticket_flags); - DEEDEBUG2(" %s",ctime((time_t *)&xtgt->times.endtime)); - - if ((xtgt->ticket_flags & tflags) == tflags ) { - if (prev_name[0]) { - if (xtgt->times.endtime > prev_endtime) { - better = 1; - } else if ((xtgt->times.endtime = prev_endtime) - && (size > prev_size)){ - better = 1; - } - } else { /* the first */ - if (xtgt->times.endtime >= now) { - better = 1; - } - } - if (better) { - strcpy(prev_name, direntp->d_name); - prev_endtime = xtgt->times.endtime; - prev_size = size; - sscanf(prev_name+8,"%8X",&prev_pag); - *tgt = xtgt; - better = 0; - } - } - } - } - } - (void)closedir( dirp ); - - if (!prev_name[0]) - return 1; /* failed to find one */ - - DEEDEBUG2("Best: %s\n",prev_name); - - if (ppag) - *ppag = prev_pag; - - strcpy(ccname+38,prev_name); - setenv("KRB5CCNAME",ccname,1); - - return(0); -} - - -/*----------------------------------------------*/ -/* see if this cache is for this this principal */ - -int k5dcematch(luid, pname, ccname, sizep, tgt) - uid_t luid; - char *pname; - char *ccname; - off_t *sizep; /* size of the file */ - krb5_creds **tgt; -{ - - krb5_ccache cache; - struct stat stbuf; - char ccdata[256]; - int fd; - int status; - - /* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */ - - if (!strncmp(ccname,"FILE:",5)) { - - strcpy(ccdata,ccname+5); - strcat(ccdata,".data"); - - /* DEEDEBUG2("Checking the .data file for %s\n",ccdata); */ - - if (stat(ccdata, &stbuf)) - return(1); - - if (stbuf.st_uid != luid) - return(1); - - if ((fd = open(ccdata,O_RDONLY)) == -1) - return(1); - - if ((read(fd,&status,4)) != 4) { - close(fd); - return(1); - } - - /* DEEDEBUG2(".data file status = %d\n", status); */ - - if (status != 5) - return(1); - - if (stat(ccname+5, &stbuf)) - return(1); - - if (stbuf.st_uid != luid) - return(1); - - *sizep = stbuf.st_size; - } - - return(k5dcegettgt(&cache, ccname, pname, tgt)); -} - - 
-/*----------------------------------------*/ -/* k5dcegettgt - get the tgt from a cache */ - -int k5dcegettgt(pcache, ccname, pname, tgt) - krb5_ccache *pcache; - char *ccname; - char *pname; - krb5_creds **tgt; - -{ - krb5_ccache cache; - krb5_cc_cursor cur; - krb5_creds creds; - int code; - int found = 1; - krb5_principal princ; - char *kusername; - krb5_flags flags; - char *sname, *realm, *tgtname = NULL; - - /* Since DCE does not expose much of the Kerberos interface, - * we will have to use what we can. This means setting the - * KRB5CCNAME for each file we want to test - * We will also not worry about freeing extra cache structures - * as this this routine is also not exposed, and this should not - * effect this module. - * We should also free the creds contents, but that is not exposed - * either. - */ - - setenv("KRB5CCNAME",ccname,1); - cache = NULL; - *tgt = NULL; - - if (code = krb5_cc_default(pcache)) { - com_err(progname, code, "while getting ccache"); - goto return2; - } - - DEEDEBUG("Got cache\n"); - flags = 0; - if (code = krb5_cc_set_flags(*pcache, flags)) { - com_err(progname, code,"While setting flags"); - goto return2; - } - DEEDEBUG("Set flags\n"); - if (code = krb5_cc_get_principal(*pcache, &princ)) { - com_err(progname, code, "While getting princ"); - goto return1; - } - DEEDEBUG("Got principal\n"); - if (code = krb5_unparse_name(princ, &kusername)) { - com_err(progname, code, "While unparsing principal"); - goto return1; - } - - DEEDEBUG2("Unparsed to \"%s\"\n", kusername); - DEEDEBUG2("pname is \"%s\"\n", pname); - if (strcmp(kusername, pname)) { - DEEDEBUG("Principals not equal\n"); - goto return1; - } - DEEDEBUG("Principals equal\n"); - - realm = strchr(pname,'@'); - realm++; - - if ((tgtname = malloc(9 + 2 * strlen(realm))) == 0) { - fprintf(stderr,"Malloc failed for tgtname\n"); - goto return1; - } - - strcpy(tgtname,"krbtgt/"); - strcat(tgtname,realm); - strcat(tgtname,"@"); - strcat(tgtname,realm); - - DEEDEBUG2("Getting tgt %s\n", 
tgtname); - if (code = krb5_cc_start_seq_get(*pcache, &cur)) { - com_err(progname, code, "while starting to retrieve tickets"); - goto return1; - } - - while (!(code = krb5_cc_next_cred(*pcache, &cur, &creds))) { - krb5_creds *cred = &creds; - - if (code = krb5_unparse_name(cred->server, &sname)) { - com_err(progname, code, "while unparsing server name"); - continue; - } - - if (strncmp(sname, tgtname, strlen(tgtname)) == 0) { - DEEDEBUG("FOUND\n"); - if (code = krb5_copy_creds(&creds, tgt)) { - com_err(progname, code, "while copying TGT"); - goto return1; - } - found = 0; - break; - } - /* we should do a krb5_free_cred_contents(creds); */ - } - - if (code = krb5_cc_end_seq_get(*pcache, &cur)) { - com_err(progname, code, "while finishing retrieval"); - goto return2; - } - -return1: - flags = KRB5_TC_OPENCLOSE; - krb5_cc_set_flags(*pcache, flags); /* force a close */ - -return2: - if (tgtname) - free(tgtname); - - return(found); -} - - -/*------------------------------------------*/ -/* Convert a forwarded TGT to a DCE context */ -int k5dcecon(luid, luser, pname) - uid_t luid; - char *luser; - char *pname; -{ - - krb5_creds *ftgt = NULL; - krb5_creds *tgt = NULL; - unsigned32 dfspag; - boolean32 reset_passwd = 0; - int lst; - dce_error_string_t err_string; - char *shell_prog; - krb5_ccache fcache; - char *ccname; - char *kusername; - char *urealm; - char *cp; - int pag; - int code; - krb5_timestamp endtime; - - - /* If there is no cache to be converted, we should not be here */ - - if ((ccname = getenv("KRB5CCNAME")) == NULL) { - DEEDEBUG("No KRB5CCNAME\n"); - return(1); - } - - if (k5dcegettgt(&fcache, ccname, pname, &ftgt)) { - fprintf(stderr, "%s: Did not find TGT\n", progname); - return(1); - } - - - DEEDEBUG2("flags=%x\n",ftgt->ticket_flags); - if (!(ftgt->ticket_flags & TKT_FLG_FORWARDABLE)){ - fprintf(stderr,"Ticket not forwardable\n"); - return(0); /* but OK to continue */ - } - - setenv("KRB5CCNAME","",1); - -#define TKT_ACCEPTABLE (TKT_FLG_FORWARDABLE | 
TKT_FLG_PROXIABLE \ - | TKT_FLG_MAY_POSTDATE | TKT_FLG_RENEWABLE | TKT_FLG_HW_AUTH \ - | TKT_FLG_PRE_AUTH) - - if (!k5dcesession(luid, pname, &tgt, &pag, - (ftgt->ticket_flags & TKT_ACCEPTABLE))) { - if (ftgt->times.endtime > tgt->times.endtime) { - DEEDEBUG("Updating existing cache\n"); - return(k5dceupdate(&ftgt, pag)); - } else { - DEEDEBUG("Using existing cache\n"); - return(0); /* use the original one */ - } - } - /* see if the tgts match up */ - - if ((code = k5dcecreate(luid, luser, pname, &ftgt))) { - return (code); - } - - /* - * Destroy the Kerberos5 cred cache file. - * but dont care aout the return code. - */ - - DEEDEBUG("Destroying the old cache\n"); - if ((code = krb5_cc_destroy(fcache))) { - com_err(progname, code, "while destroying Kerberos5 ccache"); - } - return (0); -} - - -/*--------------------------------------------------*/ -/* k5dceupdate - update the cache with a new TGT */ -/* Assumed that the KRB5CCNAME has been set */ - -int k5dceupdate(krbtgt, pag) - krb5_creds **krbtgt; - int pag; -{ - - krb5_ccache ccache; - int code; - - if (code = krb5_cc_default(&ccache)) { - com_err(progname, code, "while opening cache for update"); - return(2); - } - - if (code = ccache->ops->init(ccache,(*krbtgt)->client)) { - com_err(progname, code, "while reinitilizing cache"); - return(3); - } - - /* krb5_cc_store_cred */ - if (code = ccache->ops->store(ccache, *krbtgt)) { - com_err(progname, code, "while updating cache"); - return(2); - } - - sec_login_pag_new_tgt(pag, (*krbtgt)->times.endtime); - return(0); -} -/*--------------------------------------------------*/ -/* k5dcecreate - create a new DCE context */ - -int k5dcecreate(luid, luser, pname, krbtgt) - uid_t luid; - char *luser; - char *pname; - krb5_creds **krbtgt; -{ - - char *cp; - char *urealm; - char *username; - char *defrealm; - uid_t uid; - - error_status_t st; - sec_login_handle_t lcontext = 0; - sec_login_auth_src_t auth_src = 0; - boolean32 reset_passwd = 0; - int lst; - dce_error_string_t 
err_string; - - setenv("KRB5CCNAME","",1); /* make sure it not misused */ - - uid = getuid(); - DEEDEBUG2("uid=%d\n",uid); - - /* if run as root, change to user, so as to have the - * cache created for the local user even if cross-cell - * If run as a user, let standard file protection work. - */ - - if (uid == 0) { - seteuid(luid); - } - - cp = strchr(pname,'@'); - *cp = '\0'; - urealm = ++cp; - - DEEDEBUG2("basename=%s\n",cp); - DEEDEBUG2("realm=%s\n",urealm); - - /* now build the username as a single string or a /.../cell/user - * if this is a cross cell - */ - - if ((username = malloc(7+strlen(pname)+strlen(urealm))) == 0) { - fprintf(stderr,"Malloc failed for username\n"); - goto abort; - } - if (krb5_get_default_realm(&defrealm)) { - DEEDEBUG("krb5_get_default_realm failed\n"); - goto abort; - } - - - if (!strcmp(urealm,defrealm)) { - strcpy(username,pname); - } else { - strcpy(username,"/.../"); - strcat(username,urealm); - strcat(username,"/"); - strcat(username,pname); - } - - /* - * Setup a DCE login context - */ - - if (sec_login_setup_identity((unsigned_char_p_t)username, - (sec_login_external_tgt|sec_login_proxy_cred), - &lcontext, &st)) { - /* - * Add our TGT. - */ - DEEDEBUG("Adding our new TGT\n"); - sec_login_krb5_add_cred(lcontext, *krbtgt, &st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Error while adding credentials for %s because %s\n", - username, err_string); - goto abort; - } - DEEDEBUG("validating and certifying\n"); - /* - * Now "validate" and certify the identity, - * usually we would pass a password here, but... 
- * sec_login_valid_and_cert_ident - * sec_login_validate_identity - */ - - if (sec_login_validate_identity(lcontext, 0, &reset_passwd, - &auth_src, &st)) { - DEEDEBUG2("validate_identity st=%d\n",st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, "Validation error for %s because %s\n", - username, err_string); - goto abort; - } - if (!sec_login_certify_identity(lcontext,&st)) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Credentials not certified because %s\n",err_string); - } - if (reset_passwd) { - fprintf(stderr, - "Password must be changed for %s\n", username); - } - if (auth_src == sec_login_auth_src_local) { - fprintf(stderr, - "Credentials obtained from local registry for %s\n", - username); - } - if (auth_src == sec_login_auth_src_overridden) { - fprintf(stderr, "Validated %s from local override entry, no network credentials obtained\n", username); - goto abort; - - } - /* - * Actually create the cred files. - */ - DEEDEBUG("Ceating new cred files.\n"); - sec_login_set_context(lcontext, &st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to set context for %s because %s\n", - username, err_string); - goto abort; - } - - /* - * Now free up the local context and leave the - * network context with its pag - */ -#if 0 - sec_login_release_context(&lcontext, &st); - if (st) { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to release context for %s because %s\n", - username, err_string); - goto abort; - } -#endif - } - else { - DEEDEBUG2("validate failed %d\n",st); - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to validate %s because %s\n", username, - err_string); - goto abort; - } - } - else { - dce_error_inq_text(st, err_string, &lst); - fprintf(stderr, - "Unable to setup login entry for %s because %s\n", - username, err_string); - goto abort; - } - - done: - /* if we were root, get back to root */ - - 
DEEDEBUG2("sec_login_inq_pag %8.8x\n", - sec_login_inq_pag(lcontext, &st)); - - if (uid == 0) { - seteuid(0); - } - - DEEDEBUG("completed\n"); - return(0); - - abort: - if (uid == 0) { - seteuid(0); - } - - DEEDEBUG("Aborting\n"); - return(2); -} - - - -/*-------------------------------------------------*/ -main(argc, argv) - int argc; - char *argv[]; -{ - int status; - extern int optind; - extern char *optarg; - int rv; - - char *lusername = NULL; - char *pname = NULL; - int fflag = 0; - struct passwd *pw; - uid_t luid; - uid_t myuid; - char *ccname; - krb5_creds *tgt = NULL; - -#ifdef DEBUG - close(2); - open("/tmp/k5dce.debug",O_WRONLY|O_CREAT|O_APPEND, 0600); -#endif - - if (myuid = getuid()) { - DEEDEBUG2("UID = %d\n",myuid); - exit(33); /* must be root to run this, get out now */ - } - - while ((rv = getopt(argc,argv,"l:p:fs")) != -1) { - DEEDEBUG2("Arg = %c\n", rv); - switch(rv) { - case 'l': /* user name */ - lusername = optarg; - DEEDEBUG2("Optarg = %s\n", optarg); - break; - case 'p': /* principal name */ - pname = optarg; - DEEDEBUG2("Optarg = %s\n", optarg); - break; - case 'f': /* convert a forwarded TGT to a context */ - fflag++; - break; - case 's': /* old test parameter, ignore it */ - break; - } - } - - setlocale(LC_ALL, ""); - krb5_init_ets(); - time(&now); /* set time to check expired tickets */ - - /* if lusername == NULL, Then user is passed as the USER= variable */ - - if (!lusername) { - lusername = getenv("USER"); - if (!lusername) { - fprintf(stderr, "USER not in environment\n"); - return(3); - } - } - - if ((pw = getpwnam(lusername)) == NULL) { - fprintf(stderr, "Who are you?\n"); - return(44); - } - - luid = pw->pw_uid; - - if (fflag) { - status = k5dcecon(luid, lusername, pname); - } else { - status = k5dcesession(luid, pname, &tgt, NULL, 0); - } - - if (!status) { - printf("%s",getenv("KRB5CCNAME")); /* return via stdout to caller */ - DEEDEBUG2("KRB5CCNAME=%s\n",getenv("KRB5CCNAME")); - } - - DEEDEBUG2("Returning status %d\n",status); 
- return (status); -} diff --git a/crypto/heimdal/appl/dceutils/testpag.c b/crypto/heimdal/appl/dceutils/testpag.c deleted file mode 100644 index 4613fba5e94a..000000000000 --- a/crypto/heimdal/appl/dceutils/testpag.c +++ /dev/null 
@@ -1,150 +0,0 @@
-/* Test the k5dcepag routine by setting a pag, and
- * and execing a shell under this pag.
- *
- * This allows you to join a PAG which was created
- * earlier by some other means.
- * for example k5dcecon
- *
- * Must be run as root for testing only.
- *
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define POSIX_SETJMP
-#define POSIX_SIGNALS
-
-#ifdef POSIX_SIGNALS
-typedef struct sigaction handler;
-#define handler_init(H,F) (sigemptyset(&(H).sa_mask), \
- (H).sa_flags=0, \
- (H).sa_handler=(F))
-#define handler_swap(S,NEW,OLD) sigaction(S, &NEW, &OLD)
-#define handler_set(S,OLD) sigaction(S, &OLD, NULL)
-#else
-typedef sigtype (*handler)();
-#define handler_init(H,F) ((H) = (F))
-#define handler_swap(S,NEW,OLD) ((OLD) = signal ((S), (NEW)))
-
-#define handler_set(S,OLD) (signal ((S), (OLD)))
-#endif
-
-typedef void sigtype;
-
-/*
- * We could include the dcedfs/syscall.h which should have these
- * numbers, but it has extra baggage. So for
- * simplicity sake now, we define these here.
- */
-
-
-#define AFSCALL_SETPAG 2
-#define AFSCALL_GETPAG 11
-
-#if defined(sun)
-#define AFS_SYSCALL 72
-
-#elif defined(hpux)
-/* assume HPUX 10 + or is it 50 */
-#define AFS_SYSCALL 326
-
-#elif defined(_AIX)
-#define DPAGAIX "dpagaix"
-/* #define DPAGAIX "/krb5/sbin/dpagaix" */
-
-#elif defined(sgi) || defined(_sgi)
-#define AFS_SYSCALL 206+1000
-
-#else
-#define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL)
-#endif
-
-static sigjmp_buf setpag_buf;
-
-static sigtype mysig()
-{
- siglongjmp(setpag_buf, 1);
-}
-
-
-int krb5_dfs_newpag(new_pag)
- int new_pag;
-{
- handler sa1, osa1;
- handler sa2, osa2;
- int pag = -1;
-
- handler_init (sa1, mysig);
- handler_init (sa2, mysig);
- handler_swap (SIGSYS, sa1, osa1);
- handler_swap (SIGSEGV, sa2, osa2);
-
- if (sigsetjmp(setpag_buf, 1) == 0) {
-#if defined(_AIX)
- int (*dpagaix)(int, int, int, int, int, int);
-
- if (dpagaix = load(DPAGAIX, 0, 0))
- pag = (*dpagaix)(AFSCALL_SETPAG, new_pag, 0, 0, 0, 0);
-#else
- pag = syscall(AFS_SYSCALL,AFSCALL_SETPAG, new_pag, 0, 0, 0, 0);
-#endif
- handler_set (SIGSYS, osa1);
- handler_set (SIGSEGV, osa2);
- return(pag);
- }
-
- fprintf(stderr,"Setpag failed with a system error\n");
- /* syscall failed! return 0 */
- handler_set (SIGSYS, osa1);
- handler_set (SIGSEGV, osa2);
- return(-1);
-}
-
-main(argc, argv)
- int argc;
- char *argv[];
-{
- extern int optind;
- extern char *optarg;
- int rv;
- int rc;
- unsigned int pag;
- unsigned int newpag = 0;
- char ccname[256];
- int nflag = 0;
-
- while((rv = getopt(argc,argv,"n:")) != -1) {
- switch(rv) {
- case 'n':
- nflag++;
- sscanf(optarg,"%8x",&newpag);
- break;
- default:
- printf("Usage: k5dcepagt -n pag \n");
- exit(1);
- }
- }
-
- if (nflag) {
- fprintf (stderr,"calling k5dcepag newpag=%8.8x\n",newpag);
- pag = krb5_dfs_newpag(newpag);
-
- fprintf (stderr,"PAG returned = %8.8x\n",pag);
- if ((pag != 0) && (pag != -1)) {
- sprintf (ccname,
- "FILE:/opt/dcelocal/var/security/creds/dcecred_%8.8x",
- pag);
- esetenv("KRB5CCNAME",ccname,1);
- execl("/bin/csh","csh",0);
- }
- else {
- fprintf(stderr," Not a good pag value\n");
- }
- }
-}
diff --git a/crypto/heimdal/appl/ftp/Makefile b/crypto/heimdal/appl/ftp/Makefile
deleted file mode 100644
index 0051ebabad5c..000000000000
--- a/crypto/heimdal/appl/ftp/Makefile
+++ /dev/null
@@ -1,605 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/ftp/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -SUBDIRS = common ftp ftpd -subdir = appl/ftp -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = - -RECURSIVE_TARGETS = info-recursive dvi-recursive install-info-recursive \ - uninstall-info-recursive all-recursive install-data-recursive \ - install-exec-recursive installdirs-recursive install-recursive \ - uninstall-recursive check-recursive installcheck-recursive -DIST_COMMON = ChangeLog Makefile.am Makefile.in -DIST_SUBDIRS = $(SUBDIRS) -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/ftp/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. 
-# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d $(distdir)/$$subdir \ - || mkdir $(distdir)/$$subdir \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" \ - distdir=../$(distdir)/$$subdir \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: - -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to 
rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -info: info-recursive - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) GTAGS all all-am all-local check check-am \ - check-local clean clean-generic clean-libtool clean-recursive \ - distclean distclean-generic distclean-libtool \ - distclean-recursive distclean-tags distdir dvi dvi-am \ - dvi-recursive info info-am info-recursive install install-am \ - install-data install-data-am install-data-local \ - install-data-recursive install-exec install-exec-am \ - install-exec-recursive install-info install-info-am \ - install-info-recursive install-man install-recursive \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am installdirs-recursive maintainer-clean \ - maintainer-clean-generic maintainer-clean-recursive mostlyclean \ - mostlyclean-generic mostlyclean-libtool mostlyclean-recursive \ - tags tags-recursive uninstall uninstall-am uninstall-info-am \ - uninstall-info-recursive uninstall-recursive - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/ftp/common/Makefile b/crypto/heimdal/appl/ftp/common/Makefile deleted file mode 100644 index 9a52cb9873c5..000000000000 --- a/crypto/heimdal/appl/ftp/common/Makefile +++ /dev/null 
@@ -1,566 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/ftp/common/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -noinst_LIBRARIES = libcommon.a - -libcommon_a_SOURCES = \ - sockbuf.c \ - buffer.c \ - common.h - -subdir = appl/ftp/common -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LIBRARIES = $(noinst_LIBRARIES) - -libcommon_a_AR = $(AR) cru -libcommon_a_LIBADD = -am_libcommon_a_OBJECTS = sockbuf.$(OBJEXT) buffer.$(OBJEXT) -libcommon_a_OBJECTS = $(am_libcommon_a_OBJECTS) - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libcommon_a_SOURCES) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(libcommon_a_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/ftp/common/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -AR = ar - -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) -libcommon.a: $(libcommon_a_OBJECTS) $(libcommon_a_DEPENDENCIES) - -rm -f 
libcommon.a - $(libcommon_a_AR) libcommon.a $(libcommon_a_OBJECTS) $(libcommon_a_LIBADD) - $(RANLIB) libcommon.a - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LIBRARIES) all-local - -installdirs: - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool clean-noinstLIBRARIES distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) 
$$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile b/crypto/heimdal/appl/ftp/ftp/Makefile deleted file mode 100644 index 8646d33b045f..000000000000 --- a/crypto/heimdal/appl/ftp/ftp/Makefile +++ /dev/null 
@@ -1,678 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/ftp/ftp/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.15 2001/08/28 08:31:21 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - 
-NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = ftp - -CHECK_LOCAL = - -#krb4_sources = krb4.c kauth.c -krb5_sources = gssapi.c - -ftp_SOURCES = \ - cmds.c \ - cmdtab.c \ - extern.h \ - ftp.c \ - ftp_locl.h \ - ftp_var.h \ - main.c \ - pathnames.h \ - ruserpass.c \ - domacro.c \ - globals.c \ - security.c \ - security.h \ - $(krb4_sources) \ - $(krb5_sources) - - -EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c - -man_MANS = ftp.1 - -LDADD = \ - ../common/libcommon.a \ - $(LIB_gssapi) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_readline) - -subdir = appl/ftp/ftp -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = ftp$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -#am__objects_1 = krb4.$(OBJEXT) kauth.$(OBJEXT) -am__objects_2 = gssapi.$(OBJEXT) -am_ftp_OBJECTS = cmds.$(OBJEXT) cmdtab.$(OBJEXT) ftp.$(OBJEXT) \ - main.$(OBJEXT) ruserpass.$(OBJEXT) domacro.$(OBJEXT) \ - globals.$(OBJEXT) security.$(OBJEXT) $(am__objects_1) \ - $(am__objects_2) -ftp_OBJECTS = $(am_ftp_OBJECTS) -ftp_LDADD = $(LDADD) -ftp_DEPENDENCIES = ../common/libcommon.a \ - $(top_builddir)/lib/gssapi/libgssapi.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#ftp_DEPENDENCIES = ../common/libcommon.a -ftp_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/ftp/ftp/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - 
@list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -ftp$(EXEEXT): $(ftp_OBJECTS) $(ftp_DEPENDENCIES) - @rm -f ftp$(EXEEXT) - $(LINK) $(ftp_LDFLAGS) $(ftp_OBJECTS) $(ftp_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f 
$(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - 
f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.cat1 b/crypto/heimdal/appl/ftp/ftp/ftp.cat1 deleted file mode 100644 index 83323cc8748e..000000000000 --- a/crypto/heimdal/appl/ftp/ftp/ftp.cat1 +++ /dev/null 
@@ -1,644 +0,0 @@ -FTP(1) NetBSD Reference Manual FTP(1) - -NNAAMMEE - ffttpp - ARPANET file transfer program - -SSYYNNOOPPSSIISS - ffttpp [--tt] [--vv] [--dd] [--ii] [--nn] [--gg] [--pp] [--ll] [_h_o_s_t] - -DDEESSCCRRIIPPTTIIOONN - FFttpp is the user interface to the ARPANET standard File Transfer Protocol. - The program allows a user to transfer files to and from a remote network - site. - - Modifications has been made so that it almost follows the ftpsec Internet - draft. - - Options may be specified at the command line, or to the command inter- - preter. - - --tt Enables packet tracing. - - --vv Verbose option forces ffttpp to show all responses from the remote - server, as well as report on data transfer statistics. - - --nn Restrains ffttpp from attempting ``auto-login'' upon initial connec- - tion. If auto-login is enabled, ffttpp will check the _._n_e_t_r_c (see be- - low) file in the user's home directory for an entry describing an - account on the remote machine. If no entry exists, ffttpp will prompt - for the remote machine login name (default is the user identity on - the local machine), and, if necessary, prompt for a password and an - account with which to login. - - --ii Turns off interactive prompting during multiple file transfers. - - --pp Turn on passive mode. - - --dd Enables debugging. - - --gg Disables file name globbing. - - --ll Disables command line editing. - - The client host with which ffttpp is to communicate may be specified on the - command line. If this is done, ffttpp will immediately attempt to establish - a connection to an FTP server on that host; otherwise, ffttpp will enter its - command interpreter and await instructions from the user. When ffttpp is - awaiting commands from the user the prompt `ftp>' is provided to the us- - er. The following commands are recognized by ffttpp: - - !! [_c_o_m_m_a_n_d [_a_r_g_s]] - Invoke an interactive shell on the local machine. 
If there - are arguments, the first is taken to be a command to execute - directly, with the rest of the arguments as its arguments. - - $$ _m_a_c_r_o_-_n_a_m_e [_a_r_g_s] - Execute the macro _m_a_c_r_o_-_n_a_m_e that was defined with the mmaaccddeeff - command. Arguments are passed to the macro unglobbed. - - aaccccoouunntt [_p_a_s_s_w_d] - Supply a supplemental password required by a remote system - for access to resources once a login has been successfully - completed. If no argument is included, the user will be - prompted for an account password in a non-echoing input mode. - - aappppeenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e] - Append a local file to a file on the remote machine. If - _r_e_m_o_t_e_-_f_i_l_e is left unspecified, the local file name is used - in naming the remote file after being altered by any nnttrraannss - or nnmmaapp setting. File transfer uses the current settings for - ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree. - - aasscciiii Set the file transfer ttyyppee to network ASCII. This is the de- - fault type. - - bbeellll Arrange that a bell be sounded after each file transfer com- - mand is completed. - - bbiinnaarryy Set the file transfer ttyyppee to support binary image transfer. - - bbyyee Terminate the FTP session with the remote server and exit - ffttpp. An end of file will also terminate the session and ex- - it. - - ccaassee Toggle remote computer file name case mapping during mmggeett - commands. When ccaassee is on (default is off), remote computer - file names with all letters in upper case are written in the - local directory with the letters mapped to lower case. - - ccdd _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y - Change the working directory on the remote machine to _r_e_m_o_t_e_- - _d_i_r_e_c_t_o_r_y. - - ccdduupp Change the remote machine working directory to the parent of - the current remote machine working directory. 
- - cchhmmoodd _m_o_d_e _f_i_l_e_-_n_a_m_e - Change the permission modes of the file _f_i_l_e_-_n_a_m_e on the re- - mote sytem to _m_o_d_e. - - cclloossee Terminate the FTP session with the remote server, and return - to the command interpreter. Any defined macros are erased. - - ccrr Toggle carriage return stripping during ascii type file re- - trieval. Records are denoted by a carriage return/linefeed - sequence during ascii type file transfer. When ccrr is on (the - default), carriage returns are stripped from this sequence to - conform with the UNIX single linefeed record delimiter. - Records on non-UNIX remote systems may contain single line- - feeds; when an ascii type transfer is made, these linefeeds - may be distinguished from a record delimiter only when ccrr is - off. - - ddeelleettee _r_e_m_o_t_e_-_f_i_l_e - Delete the file _r_e_m_o_t_e_-_f_i_l_e on the remote machine. - - ddeebbuugg [_d_e_b_u_g_-_v_a_l_u_e] - Toggle debugging mode. If an optional _d_e_b_u_g_-_v_a_l_u_e is speci- - fied it is used to set the debugging level. When debugging - is on, ffttpp prints each command sent to the remote machine, - preceded by the string `-->' - - ddiirr [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e] - Print a listing of the directory contents in the directory, - _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y, and, optionally, placing the output in - _l_o_c_a_l_-_f_i_l_e. If interactive prompting is on, ffttpp will prompt - the user to verify that the last argument is indeed the tar- - get local file for receiving ddiirr output. If no directory is - specified, the current working directory on the remote ma- - chine is used. If no local file is specified, or _l_o_c_a_l_-_f_i_l_e - is --, output comes to the terminal. - - ddiissccoonnnneecctt A synonym for _c_l_o_s_e. - - ffoorrmm _f_o_r_m_a_t - Set the file transfer ffoorrmm to _f_o_r_m_a_t. The default format is - ``file''. 
- - ggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e] - Retrieve the _r_e_m_o_t_e_-_f_i_l_e and store it on the local machine. - If the local file name is not specified, it is given the same - name it has on the remote machine, subject to alteration by - the current ccaassee, nnttrraannss, and nnmmaapp settings. The current - settings for ttyyppee, ffoorrmm, mmooddee, and ssttrruuccttuurree are used while - transferring the file. - - gglloobb Toggle filename expansion for mmddeelleettee, mmggeett and mmppuutt. If - globbing is turned off with gglloobb, the file name arguments are - taken literally and not expanded. Globbing for mmppuutt is done - as in csh(1). For mmddeelleettee and mmggeett, each remote file name is - expanded separately on the remote machine and the lists are - not merged. Expansion of a directory name is likely to be - different from expansion of the name of an ordinary file: the - exact result depends on the foreign operating system and ftp - server, and can be previewed by doing `mls remote-files -'. - As a security measure, remotely globbed files that starts - with `/' or contains `../', will not be automatically re- - ceived. If you have interactive prompting turned off, these - filenames will be ignored. Note: mmggeett and mmppuutt are not meant - to transfer entire directory subtrees of files. That can be - done by transferring a tar(1) archive of the subtree (in bi- - nary mode). - - hhaasshh Toggle hash-sign (``#'') printing for each data block trans- - ferred. The size of a data block is 1024 bytes. - - hheellpp [_c_o_m_m_a_n_d] - Print an informative message about the meaning of _c_o_m_m_a_n_d. - If no argument is given, ffttpp prints a list of the known com- - mands. - - iiddllee [_s_e_c_o_n_d_s] - Set the inactivity timer on the remote server to _s_e_c_o_n_d_s sec- - onds. If _s_e_c_o_n_d_s is omitted, the current inactivity timer is - printed. - - llccdd [_d_i_r_e_c_t_o_r_y] - Change the working directory on the local machine. 
If no - _d_i_r_e_c_t_o_r_y is specified, the user's home directory is used. - - llss [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e] - Print a listing of the contents of a directory on the remote - machine. The listing includes any system-dependent informa- - tion that the server chooses to include; for example, most - UNIX systems will produce output from the command `ls -l'. - (See also nnlliisstt.) If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, - the current working directory is used. If interactive - prompting is on, ffttpp will prompt the user to verify that the - last argument is indeed the target local file for receiving - llss output. If no local file is specified, or if _l_o_c_a_l_-_f_i_l_e - is `--', the output is sent to the terminal. - - mmaaccddeeff _m_a_c_r_o_-_n_a_m_e - Define a macro. Subsequent lines are stored as the macro - _m_a_c_r_o_-_n_a_m_e; a null line (consecutive newline characters in a - file or carriage returns from the terminal) terminates macro - input mode. There is a limit of 16 macros and 4096 total - characters in all defined macros. Macros remain defined un- - til a cclloossee command is executed. The macro processor inter- - prets `$' and `\' as special characters. A `$' followed by a - number (or numbers) is replaced by the corresponding argument - on the macro invocation command line. A `$' followed by an - `i' signals that macro processor that the executing macro is - to be looped. On the first pass `$i' is replaced by the - first argument on the macro invocation command line, on the - second pass it is replaced by the second argument, and so on. - A `\' followed by any character is replaced by that charac- - ter. Use the `\' to prevent special treatment of the `$'. - - mmddeelleettee [_r_e_m_o_t_e_-_f_i_l_e_s] - Delete the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine. - - mmddiirr _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e - Like ddiirr, except multiple remote files may be specified. 
If - interactive prompting is on, ffttpp will prompt the user to ver- - ify that the last argument is indeed the target local file - for receiving mmddiirr output. - - mmggeett _r_e_m_o_t_e_-_f_i_l_e_s - Expand the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine and do a ggeett - for each file name thus produced. See gglloobb for details on - the filename expansion. Resulting file names will then be - processed according to ccaassee, nnttrraannss, and nnmmaapp settings. - Files are transferred into the local working directory, which - can be changed with `lcd directory'; new local directories - can be created with `! mkdir directory'. - - mmkkddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e - Make a directory on the remote machine. - - mmllss _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e - Like nnlliisstt, except multiple remote files may be specified, - and the _l_o_c_a_l_-_f_i_l_e must be specified. If interactive prompt- - ing is on, ffttpp will prompt the user to verify that the last - argument is indeed the target local file for receiving mmllss - output. - - mmooddee [_m_o_d_e_-_n_a_m_e] - Set the file transfer mmooddee to _m_o_d_e_-_n_a_m_e. The default mode is - ``stream'' mode. - - mmooddttiimmee _f_i_l_e_-_n_a_m_e - Show the last modification time of the file on the remote ma- - chine. - - mmppuutt _l_o_c_a_l_-_f_i_l_e_s - Expand wild cards in the list of local files given as argu- - ments and do a ppuutt for each file in the resulting list. See - gglloobb for details of filename expansion. Resulting file names - will then be processed according to nnttrraannss and nnmmaapp settings. - - nneewweerr _f_i_l_e_-_n_a_m_e - Get the file only if the modification time of the remote file - is more recent that the file on the current system. If the - file does not exist on the current system, the remote file is - considered nneewweerr. Otherwise, this command is identical to - _g_e_t. 
- - nnlliisstt [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e] - Print a list of the files in a directory on the remote ma- - chine. If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, the current - working directory is used. If interactive prompting is on, - ffttpp will prompt the user to verify that the last argument is - indeed the target local file for receiving nnlliisstt output. If - no local file is specified, or if _l_o_c_a_l_-_f_i_l_e is --, the output - is sent to the terminal. - - nnmmaapp [_i_n_p_a_t_t_e_r_n _o_u_t_p_a_t_t_e_r_n] - Set or unset the filename mapping mechanism. If no arguments - are specified, the filename mapping mechanism is unset. If - arguments are specified, remote filenames are mapped during - mmppuutt commands and ppuutt commands issued without a specified re- - mote target filename. If arguments are specified, local - filenames are mapped during mmggeett commands and ggeett commands - issued without a specified local target filename. This com- - mand is useful when connecting to a non-UNIX remote computer - with different file naming conventions or practices. The - mapping follows the pattern set by _i_n_p_a_t_t_e_r_n and _o_u_t_p_a_t_t_e_r_n. - [_I_n_p_a_t_t_e_r_n] is a template for incoming filenames (which may - have already been processed according to the nnttrraannss and ccaassee - settings). Variable templating is accomplished by including - the sequences `$1', `$2', ..., `$9' in _i_n_p_a_t_t_e_r_n. Use `\' to - prevent this special treatment of the `$' character. All - other characters are treated literally, and are used to de- - termine the nnmmaapp [_i_n_p_a_t_t_e_r_n] variable values. For example, - given _i_n_p_a_t_t_e_r_n $1.$2 and the remote file name "mydata.data", - $1 would have the value "mydata", and $2 would have the value - "data". The _o_u_t_p_a_t_t_e_r_n determines the resulting mapped file- - name. 
The sequences `$1', `$2', ...., `$9' are replaced by - any value resulting from the _i_n_p_a_t_t_e_r_n template. The se- - quence `$0' is replace by the original filename. Additional- - ly, the sequence `[_s_e_q_1, _s_e_q_2]' is replaced by [_s_e_q_1] if _s_e_q_1 - is not a null string; otherwise it is replaced by _s_e_q_2. For - example, the command - - nmap $1.$2.$3 [$1,$2].[$2,file] - - would yield the output filename "myfile.data" for input file- - names "myfile.data" and "myfile.data.old", "myfile.file" for - the input filename "myfile", and "myfile.myfile" for the in- - put filename ".myfile". Spaces may be included in - _o_u_t_p_a_t_t_e_r_n, as in the example: `nmap $1 sed "s/ *$//" > $1' - . Use the `\' character to prevent special treatment of the - `$','[','[', and `,' characters. - - nnttrraannss [_i_n_c_h_a_r_s [_o_u_t_c_h_a_r_s]] - Set or unset the filename character translation mechanism. - If no arguments are specified, the filename character trans- - lation mechanism is unset. If arguments are specified, char- - acters in remote filenames are translated during mmppuutt com- - mands and ppuutt commands issued without a specified remote tar- - get filename. If arguments are specified, characters in lo- - cal filenames are translated during mmggeett commands and ggeett - commands issued without a specified local target filename. - This command is useful when connecting to a non-UNIX remote - computer with different file naming conventions or practices. - Characters in a filename matching a character in _i_n_c_h_a_r_s are - replaced with the corresponding character in _o_u_t_c_h_a_r_s. If - the character's position in _i_n_c_h_a_r_s is longer than the length - of _o_u_t_c_h_a_r_s, the character is deleted from the file name. - - ooppeenn _h_o_s_t [_p_o_r_t] - Establish a connection to the specified _h_o_s_t FTP server. An - optional port number may be supplied, in which case, ffttpp will - attempt to contact an FTP server at that port. 
If the aauuttoo-- - llooggiinn option is on (default), ffttpp will also attempt to auto- - matically log the user in to the FTP server (see below). - - ppaassssiivvee Toggle passive mode. If passive mode is turned on (default - is off), the ftp client will send a PASV command for all data - connections instead of the usual PORT command. The PASV com- - mand requests that the remote server open a port for the data - connection and return the address of that port. The remote - server listens on that port and the client connects to it. - When using the more traditional PORT command, the client lis- - tens on a port and sends that address to the remote server, - who connects back to it. Passive mode is useful when using - ffttpp through a gateway router or host that controls the direc- - tionality of traffic. (Note that though ftp servers are re- - quired to support the PASV command by RFC 1123, some do not.) - - pprroommpptt Toggle interactive prompting. Interactive prompting occurs - during multiple file transfers to allow the user to selec- - tively retrieve or store files. If prompting is turned off - (default is on), any mmggeett or mmppuutt will transfer all files, - and any mmddeelleettee will delete all files. - - pprrooxxyy _f_t_p_-_c_o_m_m_a_n_d - Execute an ftp command on a secondary control connection. - This command allows simultaneous connection to two remote ftp - servers for transferring files between the two servers. The - first pprrooxxyy command should be an ooppeenn, to establish the sec- - ondary control connection. Enter the command "proxy ?" to - see other ftp commands executable on the secondary connec- - tion. 
The following commands behave differently when pref- - aced by pprrooxxyy: ooppeenn will not define new macros during the au- - to-login process, cclloossee will not erase existing macro defini- - tions, ggeett and mmggeett transfer files from the host on the pri- - mary control connection to the host on the secondary control - connection, and ppuutt, mmppuutt, and aappppeenndd transfer files from the - host on the secondary control connection to the host on the - primary control connection. Third party file transfers de- - pend upon support of the ftp protocol PASV command by the - server on the secondary control connection. - - ppuutt _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e] - Store a local file on the remote machine. If _r_e_m_o_t_e_-_f_i_l_e is - left unspecified, the local file name is used after process- - ing according to any nnttrraannss or nnmmaapp settings in naming the - remote file. File transfer uses the current settings for - ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree. - - ppwwdd Print the name of the current working directory on the remote - machine. - - qquuiitt A synonym for bbyyee. - - qquuoottee _a_r_g_1 _a_r_g_2 _._._. - The arguments specified are sent, verbatim, to the remote FTP - server. - - rreeccvv _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e] - A synonym for get. - - rreeggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e] - Reget acts like get, except that if _l_o_c_a_l_-_f_i_l_e exists and is - smaller than _r_e_m_o_t_e_-_f_i_l_e, _l_o_c_a_l_-_f_i_l_e is presumed to be a par- - tially transferred copy of _r_e_m_o_t_e_-_f_i_l_e and the transfer is - continued from the apparent point of failure. This command - is useful when transferring very large files over networks - that are prone to dropping connections. - - rreemmootteehheellpp [_c_o_m_m_a_n_d_-_n_a_m_e] - Request help from the remote FTP server. If a _c_o_m_m_a_n_d_-_n_a_m_e - is specified it is supplied to the server as well. 
- - rreemmootteessttaattuuss [_f_i_l_e_-_n_a_m_e] - With no arguments, show status of remote machine. If _f_i_l_e_- - _n_a_m_e is specified, show status of _f_i_l_e_-_n_a_m_e on remote ma- - chine. - - rreennaammee [_f_r_o_m] [_t_o] - Rename the file _f_r_o_m on the remote machine, to the file _t_o. - - rreesseett Clear reply queue. This command re-synchronizes command/re- - ply sequencing with the remote ftp server. Resynchronization - may be necessary following a violation of the ftp protocol by - the remote server. - - rreessttaarrtt _m_a_r_k_e_r - Restart the immediately following ggeett or ppuutt at the indicated - _m_a_r_k_e_r. On UNIX systems, marker is usually a byte offset in- - to the file. - - rrmmddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e - Delete a directory on the remote machine. - - rruunniiqquuee Toggle storing of files on the local system with unique file- - names. If a file already exists with a name equal to the - target local filename for a ggeett or mmggeett command, a ".1" is - appended to the name. If the resulting name matches another - existing file, a ".2" is appended to the original name. If - this process continues up to ".99", an error message is - printed, and the transfer does not take place. The generated - unique filename will be reported. Note that rruunniiqquuee will not - affect local files generated from a shell command (see be- - low). The default value is off. - - sseenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e] - A synonym for put. - - sseennddppoorrtt Toggle the use of PORT commands. By default, ffttpp will at- - tempt to use a PORT command when establishing a connection - for each data transfer. The use of PORT commands can prevent - delays when performing multiple file transfers. If the PORT - command fails, ffttpp will use the default data port. When the - use of PORT commands is disabled, no attempt will be made to - use PORT commands for each data transfer. 
This is useful for - certain FTP implementations which do ignore PORT commands - but, incorrectly, indicate they've been accepted. - - ssiittee _a_r_g_1 _a_r_g_2 _._._. - The arguments specified are sent, verbatim, to the remote FTP - server as a SITE command. - - ssiizzee _f_i_l_e_-_n_a_m_e - Return size of _f_i_l_e_-_n_a_m_e on remote machine. - - ssttaattuuss Show the current status of ffttpp. - - ssttrruucctt [_s_t_r_u_c_t_-_n_a_m_e] - Set the file transfer _s_t_r_u_c_t_u_r_e to _s_t_r_u_c_t_-_n_a_m_e. By default - ``stream'' structure is used. - - ssuunniiqquuee Toggle storing of files on remote machine under unique file - names. Remote ftp server must support ftp protocol STOU com- - mand for successful completion. The remote server will re- - port unique name. Default value is off. - - ssyysstteemm Show the type of operating system running on the remote ma- - chine. - - tteenneexx Set the file transfer type to that needed to talk to TENEX - machines. - - ttrraaccee Toggle packet tracing. - - ttyyppee [_t_y_p_e_-_n_a_m_e] - Set the file transfer ttyyppee to _t_y_p_e_-_n_a_m_e. If no type is spec- - ified, the current type is printed. The default type is net- - work ASCII. - - uummaasskk [_n_e_w_m_a_s_k] - Set the default umask on the remote server to _n_e_w_m_a_s_k. If - _n_e_w_m_a_s_k is omitted, the current umask is printed. - - uusseerr _u_s_e_r_-_n_a_m_e [_p_a_s_s_w_o_r_d] [_a_c_c_o_u_n_t] - Identify yourself to the remote FTP server. If the _p_a_s_s_w_o_r_d - is not specified and the server requires it, ffttpp will prompt - the user for it (after disabling local echo). If an _a_c_c_o_u_n_t - field is not specified, and the FTP server requires it, the - user will be prompted for it. If an _a_c_c_o_u_n_t field is speci- - fied, an account command will be relayed to the remote server - after the login sequence is completed if the remote server - did not require it for logging in. 
Unless ffttpp is invoked - with ``auto-login'' disabled, this process is done automati- - cally on initial connection to the FTP server. - - vveerrbboossee Toggle verbose mode. In verbose mode, all responses from the - FTP server are displayed to the user. In addition, if ver- - bose is on, when a file transfer completes, statistics re- - garding the efficiency of the transfer are reported. By de- - fault, verbose is on. - - ?? [_c_o_m_m_a_n_d] - A synonym for help. - - The following command can be used with ftpsec-aware servers. - - pprroott _c_l_e_a_r | _s_a_f_e | _c_o_n_f_i_d_e_n_t_i_a_l | _p_r_i_v_a_t_e - Set the data protection level to the requested level. - - The following command can be used with ftp servers that has implemented - the KAUTH site command. - - kkaauutthh [_p_r_i_n_c_i_p_a_l] - Obtain remote tickets. - - Command arguments which have embedded spaces may be quoted with quote `"' - marks. - -AABBOORRTTIINNGG AA FFIILLEE TTRRAANNSSFFEERR - To abort a file transfer, use the terminal interrupt key (usually Ctrl- - C). Sending transfers will be immediately halted. Receiving transfers - will be halted by sending a ftp protocol ABOR command to the remote serv- - er, and discarding any further data received. The speed at which this is - accomplished depends upon the remote server's support for ABOR process- - ing. If the remote server does not support the ABOR command, an `ftp>' - prompt will not appear until the remote server has completed sending the - requested file. - - The terminal interrupt key sequence will be ignored when ffttpp has complet- - ed any local processing and is awaiting a reply from the remote server. - A long delay in this mode may result from the ABOR processing described - above, or from unexpected behavior by the remote server, including viola- - tions of the ftp protocol. If the delay results from unexpected remote - server behavior, the local ffttpp program must be killed by hand. 
- -FFIILLEE NNAAMMIINNGG CCOONNVVEENNTTIIOONNSS - Files specified as arguments to ffttpp commands are processed according to - the following rules. - - 1. If the file name `--' is specified, the _s_t_d_i_n (for reading) or _s_t_d_o_u_t - (for writing) is used. - - 2. If the first character of the file name is `|', the remainder of the - argument is interpreted as a shell command. FFttpp then forks a shell, - using popen(3) with the argument supplied, and reads (writes) from - the stdout (stdin). If the shell command includes spaces, the argu- - ment must be quoted; e.g. ``" ls -lt"''. A particularly useful ex- - ample of this mechanism is: ``dir more''. - - 3. Failing the above checks, if ``globbing'' is enabled, local file - names are expanded according to the rules used in the csh(1); c.f. - the gglloobb command. If the ffttpp command expects a single local file - (.e.g. ppuutt), only the first filename generated by the "globbing" - operation is used. - - 4. For mmggeett commands and ggeett commands with unspecified local file - names, the local filename is the remote filename, which may be al- - tered by a ccaassee, nnttrraannss, or nnmmaapp setting. The resulting filename - may then be altered if rruunniiqquuee is on. - - 5. For mmppuutt commands and ppuutt commands with unspecified remote file - names, the remote filename is the local filename, which may be al- - tered by a nnttrraannss or nnmmaapp setting. The resulting filename may then - be altered by the remote server if ssuunniiqquuee is on. - -FFIILLEE TTRRAANNSSFFEERR PPAARRAAMMEETTEERRSS - The FTP specification specifies many parameters which may affect a file - transfer. The ttyyppee may be one of ``ascii'', ``image'' (binary), - ``ebcdic'', and ``local byte size'' (for PDP-10's and PDP-20's mostly). - FFttpp supports the ascii and image types of file transfer, plus local byte - size 8 for tteenneexx mode transfers. 
- - FFttpp supports only the default values for the remaining file transfer pa- - rameters: mmooddee, ffoorrmm, and ssttrruucctt. - -TTHHEE ..nneettrrcc FFIILLEE - The _._n_e_t_r_c file contains login and initialization information used by the - auto-login process. It resides in the user's home directory. The fol- - lowing tokens are recognized; they may be separated by spaces, tabs, or - new-lines: - - mmaacchhiinnee _n_a_m_e - Identify a remote machine _n_a_m_e. The auto-login process search- - es the _._n_e_t_r_c file for a mmaacchhiinnee token that matches the remote - machine specified on the ffttpp command line or as an ooppeenn command - argument. Once a match is made, the subsequent _._n_e_t_r_c tokens - are processed, stopping when the end of file is reached or an- - other mmaacchhiinnee or a ddeeffaauulltt token is encountered. - - ddeeffaauulltt This is the same as mmaacchhiinnee _n_a_m_e except that ddeeffaauulltt matches - any name. There can be only one ddeeffaauulltt token, and it must be - after all mmaacchhiinnee tokens. This is normally used as: - - default login anonymous password user@site - - thereby giving the user _a_u_t_o_m_a_t_i_c anonymous ftp login to ma- - chines not specified in _._n_e_t_r_c. This can be overridden by us- - ing the --nn flag to disable auto-login. - - llooggiinn _n_a_m_e - Identify a user on the remote machine. If this token is pre- - sent, the auto-login process will initiate a login using the - specified _n_a_m_e. - - ppaasssswwoorrdd _s_t_r_i_n_g - Supply a password. If this token is present, the auto-login - process will supply the specified string if the remote server - requires a password as part of the login process. Note that if - this token is present in the _._n_e_t_r_c file for any user other - than _a_n_o_n_y_m_o_u_s, ffttpp will abort the auto-login process if the - _._n_e_t_r_c is readable by anyone besides the user. - - aaccccoouunntt _s_t_r_i_n_g - Supply an additional account password. 
If this token is pre- - sent, the auto-login process will supply the specified string - if the remote server requires an additional account password, - or the auto-login process will initiate an ACCT command if it - does not. - - mmaaccddeeff _n_a_m_e - Define a macro. This token functions like the ffttpp mmaaccddeeff com- - mand functions. A macro is defined with the specified name; - its contents begin with the next _._n_e_t_r_c line and continue until - a null line (consecutive new-line characters) is encountered. - If a macro named iinniitt is defined, it is automatically executed - as the last step in the auto-login process. - -EENNVVIIRROONNMMEENNTT - FFttpp utilizes the following environment variables. - - HOME For default location of a _._n_e_t_r_c file, if one exists. - - SHELL For default shell. - -SSEEEE AALLSSOO - ftpd(8) - - _R_F_C_2_2_2_8. - -HHIISSTTOORRYY - The ffttpp command appeared in 4.2BSD. - -BBUUGGSS - Correct execution of many commands depends upon proper behavior by the - remote server. - - An error in the treatment of carriage returns in the 4.2BSD ascii-mode - transfer code has been corrected. This correction may result in incor- - rect transfers of binary files to and from 4.2BSD servers using the ascii - type. Avoid this problem by using the binary image type. - -4.2 Berkeley Distribution April 27, 1996 10 diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile b/crypto/heimdal/appl/ftp/ftpd/Makefile deleted file mode 100644 index 755bca04022d..000000000000 --- a/crypto/heimdal/appl/ftp/ftpd/Makefile +++ /dev/null 
@@ -1,762 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/ftp/ftpd/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.26 2001/09/06 12:18:34 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -libexec_PROGRAMS = ftpd - -CHECK_LOCAL = - -#krb4_sources = krb4.c kauth.c -krb5_sources = gssapi.c gss_userok.c - -ftpd_SOURCES = \ - extern.h \ - ftpcmd.y \ - ftpd.c \ - ftpd_locl.h \ - logwtmp.c \ - ls.c \ - pathnames.h \ - popen.c \ - security.c \ - $(krb4_sources) \ - $(krb5_sources) - - -EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c - -CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c - -man_MANS = ftpd.8 ftpusers.5 - -LDADD = ../common/libcommon.a \ - $(LIB_otp) \ - $(LIB_gssapi) \ - $(LIB_krb5) \ - $(LIB_kafs) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) - -subdir = appl/ftp/ftpd -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -libexec_PROGRAMS = ftpd$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) - -#am__objects_1 = krb4.$(OBJEXT) kauth.$(OBJEXT) -am__objects_2 = gssapi.$(OBJEXT) gss_userok.$(OBJEXT) -am_ftpd_OBJECTS = ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) logwtmp.$(OBJEXT) \ - ls.$(OBJEXT) popen.$(OBJEXT) security.$(OBJEXT) \ - $(am__objects_1) $(am__objects_2) -ftpd_OBJECTS = $(am_ftpd_OBJECTS) -ftpd_LDADD = $(LDADD) -ftpd_DEPENDENCIES = ../common/libcommon.a \ - $(top_builddir)/lib/gssapi/libgssapi.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#ftpd_DEPENDENCIES = ../common/libcommon.a -#ftpd_DEPENDENCIES = ../common/libcommon.a \ -# $(top_builddir)/lib/gssapi/libgssapi.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la \ -# $(top_builddir)/lib/kafs/libkafs.la -##ftpd_DEPENDENCIES = ../common/libcommon.a \ -## $(top_builddir)/lib/kafs/libkafs.la -ftpd_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS) -DIST_SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in ftpcmd.c -SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj .y -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/ftp/ftpd/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 
's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -ftpd$(EXEEXT): $(ftpd_OBJECTS) $(ftpd_DEPENDENCIES) - @rm -f ftpd$(EXEEXT) - $(LINK) $(ftpd_LDFLAGS) $(ftpd_OBJECTS) $(ftpd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -.y.c: - $(YACCCOMPILE) `test -f '$<' || echo '$(srcdir)/'`$< - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@ - rm -f y.tab.c - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man5dir = $(mandir)/man5 -install-man5: $(man5_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man5dir) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst 
| sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \ - done -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \ - rm -f $(DESTDIR)$(man5dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - 
inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man5dir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
- -test -z "ftpcmd.c" || rm -f ftpcmd.c -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man5 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man5 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man5 install-man8 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man5 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(ftpd_OBJECTS): security.h - -security.c: - @test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c . -security.h: - @test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h . -krb4.c: - @test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c . -gssapi.c: - @test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8 deleted file mode 100644 index 4951f6a564b1..000000000000 --- a/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8 +++ /dev/null 
@@ -1,297 +0,0 @@ -FTPD(8) NetBSD System Manager's Manual FTPD(8) - -NNAAMMEE - ffttppdd - Internet File Transfer Protocol server - -SSYYNNOOPPSSIISS - ffttppdd [--aa _a_u_t_h_m_o_d_e] [--ddiillvvUU] [--gg _u_m_a_s_k] [--pp _p_o_r_t] [--TT _m_a_x_t_i_m_e_o_u_t] [--tt - _t_i_m_e_o_u_t] [--uu _d_e_f_a_u_l_t _u_m_a_s_k] [--BB | ----bbuuiillttiinn--llss] [----ggoooodd--cchhaarrss==_s_t_r_i_n_g] - -DDEESSCCRRIIPPTTIIOONN - FFttppdd is the Internet File Transfer Protocol server process. The server - uses the TCP protocol and listens at the port specified in the ``ftp'' - service specification; see services(5). - - Available options: - - --aa Select the level of authentication required. Kerberised login - can not be turned off. The default is to only allow kerberised - login. Other possibilities can be turned on by giving a string - of comma separated flags as argument to --aa. Recognised flags are: - - _p_l_a_i_n Allow logging in with plaintext password. The password can - be a(n) OTP or an ordinary password. - - _o_t_p Same as _p_l_a_i_n, but only OTP is allowed. - - _f_t_p Allow anonymous login. - - The following combination modes exists for backwards compatibili- - ty: - - _n_o_n_e Same as _p_l_a_i_n_,_f_t_p. - - _s_a_f_e Same as _f_t_p. - - _u_s_e_r Ignored. - - --dd Debugging information is written to the syslog using LOG_FTP. - - --gg Anonymous users will get a umask of _u_m_a_s_k. - - --ii Open a socket and wait for a connection. This is mainly used for - debugging when ftpd isn't started by inetd. - - --ll Each successful and failed ftp(1) session is logged using syslog - with a facility of LOG_FTP. If this option is specified twice, - the retrieve (get), store (put), append, delete, make directory, - remove directory and rename operations and their filename argu- - ments are also logged. - - --pp Use _p_o_r_t (a service name or number) instead of the default - _f_t_p_/_t_c_p. 
- - --TT A client may also request a different timeout period; the maximum - period allowed may be set to _t_i_m_e_o_u_t seconds with the --TT option. - The default limit is 2 hours. - - --tt The inactivity timeout period is set to _t_i_m_e_o_u_t seconds (the de- - fault is 15 minutes). - - --uu Set the initial umask to something else than the default 027. - - --UU In previous versions of ffttppdd, when a passive mode client request- - ed a data connection to the server, the server would use data - ports in the range 1024..4999. Now, by default, if the system - supports the IP_PORTRANGE socket option, the server will use data - ports in the range 49152..65535. Specifying this option will re- - vert to the old behavior. - - --vv Verbose mode. - - --BB, ----bbuuiillttiinn--llss - use built-in ls to list files - - ----ggoooodd--cchhaarrss==_s_t_r_i_n_g - allowed anonymous upload filename chars - - The file _/_e_t_c_/_n_o_l_o_g_i_n can be used to disable ftp access. If the file ex- - ists, ffttppdd displays it and exits. If the file _/_e_t_c_/_f_t_p_w_e_l_c_o_m_e exists, - ffttppdd prints it before issuing the ``ready'' message. If the file - _/_e_t_c_/_m_o_t_d exists, ffttppdd prints it after a successful login. - - The ftp server currently supports the following ftp requests. The case - of the requests is ignored. 
- - Request Description - ABOR abort previous command - ACCT specify account (ignored) - ALLO allocate storage (vacuously) - APPE append to a file - CDUP change to parent of current working directory - CWD change working directory - DELE delete a file - HELP give help information - LIST give list files in a directory (``ls -lgA'') - MKD make a directory - MDTM show last modification time of file - MODE specify data transfer _m_o_d_e - NLST give name list of files in directory - NOOP do nothing - PASS specify password - PASV prepare for server-to-server transfer - PORT specify data connection port - PWD print the current working directory - QUIT terminate session - REST restart incomplete transfer - RETR retrieve a file - RMD remove a directory - RNFR specify rename-from file name - RNTO specify rename-to file name - SITE non-standard commands (see next section) - SIZE return size of file - STAT return status of server - STOR store a file - STOU store a file with a unique name - STRU specify data transfer _s_t_r_u_c_t_u_r_e - SYST show operating system type of server system - TYPE specify data transfer _t_y_p_e - USER specify user name - XCUP change to parent of current working directory - (deprecated) - XCWD change working directory (deprecated) - XMKD make a directory (deprecated) - XPWD print the current working directory (deprecated) - XRMD remove a directory (deprecated) - - The following commands are specified by RFC2228. - - AUTH authentication/security mechanism - ADAT authentication/security data - PROT data channel protection level - PBSZ protection buffer size - MIC integrity protected command - CONF confidentiality protected command - ENC privacy protected command - CCC clear command channel - - The following non-standard or UNIX specific commands are supported by the - SITE request. - - UMASK change umask, (e.g. SSIITTEE UUMMAASSKK 000022) - IDLE set idle-timer, (e.g. SSIITTEE IIDDLLEE 6600) - CHMOD change mode of a file (e.g. 
SSIITTEE CCHHMMOODD 775555 ffiilleennaammee) - FIND quickly find a specific file with GNU locate(1). - HELP give help information. - - The following Kerberos related site commands are understood. - - KAUTH obtain remote tickets. - KLIST show remote tickets - - The remaining ftp requests specified in Internet RFC 959 are recognized, - but not implemented. MDTM and SIZE are not specified in RFC 959, but - will appear in the next updated FTP RFC. - - The ftp server will abort an active file transfer only when the ABOR com- - mand is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet - "Synch" signal in the command Telnet stream, as described in Internet RFC - 959. If a STAT command is received during a data transfer, preceded by a - Telnet IP and Synch, transfer status will be returned. - - FFttppdd interprets file names according to the ``globbing'' conventions used - by csh(1). This allows users to utilize the metacharacters ``*?[]{}~''. - - FFttppdd authenticates users according to these rules. - - 1. If Kerberos authentication is used, the user must pass valid - tickets and the principal must be allowed to login as the re- - mote user. - - 2. The login name must be in the password data base, and not have - a null password (if kerberos is used the password field is not - checked). In this case a password must be provided by the - client before any file operations may be performed. If the - user has an OTP key, the response from a successful USER com- - mand will include an OTP challenge. The client may choose to - respond with a PASS command giving either a standard password - or an OTP one-time password. The server will automatically de- - termine which type of password it has been given and attempt - to authenticate accordingly. See otp(1) for more information - on OTP authentication. - - 3. The login name must not appear in the file _/_e_t_c_/_f_t_p_u_s_e_r_s. - - 4. The user must have a standard shell returned by - getusershell(3). - - 5. 
If the user name appears in the file _/_e_t_c_/_f_t_p_c_h_r_o_o_t the ses- - sion's root will be changed to the user's login directory by - chroot(2) as for an ``anonymous'' or ``ftp'' account (see next - item). However, the user must still supply a password. This - feature is intended as a compromise between a fully anonymous - account and a fully privileged account. The account should - also be set up as for an anonymous account. - - 6. If the user name is ``anonymous'' or ``ftp'', an anonymous ftp - account must be present in the password file (user ``ftp''). - In this case the user is allowed to log in by specifying any - password (by convention an email address for the user should - be used as the password). - - In the last case, ffttppdd takes special measures to restrict the client's - access privileges. The server performs a chroot(2) to the home directory - of the ``ftp'' user. In order that system security is not breached, it - is recommended that the ``ftp'' subtree be constructed with care, consid- - er following these guidelines for anonymous ftp. - - In general all files should be owned by ``root'', and have non-write per- - missions (644 or 755 depending on the kind of file). No files should be - owned or writable by ``ftp'' (possibly with exception for the - _~_f_t_p_/_i_n_c_o_m_i_n_g, as specified below). - - _~_f_t_p The ``ftp'' homedirectory should be owned by root. - - _~_f_t_p_/_b_i_n The directory for external programs (such as ls(1)). - These programs must either be statically linked, or you - must setup an environment for dynamic linking when run- - ning chrooted. These programs will be used if present: - - ls Used when listing files. - - compress - When retrieving a filename that ends in _._Z, - and that file isn't present, ffttppdd will try - to find the filename without _._Z and com- - press it on the fly. - - gzip Same as compress, just with files ending in - _._g_z. 
- - gtar Enables retrieval of whole directories as - files ending in _._t_a_r. Can also be combined - with compression. You must use GNU Tar (or - some other that supports the --zz and --ZZ - flags). - - locate Will enable ``fast find'' with the SSIITTEE - FFIINNDD command. You must also create a - _l_o_c_a_t_e_d_b file in _~_f_t_p_/_e_t_c. - - _~_f_t_p_/_e_t_c If you put copies of the passwd(5) and group(5) files - here, ls will be able to produce owner names rather than - numbers. Remember to remove any passwords from these - files. - - The file _m_o_t_d, if present, will be printed after a suc- - cessful login. - - _~_f_t_p_/_d_e_v Put a copy of /dev/null(7) here. - - _~_f_t_p_/_p_u_b Traditional place to put whatever you want to make pub- - lic. - - If you want guests to be able to upload files, create a _~_f_t_p_/_i_n_c_o_m_i_n_g di- - rectory owned by ``root'', and group ``ftp'' with mode 730 (make sure - ``ftp'' is member of group ``ftp''). The following restrictions apply to - anonymous users: - - ++oo Directories created will have mode 700. - - ++oo Uploaded files will be created with an umask of 777, if not changed - with the --gg option. - - ++oo These command are not accessible: DDEELLEE, RRMMDD, RRNNTTOO, RRNNFFRR, SSIITTEE UUMMAASSKK, - and SSIITTEE CCHHMMOODD. - - ++oo Filenames must start with an alpha-numeric character, and consist of - alpha-numeric characters or any of the following: + (plus), - (mi- - nus), = (equal), _ (underscore), . (period), and , (comma). - -FFIILLEESS - /etc/ftpusers Access list for users. - /etc/ftpchroot List of normal users who should be chroot'd. - /etc/ftpwelcome Welcome notice. - /etc/motd Welcome notice after login. - /etc/nologin Displayed and access refused. - ~/.klogin Login access for Kerberos. - -SSEEEE AALLSSOO - ftp(1), otp(1), getusershell(3), ftpusers(5), syslogd(8) - -SSTTAANNDDAARRDDSS - RRFFCC 995599 FTP PROTOCOL SPECIFICATION - RRFFCC 11993388 OTP Specification - RRFFCC 22222288 FTP Security Extensions. 
- -BBUUGGSS - The server must run as the super-user to create sockets with privileged - port numbers. It maintains an effective user id of the logged in user, - reverting to the super-user only when binding addresses to sockets. The - possible security holes have been extensively scrutinized, but are possi- - bly incomplete. - -HHIISSTTOORRYY - The ffttppdd command appeared in 4.2BSD. - -4.2 Berkeley Distribution April 19, 1997 5 diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5 deleted file mode 100644 index 2957aee71641..000000000000 --- a/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5 +++ /dev/null @@ -1,26 +0,0 @@ -FTPUSERS(5) NetBSD Programmer's Manual FTPUSERS(5) - -NNAAMMEE - _/_e_t_c_/_f_t_p_u_s_e_r_s - FTP access list file - -DDEESSCCRRIIPPTTIIOONN - _/_e_t_c_/_f_t_p_u_s_e_r_s contains a list of users that should be allowed or denied - FTP access. Each line contains a user, optionally followed by ``allow'' - (anything but ``allow'' is ignored). The semi-user ``*'' matches any us- - er. Users that has an explicit ``allow'', or that does not match any - line, are allowed access. Anyone else is denied access. - - Note that this is compatible with the old format, where this file con- - tained a list of users that should be denied access. - -EEXXAAMMPPLLEESS - This will deny anyone but ``foo'' and ``bar'' to use FTP: - - foo allow - bar allow - * - -SSEEEE AALLSSOO - ftpd(8) - - KTH-KRB May 7, 1997 1 diff --git a/crypto/heimdal/appl/kauth/ChangeLog b/crypto/heimdal/appl/kauth/ChangeLog deleted file mode 100644 index ac0491fb1766..000000000000 --- a/crypto/heimdal/appl/kauth/ChangeLog +++ /dev/null 
@@ -1,39 +0,0 @@
-1999-12-06 Assar Westerlund
-
- * rkinit.c (doit_host): NAT work-around
- * kauthd.c (doit): type correctness
-
-1999-12-05 Assar Westerlund
-
- * kauthd.c: use getnameinfo instead of inaddr2str and inet_ntoa
-
-1999-08-31 Johan Danielsson
-
- * kauth.c: cleanup usage string; handle `kauth -h' gracefully
- (print usage); add `-a' flag to get the ticket address (useful for
- firewall configurations)
-
-Thu Apr 15 15:05:33 1999 Johan Danielsson
-
- * kauth.c: add `-v'
-
-Thu Mar 18 11:17:14 1999 Johan Danielsson
-
- * Makefile.am: include Makefile.am.common
-
-Sun Nov 22 10:30:47 1998 Assar Westerlund
-
- * Makefile.in (WFLAGS): set
-
-Tue May 26 17:41:47 1998 Johan Danielsson
-
- * kauth.c: use krb_enable_debug
-
-Fri May 1 07:15:18 1998 Assar Westerlund
-
- * rkinit.c: unifdef -DHAVE_H_ERRNO
-
-Thu Mar 19 16:07:18 1998 Johan Danielsson
-
- * kauth.c: Check for negative return value from krb_afslog().
-
diff --git a/crypto/heimdal/appl/kauth/Makefile.am b/crypto/heimdal/appl/kauth/Makefile.am
deleted file mode 100644
index a5bf0fdacac6..000000000000
--- a/crypto/heimdal/appl/kauth/Makefile.am
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id: Makefile.am,v 1.7 1999/04/09 18:22:45 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-bin_PROGRAMS = kauth
-bin_SCRIPTS = ksrvtgt
-libexec_PROGRAMS = kauthd
-
-EXTRA_DIST = zrefresh ksrvtgt.in
-
-kauth_SOURCES = \
- kauth.c \
- kauth.h \
- rkinit.c \
- marshall.c \
- encdata.c
-
-kauthd_SOURCES = \
- kauthd.c \
- kauth.h \
- marshall.c \
- encdata.c
-
-ksrvtgt: ksrvtgt.in
- sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@
- chmod +x $@
-
-install-exec-local:
- if test -f $(bindir)/zrefresh -o -r $(bindir)/zrefresh; then \
- true; \
- else \
- $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(bindir)/`echo zrefresh | sed '$(transform)'`; \
- fi
-
-LDADD = \
- $(LIB_kafs) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(top_builddir)/lib/des/libdes.la \
- $(LIB_roken)
diff --git a/crypto/heimdal/appl/kauth/Makefile.in b/crypto/heimdal/appl/kauth/Makefile.in deleted file mode 100644 index f9c005f68f34..000000000000 --- a/crypto/heimdal/appl/kauth/Makefile.in +++ /dev/null 
@@ -1,739 +0,0 @@ -# Makefile.in generated automatically by automake 1.4 from Makefile.am - -# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -# $Id: Makefile.am,v 1.7 1999/04/09 18:22:45 assar Exp $ - - -# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ - - -# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $ - - -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include - -DESTDIR = - -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ - -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS) -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -transform = @program_transform_name@ - -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ -AFS_EXTRA_LD = @AFS_EXTRA_LD@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -DBLIB = @DBLIB@ -EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDE_ = @INCLUDE_@ -LD = @LD@ -LEX = @LEX@ -LIBOBJS = @LIBOBJS@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@ -MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@ -MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NM = @NM@ -NROFF = @NROFF@ -OBJEXT = @OBJEXT@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -YACC = @YACC@ - -AUTOMAKE_OPTIONS = foreign no-dependencies - -SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x - -INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) - -AM_CFLAGS = $(WFLAGS) - -COMPILE_ET = $(top_builddir)/lib/com_err/compile_et - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = 
@LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_readline = @LIB_readline@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_readline = @INCLUDE_readline@ - -LEXLIB = @LEXLIB@ - -cat1dir = $(mandir)/cat1 -cat3dir = $(mandir)/cat3 -cat5dir = $(mandir)/cat5 -cat8dir = $(mandir)/cat8 - -MANRX = \(.*\)\.\([0-9]\) -CATSUFFIX = @CATSUFFIX@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -CHECK_LOCAL = $(PROGRAMS) - -bin_PROGRAMS = kauth -bin_SCRIPTS = ksrvtgt -libexec_PROGRAMS = kauthd - -EXTRA_DIST = zrefresh ksrvtgt.in - -kauth_SOURCES = kauth.c kauth.h rkinit.c marshall.c encdata.c - - -kauthd_SOURCES = kauthd.c kauth.h marshall.c encdata.c - - -LDADD = $(LIB_kafs) $(LIB_krb5) $(LIB_krb4) $(top_builddir)/lib/des/libdes.la $(LIB_roken) - -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = ../../include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = kauth$(EXEEXT) -libexec_PROGRAMS = kauthd$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) - - -DEFS = @DEFS@ -I. 
-I$(srcdir) -I../../include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -X_CFLAGS = @X_CFLAGS@ -X_LIBS = @X_LIBS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -kauth_OBJECTS = kauth.$(OBJEXT) rkinit.$(OBJEXT) marshall.$(OBJEXT) \ -encdata.$(OBJEXT) -kauth_LDADD = $(LDADD) -@KRB4_TRUE@@KRB5_FALSE@kauth_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \ -@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la -@KRB4_FALSE@@KRB5_TRUE@kauth_DEPENDENCIES = \ -@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \ -@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la -@KRB4_FALSE@@KRB5_FALSE@kauth_DEPENDENCIES = \ -@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la -@KRB4_TRUE@@KRB5_TRUE@kauth_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la -kauth_LDFLAGS = -kauthd_OBJECTS = kauthd.$(OBJEXT) marshall.$(OBJEXT) encdata.$(OBJEXT) -kauthd_LDADD = $(LDADD) -@KRB4_TRUE@@KRB5_FALSE@kauthd_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \ -@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la -@KRB4_FALSE@@KRB5_TRUE@kauthd_DEPENDENCIES = \ -@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \ -@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la -@KRB4_FALSE@@KRB5_FALSE@kauthd_DEPENDENCIES = \ -@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la -@KRB4_TRUE@@KRB5_TRUE@kauthd_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \ -@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la 
-kauthd_LDFLAGS = -SCRIPTS = $(bin_SCRIPTS) - -CFLAGS = @CFLAGS@ -COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ -DIST_COMMON = ChangeLog Makefile.am Makefile.in - - -DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) - -TAR = tar -GZIP_ENV = --best -SOURCES = $(kauth_SOURCES) $(kauthd_SOURCES) -OBJECTS = $(kauth_OBJECTS) $(kauthd_OBJECTS) - -all: all-redirect -.SUFFIXES: -.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common - cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kauth/Makefile - -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) \ - && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status - - -mostlyclean-binPROGRAMS: - -clean-binPROGRAMS: - -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) - -distclean-binPROGRAMS: - -maintainer-clean-binPROGRAMS: - -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - if test -f $$p; then \ - echo " $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \ - $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - list='$(bin_PROGRAMS)'; for p in $$list; do \ - rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \ - done - 
-mostlyclean-libexecPROGRAMS: - -clean-libexecPROGRAMS: - -test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS) - -distclean-libexecPROGRAMS: - -maintainer-clean-libexecPROGRAMS: - -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - if test -f $$p; then \ - echo " $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \ - $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - list='$(libexec_PROGRAMS)'; for p in $$list; do \ - rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \ - done - -.c.o: - $(COMPILE) -c $< - -# FIXME: We should only use cygpath when building on Windows, -# and only if it is available. 
-.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.s.o: - $(COMPILE) -c $< - -.S.o: - $(COMPILE) -c $< - -mostlyclean-compile: - -rm -f *.o core *.core - -rm -f *.$(OBJEXT) - -clean-compile: - -distclean-compile: - -rm -f *.tab.c - -maintainer-clean-compile: - -.c.lo: - $(LIBTOOL) --mode=compile $(COMPILE) -c $< - -.s.lo: - $(LIBTOOL) --mode=compile $(COMPILE) -c $< - -.S.lo: - $(LIBTOOL) --mode=compile $(COMPILE) -c $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -maintainer-clean-libtool: - -kauth$(EXEEXT): $(kauth_OBJECTS) $(kauth_DEPENDENCIES) - @rm -f kauth$(EXEEXT) - $(LINK) $(kauth_LDFLAGS) $(kauth_OBJECTS) $(kauth_LDADD) $(LIBS) - -kauthd$(EXEEXT): $(kauthd_OBJECTS) $(kauthd_DEPENDENCIES) - @rm -f kauthd$(EXEEXT) - $(LINK) $(kauthd_LDFLAGS) $(kauthd_OBJECTS) $(kauthd_LDADD) $(LIBS) - -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f $$p; then \ - echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \ - $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \ - else if test -f $(srcdir)/$$p; then \ - echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \ - $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \ - else :; fi; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - list='$(bin_SCRIPTS)'; for p in $$list; do \ - rm -f $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \ - done - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) - list='$(SOURCES) $(HEADERS)'; \ - unique=`for i in $$list; do echo $$i; done | \ - awk ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - here=`pwd` && cd $(srcdir) \ - && mkid -f$$here/ID $$unique $(LISP) - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS)'; \ - 
unique=`for i in $$list; do echo $$i; done | \ - awk ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \ - || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags $$unique $(LISP) -o $$here/TAGS) - -mostlyclean-tags: - -clean-tags: - -distclean-tags: - -rm -f TAGS ID - -maintainer-clean-tags: - -distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir) - -subdir = appl/kauth - -distdir: $(DISTFILES) - @for file in $(DISTFILES); do \ - d=$(srcdir); \ - if test -d $$d/$$file; then \ - cp -pr $$/$$file $(distdir)/$$file; \ - else \ - test -f $(distdir)/$$file \ - || ln $$d/$$file $(distdir)/$$file 2> /dev/null \ - || cp -p $$d/$$file $(distdir)/$$file || :; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook -info-am: -info: info-am -dvi-am: -dvi: dvi-am -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -installcheck-am: -installcheck: installcheck-am -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \ - install-binSCRIPTS install-exec-local - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook -install-exec: install-exec-am - -install-data-am: install-data-local -install-data: install-data-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -install: install-am -uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \ - uninstall-binSCRIPTS -uninstall: uninstall-am -all-am: Makefile $(PROGRAMS) $(SCRIPTS) all-local -all-redirect: all-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \ - $(DESTDIR)$(bindir) - - -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -rm -f config.cache config.log stamp-h stamp-h[0-9]* - -maintainer-clean-generic: -mostlyclean-am: mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \ - 
mostlyclean-compile mostlyclean-libtool \ - mostlyclean-tags mostlyclean-generic - -mostlyclean: mostlyclean-am - -clean-am: clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \ - clean-libtool clean-tags clean-generic mostlyclean-am - -clean: clean-am - -distclean-am: distclean-binPROGRAMS distclean-libexecPROGRAMS \ - distclean-compile distclean-libtool distclean-tags \ - distclean-generic clean-am - -rm -f libtool - -distclean: distclean-am - -maintainer-clean-am: maintainer-clean-binPROGRAMS \ - maintainer-clean-libexecPROGRAMS \ - maintainer-clean-compile maintainer-clean-libtool \ - maintainer-clean-tags maintainer-clean-generic \ - distclean-am - @echo "This command is intended for maintainers to use;" - @echo "it deletes files that may require special tools to rebuild." - -maintainer-clean: maintainer-clean-am - -.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \ -maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \ -mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \ -clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \ -uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \ -distclean-compile clean-compile maintainer-clean-compile \ -mostlyclean-libtool distclean-libtool clean-libtool \ -maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS tags \ -mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \ -distdir info-am info dvi-am dvi check-local check check-am \ -installcheck-am installcheck install-exec-local install-exec-am \ -install-exec install-data-local install-data-am install-data install-am \ -install uninstall-am uninstall all-local all-redirect all-am all \ -installdirs mostlyclean-generic distclean-generic clean-generic \ -maintainer-clean-generic clean mostlyclean distclean maintainer-clean - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; 
else \ - chmod 0 $$x; fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " cp $$file $(buildinclude)/$$f"; \ - cp $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - 
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat1-mans: - @ext=1;\ - foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat1dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat3-mans: - @ext=3;\ - foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat3dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat5-mans: - @ext=5;\ - foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat5dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat8-mans: - @ext=8;\ - foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat8dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 
's/\.[^.]*$$/.cat8/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ - -check-local:: - @foo='$(CHECK_LOCAL)'; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -ksrvtgt: ksrvtgt.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@ - chmod +x $@ - -install-exec-local: - if test -f $(bindir)/zrefresh -o -r $(bindir)/zrefresh; then \ - true; \ - else \ - $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(bindir)/`echo zrefresh | sed '$(transform)'`; \ - fi - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/kauth/encdata.c b/crypto/heimdal/appl/kauth/encdata.c deleted file mode 100644 index 886f5490bad8..000000000000 --- a/crypto/heimdal/appl/kauth/encdata.c +++ /dev/null 
@@ -1,96 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kauth.h"
-
-RCSID("$Id: encdata.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
-
-int
-write_encrypted (int fd, void *buf, size_t len, des_key_schedule schedule,
- des_cblock *session, struct sockaddr_in *me,
- struct sockaddr_in *him)
-{
- void *outbuf;
- int32_t outlen, l;
- int i;
- unsigned char tmp[4];
-
- outbuf = malloc(len + 30);
- if (outbuf == NULL)
- return -1;
- outlen = krb_mk_priv (buf, outbuf, len, schedule, session, me, him);
- if (outlen < 0) {
- free(outbuf);
- return -1;
- }
- l = outlen;
- for(i = 3; i >= 0; i--, l = l >> 8)
- tmp[i] = l & 0xff;
- if (krb_net_write (fd, tmp, 4) != 4 ||
- krb_net_write (fd, outbuf, outlen) != outlen) {
- free(outbuf);
- return -1;
- }
-
- free(outbuf);
- return 0;
-}
-
-
-int
-read_encrypted (int fd, void *buf, size_t len, void **ret,
- des_key_schedule schedule, des_cblock *session,
- struct sockaddr_in *him, struct sockaddr_in *me)
-{
- int status;
- int32_t l;
- MSG_DAT msg;
- unsigned char tmp[4];
-
- l = krb_net_read (fd, tmp, 4);
- if (l != 4)
- return l;
- l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
- if (l > len)
- return -1;
- if (krb_net_read (fd, buf, l) != l)
- return -1;
- status = krb_rd_priv (buf, l, schedule, session, him, me, &msg);
- if (status != RD_AP_OK) {
- fprintf (stderr, "read_encrypted: %s\n",
- krb_get_err_text(status));
- return -1;
- }
- *ret = msg.app_data;
- return msg.app_length;
-}
diff --git a/crypto/heimdal/appl/kauth/kauth.c b/crypto/heimdal/appl/kauth/kauth.c
deleted file mode 100644
index 13448a040dda..000000000000
--- a/crypto/heimdal/appl/kauth/kauth.c
+++ /dev/null
@@ -1,385 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Little program that reads an srvtab or password and
- * creates a suitable ticketfile and associated AFS tokens.
- *
- * If an optional command is given the command is executed in a
- * new PAG and when the command exits the tickets are destroyed.
- */ - -#include "kauth.h" - -RCSID("$Id: kauth.c,v 1.97 1999/12/02 16:58:31 joda Exp $"); - -krb_principal princ; -static char srvtab[MaxPathLen]; -static int lifetime = DEFAULT_TKT_LIFE; -static char remote_tktfile[MaxPathLen]; -static char remoteuser[100]; -static char *cell = 0; - -static void -usage(void) -{ - fprintf(stderr, - "Usage:\n" - " %s [name]\n" - "or\n" - " %s [-ad] [-n name] [-r remoteuser] [-t remote ticketfile]\n" - " [-l lifetime (in minutes) ] [-f srvtab ] [-c AFS cell name ]\n" - " [-h hosts... [--]] [command ... ]\n\n", - __progname, __progname); - fprintf(stderr, - "A fully qualified name can be given: user[.instance][@realm]\n" - "Realm is converted to uppercase!\n"); - exit(1); -} - -#define EX_NOEXEC 126 -#define EX_NOTFOUND 127 - -static int -doexec(int argc, char **argv) -{ - int ret = simple_execvp(argv[0], argv); - if(ret == -2) - warn ("fork"); - if(ret == -3) - warn("waitpid"); - if(ret < 0) - return EX_NOEXEC; - if(ret == EX_NOEXEC || ret == EX_NOTFOUND) - warnx("Can't exec program ``%s''", argv[0]); - - return ret; -} - -static RETSIGTYPE -renew(int sig) -{ - int code; - - signal(SIGALRM, renew); - - code = krb_get_svc_in_tkt(princ.name, princ.instance, princ.realm, - KRB_TICKET_GRANTING_TICKET, - princ.realm, lifetime, srvtab); - if (code) - warnx ("%s", krb_get_err_text(code)); - else if (k_hasafs()) - { - if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) { - warnx ("%s", krb_get_err_text(code)); - } - } - - alarm(krb_life_to_time(0, lifetime)/2 - 60); - SIGRETURN(0); -} - -static int -zrefresh(void) -{ - switch (fork()) { - case -1: - err (1, "Warning: Failed to fork zrefresh"); - return -1; - case 0: - /* Child */ - execlp("zrefresh", "zrefresh", 0); - execl(BINDIR "/zrefresh", "zrefresh", 0); - exit(1); - default: - /* Parent */ - break; - } - return 0; -} - -static int -key_to_key(const char *user, - char *instance, - const char *realm, - const void *arg, - des_cblock *key) -{ - memcpy(key, arg, 
sizeof(des_cblock)); - return 0; -} - -static int -get_ticket_address(krb_principal *princ, des_cblock *key) -{ - int code; - unsigned char flags; - krb_principal service; - u_int32_t addr; - struct in_addr addr2; - des_cblock session; - int life; - u_int32_t time_sec; - des_key_schedule schedule; - CREDENTIALS c; - - code = get_ad_tkt(princ->name, princ->instance, princ->realm, 0); - if(code) { - warnx("get_ad_tkt: %s\n", krb_get_err_text(code)); - return code; - } - code = krb_get_cred(princ->name, princ->instance, princ->realm, &c); - if(code) { - warnx("krb_get_cred: %s\n", krb_get_err_text(code)); - return code; - } - - des_set_key(key, schedule); - code = decomp_ticket(&c.ticket_st, - &flags, - princ->name, - princ->instance, - princ->realm, - &addr, - session, - &life, - &time_sec, - service.name, - service.instance, - key, - schedule); - if(code) { - warnx("decomp_ticket: %s\n", krb_get_err_text(code)); - return code; - } - memset(&session, 0, sizeof(session)); - memset(schedule, 0, sizeof(schedule)); - addr2.s_addr = addr; - fprintf(stdout, "ticket address = %s\n", inet_ntoa(addr2)); -} - - -int -main(int argc, char **argv) -{ - int code, more_args; - int ret; - int c; - char *file; - int pflag = 0; - int aflag = 0; - int version_flag = 0; - char passwd[100]; - des_cblock key; - char **host; - int nhost; - char tf[MaxPathLen]; - - set_progname (argv[0]); - - if ((file = getenv("KRBTKFILE")) == 0) - file = TKT_FILE; - - memset(&princ, 0, sizeof(princ)); - memset(srvtab, 0, sizeof(srvtab)); - *remoteuser = '\0'; - nhost = 0; - host = NULL; - - /* Look for kerberos name */ - if (argc > 1 && - argv[1][0] != '-' && - krb_parse_name(argv[1], &princ) == 0) - { - argc--; argv++; - strupr(princ.realm); - } - - while ((c = getopt(argc, argv, "ar:t:f:hdl:n:c:v")) != -1) - switch (c) { - case 'a': - aflag++; - break; - case 'd': - krb_enable_debug(); - _kafs_debug = 1; - aflag++; - break; - case 'f': - strlcpy(srvtab, optarg, sizeof(srvtab)); - break; - case 't': - 
strlcpy(remote_tktfile, optarg, sizeof(remote_tktfile)); - break; - case 'r': - strlcpy(remoteuser, optarg, sizeof(remoteuser)); - break; - case 'l': - lifetime = atoi(optarg); - if (lifetime == -1) - lifetime = 255; - else if (lifetime < 5) - lifetime = 1; - else - lifetime = krb_time_to_life(0, lifetime*60); - if (lifetime > 255) - lifetime = 255; - break; - case 'n': - if ((code = krb_parse_name(optarg, &princ)) != 0) { - warnx ("%s", krb_get_err_text(code)); - usage(); - } - strupr(princ.realm); - pflag = 1; - break; - case 'c': - cell = optarg; - break; - case 'h': - host = argv + optind; - for(nhost = 0; optind < argc && *argv[optind] != '-'; ++optind) - ++nhost; - if(nhost == 0) - usage(); - break; - case 'v': - version_flag++; - print_version(NULL); - break; - case '?': - default: - usage(); - break; - } - - if(version_flag) { - print_version(NULL); - exit(0); - } - if (princ.name[0] == '\0' && krb_get_default_principal (princ.name, - princ.instance, - princ.realm) < 0) - errx (1, "Could not get default principal"); - - /* With root tickets assume remote user is root */ - if (*remoteuser == '\0') { - if (strcmp(princ.instance, "root") == 0) - strlcpy(remoteuser, princ.instance, sizeof(remoteuser)); - else - strlcpy(remoteuser, princ.name, sizeof(remoteuser)); - } - - more_args = argc - optind; - - if (princ.realm[0] == '\0') - if (krb_get_lrealm(princ.realm, 1) != KSUCCESS) - strlcpy(princ.realm, KRB_REALM, REALM_SZ); - - if (more_args) { - int f; - - do{ - snprintf(tf, sizeof(tf), "%s%u_%u", TKT_ROOT, (unsigned)getuid(), - (unsigned)(getpid()*time(0))); - f = open(tf, O_CREAT|O_EXCL|O_RDWR); - }while(f < 0); - close(f); - unlink(tf); - setenv("KRBTKFILE", tf, 1); - krb_set_tkt_string (tf); - } - - if (srvtab[0]) - { - signal(SIGALRM, renew); - - code = read_service_key (princ.name, princ.instance, princ.realm, 0, - srvtab, (char *)&key); - if (code == KSUCCESS) - code = krb_get_in_tkt(princ.name, princ.instance, princ.realm, - KRB_TICKET_GRANTING_TICKET, - 
princ.realm, lifetime, - key_to_key, NULL, key); - alarm(krb_life_to_time(0, lifetime)/2 - 60); - } - else { - char prompt[128]; - - snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&princ)); - if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){ - memset(passwd, 0, sizeof(passwd)); - exit(1); - } - code = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm, - KRB_TICKET_GRANTING_TICKET, princ.realm, - lifetime, passwd, &key); - - memset(passwd, 0, sizeof(passwd)); - } - if (code) { - memset (key, 0, sizeof(key)); - errx (1, "%s", krb_get_err_text(code)); - } - - if(aflag) - get_ticket_address(&princ, &key); - - if (k_hasafs()) { - if (more_args) - k_setpag(); - if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) { - if(code > 0) - warnx ("%s", krb_get_err_text(code)); - else - warnx ("failed to store AFS token"); - } - } - - for(ret = 0; nhost-- > 0; host++) - ret += rkinit(&princ, lifetime, remoteuser, remote_tktfile, &key, *host); - - if (ret) - return ret; - - if (more_args) { - ret = doexec(more_args, &argv[optind]); - dest_tkt(); - if (k_hasafs()) - k_unlog(); - } - else - zrefresh(); - - return ret; -} diff --git a/crypto/heimdal/appl/kauth/kauth.h b/crypto/heimdal/appl/kauth/kauth.h deleted file mode 100644 index 32243c7d4333..000000000000 --- a/crypto/heimdal/appl/kauth/kauth.h +++ /dev/null 
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kauth.h,v 1.21 1999/12/02 16:58:31 joda Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif /* HAVE_CONFIG_H */
-
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_GRP_H
-#include
-#endif
-
-#ifdef TIME_WITH_SYS_TIME
-#include
-#include
-#elif defined(HAVE_SYS_TIME_H)
-#include
-#else
-#include
-#endif
-#ifdef HAVE_SYS_RESOURCE_H
-#include
-#endif /* HAVE_SYS_RESOURCE_H */
-#ifdef HAVE_SYS_WAIT_H
-#include
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef SOCKS
-#include
-/* This doesn't belong here. */
-struct tm *localtime(const time_t *);
-struct hostent *gethostbyname(const char *);
-#endif
-
-#include
-
-#include
-#include
-
-#include
-
-#define KAUTH_PORT 2120
-
-#define KAUTH_VERSION "RKINIT.0"
-
-int rkinit (krb_principal*, int, char*, char*, des_cblock*, char*);
-
-int write_encrypted (int, void*, size_t, des_key_schedule,
- des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
-
-int read_encrypted (int, void*, size_t, void **, des_key_schedule,
- des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
-
-int pack_args (char *, size_t, krb_principal*, int, const char*, const char*);
-
-int unpack_args (const char*, krb_principal*, int*, char*, char*);
diff --git a/crypto/heimdal/appl/kauth/kauthd.c b/crypto/heimdal/appl/kauth/kauthd.c
deleted file mode 100644
index fe0ceb2da855..000000000000
--- a/crypto/heimdal/appl/kauth/kauthd.c
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kauth.h" - -RCSID("$Id: kauthd.c,v 1.27 1999/12/06 16:46:05 assar Exp $"); - -krb_principal princ; -static char locuser[SNAME_SZ]; -static int lifetime; -static char tktfile[MaxPathLen]; - -struct remote_args { - int sock; - des_key_schedule *schedule; - des_cblock *session; - struct sockaddr_in *me, *her; -}; - -static int -decrypt_remote_tkt (const char *user, - const char *inst, - const char *realm, - const void *varg, - key_proc_t key_proc, - KTEXT *cipp) -{ - char buf[BUFSIZ]; - void *ptr; - int len; - KTEXT cip = *cipp; - struct remote_args *args = (struct remote_args *)varg; - - write_encrypted (args->sock, cip->dat, cip->length, - *args->schedule, args->session, args->me, - args->her); - len = read_encrypted (args->sock, buf, sizeof(buf), &ptr, *args->schedule, - args->session, args->her, args->me); - memcpy(cip->dat, ptr, cip->length); - - return 0; -} - -static int -doit(int sock) -{ - int status; - KTEXT_ST ticket; - AUTH_DAT auth; - char instance[INST_SZ]; - des_key_schedule schedule; - struct sockaddr_in thisaddr, thataddr; - int addrlen; - int len; - char buf[BUFSIZ]; - void *data; - struct passwd *passwd; - char version[KRB_SENDAUTH_VLEN + 1]; - char remotehost[MaxHostNameLen]; - - addrlen = sizeof(thisaddr); - if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 || - addrlen != sizeof(thisaddr)) { - return 1; - } - addrlen = sizeof(thataddr); - if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 || - addrlen != sizeof(thataddr)) { - return 1; - } - - getnameinfo_verified ((struct sockaddr *)&thataddr, sizeof(thataddr), - remotehost, sizeof(remotehost), - NULL, 0, 0); - - k_getsockinst (sock, instance, sizeof(instance)); - status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance, - &thataddr, &thisaddr, &auth, "", schedule, - version); - if (status != KSUCCESS || - strncmp(version, KAUTH_VERSION, KRB_SENDAUTH_VLEN) != 0) { - return 1; - } - len = read_encrypted (sock, buf, sizeof(buf), 
&data, schedule, - &auth.session, &thataddr, &thisaddr); - if (len < 0) { - write_encrypted (sock, "read_enc failed", - sizeof("read_enc failed") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - if (unpack_args(data, &princ, &lifetime, locuser, - tktfile)) { - write_encrypted (sock, "unpack_args failed", - sizeof("unpack_args failed") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - - if( kuserok(&auth, locuser) != 0) { - snprintf(buf, sizeof(buf), "%s cannot get tickets for %s", - locuser, krb_unparse_name(&princ)); - syslog (LOG_ERR, "%s", buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - passwd = k_getpwnam (locuser); - if (passwd == NULL) { - snprintf (buf, sizeof(buf), "No user '%s'", locuser); - syslog (LOG_ERR, "%s", buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - if (setgid (passwd->pw_gid) || - initgroups(passwd->pw_name, passwd->pw_gid) || - setuid(passwd->pw_uid)) { - snprintf (buf, sizeof(buf), "Could not change user"); - syslog (LOG_ERR, "%s", buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - write_encrypted (sock, "ok", sizeof("ok") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - - if (*tktfile == 0) - snprintf(tktfile, sizeof(tktfile), "%s%u", TKT_ROOT, (unsigned)getuid()); - krb_set_tkt_string (tktfile); - - { - struct remote_args arg; - - arg.sock = sock; - arg.schedule = &schedule; - arg.session = &auth.session; - arg.me = &thisaddr; - arg.her = &thataddr; - - status = krb_get_in_tkt (princ.name, princ.instance, princ.realm, - KRB_TICKET_GRANTING_TICKET, - princ.realm, - lifetime, NULL, decrypt_remote_tkt, &arg); - } - if (status == KSUCCESS) { - char remoteaddr[INET6_ADDRSTRLEN]; - - getnameinfo ((struct sockaddr *)&thataddr, sizeof(thataddr), - remoteaddr, sizeof(remoteaddr), - NULL, 0, 
NI_NUMERICHOST); - - syslog (LOG_INFO, "from %s(%s): %s -> %s", - remotehost, remoteaddr, - locuser, - krb_unparse_name (&princ)); - write_encrypted (sock, "ok", sizeof("ok") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - return 0; - } else { - snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status)); - syslog (LOG_NOTICE, "%s", buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } -} - -int -main (int argc, char **argv) -{ - openlog ("kauthd", LOG_ODELAY, LOG_AUTH); - - if(argc > 1 && strcmp(argv[1], "-i") == 0) - mini_inetd (k_getportbyname("kauth", "tcp", htons(KAUTH_PORT))); - return doit(STDIN_FILENO); -} diff --git a/crypto/heimdal/appl/kauth/ksrvtgt.in b/crypto/heimdal/appl/kauth/ksrvtgt.in deleted file mode 100755 index c2f33bb22fb0..000000000000 --- a/crypto/heimdal/appl/kauth/ksrvtgt.in +++ /dev/null @@ -1,14 +0,0 @@ -#! /bin/sh -# $Id: ksrvtgt.in,v 1.3 1997/09/13 03:39:03 joda Exp $ - -usage="Usage: `basename $0` name instance [[realm] srvtab]" - -if [ $# -lt 2 -o $# -gt 4 ]; then - echo "$usage" - exit 1 -fi - -srvtab="${4-${3-/etc/srvtab}}" -realm="${4+@$3}" - -%bindir%/kauth -n "$1.$2$realm" -l 5 -f "$srvtab" diff --git a/crypto/heimdal/appl/kauth/marshall.c b/crypto/heimdal/appl/kauth/marshall.c deleted file mode 100644 index e37b8c969c81..000000000000 --- a/crypto/heimdal/appl/kauth/marshall.c +++ /dev/null 
@@ -1,126 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kauth.h"
-
-RCSID("$Id: marshall.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
-
-int
-pack_args (char *buf,
- size_t sz,
- krb_principal *pr,
- int lifetime,
- const char *locuser,
- const char *tktfile)
-{
- char *p = buf;
- int len;
-
- p = buf;
-
- len = strlen(pr->name);
- if (len >= sz)
- return -1;
- memcpy (p, pr->name, len + 1);
- p += len + 1;
- sz -= len + 1;
-
- len = strlen(pr->instance);
- if (len >= sz)
- return -1;
- memcpy (p, pr->instance, len + 1);
- p += len + 1;
- sz -= len + 1;
-
- len = strlen(pr->realm);
- if (len >= sz)
- return -1;
- memcpy(p, pr->realm, len + 1);
- p += len + 1;
- sz -= len + 1;
-
- if (sz < 1)
- return -1;
- *p++ = (unsigned char)lifetime;
-
- len = strlen(locuser);
- if (len >= sz)
- return -1;
- memcpy (p, locuser, len + 1);
- p += len + 1;
- sz -= len + 1;
-
- len = strlen(tktfile);
- if (len >= sz)
- return -1;
- memcpy (p, tktfile, len + 1);
- p += len + 1;
- sz -= len + 1;
-
- return p - buf;
-}
-
-int
-unpack_args (const char *buf, krb_principal *pr, int *lifetime,
- char *locuser, char *tktfile)
-{
- int len;
-
- len = strlen(buf);
- if (len >= SNAME_SZ)
- return -1;
- strlcpy (pr->name, buf, ANAME_SZ);
- buf += len + 1;
- len = strlen (buf);
- if (len >= INST_SZ)
- return -1;
- strlcpy (pr->instance, buf, INST_SZ);
- buf += len + 1;
- len = strlen (buf);
- if (len >= REALM_SZ)
- return -1;
- strlcpy (pr->realm, buf, REALM_SZ);
- buf += len + 1;
- *lifetime = (unsigned char)*buf++;
- len = strlen(buf);
- if (len >= SNAME_SZ)
- return -1;
- strlcpy (locuser, buf, SNAME_SZ);
- buf += len + 1;
- len = strlen(buf);
- if (len >= MaxPathLen)
- return -1;
- strlcpy (tktfile, buf, MaxPathLen);
- buf += len + 1;
- return 0;
-}
diff --git a/crypto/heimdal/appl/kauth/rkinit.c b/crypto/heimdal/appl/kauth/rkinit.c
deleted file mode 100644
index d4b07c6c842d..000000000000
--- a/crypto/heimdal/appl/kauth/rkinit.c
+++ /dev/null
@@ -1,226 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kauth.h"
-
-RCSID("$Id: rkinit.c,v 1.23 1999/12/06 17:07:20 assar Exp $");
-
-static struct in_addr *
-getalladdrs (char *hostname, unsigned *count)
-{
- struct hostent *hostent;
- struct in_addr **h;
- struct in_addr *addr;
- unsigned naddr;
- unsigned maxaddr;
-
- hostent = gethostbyname (hostname);
- if (hostent == NULL) {
- warnx ("gethostbyname '%s' failed: %s\n",
- hostname,
- hstrerror(h_errno));
- return NULL;
- }
- maxaddr = 1;
- naddr = 0;
- addr = malloc(sizeof(*addr) * maxaddr);
- if (addr == NULL) {
- warnx ("out of memory");
- return NULL;
- }
- for (h = (struct in_addr **)(hostent->h_addr_list);
- *h != NULL;
- h++) {
- if (naddr >= maxaddr) {
- maxaddr *= 2;
- addr = realloc (addr, sizeof(*addr) * maxaddr);
- if (addr == NULL) {
- warnx ("out of memory");
- return NULL;
- }
- }
- addr[naddr++] = **h;
- }
- addr = realloc (addr, sizeof(*addr) * naddr);
- if (addr == NULL) {
- warnx ("out of memory");
- return NULL;
- }
- *count = naddr;
- return addr;
-}
-
-static int
-doit_host (krb_principal *princ, int lifetime, char *locuser,
- char *tktfile, des_cblock *key, int s, char *hostname)
-{
- char buf[BUFSIZ];
- int inlen;
- KTEXT_ST text;
- CREDENTIALS cred;
- MSG_DAT msg;
- int status;
- des_key_schedule schedule;
- struct sockaddr_in thisaddr, thataddr;
- int addrlen;
- void *ret;
-
- addrlen = sizeof(thisaddr);
- if (getsockname (s, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
- addrlen != sizeof(thisaddr)) {
- warn ("getsockname(%s)", hostname);
- return 1;
- }
- addrlen = sizeof(thataddr);
- if (getpeername (s, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
- addrlen != sizeof(thataddr)) {
- warn ("getpeername(%s)", hostname);
- return 1;
- }
-
- if (krb_get_config_bool("nat_in_use")) {
- struct in_addr natAddr;
-
- if (krb_get_our_ip_for_realm(krb_realmofhost(hostname),
- &natAddr) == KSUCCESS
- || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS)
- thisaddr.sin_addr = natAddr;
- }
-
- status = krb_sendauth
(KOPT_DO_MUTUAL, s, &text, "rcmd",
- hostname, krb_realmofhost (hostname),
- getpid(), &msg, &cred, schedule,
- &thisaddr, &thataddr, KAUTH_VERSION);
- if (status != KSUCCESS) {
- warnx ("%s: %s\n", hostname, krb_get_err_text(status));
- return 1;
- }
- inlen = pack_args (buf, sizeof(buf),
- princ, lifetime, locuser, tktfile);
- if (inlen < 0) {
- warn ("cannot marshall arguments to %s", hostname);
- return 1;
- }
-
- if (write_encrypted(s, buf, inlen, schedule, &cred.session,
- &thisaddr, &thataddr) < 0) {
- warn ("write to %s", hostname);
- return 1;
- }
-
- inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
- &cred.session, &thataddr, &thisaddr);
- if (inlen < 0) {
- warn ("read from %s failed", hostname);
- return 1;
- }
-
- if (strncmp(ret, "ok", inlen) != 0) {
- warnx ("error from %s: %.*s\n",
- hostname, inlen, (char *)ret);
- return 1;
- }
-
- inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
- &cred.session, &thataddr, &thisaddr);
- if (inlen < 0) {
- warn ("read from %s", hostname);
- return 1;
- }
-
- {
- des_key_schedule key_s;
-
- des_key_sched(key, key_s);
- des_pcbc_encrypt(ret, ret, inlen, key_s, key, DES_DECRYPT);
- memset(key_s, 0, sizeof(key_s));
- }
- write_encrypted (s, ret, inlen, schedule, &cred.session,
- &thisaddr, &thataddr);
-
- inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
- &cred.session, &thataddr, &thisaddr);
- if (inlen < 0) {
- warn ("read from %s", hostname);
- return 1;
- }
-
- if (strncmp(ret, "ok", inlen) != 0) {
- warnx ("error from %s: %.*s\n",
- hostname, inlen, (char *)ret);
- return 1;
- }
- return 0;
-}
-
-int
-rkinit (krb_principal *princ, int lifetime, char *locuser,
- char *tktfile, des_cblock *key, char *hostname)
-{
- struct in_addr *addr;
- unsigned naddr;
- unsigned i;
- int port;
- int success;
-
- addr = getalladdrs (hostname, &naddr);
- if (addr == NULL)
- return 1;
- port = k_getportbyname ("kauth", "tcp", htons(KAUTH_PORT));
- success = 0;
- for (i = 0; !success && i < naddr;
++i) {
- struct sockaddr_in a;
- int s;
-
- memset(&a, 0, sizeof(a));
- a.sin_family = AF_INET;
- a.sin_port = port;
- a.sin_addr = addr[i];
-
- s = socket (AF_INET, SOCK_STREAM, 0);
- if (s < 0) {
- warn("socket");
- return 1;
- }
- if (connect(s, (struct sockaddr *)&a, sizeof(a)) < 0) {
- warn("connect(%s)", hostname);
- continue;
- }
-
- success = success || !doit_host (princ, lifetime,
- locuser, tktfile, key,
- s, hostname);
- close (s);
- }
- return !success;
-}
diff --git a/crypto/heimdal/appl/kauth/zrefresh b/crypto/heimdal/appl/kauth/zrefresh
deleted file mode 100755
index 8347a1b33c0c..000000000000
--- a/crypto/heimdal/appl/kauth/zrefresh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-#
-# @(#) $Id: zrefresh,v 1.3 1996/06/09 19:21:59 joda Exp $
-#
-# Substitute this script with a real zrefresh if running Zephyr. For
-# instance:
-#
-# if [ -f "$WGFILE" ] ; then
-# zctl load
-# fi
-
-exit 0
diff --git a/crypto/heimdal/appl/kf/Makefile b/crypto/heimdal/appl/kf/Makefile
deleted file mode 100644
index d163c040cecc..000000000000
--- a/crypto/heimdal/appl/kf/Makefile
+++ /dev/null
@@ -1,733 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/kf/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = kf - -libexec_PROGRAMS = kfd - -man_MANS = kf.1 kfd.8 - -kf_SOURCES = kf.c kf_locl.h - -kfd_SOURCES = kfd.c kf_locl.h - -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -subdir = appl/kf -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = kf$(EXEEXT) -libexec_PROGRAMS = kfd$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) - -am_kf_OBJECTS = kf.$(OBJEXT) -kf_OBJECTS = $(am_kf_OBJECTS) -kf_LDADD = $(LDADD) -kf_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kf_LDFLAGS = -am_kfd_OBJECTS = kfd.$(OBJEXT) -kfd_OBJECTS = $(am_kfd_OBJECTS) -kfd_LDADD = $(LDADD) -kfd_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kfd_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(kf_SOURCES) $(kfd_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(kf_SOURCES) $(kfd_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/kf/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p 
in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -kf$(EXEEXT): $(kf_OBJECTS) $(kf_DEPENDENCIES) - @rm -f kf$(EXEEXT) - $(LINK) $(kf_LDFLAGS) $(kf_OBJECTS) $(kf_LDADD) $(LIBS) -kfd$(EXEEXT): $(kfd_OBJECTS) $(kfd_DEPENDENCIES) - @rm -f kfd$(EXEEXT) - $(LINK) $(kfd_LDFLAGS) $(kfd_OBJECTS) $(kfd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - 
@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file 
$(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man1dir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am info \ - info-am install install-am install-binPROGRAMS install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man1 install-man8 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - 
fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/kf/kf.cat1 b/crypto/heimdal/appl/kf/kf.cat1 deleted file mode 100644 index 30ae354ea924..000000000000 --- a/crypto/heimdal/appl/kf/kf.cat1 +++ /dev/null 
@@ -1,45 +0,0 @@ -KF(1) NetBSD Reference Manual KF(1) - -NNAAMMEE - kkff - securly forward tickets - -SSYYNNOOPPSSIISS - kkff [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ll _l_o_g_i_n | ----llooggiinn=_l_o_g_i_n] [--cc _c_c_a_c_h_e | - ----ccccaacchhee=_c_c_a_c_h_e] [--FF | ----ffoorrwwaarrddaabbllee] [--GG | ----nnoo--ffoorrwwaarrddaabbllee] [--hh | - ----hheellpp] [----vveerrssiioonn] _h_o_s_t _._._. - -DDEESSCCRRIIPPTTIIOONN - The kkff program forwards tickets to a remove host through an authenticated - and encrypted stream. Options supported are: - - --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t - port to connect to - - --ll _l_o_g_i_n, ----llooggiinn=_l_o_g_i_n - remote login name - - --cc _c_c_a_c_h_e, ----ccccaacchhee=_c_c_a_c_h_e - remote cred cache - - --FF, ----ffoorrwwaarrddaabbllee - forward forwardable credentials - - --GG, ----nnoo--ffoorrwwaarrddaabbllee - do not forward forwardable credentials - - --hh, ----hheellpp - - ----vveerrssiioonn - - kkff is useful when you do not want to enter your password on a remote host - but want to have your tickets one for example afs. - - In order for kkff to work you will need to acquire your initial ticket with - forwardable flag, ie kkiinniitt ----ffoorrwwaarrddaabbllee. - - tteellnneett is able to forward ticket by itself. - -SSEEEE AALLSSOO - kinit(1), telnet(1), kfd(8) - - Heimdal July 2, 2000 1 diff --git a/crypto/heimdal/appl/kf/kfd.cat8 b/crypto/heimdal/appl/kf/kfd.cat8 deleted file mode 100644 index 65ec8ac4a9ea..000000000000 --- a/crypto/heimdal/appl/kf/kfd.cat8 +++ /dev/null 
@@ -1,30 +0,0 @@ -KFD(8) NetBSD System Manager's Manual KFD(8) - -NNAAMMEE - kkffdd - receive forwarded tickets - -SSYYNNOOPPSSIISS - kkffdd [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ii | ----iinneettdd] [--RR _r_e_g_p_a_g | ----rreeggppaagg=_r_e_g_p_a_g] - [--hh | ----hheellpp] [----vveerrssiioonn] - -DDEESSCCRRIIPPTTIIOONN - This is the daemon for kf(1). Supported options: - - --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t - port to listen to - - --ii, ----iinneettdd - not started from inetd - - --RR _r_e_g_p_a_g, ----rreeggppaagg==_r_e_g_p_a_g - path to regpag binary - -EEXXAAMMPPLLEESS - Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f: - - kf stream tcp nowait root /usr/heimdal/libexec/kfd kfd - -SSEEEE AALLSSOO - kf(1) - - Heimdal July 2, 2000 1 diff --git a/crypto/heimdal/appl/kx/ChangeLog b/crypto/heimdal/appl/kx/ChangeLog deleted file mode 100644 index 1f00507b1147..000000000000 --- a/crypto/heimdal/appl/kx/ChangeLog +++ /dev/null 
@@ -1,354 +0,0 @@ -2002-08-22 Johan Danielsson - - * common.c: remove only reference to strndup - -2002-05-07 Johan Danielsson - - * krb5.c: use krb5_warn where appropriate - -2002-03-18 Johan Danielsson - - * rxtelnet.in, rxterm.in: add forward (-f) option - -2001-09-17 Assar Westerlund - - * kx.h: add a kludge to make it build on aix (that defines NOERROR - in both sys/stream.h and arpa/nameser.h and considers that a fatal - error) - -2001-07-12 Assar Westerlund - - * common.c (connect_local_xsocket): handle a tcp socket as last - resort - - * rxterm.in: add -K (send arguments to kx) - * rxtelnet.in: add -K (send arguments to kx) - -2001-06-21 Assar Westerlund - - * rxterm.in: add -b for pointing to the rsh program. from - - * rxtelnet.in: add -b for pointing to the telnet program. from - - -2001-01-17 Johan Danielsson - - * common.c: don't write to string constants - -2000-12-31 Assar Westerlund - - * krb5.c (krb5_make_context): handle krb5_init_context failure - consistently - -2000-10-08 Assar Westerlund - - * kxd.c (doit_passive): check that fds are not too large to select - on - * kx.c (doit_active): check that fds are not too large to select - on - * krb5.c (krb5_copy_encrypted): check that fds are not too large - to select on - * krb4.c (krb4_copy_encrypted): check that fds are not too large - to select on - -2000-07-17 Johan Danielsson - - * Makefile.am: use conditional for X - -2000-06-10 Assar Westerlund - - * Makefile.in: use INSTALL_SCRIPT for installing rxterm, rxtelnet, - tenletxr - -2000-04-19 Assar Westerlund - - * common.c: try hostname uncanonified if getaddrinfo() fails - -2000-02-06 Assar Westerlund - - * kx.h: remove old prorotypes - -2000-01-08 Assar Westerlund - - * common.c (match_local_auth): handle ai_canonname being set in - any of the addresses returnedby getaddrinfo. glibc apparently - returns the reverse lookup of every address in ai_canonname. 
- -1999-12-28 Assar Westerlund - - * kxd.c (main): call krb5_getportbyname with the default in - host-byte-order - -1999-12-17 Assar Westerlund - - * common.c (match_local_auth): remove extra brace. spotted by - Jakob Schlyter - -1999-12-16 Assar Westerlund - - * common.c (match_local_auth): handle ai_canonname not being set - -1999-12-06 Assar Westerlund - - * krb4.c (krb4_authenticate): the NAT address might not be the one - for the relevant realm, try anyway. - * kxd.c (recv_conn): type correctness - * kx.c (connect_host): typo - -1999-12-05 Assar Westerlund - - * common.c (INADDR_LOOPBACK): remove. now in roken. - - * kxd.c (recv_conn): use getnameinfo_verified - * kxd.c (recv_conn): replace inaddr2str with getnameinfo - -1999-12-04 Assar Westerlund - - * kx.c (connect_host): use getaddrinfo - * common.c (find_auth_cookie, match_local_auth): re-write to use - getaddrinfo - -1999-11-27 Assar Westerlund - - * kxd.c (recv_conn): better errors when getting unrecognized data - -1999-11-25 Assar Westerlund - - * krb4.c (krb4_authenticate): obtain the `local' address when - doing NAT. also turn on passive mode. From - -1999-11-18 Assar Westerlund - - * krb5.c (krb5_destroy): free the correct part of the context - -1999-11-02 Assar Westerlund - - * kx.c (main): redo the v4/v5 selection for consistency. -4 -> - try only v4 -5 -> try only v5 none, -45 -> try v5, v4 - -1999-10-10 Assar Westerlund - - * Makefile.am (CLEANFILES): add generated files so that they get - cleaned away - -1999-09-29 Assar Westerlund - - * common.c (match_local_auth): only look for FamilyLocal (and - FamilyWild) cookies. This will not work when we start talking tcp - to the local X-server but `connect_local_xsocket' and the rest of - the code doesn't handle it anyway and the old code could (and did) - pick up the wrong cookie sometimes. 
If we have to match - FamilyInternet cookies, the search order has to be changed anyway - -1999-09-02 Assar Westerlund - - * kxd.c (childhandler): watch for child `wait_on_pid' to die. - (recv_conn): set `wait_on_pid' instead of looping on waitpid here - also. This should solve the problem of kxd looping which was - caused by the signal handler getting invoked before this waitpid - and reaping the child leaving this poor loop without any child - -1999-08-19 Assar Westerlund - - * kxd.c (recv_conn): give better error message - (doit_active): don't die if fork gives EAGAIN - -1999-08-19 Johan Danielsson - - * kxd.c (recv_conn): call setjob on crays; - (doit_passive): if fork fails with EAGAIN, don't shutdown, just close - the connection re-implement `-t' flag - -1999-07-12 Assar Westerlund - - * Makefile.am: handle not building X programs - -1999-06-23 Assar Westerlund - - * kx.c: conditionalize krb_enable_debug - -1999-06-20 Assar Westerlund - - * kxd.c (main): hopefully do inetd confusion right - -1999-06-15 Assar Westerlund - - * krb4.c (krb4_authenticate): get rid of a warning - - * kx.h: const-pollution - - * kx.c: use get_default_username and resulting const pollution - - * context.c (context_set): const pollution - -1999-05-22 Assar Westerlund - - * kxd.c (recv_conn): fix syslog messages - (main): fix inetd_flag thinko - -1999-05-21 Assar Westerlund - - * kx.c (main): don't byte-swap the argument to krb5_getportbyname - - * kx.c (main): try to use $USERNAME - -1999-05-10 Assar Westerlund - - * Makefile.in (SOURCES*): update sources list - - * kx.c (main): forgot to conditionalize some KRB5 code - - * kxd.c (main): use getarg - (*): handle v4 and/or v5 - - * kx.h: update - - * kx.c (main): use getarg. 
- (*): handle v4 and/or v5 - - * common.c (do_enccopy, copy_encrypted): remove use - net_{read,write} instead of krb_net_{read,write} - (krb_get_int, krb_put_int): include fallback of these for when we - compile without krb4 - - * Makefile.am (*_SOURCES): remove encdata, add krb[45].c, - context.c - (LDADD): add krb5 - - * krb4.c, krb5.c, context.c: new files - -1999-05-08 Assar Westerlund - - * kxd.c (doit_passive): handle error code from - create_and_write_cookie - - * kx.c (doit_active): handle error code from - create_and_write_cookie - - * common.c (create_and_write_cookie): try to return better (and - correct) errors. Based on a patch from Love - - * common.c (try_pie): more braces - (match_local_auth): new function - (find_auth_cookie): new function - (replace_cookie): don't just take the first auth cookie. based on - patch from Ake Sandgren - -Wed Apr 7 23:39:23 1999 Assar Westerlund - - * common.c (get_xsockets): init local variable to get rid of a gcc - warning - -Thu Apr 1 21:11:36 1999 Johan Danielsson - - * Makefile.in: fix for writeauth.o - -Fri Mar 19 15:12:31 1999 Johan Danielsson - - * kx.c: add gcc-braces - -Thu Mar 18 11:18:20 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Thu Mar 11 14:58:32 1999 Johan Danielsson - - * writeauth.c: protoize - - * common.c: fix some warnings - -Wed Mar 10 19:33:39 1999 Johan Danielsson - - * kxd.c: openlog -> roken_openlog - -Wed Feb 3 22:01:55 1999 Assar Westerlund - - * rxtelnet.in: print out what telnet program we are running. 
From - - - * tenletxr.in: add --version, [-h | --help], -v - - * rxterm.in: add --version, [-h | --help], -v - - * rxtelnet.in: add --version, [-h | --help], -v - - * Makefile.in (rxterm, rxtelnet, telnetxr): substitute VERSION and - PACKAGE - - * rxtelnet.in: update usage string - -Fri Jan 22 23:51:05 1999 Assar Westerlund - - * common.c (verify_and_remove_cookies): give back a meaningful - error message if we're using the wrong cookie - -Fri Dec 18 17:42:02 1998 Assar Westerlund - - * common.c (replace_cookie): try to handle the case of not finding - any cookies - -Sun Nov 22 10:31:53 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - -Wed Nov 18 20:25:37 1998 Assar Westerlund - - * rxtelnet.in: new argument -n for not starting any terminal - emulator - - * kx.c (doit_passive): parse $DISPLAY correctly - -Fri Oct 2 06:34:51 1998 Assar Westerlund - - * kx.c (doit_active): check DISPLAY to figure out what local - socket to connect to. From Åke Sandgren - -Thu Oct 1 23:02:29 1998 Johan Danielsson - - * kx.h: case MAY_HAVE_X11_PIPES with Solaris - -Tue Sep 29 02:22:44 1998 Assar Westerlund - - * kx.c: fix from Ake Sandgren - -Mon Sep 28 18:04:03 1998 Johan Danielsson - - * common.c (try_pipe): return -1 if I_PUSH fails with ENOSYS - -Sat Sep 26 17:34:21 1998 Assar Westerlund - - * kxd.c: create sockets before setuid to handle Solaris' strange - permissions on /tmp/.X11-{unix,pipe} - - * common.c (chown_xsockets): new function - - * kx.h (chown_xsockets): new prototype - -Sun Aug 16 18:34:30 1998 Assar Westerlund - - * kxd.c (doit_passive): conditionalize stream pipe code - - * implement support for Solaris's named-pipe X transport - -Thu May 28 17:20:39 1998 Johan Danielsson - - * common.c: fix for (compiler?) 
bug in solaris 2.4 bind - - * kx.c: get_xsockets returns int, not unsigned - -Wed May 27 04:20:20 1998 Assar Westerlund - - * kxd.c (doit): better error reporting - -Tue May 26 17:41:23 1998 Johan Danielsson - - * kx.c: use krb_enable_debug - -Mon May 25 05:22:18 1998 Assar Westerlund - - * Makefile.in (clean): remove encdata.c - -Fri May 1 07:16:36 1998 Assar Westerlund - - * kx.c: unifdef -DHAVE_H_ERRNO - diff --git a/crypto/heimdal/appl/kx/Makefile b/crypto/heimdal/appl/kx/Makefile deleted file mode 100644 index c53998295970..000000000000 --- a/crypto/heimdal/appl/kx/Makefile +++ /dev/null 
@@ -1,825 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/kx/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = - -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = kx -#bin_PROGRAMS = -bin_SCRIPTS = rxterm rxtelnet tenletxr -#bin_SCRIPTS = -libexec_PROGRAMS = kxd -#libexec_PROGRAMS = - -CLEANFILES = rxterm rxtelnet tenletxr - -#XauWriteAuth_c = writeauth.c - -kx_SOURCES = \ - kx.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - - -EXTRA_kx_SOURCES = writeauth.c - -kxd_SOURCES = \ - kxd.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - - -EXTRA_kxd_SOURCES = writeauth.c - -EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in - -man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8 - -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS) - -subdir = appl/kx -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = kx$(EXEEXT) -#bin_PROGRAMS = -libexec_PROGRAMS = kxd$(EXEEXT) -#libexec_PROGRAMS = -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) - -#am__objects_1 = writeauth.$(OBJEXT) -am_kx_OBJECTS = kx.$(OBJEXT) common.$(OBJEXT) context.$(OBJEXT) \ - krb4.$(OBJEXT) krb5.$(OBJEXT) $(am__objects_1) -kx_OBJECTS = $(am_kx_OBJECTS) -kx_LDADD = $(LDADD) -kx_DEPENDENCIES = \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#kx_DEPENDENCIES = -#kx_DEPENDENCIES = \ -# $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -##kx_DEPENDENCIES = \ -## $(top_builddir)/lib/kafs/libkafs.la -kx_LDFLAGS = -am_kxd_OBJECTS = kxd.$(OBJEXT) common.$(OBJEXT) context.$(OBJEXT) \ - krb4.$(OBJEXT) krb5.$(OBJEXT) $(am__objects_1) 
-kxd_OBJECTS = $(am_kxd_OBJECTS) -kxd_LDADD = $(LDADD) -kxd_DEPENDENCIES = \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#kxd_DEPENDENCIES = -#kxd_DEPENDENCIES = \ -# $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -##kxd_DEPENDENCIES = \ -## $(top_builddir)/lib/kafs/libkafs.la -kxd_LDFLAGS = -SCRIPTS = $(bin_SCRIPTS) - - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) \ - $(EXTRA_kxd_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) $(EXTRA_kxd_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/kx/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 
's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -kx$(EXEEXT): $(kx_OBJECTS) $(kx_DEPENDENCIES) - @rm -f kx$(EXEEXT) - $(LINK) $(kx_LDFLAGS) $(kx_OBJECTS) $(kx_LDADD) $(LIBS) -kxd$(EXEEXT): $(kxd_OBJECTS) $(kxd_DEPENDENCIES) - @rm -f kxd$(EXEEXT) - 
$(LINK) $(kxd_LDFLAGS) $(kxd_OBJECTS) $(kxd_LDADD) $(LIBS) -binSCRIPT_INSTALL = $(INSTALL_SCRIPT) -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f $$d$$p; then \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " $(binSCRIPT_INSTALL) $$d$$p $(DESTDIR)$(bindir)/$$f"; \ - $(binSCRIPT_INSTALL) $$d$$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: 
- @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) 
$(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS install-binSCRIPTS \ - install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am info \ - info-am install install-am install-binPROGRAMS \ - install-binSCRIPTS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man1 install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-binSCRIPTS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \ - uninstall-man1 uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then 
:; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ 
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -rxterm: rxterm.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@ - chmod +x $@ - -rxtelnet: rxtelnet.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@ - chmod +x $@ - -tenletxr: tenletxr.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@ - chmod +x $@ -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/kx/Makefile.am b/crypto/heimdal/appl/kx/Makefile.am deleted file mode 100644 index ec3f2498e0b5..000000000000 --- a/crypto/heimdal/appl/kx/Makefile.am +++ /dev/null 
@@ -1,73 +0,0 @@
-# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS)
-
-WFLAGS += $(WFLAGS_NOIMPLICITINT)
-
-if HAVE_X
-
-bin_PROGRAMS = kx
-bin_SCRIPTS = rxterm rxtelnet tenletxr
-libexec_PROGRAMS = kxd
-
-else
-
-bin_PROGRAMS =
-bin_SCRIPTS =
-libexec_PROGRAMS =
-
-endif
-
-CLEANFILES = rxterm rxtelnet tenletxr
-
-if NEED_WRITEAUTH
-XauWriteAuth_c = writeauth.c
-endif
-
-kx_SOURCES = \
- kx.c \
- kx.h \
- common.c \
- context.c \
- krb4.c \
- krb5.c \
- $(XauWriteAuth_c)
-
-EXTRA_kx_SOURCES = writeauth.c
-
-kxd_SOURCES = \
- kxd.c \
- kx.h \
- common.c \
- context.c \
- krb4.c \
- krb5.c \
- $(XauWriteAuth_c)
-
-EXTRA_kxd_SOURCES = writeauth.c
-
-EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in
-
-man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8
-
-rxterm: rxterm.in
- sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@
- chmod +x $@
-
-rxtelnet: rxtelnet.in
- sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@
- chmod +x $@
-
-tenletxr: tenletxr.in
- sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@
- chmod +x $@
-
-LDADD = \
- $(LIB_kafs) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_roken) \
- $(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS)
diff --git a/crypto/heimdal/appl/kx/Makefile.in b/crypto/heimdal/appl/kx/Makefile.in
deleted file mode 100644
index 7a017e6bf94d..000000000000
--- a/crypto/heimdal/appl/kx/Makefile.in
+++ /dev/null
@@ -1,825 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = 
@VOID_RETSIGTYPE@ - -WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS) - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = 
$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -@HAVE_X_TRUE@bin_PROGRAMS = kx -@HAVE_X_FALSE@bin_PROGRAMS = -@HAVE_X_TRUE@bin_SCRIPTS = rxterm rxtelnet tenletxr -@HAVE_X_FALSE@bin_SCRIPTS = -@HAVE_X_TRUE@libexec_PROGRAMS = kxd -@HAVE_X_FALSE@libexec_PROGRAMS = - -CLEANFILES = rxterm rxtelnet tenletxr - -@NEED_WRITEAUTH_TRUE@XauWriteAuth_c = writeauth.c - -kx_SOURCES = \ - kx.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - - -EXTRA_kx_SOURCES = writeauth.c - -kxd_SOURCES = \ - kxd.c \ - kx.h \ - common.c \ - context.c \ - krb4.c \ - krb5.c \ - $(XauWriteAuth_c) - - -EXTRA_kxd_SOURCES = writeauth.c - -EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in - -man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8 - -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS) - -subdir = appl/kx -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -@HAVE_X_TRUE@bin_PROGRAMS = kx$(EXEEXT) -@HAVE_X_FALSE@bin_PROGRAMS = -@HAVE_X_TRUE@libexec_PROGRAMS = kxd$(EXEEXT) -@HAVE_X_FALSE@libexec_PROGRAMS = -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) - -@NEED_WRITEAUTH_TRUE@am__objects_1 = writeauth.$(OBJEXT) -am_kx_OBJECTS = kx.$(OBJEXT) common.$(OBJEXT) context.$(OBJEXT) \ - krb4.$(OBJEXT) krb5.$(OBJEXT) $(am__objects_1) -kx_OBJECTS = $(am_kx_OBJECTS) -kx_LDADD = $(LDADD) -@KRB4_FALSE@@KRB5_TRUE@kx_DEPENDENCIES = \ -@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB4_FALSE@@KRB5_FALSE@kx_DEPENDENCIES = -@KRB4_TRUE@@KRB5_TRUE@kx_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ -@KRB4_TRUE@@KRB5_TRUE@ 
$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB4_TRUE@@KRB5_FALSE@kx_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la -kx_LDFLAGS = -am_kxd_OBJECTS = kxd.$(OBJEXT) common.$(OBJEXT) context.$(OBJEXT) \ - krb4.$(OBJEXT) krb5.$(OBJEXT) $(am__objects_1) -kxd_OBJECTS = $(am_kxd_OBJECTS) -kxd_LDADD = $(LDADD) -@KRB4_FALSE@@KRB5_TRUE@kxd_DEPENDENCIES = \ -@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB4_FALSE@@KRB5_FALSE@kxd_DEPENDENCIES = -@KRB4_TRUE@@KRB5_TRUE@kxd_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB4_TRUE@@KRB5_FALSE@kxd_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la -kxd_LDFLAGS = -SCRIPTS = $(bin_SCRIPTS) - - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) \ - $(EXTRA_kxd_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) $(EXTRA_kxd_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/kx/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f 
$(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -kx$(EXEEXT): $(kx_OBJECTS) $(kx_DEPENDENCIES) - @rm -f kx$(EXEEXT) - $(LINK) $(kx_LDFLAGS) $(kx_OBJECTS) $(kx_LDADD) $(LIBS) -kxd$(EXEEXT): $(kxd_OBJECTS) $(kxd_DEPENDENCIES) - @rm -f kxd$(EXEEXT) - $(LINK) $(kxd_LDFLAGS) $(kxd_OBJECTS) $(kxd_LDADD) $(LIBS) -binSCRIPT_INSTALL = $(INSTALL_SCRIPT) -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f $$d$$p; then \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " $(binSCRIPT_INSTALL) $$d$$p $(DESTDIR)$(bindir)/$$f"; \ - $(binSCRIPT_INSTALL) $$d$$p 
$(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f 
$(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; 
do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS install-binSCRIPTS \ - install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am info \ - info-am install install-am install-binPROGRAMS \ - install-binSCRIPTS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man1 install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - 
mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-binSCRIPTS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \ - uninstall-man1 uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - 
x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -rxterm: rxterm.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@ - chmod +x $@ - -rxtelnet: rxtelnet.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@ - chmod +x $@ - -tenletxr: tenletxr.in - sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@ - chmod +x $@ -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: 
diff --git a/crypto/heimdal/appl/kx/common.c b/crypto/heimdal/appl/kx/common.c
deleted file mode 100644
index 223c6bbe5eac..000000000000
--- a/crypto/heimdal/appl/kx/common.c
+++ /dev/null
@@ -1,812 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kx.h" - -RCSID("$Id: common.c,v 1.66 2002/08/22 16:23:28 joda Exp $"); - -char x_socket[MaxPathLen]; - -u_int32_t display_num; -char display[MaxPathLen]; -int display_size = sizeof(display); -char xauthfile[MaxPathLen]; -int xauthfile_size = sizeof(xauthfile); -u_char cookie[16]; -size_t cookie_len = sizeof(cookie); - -#ifndef X_UNIX_PATH -#define X_UNIX_PATH "/tmp/.X11-unix/X" -#endif - -#ifndef X_PIPE_PATH -#define X_PIPE_PATH "/tmp/.X11-pipe/X" -#endif - -/* - * Allocate a unix domain socket in `s' for display `dpy' and with - * filename `pattern' - * - * 0 if all is OK - * -1 if bind failed badly - * 1 if dpy is already used */ - -static int -try_socket (struct x_socket *s, int dpy, const char *pattern) -{ - struct sockaddr_un addr; - int fd; - - fd = socket (AF_UNIX, SOCK_STREAM, 0); - if (fd < 0) - err (1, "socket AF_UNIX"); - memset (&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - snprintf (addr.sun_path, sizeof(addr.sun_path), pattern, dpy); - if(bind(fd, - (struct sockaddr *)&addr, - sizeof(addr)) < 0) { - close (fd); - if (errno == EADDRINUSE || - errno == EACCES /* Cray return EACCESS */ -#ifdef ENOTUNIQ - || errno == ENOTUNIQ /* bug in Solaris 2.4 */ -#endif - ) - return 1; - else - return -1; - } - s->fd = fd; - s->pathname = strdup (addr.sun_path); - if (s->pathname == NULL) - errx (1, "strdup: out of memory"); - s->flags = UNIX_SOCKET; - return 0; -} - -#ifdef MAY_HAVE_X11_PIPES -/* - * Allocate a stream (masqueraded as a named pipe) - * - * 0 if all is OK - * -1 if bind failed badly - * 1 if dpy is already used - */ - -static int -try_pipe (struct x_socket *s, int dpy, const char *pattern) -{ - char path[MAXPATHLEN]; - int ret; - int fd; - int pipefd[2]; - - snprintf (path, sizeof(path), pattern, dpy); - fd = open (path, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) { - if (errno == EEXIST) - return 1; - else - return -1; - } - - close (fd); - - ret = pipe (pipefd); - if (ret < 0) - err (1, "pipe"); - - ret = ioctl 
(pipefd[1], I_PUSH, "connld"); - if (ret < 0) { - if(errno == ENOSYS) - return -1; - err (1, "ioctl I_PUSH"); - } - - ret = fattach (pipefd[1], path); - if (ret < 0) - err (1, "fattach %s", path); - - s->fd = pipefd[0]; - close (pipefd[1]); - s->pathname = strdup (path); - if (s->pathname == NULL) - errx (1, "strdup: out of memory"); - s->flags = STREAM_PIPE; - return 0; -} -#endif /* MAY_HAVE_X11_PIPES */ - -/* - * Try to create a TCP socket in `s' corresponding to display `dpy'. - * - * 0 if all is OK - * -1 if bind failed badly - * 1 if dpy is already used - */ - -static int -try_tcp (struct x_socket *s, int dpy) -{ - struct sockaddr_in tcpaddr; - struct in_addr local; - int one = 1; - int fd; - - memset(&local, 0, sizeof(local)); - local.s_addr = htonl(INADDR_LOOPBACK); - - fd = socket (AF_INET, SOCK_STREAM, 0); - if (fd < 0) - err (1, "socket AF_INET"); -#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) - setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one, - sizeof(one)); -#endif - memset (&tcpaddr, 0, sizeof(tcpaddr)); - tcpaddr.sin_family = AF_INET; - tcpaddr.sin_addr = local; - tcpaddr.sin_port = htons(6000 + dpy); - if (bind (fd, (struct sockaddr *)&tcpaddr, - sizeof(tcpaddr)) < 0) { - close (fd); - if (errno == EADDRINUSE) - return 1; - else - return -1; - } - s->fd = fd; - s->pathname = NULL; - s->flags = TCP; - return 0; -} - -/* - * The potential places to create unix sockets. - */ - -static char *x_sockets[] = { -X_UNIX_PATH "%u", -"/var/X/.X11-unix/X" "%u", -"/usr/spool/sockets/X11/" "%u", -NULL -}; - -/* - * Dito for stream pipes. - */ - -#ifdef MAY_HAVE_X11_PIPES -static char *x_pipes[] = { -X_PIPE_PATH "%u", -"/var/X/.X11-pipe/X" "%u", -NULL -}; -#endif - -/* - * Create the directory corresponding to dirname of `path' or fail. 
- */ - -static void -try_mkdir (const char *path) -{ - char *dir; - char *p; - int oldmask; - - if((dir = strdup (path)) == NULL) - errx (1, "strdup: out of memory"); - p = strrchr (dir, '/'); - if (p) - *p = '\0'; - - oldmask = umask(0); - mkdir (dir, 01777); - umask (oldmask); - free (dir); -} - -/* - * Allocate a display, returning the number of sockets in `number' and - * all the corresponding sockets in `sockets'. If `tcp_socket' is - * true, also allcoaet a TCP socket. - * - * The return value is the display allocated or -1 if an error occurred. - */ - -int -get_xsockets (int *number, struct x_socket **sockets, int tcp_socket) -{ - int dpy; - struct x_socket *s; - int n; - int i; - - s = malloc (sizeof(*s) * 5); - if (s == NULL) - errx (1, "malloc: out of memory"); - - try_mkdir (X_UNIX_PATH); - try_mkdir (X_PIPE_PATH); - - for(dpy = 4; dpy < 256; ++dpy) { - char **path; - int tmp = 0; - - n = 0; - for (path = x_sockets; *path; ++path) { - tmp = try_socket (&s[n], dpy, *path); - if (tmp == -1) { - if (errno != ENOTDIR && errno != ENOENT) - return -1; - } else if (tmp == 1) { - while(--n >= 0) { - close (s[n].fd); - free (s[n].pathname); - } - break; - } else if (tmp == 0) - ++n; - } - if (tmp == 1) - continue; - -#ifdef MAY_HAVE_X11_PIPES - for (path = x_pipes; *path; ++path) { - tmp = try_pipe (&s[n], dpy, *path); - if (tmp == -1) { - if (errno != ENOTDIR && errno != ENOENT && errno != ENOSYS) - return -1; - } else if (tmp == 1) { - while (--n >= 0) { - close (s[n].fd); - free (s[n].pathname); - } - break; - } else if (tmp == 0) - ++n; - } - - if (tmp == 1) - continue; -#endif - - if (tcp_socket) { - tmp = try_tcp (&s[n], dpy); - if (tmp == -1) - return -1; - else if (tmp == 1) { - while (--n >= 0) { - close (s[n].fd); - free (s[n].pathname); - } - break; - } else if (tmp == 0) - ++n; - } - break; - } - if (dpy == 256) - errx (1, "no free x-servers"); - for (i = 0; i < n; ++i) - if (s[i].flags & LISTENP - && listen (s[i].fd, SOMAXCONN) < 0) - err (1, "listen 
%s", s[i].pathname ? s[i].pathname : "tcp"); - *number = n; - *sockets = s; - return dpy; -} - -/* - * Change owner on the `n' sockets in `sockets' to `uid', `gid'. - * Return 0 is succesful or -1 if an error occurred. - */ - -int -chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid) -{ - int i; - - for (i = 0; i < n; ++i) - if (sockets[i].pathname != NULL) - if (chown (sockets[i].pathname, uid, gid) < 0) - return -1; - return 0; -} - -/* - * Connect to local display `dnr' with local transport or TCP. - * Return a file descriptor. - */ - -int -connect_local_xsocket (unsigned dnr) -{ - int fd; - char **path; - - for (path = x_sockets; *path; ++path) { - struct sockaddr_un addr; - - fd = socket (AF_UNIX, SOCK_STREAM, 0); - if (fd < 0) - break; - memset (&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - snprintf (addr.sun_path, sizeof(addr.sun_path), *path, dnr); - if (connect (fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) - return fd; - close(fd); - } - { - struct sockaddr_in addr; - - fd = socket(AF_INET, SOCK_STREAM, 0); - if (fd < 0) - err (1, "socket AF_INET"); - memset (&addr, 0, sizeof(addr)); - addr.sin_family = AF_INET; - addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); - addr.sin_port = htons(6000 + dnr); - if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) - return fd; - close(fd); - } - err (1, "connecting to local display %u", dnr); -} - -/* - * Create a cookie file with a random cookie for the localhost. The - * file name will be stored in `xauthfile' (but not larger than - * `xauthfile_size'), and the cookie returned in `cookie', `cookie_sz'. - * Return 0 if succesful, or errno. 
- */ - -int -create_and_write_cookie (char *xauthfile, - size_t xauthfile_size, - u_char *cookie, - size_t cookie_sz) -{ - Xauth auth; - char tmp[64]; - int fd; - FILE *f; - char hostname[MaxHostNameLen]; - struct in_addr loopback; - int saved_errno; - - gethostname (hostname, sizeof(hostname)); - loopback.s_addr = htonl(INADDR_LOOPBACK); - - auth.family = FamilyLocal; - auth.address = hostname; - auth.address_length = strlen(auth.address); - snprintf (tmp, sizeof(tmp), "%d", display_num); - auth.number_length = strlen(tmp); - auth.number = tmp; - auth.name = COOKIE_TYPE; - auth.name_length = strlen(auth.name); - auth.data_length = cookie_sz; - auth.data = (char*)cookie; -#ifdef KRB5 - krb5_generate_random_block (cookie, cookie_sz); -#else - krb_generate_random_block (cookie, cookie_sz); -#endif - - strlcpy(xauthfile, "/tmp/AXXXXXX", xauthfile_size); - fd = mkstemp(xauthfile); - if(fd < 0) { - saved_errno = errno; - syslog(LOG_ERR, "create_and_write_cookie: mkstemp: %m"); - return saved_errno; - } - f = fdopen(fd, "r+"); - if(f == NULL){ - saved_errno = errno; - close(fd); - return errno; - } - if(XauWriteAuth(f, &auth) == 0) { - saved_errno = errno; - fclose(f); - return saved_errno; - } - - /* - * I would like to write a cookie for localhost:n here, but some - * stupid code in libX11 will not look for cookies of that type, - * so we are forced to use FamilyWild instead. - */ - - auth.family = FamilyWild; - auth.address_length = 0; - -#if 0 /* XXX */ - auth.address = (char *)&loopback; - auth.address_length = sizeof(loopback); -#endif - - if (XauWriteAuth(f, &auth) == 0) { - saved_errno = errno; - fclose (f); - return saved_errno; - } - - if(fclose(f)) - return errno; - return 0; -} - -/* - * Verify and remove cookies. Read and parse a X-connection from - * `fd'. Check the cookie used is the same as in `cookie'. Remove the - * cookie and copy the rest of it to `sock'. - * Expect cookies iff cookiesp. - * Return 0 iff ok. 
- * - * The protocol is as follows: - * - * C->S: [Bl] 1 - * unused 1 - * protocol major version 2 - * protocol minor version 2 - * length of auth protocol name(n) 2 - * length of auth protocol data 2 - * unused 2 - * authorization protocol name n - * pad pad(n) - * authorization protocol data d - * pad pad(d) - * - * S->C: Failed - * 0 1 - * length of reason 1 - * protocol major version 2 - * protocol minor version 2 - * length in 4 bytes unit of - * additional data (n+p)/4 2 - * reason n - * unused p = pad(n) - */ - -int -verify_and_remove_cookies (int fd, int sock, int cookiesp) -{ - u_char beg[12]; - int bigendianp; - unsigned n, d, npad, dpad; - char *protocol_name, *protocol_data; - u_char zeros[6] = {0, 0, 0, 0, 0, 0}; - u_char refused[20] = {0, 10, - 0, 0, /* protocol major version */ - 0, 0, /* protocol minor version */ - 0, 0, /* length of additional data / 4 */ - 'b', 'a', 'd', ' ', 'c', 'o', 'o', 'k', 'i', 'e', - 0, 0}; - - if (net_read (fd, beg, sizeof(beg)) != sizeof(beg)) - return 1; - if (net_write (sock, beg, 6) != 6) - return 1; - bigendianp = beg[0] == 'B'; - if (bigendianp) { - n = (beg[6] << 8) | beg[7]; - d = (beg[8] << 8) | beg[9]; - } else { - n = (beg[7] << 8) | beg[6]; - d = (beg[9] << 8) | beg[8]; - } - npad = (4 - (n % 4)) % 4; - dpad = (4 - (d % 4)) % 4; - protocol_name = malloc(n + npad); - if (n + npad != 0 && protocol_name == NULL) - return 1; - protocol_data = malloc(d + dpad); - if (d + dpad != 0 && protocol_data == NULL) { - free (protocol_name); - return 1; - } - if (net_read (fd, protocol_name, n + npad) != n + npad) - goto fail; - if (net_read (fd, protocol_data, d + dpad) != d + dpad) - goto fail; - if (cookiesp) { - if (strncmp (protocol_name, COOKIE_TYPE, strlen(COOKIE_TYPE)) != 0) - goto refused; - if (d != cookie_len || - memcmp (protocol_data, cookie, cookie_len) != 0) - goto refused; - } - free (protocol_name); - free (protocol_data); - if (net_write (sock, zeros, 6) != 6) - return 1; - return 0; -refused: - refused[2] = 
beg[2]; - refused[3] = beg[3]; - refused[4] = beg[4]; - refused[5] = beg[5]; - if (bigendianp) - refused[7] = 3; - else - refused[6] = 3; - - net_write (fd, refused, sizeof(refused)); -fail: - free (protocol_name); - free (protocol_data); - return 1; -} - -/* - * Return 0 iff `cookie' is compatible with the cookie for the - * localhost with name given in `ai' (or `hostname') and display - * number in `disp_nr'. - */ - -static int -match_local_auth (Xauth* auth, - struct addrinfo *ai, const char *hostname, int disp_nr) -{ - int auth_disp; - char *tmp_disp; - struct addrinfo *a; - - tmp_disp = malloc(auth->number_length + 1); - if (tmp_disp == NULL) - return -1; - memcpy(tmp_disp, auth->number, auth->number_length); - tmp_disp[auth->number_length] = '\0'; - auth_disp = atoi(tmp_disp); - free (tmp_disp); - if (auth_disp != disp_nr) - return 1; - for (a = ai; a != NULL; a = a->ai_next) { - if ((auth->family == FamilyLocal - || auth->family == FamilyWild) - && a->ai_canonname != NULL - && strncmp (auth->address, - a->ai_canonname, - auth->address_length) == 0) - return 0; - } - if (hostname != NULL - && (auth->family == FamilyLocal - || auth->family == FamilyWild) - && strncmp (auth->address, hostname, auth->address_length) == 0) - return 0; - return 1; -} - -/* - * Find `our' cookie from the cookie file `f' and return it or NULL. 
- */ - -static Xauth* -find_auth_cookie (FILE *f) -{ - Xauth *ret = NULL; - char local_hostname[MaxHostNameLen]; - char *display = getenv("DISPLAY"); - char d[MaxHostNameLen + 4]; - char *colon; - struct addrinfo *ai; - struct addrinfo hints; - int disp; - int error; - - if(display == NULL) - display = ":0"; - strlcpy(d, display, sizeof(d)); - display = d; - colon = strchr (display, ':'); - if (colon == NULL) - disp = 0; - else { - *colon = '\0'; - disp = atoi (colon + 1); - } - if (strcmp (display, "") == 0 - || strncmp (display, "unix", 4) == 0 - || strncmp (display, "localhost", 9) == 0) { - gethostname (local_hostname, sizeof(local_hostname)); - display = local_hostname; - } - memset (&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - error = getaddrinfo (display, NULL, &hints, &ai); - if (error) - ai = NULL; - - for (; (ret = XauReadAuth (f)) != NULL; XauDisposeAuth(ret)) { - if (match_local_auth (ret, ai, display, disp) == 0) { - if (ai != NULL) - freeaddrinfo (ai); - return ret; - } - } - if (ai != NULL) - freeaddrinfo (ai); - return NULL; -} - -/* - * Get rid of the cookie that we were sent and get the correct one - * from our own cookie file instead. 
- */ - -int -replace_cookie(int xserver, int fd, char *filename, int cookiesp) /* XXX */ -{ - u_char beg[12]; - int bigendianp; - unsigned n, d, npad, dpad; - FILE *f; - u_char zeros[6] = {0, 0, 0, 0, 0, 0}; - - if (net_read (fd, beg, sizeof(beg)) != sizeof(beg)) - return 1; - if (net_write (xserver, beg, 6) != 6) - return 1; - bigendianp = beg[0] == 'B'; - if (bigendianp) { - n = (beg[6] << 8) | beg[7]; - d = (beg[8] << 8) | beg[9]; - } else { - n = (beg[7] << 8) | beg[6]; - d = (beg[9] << 8) | beg[8]; - } - if (n != 0 || d != 0) - return 1; - f = fopen(filename, "r"); - if (f != NULL) { - Xauth *auth = find_auth_cookie (f); - u_char len[6] = {0, 0, 0, 0, 0, 0}; - - fclose (f); - - if (auth != NULL) { - n = auth->name_length; - d = auth->data_length; - } else { - n = 0; - d = 0; - } - if (bigendianp) { - len[0] = n >> 8; - len[1] = n & 0xFF; - len[2] = d >> 8; - len[3] = d & 0xFF; - } else { - len[0] = n & 0xFF; - len[1] = n >> 8; - len[2] = d & 0xFF; - len[3] = d >> 8; - } - if (net_write (xserver, len, 6) != 6) { - XauDisposeAuth(auth); - return 1; - } - if(n != 0 && net_write (xserver, auth->name, n) != n) { - XauDisposeAuth(auth); - return 1; - } - npad = (4 - (n % 4)) % 4; - if (npad && net_write (xserver, zeros, npad) != npad) { - XauDisposeAuth(auth); - return 1; - } - if (d != 0 && net_write (xserver, auth->data, d) != d) { - XauDisposeAuth(auth); - return 1; - } - XauDisposeAuth(auth); - dpad = (4 - (d % 4)) % 4; - if (dpad && net_write (xserver, zeros, dpad) != dpad) - return 1; - } else { - if(net_write(xserver, zeros, 6) != 6) - return 1; - } - return 0; -} - -/* - * Some simple controls on the address and corresponding socket - */ - -int -suspicious_address (int sock, struct sockaddr_in addr) -{ - char data[40]; - socklen_t len = sizeof(data); - - return addr.sin_addr.s_addr != htonl(INADDR_LOOPBACK) -#if defined(IP_OPTIONS) && defined(HAVE_GETSOCKOPT) - || getsockopt (sock, IPPROTO_IP, IP_OPTIONS, data, &len) < 0 - || len != 0 -#endif - ; -} - -/* - 
* This really sucks, but these functions are used and if we're not - * linking against libkrb they don't exist. Using the heimdal storage - * functions will not work either cause we do not always link with - * libkrb5 either. - */ - -#ifndef KRB4 - -int -krb_get_int(void *f, u_int32_t *to, int size, int lsb) -{ - int i; - unsigned char *from = (unsigned char *)f; - - *to = 0; - if(lsb){ - for(i = size-1; i >= 0; i--) - *to = (*to << 8) | from[i]; - }else{ - for(i = 0; i < size; i++) - *to = (*to << 8) | from[i]; - } - return size; -} - -int -krb_put_int(u_int32_t from, void *to, size_t rem, int size) -{ - int i; - unsigned char *p = (unsigned char *)to; - - if (rem < size) - return -1; - - for(i = size - 1; i >= 0; i--){ - p[i] = from & 0xff; - from >>= 8; - } - return size; -} - -#endif /* !KRB4 */ diff --git a/crypto/heimdal/appl/kx/context.c b/crypto/heimdal/appl/kx/context.c deleted file mode 100644 index bbc8da95e875..000000000000 --- a/crypto/heimdal/appl/kx/context.c +++ /dev/null 
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kx.h"
-
-RCSID("$Id: context.c,v 1.4 1999/12/02 16:58:32 joda Exp $");
-
-/*
- * Set the common part of the context `kc'
- */
-
-void
-context_set (kx_context *kc, const char *host, const char *user, int port,
- int debug_flag, int keepalive_flag, int tcp_flag)
-{
- kc->host = host;
- kc->user = user;
- kc->port = port;
- kc->debug_flag = debug_flag;
- kc->keepalive_flag = keepalive_flag;
- kc->tcp_flag = tcp_flag;
-}
-
-/*
- * dispatch functions
- */
-
-void
-context_destroy (kx_context *kc)
-{
- (*kc->destroy)(kc);
-}
-
-int
-context_authenticate (kx_context *kc, int s)
-{
- return (*kc->authenticate)(kc, s);
-}
-
-int
-context_userok (kx_context *kc, char *user)
-{
- return (*kc->userok)(kc, user);
-}
-
-ssize_t
-kx_read (kx_context *kc, int fd, void *buf, size_t len)
-{
- return (*kc->read)(kc, fd, buf, len);
-}
-
-ssize_t
-kx_write (kx_context *kc, int fd, const void *buf, size_t len)
-{
- return (*kc->write)(kc, fd, buf, len);
-}
-
-int
-copy_encrypted (kx_context *kc, int fd1, int fd2)
-{
- return (*kc->copy_encrypted)(kc, fd1, fd2);
-}
diff --git a/crypto/heimdal/appl/kx/krb4.c b/crypto/heimdal/appl/kx/krb4.c
deleted file mode 100644
index 07852c99b235..000000000000
--- a/crypto/heimdal/appl/kx/krb4.c
+++ /dev/null
@@ -1,361 +0,0 @@ -/* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kx.h" - -RCSID("$Id: krb4.c,v 1.8 2000/10/08 13:19:22 assar Exp $"); - -#ifdef KRB4 - -struct krb4_kx_context { - des_cblock key; - des_key_schedule schedule; - AUTH_DAT auth; -}; - -typedef struct krb4_kx_context krb4_kx_context; - -/* - * Destroy the krb4 context in `c'. 
- */ - -static void -krb4_destroy (kx_context *c) -{ - memset (c->data, 0, sizeof(krb4_kx_context)); - free (c->data); -} - -/* - * Read the authentication information from `s' and return 0 if - * succesful, else -1. - */ - -static int -krb4_authenticate (kx_context *kc, int s) -{ - CREDENTIALS cred; - KTEXT_ST text; - MSG_DAT msg; - int status; - krb4_kx_context *c = (krb4_kx_context *)kc->data; - const char *host = kc->host; - -#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM - if (krb_get_config_bool("nat_in_use")) { - struct in_addr natAddr; - - if (krb_get_our_ip_for_realm(krb_realmofhost(kc->host), - &natAddr) == KSUCCESS - || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS) - kc->thisaddr.sin_addr = natAddr; - } -#endif - - status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd", - (char *)host, krb_realmofhost (host), - getpid(), &msg, &cred, c->schedule, - &kc->thisaddr, &kc->thataddr, KX_VERSION); - if (status != KSUCCESS) { - warnx ("%s: %s\n", host, krb_get_err_text(status)); - return -1; - } - memcpy (c->key, cred.session, sizeof(des_cblock)); - return 0; -} - -/* - * Read a krb4 priv packet from `fd' into `buf' (of size `len'). - * Return the number of bytes read or 0 on EOF or -1 on error. 
- */ - -static ssize_t -krb4_read (kx_context *kc, - int fd, void *buf, size_t len) -{ - unsigned char tmp[4]; - ssize_t ret; - size_t l; - int status; - krb4_kx_context *c = (krb4_kx_context *)kc->data; - MSG_DAT msg; - - ret = krb_net_read (fd, tmp, 4); - if (ret == 0) - return ret; - if (ret != 4) - return -1; - l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; - if (l > len) - return -1; - if (krb_net_read (fd, buf, l) != l) - return -1; - status = krb_rd_priv (buf, l, c->schedule, &c->key, - &kc->thataddr, &kc->thisaddr, &msg); - if (status != RD_AP_OK) { - warnx ("krb4_read: %s", krb_get_err_text(status)); - return -1; - } - memmove (buf, msg.app_data, msg.app_length); - return msg.app_length; -} - -/* - * Write a krb4 priv packet on `fd' with the data in `buf, len'. - * Return len or -1 on error - */ - -static ssize_t -krb4_write(kx_context *kc, - int fd, const void *buf, size_t len) -{ - void *outbuf; - krb4_kx_context *c = (krb4_kx_context *)kc->data; - int outlen; - unsigned char tmp[4]; - - outbuf = malloc (len + 30); - if (outbuf == NULL) - return -1; - outlen = krb_mk_priv ((void *)buf, outbuf, len, c->schedule, &c->key, - &kc->thisaddr, &kc->thataddr); - if (outlen < 0) { - free (outbuf); - return -1; - } - tmp[0] = (outlen >> 24) & 0xFF; - tmp[1] = (outlen >> 16) & 0xFF; - tmp[2] = (outlen >> 8) & 0xFF; - tmp[3] = (outlen >> 0) & 0xFF; - - if (krb_net_write (fd, tmp, 4) != 4 || - krb_net_write (fd, outbuf, outlen) != outlen) { - free (outbuf); - return -1; - } - free (outbuf); - return len; -} - -/* - * Copy data from `fd1' to `fd2', {en,de}crypting with cfb64 - * with `mode' and state stored in `iv', `schedule', and `num'. 
- * Return -1 if error, 0 if eof, else 1 - */ - -static int -do_enccopy (int fd1, int fd2, int mode, des_cblock *iv, - des_key_schedule schedule, int *num) -{ - int ret; - u_char buf[BUFSIZ]; - - ret = read (fd1, buf, sizeof(buf)); - if (ret == 0) - return 0; - if (ret < 0) { - warn ("read"); - return ret; - } -#ifndef NOENCRYPTION - des_cfb64_encrypt (buf, buf, ret, schedule, iv, - num, mode); -#endif - ret = krb_net_write (fd2, buf, ret); - if (ret < 0) { - warn ("write"); - return ret; - } - return 1; -} - -/* - * Copy data between fd1 and fd2, encrypting one way and decrypting - * the other. - */ - -static int -krb4_copy_encrypted (kx_context *kc, - int fd1, int fd2) -{ - krb4_kx_context *c = (krb4_kx_context *)kc->data; - des_cblock iv1, iv2; - int num1 = 0, num2 = 0; - - memcpy (iv1, c->key, sizeof(iv1)); - memcpy (iv2, c->key, sizeof(iv2)); - for (;;) { - fd_set fdset; - int ret; - - if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) { - warnx ("fd too large"); - return 1; - } - - FD_ZERO(&fdset); - FD_SET(fd1, &fdset); - FD_SET(fd2, &fdset); - - ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL); - if (ret < 0 && errno != EINTR) { - warn ("select"); - return 1; - } - if (FD_ISSET(fd1, &fdset)) { - ret = do_enccopy (fd1, fd2, DES_ENCRYPT, &iv1, c->schedule, &num1); - if (ret <= 0) - return ret; - } - if (FD_ISSET(fd2, &fdset)) { - ret = do_enccopy (fd2, fd1, DES_DECRYPT, &iv2, c->schedule, &num2); - if (ret <= 0) - return ret; - } - } -} - -/* - * Return 0 if the user authenticated on `kc' is allowed to login as - * `user'. - */ - -static int -krb4_userok (kx_context *kc, char *user) -{ - krb4_kx_context *c = (krb4_kx_context *)kc->data; - char *tmp; - - tmp = krb_unparse_name_long (c->auth.pname, - c->auth.pinst, - c->auth.prealm); - kc->user = strdup (tmp); - if (kc->user == NULL) - err (1, "malloc"); - - - return kuserok (&c->auth, user); -} - -/* - * Create an instance of an krb4 context. 
- */ - -void -krb4_make_context (kx_context *kc) -{ - kc->authenticate = krb4_authenticate; - kc->userok = krb4_userok; - kc->read = krb4_read; - kc->write = krb4_write; - kc->copy_encrypted = krb4_copy_encrypted; - kc->destroy = krb4_destroy; - kc->user = NULL; - kc->data = malloc(sizeof(krb4_kx_context)); - - if (kc->data == NULL) - err (1, "malloc"); -} - -/* - * Receive authentication information on `sock' (first four bytes - * in `buf'). - */ - -int -recv_v4_auth (kx_context *kc, int sock, u_char *buf) -{ - int status; - KTEXT_ST ticket; - char instance[INST_SZ + 1]; - char version[KRB_SENDAUTH_VLEN + 1]; - krb4_kx_context *c; - AUTH_DAT auth; - des_key_schedule schedule; - - if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0) - return -1; - if (net_read (sock, buf + 4, KRB_SENDAUTH_VLEN - 4) != - KRB_SENDAUTH_VLEN - 4) { - syslog (LOG_ERR, "read: %m"); - exit (1); - } - if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) { - syslog (LOG_ERR, "unrecognized auth protocol: %.8s", buf); - exit (1); - } - - k_getsockinst (sock, instance, sizeof(instance)); - status = krb_recvauth (KOPT_IGNORE_PROTOCOL | KOPT_DO_MUTUAL, - sock, - &ticket, - "rcmd", - instance, - &kc->thataddr, - &kc->thisaddr, - &auth, - "", - schedule, - version); - if (status != KSUCCESS) { - syslog (LOG_ERR, "krb_recvauth: %s", krb_get_err_text(status)); - exit (1); - } - if (strncmp (version, KX_VERSION, KRB_SENDAUTH_VLEN) != 0) { - /* Try to be nice to old kx's */ - if (strncmp (version, KX_OLD_VERSION, KRB_SENDAUTH_VLEN) == 0) { - char *old_errmsg = "\001Old version of kx. 
Please upgrade."; - char user[64]; - - syslog (LOG_ERR, "Old version client (%s)", version); - - krb_net_read (sock, user, sizeof(user)); - krb_net_write (sock, old_errmsg, strlen(old_errmsg) + 1); - exit (1); - } else { - syslog (LOG_ERR, "bad version: %s", version); - exit (1); - } - } - - krb4_make_context (kc); - c = (krb4_kx_context *)kc->data; - - c->auth = auth; - memcpy (c->key, &auth.session, sizeof(des_cblock)); - memcpy (c->schedule, schedule, sizeof(schedule)); - - return 0; -} - -#endif /* KRB4 */ diff --git a/crypto/heimdal/appl/kx/krb5.c b/crypto/heimdal/appl/kx/krb5.c deleted file mode 100644 index 509bcb27cbf3..000000000000 --- a/crypto/heimdal/appl/kx/krb5.c +++ /dev/null 
@@ -1,419 +0,0 @@ -/* - * Copyright (c) 1995 - 2000, 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kx.h" - -RCSID("$Id: krb5.c,v 1.9 2002/05/24 15:13:52 joda Exp $"); - -#ifdef KRB5 - -struct krb5_kx_context { - krb5_context context; - krb5_keyblock *keyblock; - krb5_crypto crypto; - krb5_principal client; -}; - -typedef struct krb5_kx_context krb5_kx_context; - -/* - * Destroy the krb5 context in `c'. - */ - -static void -krb5_destroy (kx_context *c) -{ - krb5_kx_context *kc = (krb5_kx_context *)c->data; - - if (kc->keyblock) - krb5_free_keyblock (kc->context, kc->keyblock); - if (kc->crypto) - krb5_crypto_destroy (kc->context, kc->crypto); - if (kc->client) - krb5_free_principal (kc->context, kc->client); - if (kc->context) - krb5_free_context (kc->context); - free (kc); -} - -/* - * Read the authentication information from `s' and return 0 if - * succesful, else -1. - */ - -static int -krb5_authenticate (kx_context *kc, int s) -{ - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; - krb5_auth_context auth_context = NULL; - krb5_error_code ret; - krb5_principal server; - const char *host = kc->host; - - ret = krb5_sname_to_principal (context, - host, "host", KRB5_NT_SRV_HST, &server); - if (ret) { - krb5_warn (context, ret, "krb5_sname_to_principal: %s", host); - return 1; - } - - ret = krb5_sendauth (context, - &auth_context, - &s, - KX_VERSION, - NULL, - server, - AP_OPTS_MUTUAL_REQUIRED, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL); - if (ret) { - if(ret != KRB5_SENDAUTH_BADRESPONSE) - krb5_warn (context, ret, "krb5_sendauth: %s", host); - return 1; - } - - ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock); - if (ret) { - krb5_warn (context, ret, "krb5_auth_con_getkey: %s", host); - krb5_auth_con_free (context, auth_context); - return 1; - } - - ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto); - if (ret) { - krb5_warn (context, ret, "krb5_crypto_init"); - krb5_auth_con_free (context, auth_context); - return 1; - } - return 0; -} - -/* - * Read an encapsulated krb5 packet 
from `fd' into `buf' (of size - * `len'). Return the number of bytes read or 0 on EOF or -1 on - * error. - */ - -static ssize_t -krb5_read (kx_context *kc, - int fd, void *buf, size_t len) -{ - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; - size_t data_len, outer_len; - krb5_error_code ret; - unsigned char tmp[4]; - krb5_data data; - int l; - - l = krb5_net_read (context, &fd, tmp, 4); - if (l == 0) - return l; - if (l != 4) - return -1; - data_len = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; - outer_len = krb5_get_wrapped_length (context, c->crypto, data_len); - if (outer_len > len) - return -1; - if (krb5_net_read (context, &fd, buf, outer_len) != outer_len) - return -1; - - ret = krb5_decrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED, - buf, outer_len, &data); - if (ret) { - krb5_warn (context, ret, "krb5_decrypt"); - return -1; - } - if (data_len > data.length) { - krb5_data_free (&data); - return -1; - } - memmove (buf, data.data, data_len); - krb5_data_free (&data); - return data_len; -} - -/* - * Write an encapsulated krb5 packet on `fd' with the data in `buf, - * len'. Return len or -1 on error. 
- */ - -static ssize_t -krb5_write(kx_context *kc, - int fd, const void *buf, size_t len) -{ - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; - krb5_data data; - krb5_error_code ret; - unsigned char tmp[4]; - size_t outlen; - - ret = krb5_encrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED, - (void *)buf, len, &data); - if (ret){ - krb5_warn (context, ret, "krb5_write"); - return -1; - } - - outlen = data.length; - tmp[0] = (len >> 24) & 0xFF; - tmp[1] = (len >> 16) & 0xFF; - tmp[2] = (len >> 8) & 0xFF; - tmp[3] = (len >> 0) & 0xFF; - - if (krb5_net_write (context, &fd, tmp, 4) != 4 || - krb5_net_write (context, &fd, data.data, outlen) != outlen) { - krb5_data_free (&data); - return -1; - } - krb5_data_free (&data); - return len; -} - -/* - * Copy from the unix socket `from_fd' encrypting to `to_fd'. - * Return 0, -1 or len. - */ - -static int -copy_out (kx_context *kc, int from_fd, int to_fd) -{ - char buf[32768]; - ssize_t len; - - len = read (from_fd, buf, sizeof(buf)); - if (len == 0) - return 0; - if (len < 0) { - warn ("read"); - return len; - } - return krb5_write (kc, to_fd, buf, len); -} - -/* - * Copy from the socket `from_fd' decrypting to `to_fd'. - * Return 0, -1 or len. - */ - -static int -copy_in (kx_context *kc, int from_fd, int to_fd) -{ - krb5_kx_context *c = (krb5_kx_context *)kc->data; - char buf[33000]; /* XXX */ - - ssize_t len; - - len = krb5_read (kc, from_fd, buf, sizeof(buf)); - if (len == 0) - return 0; - if (len < 0) { - warn ("krb5_read"); - return len; - } - - return krb5_net_write (c->context, &to_fd, buf, len); -} - -/* - * Copy data between `fd1' and `fd2', encrypting in one direction and - * decrypting in the other. 
- */ - -static int -krb5_copy_encrypted (kx_context *kc, int fd1, int fd2) -{ - for (;;) { - fd_set fdset; - int ret; - - if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) { - warnx ("fd too large"); - return 1; - } - - FD_ZERO(&fdset); - FD_SET(fd1, &fdset); - FD_SET(fd2, &fdset); - - ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL); - if (ret < 0 && errno != EINTR) { - warn ("select"); - return 1; - } - if (FD_ISSET(fd1, &fdset)) { - ret = copy_out (kc, fd1, fd2); - if (ret <= 0) - return ret; - } - if (FD_ISSET(fd2, &fdset)) { - ret = copy_in (kc, fd2, fd1); - if (ret <= 0) - return ret; - } - } -} - -/* - * Return 0 if the user authenticated on `kc' is allowed to login as - * `user'. - */ - -static int -krb5_userok (kx_context *kc, char *user) -{ - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; - krb5_error_code ret; - char *tmp; - - ret = krb5_unparse_name (context, c->client, &tmp); - if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); - kc->user = tmp; - - return !krb5_kuserok (context, c->client, user); -} - -/* - * Create an instance of an krb5 context. - */ - -void -krb5_make_context (kx_context *kc) -{ - krb5_kx_context *c; - krb5_error_code ret; - - kc->authenticate = krb5_authenticate; - kc->userok = krb5_userok; - kc->read = krb5_read; - kc->write = krb5_write; - kc->copy_encrypted = krb5_copy_encrypted; - kc->destroy = krb5_destroy; - kc->user = NULL; - kc->data = malloc(sizeof(krb5_kx_context)); - - if (kc->data == NULL) - err (1, "malloc"); - memset (kc->data, 0, sizeof(krb5_kx_context)); - c = (krb5_kx_context *)kc->data; - ret = krb5_init_context (&c->context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); -} - -/* - * Receive authentication information on `sock' (first four bytes - * in `buf'). 
- */ - -int -recv_v5_auth (kx_context *kc, int sock, u_char *buf) -{ - u_int32_t len; - krb5_error_code ret; - krb5_kx_context *c; - krb5_context context; - krb5_principal server; - krb5_auth_context auth_context = NULL; - krb5_ticket *ticket; - - if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0) - return 1; - len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]); - if (net_read(sock, buf, len) != len) { - syslog (LOG_ERR, "read: %m"); - exit (1); - } - if (len != sizeof(KRB5_SENDAUTH_VERSION) - || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) { - syslog (LOG_ERR, "bad sendauth version: %.8s", buf); - exit (1); - } - - krb5_make_context (kc); - c = (krb5_kx_context *)kc->data; - context = c->context; - - ret = krb5_sock_to_principal (context, sock, "host", - KRB5_NT_SRV_HST, &server); - if (ret) { - syslog (LOG_ERR, "krb5_sock_to_principal: %s", - krb5_get_err_text (context, ret)); - exit (1); - } - - ret = krb5_recvauth (context, - &auth_context, - &sock, - KX_VERSION, - server, - KRB5_RECVAUTH_IGNORE_VERSION, - NULL, - &ticket); - krb5_free_principal (context, server); - if (ret) { - syslog (LOG_ERR, "krb5_sock_to_principal: %s", - krb5_get_err_text (context, ret)); - exit (1); - } - - ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock); - if (ret) { - syslog (LOG_ERR, "krb5_auth_con_getkey: %s", - krb5_get_err_text (context, ret)); - exit (1); - } - - ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto); - if (ret) { - syslog (LOG_ERR, "krb5_crypto_init: %s", - krb5_get_err_text (context, ret)); - exit (1); - } - - c->client = ticket->client; - ticket->client = NULL; - krb5_free_ticket (context, ticket); - - return 0; -} - -#endif /* KRB5 */ diff --git a/crypto/heimdal/appl/kx/kx.1 b/crypto/heimdal/appl/kx/kx.1 deleted file mode 100644 index fe621d8267e0..000000000000 --- a/crypto/heimdal/appl/kx/kx.1 +++ /dev/null 
@@ -1,62 +0,0 @@
-.\" $Id: kx.1,v 1.7 1997/09/01 15:59:07 assar Exp $
-.\"
-.Dd September 27, 1996
-.Dt KX 1
-.Os KTH-KRB
-.Sh NAME
-.Nm kx
-.Nd
-securely forward X conections
-.Sh SYNOPSIS
-.Ar kx
-.Op Fl l Ar username
-.Op Fl k
-.Op Fl d
-.Op Fl t
-.Op Fl p Ar port
-.Op Fl P
-.Ar host
-.Sh DESCRIPTION
-The
-.Nm
-program forwards a X connection from a remote client to a local screen
-through an authenticated and encrypted stream. Options supported by
-.Nm kx :
-.Bl -tag -width Ds
-.It Fl l
-Log in on remote the host as user
-.Ar username .
-.It Fl k
-Do not enable keep-alives on the TCP connections.
-.It Fl d
-Do not fork. This is mainly useful for debugging.
-.It Fl t
-Listen not only on a UNIX-domain socket but on a TCP socket as well.
-.It Fl p
-Use the port
-.Ar port .
-.It Fl P
-Force passive mode.
-.El
-.Pp
-This program is used by
-.Nm rxtelnet
-and
-.Nm rxterm
-and you should not need to run it directly.
-.Pp
-It connects to a
-.Nm kxd
-on the host
-.Ar host
-and then will relay the traffic from the remote X clients to the local
-server. When started, it prints the display and Xauthority-file to be
-used on host
-.Ar host
-and then goes to the background, waiting for connections from the
-remote
-.Nm kxd.
-.Sh SEE ALSO
-.Xr rxtelnet 1 ,
-.Xr rxterm 1 ,
-.Xr kxd 8
diff --git a/crypto/heimdal/appl/kx/kx.c b/crypto/heimdal/appl/kx/kx.c
deleted file mode 100644
index 63e159507a11..000000000000
--- a/crypto/heimdal/appl/kx/kx.c
+++ /dev/null
@@ -1,765 +0,0 @@ -/* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kx.h" - -RCSID("$Id: kx.c,v 1.68 2001/02/20 01:44:45 assar Exp $"); - -static int nchild; -static int donep; - -/* - * Signal handler that justs waits for the children when they die. 
- */ - -static RETSIGTYPE -childhandler (int sig) -{ - pid_t pid; - int status; - - do { - pid = waitpid (-1, &status, WNOHANG|WUNTRACED); - if (pid > 0 && (WIFEXITED(status) || WIFSIGNALED(status))) - if (--nchild == 0 && donep) - exit (0); - } while(pid > 0); - signal (SIGCHLD, childhandler); - SIGRETURN(0); -} - -/* - * Handler for SIGUSR1. - * This signal means that we should wait until there are no children - * left and then exit. - */ - -static RETSIGTYPE -usr1handler (int sig) -{ - donep = 1; - - SIGRETURN(0); -} - -/* - * Almost the same as for SIGUSR1, except we should exit immediately - * if there are no active children. - */ - -static RETSIGTYPE -usr2handler (int sig) -{ - donep = 1; - if (nchild == 0) - exit (0); - - SIGRETURN(0); -} - -/* - * Establish authenticated connection. Return socket or -1. - */ - -static int -connect_host (kx_context *kc) -{ - struct addrinfo *ai, *a; - struct addrinfo hints; - int error; - char portstr[NI_MAXSERV]; - socklen_t addrlen; - int s; - struct sockaddr_storage thisaddr_ss; - struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - snprintf (portstr, sizeof(portstr), "%u", ntohs(kc->port)); - - error = getaddrinfo (kc->host, portstr, &hints, &ai); - if (error) { - warnx ("%s: %s", kc->host, gai_strerror(error)); - return -1; - } - - for (a = ai; a != NULL; a = a->ai_next) { - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - warn ("connect(%s)", kc->host); - close (s); - continue; - } - break; - } - - if (a == NULL) { - freeaddrinfo (ai); - return -1; - } - - addrlen = a->ai_addrlen; - if (getsockname (s, thisaddr, &addrlen) < 0 || - addrlen != a->ai_addrlen) - err(1, "getsockname(%s)", kc->host); - memcpy (&kc->thisaddr, thisaddr, sizeof(kc->thisaddr)); - memcpy (&kc->thataddr, a->ai_addr, sizeof(kc->thataddr)); - 
freeaddrinfo (ai); - if ((*kc->authenticate)(kc, s)) - return -1; - return s; -} - -/* - * Get rid of the cookie that we were sent and get the correct one - * from our own cookie file instead and then just copy data in both - * directions. - */ - -static int -passive_session (int xserver, int fd, kx_context *kc) -{ - if (replace_cookie (xserver, fd, XauFileName(), 1)) - return 1; - else - return copy_encrypted (kc, xserver, fd); -} - -static int -active_session (int xserver, int fd, kx_context *kc) -{ - if (verify_and_remove_cookies (xserver, fd, 1)) - return 1; - else - return copy_encrypted (kc, xserver, fd); -} - -/* - * fork (unless debugp) and print the output that will be used by the - * script to capture the display, xauth cookie and pid. - */ - -static void -status_output (int debugp) -{ - if(debugp) - printf ("%u\t%s\t%s\n", (unsigned)getpid(), display, xauthfile); - else { - pid_t pid; - - pid = fork(); - if (pid < 0) { - err(1, "fork"); - } else if (pid > 0) { - printf ("%u\t%s\t%s\n", (unsigned)pid, display, xauthfile); - exit (0); - } else { - fclose(stdout); - } - } -} - -/* - * Obtain an authenticated connection on `kc'. Send a kx message - * saying we are `kc->user' and want to use passive mode. Wait for - * answer on that connection and fork of a child for every new - * connection we have to make. - */ - -static int -doit_passive (kx_context *kc) -{ - int otherside; - u_char msg[1024], *p; - int len; - u_int32_t tmp; - const char *host = kc->host; - - otherside = connect_host (kc); - - if (otherside < 0) - return 1; -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - - p = msg; - *p++ = INIT; - len = strlen(kc->user); - p += KRB_PUT_INT (len, p, sizeof(msg) - 1, 4); - memcpy(p, kc->user, len); - p += len; - *p++ = PASSIVE | (kc->keepalive_flag ? 
KEEP_ALIVE : 0); - if (kx_write (kc, otherside, msg, p - msg) != p - msg) - err (1, "write to %s", host); - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len <= 0) - errx (1, - "error reading initial message from %s: " - "this probably means it's using an old version.", - host); - p = (u_char *)msg; - if (*p == ERROR) { - p++; - p += krb_get_int (p, &tmp, 4, 0); - errx (1, "%s: %.*s", host, (int)tmp, p); - } else if (*p != ACK) { - errx (1, "%s: strange msg %d", host, *p); - } else - p++; - p += krb_get_int (p, &tmp, 4, 0); - memcpy(display, p, tmp); - display[tmp] = '\0'; - p += tmp; - - p += krb_get_int (p, &tmp, 4, 0); - memcpy(xauthfile, p, tmp); - xauthfile[tmp] = '\0'; - p += tmp; - - status_output (kc->debug_flag); - for (;;) { - pid_t child; - - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len < 0) - err (1, "read from %s", host); - else if (len == 0) - return 0; - - p = (u_char *)msg; - if (*p == ERROR) { - p++; - p += krb_get_int (p, &tmp, 4, 0); - errx (1, "%s: %.*s", host, (int)tmp, p); - } else if(*p != NEW_CONN) { - errx (1, "%s: strange msg %d", host, *p); - } else { - p++; - p += krb_get_int (p, &tmp, 4, 0); - } - - ++nchild; - child = fork (); - if (child < 0) { - warn("fork"); - continue; - } else if (child == 0) { - struct sockaddr_in addr; - int fd; - int xserver; - - addr = kc->thataddr; - close (otherside); - - addr.sin_port = htons(tmp); - fd = socket (AF_INET, SOCK_STREAM, 0); - if (fd < 0) - err(1, "socket"); -#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) - { - int one = 1; - - setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one, - sizeof(one)); - } -#endif -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - - if (connect (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) - err(1, "connect(%s)", host); - { - int d = 0; - char *s; - - s = getenv ("DISPLAY"); - if (s != NULL) { - s 
= strchr (s, ':'); - if (s != NULL) - d = atoi (s + 1); - } - - xserver = connect_local_xsocket (d); - if (xserver < 0) - return 1; - } - return passive_session (xserver, fd, kc); - } else { - } - } -} - -/* - * Allocate a local pseudo-xserver and wait for connections - */ - -static int -doit_active (kx_context *kc) -{ - int otherside; - int nsockets; - struct x_socket *sockets; - u_char msg[1024], *p; - int len = strlen(kc->user); - int tmp, tmp2; - char *s; - int i; - size_t rem; - u_int32_t other_port; - int error; - const char *host = kc->host; - - otherside = connect_host (kc); - if (otherside < 0) - return 1; -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - p = msg; - rem = sizeof(msg); - *p++ = INIT; - --rem; - len = strlen(kc->user); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0) - return 1; - p += tmp; - rem -= tmp; - memcpy(p, kc->user, len); - p += len; - rem -= len; - *p++ = (kc->keepalive_flag ? 
KEEP_ALIVE : 0); - --rem; - - s = getenv("DISPLAY"); - if (s == NULL || (s = strchr(s, ':')) == NULL) - s = ":0"; - len = strlen (s); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0) - return 1; - rem -= tmp; - p += tmp; - memcpy (p, s, len); - p += len; - rem -= len; - - s = getenv("XAUTHORITY"); - if (s == NULL) - s = ""; - len = strlen (s); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0) - return 1; - p += len; - rem -= len; - memcpy (p, s, len); - p += len; - rem -= len; - - if (kx_write (kc, otherside, msg, p - msg) != p - msg) - err (1, "write to %s", host); - - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len < 0) - err (1, "read from %s", host); - p = (u_char *)msg; - if (*p == ERROR) { - u_int32_t u32; - - p++; - p += krb_get_int (p, &u32, 4, 0); - errx (1, "%s: %.*s", host, (int)u32, p); - } else if (*p != ACK) { - errx (1, "%s: strange msg %d", host, *p); - } else - p++; - - tmp2 = get_xsockets (&nsockets, &sockets, kc->tcp_flag); - if (tmp2 < 0) - return 1; - display_num = tmp2; - if (kc->tcp_flag) - snprintf (display, display_size, "localhost:%u", display_num); - else - snprintf (display, display_size, ":%u", display_num); - error = create_and_write_cookie (xauthfile, xauthfile_size, - cookie, cookie_len); - if (error) { - warnx ("failed creating cookie file: %s", strerror(error)); - return 1; - } - status_output (kc->debug_flag); - for (;;) { - fd_set fdset; - pid_t child; - int fd, thisfd = -1; - socklen_t zero = 0; - - FD_ZERO(&fdset); - for (i = 0; i < nsockets; ++i) { - if (sockets[i].fd >= FD_SETSIZE) - errx (1, "fd too large"); - FD_SET(sockets[i].fd, &fdset); - } - if (select(FD_SETSIZE, &fdset, NULL, NULL, NULL) <= 0) - continue; - for (i = 0; i < nsockets; ++i) - if (FD_ISSET(sockets[i].fd, &fdset)) { - thisfd = sockets[i].fd; - break; - } - fd = accept (thisfd, NULL, &zero); - if (fd < 0) { - if (errno == EINTR) - continue; - else - err(1, "accept"); - } - - p = msg; - *p++ = NEW_CONN; - if (kx_write (kc, otherside, msg, p 
- msg) != p - msg) - err (1, "write to %s", host); - len = kx_read (kc, otherside, msg, sizeof(msg)); - if (len < 0) - err (1, "read from %s", host); - p = (u_char *)msg; - if (*p == ERROR) { - u_int32_t val; - - p++; - p += krb_get_int (p, &val, 4, 0); - errx (1, "%s: %.*s", host, (int)val, p); - } else if (*p != NEW_CONN) { - errx (1, "%s: strange msg %d", host, *p); - } else { - p++; - p += krb_get_int (p, &other_port, 4, 0); - } - - ++nchild; - child = fork (); - if (child < 0) { - warn("fork"); - continue; - } else if (child == 0) { - int s; - struct sockaddr_in addr; - - for (i = 0; i < nsockets; ++i) - close (sockets[i].fd); - - addr = kc->thataddr; - close (otherside); - - addr.sin_port = htons(other_port); - s = socket (AF_INET, SOCK_STREAM, 0); - if (s < 0) - err(1, "socket"); -#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) - { - int one = 1; - - setsockopt (s, IPPROTO_TCP, TCP_NODELAY, (void *)&one, - sizeof(one)); - } -#endif -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (kc->keepalive_flag) { - int one = 1; - - setsockopt (s, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - - if (connect (s, (struct sockaddr *)&addr, sizeof(addr)) < 0) - err(1, "connect"); - - return active_session (fd, s, kc); - } else { - close (fd); - } - } -} - -/* - * Should we interpret `disp' as this being a passive call? - */ - -static int -check_for_passive (const char *disp) -{ - char local_hostname[MaxHostNameLen]; - - gethostname (local_hostname, sizeof(local_hostname)); - - return disp != NULL && - (*disp == ':' - || strncmp(disp, "unix", 4) == 0 - || strncmp(disp, "localhost", 9) == 0 - || strncmp(disp, local_hostname, strlen(local_hostname)) == 0); -} - -/* - * Set up signal handlers and then call the functions. 
- */ - -static int -doit (kx_context *kc, int passive_flag) -{ - signal (SIGCHLD, childhandler); - signal (SIGUSR1, usr1handler); - signal (SIGUSR2, usr2handler); - if (passive_flag) - return doit_passive (kc); - else - return doit_active (kc); -} - -#ifdef KRB4 - -/* - * Start a v4-authenticatated kx connection. - */ - -static int -doit_v4 (const char *host, int port, const char *user, - int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag) -{ - int ret; - kx_context context; - - krb4_make_context (&context); - context_set (&context, - host, user, port, debug_flag, keepalive_flag, tcp_flag); - - ret = doit (&context, passive_flag); - context_destroy (&context); - return ret; -} -#endif /* KRB4 */ - -#ifdef KRB5 - -/* - * Start a v5-authenticatated kx connection. - */ - -static int -doit_v5 (const char *host, int port, const char *user, - int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag) -{ - int ret; - kx_context context; - - krb5_make_context (&context); - context_set (&context, - host, user, port, debug_flag, keepalive_flag, tcp_flag); - - ret = doit (&context, passive_flag); - context_destroy (&context); - return ret; -} -#endif /* KRB5 */ - -/* - * Variables set from the arguments - */ - -#ifdef KRB4 -static int use_v4 = -1; -#ifdef HAVE_KRB_ENABLE_DEBUG -static int krb_debug_flag = 0; -#endif /* HAVE_KRB_ENABLE_DEBUG */ -#endif /* KRB4 */ -#ifdef KRB5 -static int use_v5 = -1; -#endif -static char *port_str = NULL; -static const char *user = NULL; -static int tcp_flag = 0; -static int passive_flag = 0; -static int keepalive_flag = 1; -static int debug_flag = 0; -static int version_flag = 0; -static int help_flag = 0; - -struct getargs args[] = { -#ifdef KRB4 - { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4", - NULL }, -#ifdef HAVE_KRB_ENABLE_DEBUG - { "krb4-debug", 'D', arg_flag, &krb_debug_flag, - "enable krb4 debugging" }, -#endif /* HAVE_KRB_ENABLE_DEBUG */ -#endif /* KRB4 */ -#ifdef KRB5 - { "krb5", '5', arg_flag, 
&use_v5, "Use Kerberos V5", - NULL }, -#endif - { "port", 'p', arg_string, &port_str, "Use this port", - "number-of-service" }, - { "user", 'l', arg_string, &user, "Run as this user", - NULL }, - { "tcp", 't', arg_flag, &tcp_flag, - "Use a TCP connection for X11" }, - { "passive", 'P', arg_flag, &passive_flag, - "Force a passive connection" }, - { "keepalive", 'k', arg_negative_flag, &keepalive_flag, - "disable keep-alives" }, - { "debug", 'd', arg_flag, &debug_flag, - "Enable debug information" }, - { "version", 0, arg_flag, &version_flag, "Print version", - NULL }, - { "help", 0, arg_flag, &help_flag, NULL, - NULL } -}; - -static void -usage(int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "host"); - exit (ret); -} - -/* - * kx - forward an x-connection over a kerberos-encrypted channel. - */ - -int -main(int argc, char **argv) -{ - int port = 0; - int optind = 0; - int ret = 1; - char *host = NULL; - - setprogname (argv[0]); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - if (help_flag) - usage (0); - - if (version_flag) { - print_version (NULL); - return 0; - } - - if (optind != argc - 1) - usage (1); - - host = argv[optind]; - - if (port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "Bad port `%s'", port_str); - port = htons(port); - } - } - - if (user == NULL) { - user = get_default_username (); - if (user == NULL) - errx (1, "who are you?"); - } - - if (!passive_flag) - passive_flag = check_for_passive (getenv("DISPLAY")); - -#if defined(HAVE_KERNEL_ENABLE_DEBUG) - if (krb_debug_flag) - krb_enable_debug (); -#endif - -#if defined(KRB4) && defined(KRB5) - if(use_v4 == -1 && use_v5 == 1) - use_v4 = 0; - if(use_v5 == -1 && use_v4 == 1) - use_v5 = 0; -#endif - -#ifdef KRB5 - if (ret && use_v5) { - if (port == 0) - port = 
krb5_getportbyname(NULL, "kx", "tcp", KX_PORT); - ret = doit_v5 (host, port, user, - passive_flag, debug_flag, keepalive_flag, tcp_flag); - } -#endif -#ifdef KRB4 - if (ret && use_v4) { - if (port == 0) - port = k_getportbyname("kx", "tcp", htons(KX_PORT)); - ret = doit_v4 (host, port, user, - passive_flag, debug_flag, keepalive_flag, tcp_flag); - } -#endif - return ret; -} diff --git a/crypto/heimdal/appl/kx/kx.cat1 b/crypto/heimdal/appl/kx/kx.cat1 deleted file mode 100644 index d3f34e50e05c..000000000000 --- a/crypto/heimdal/appl/kx/kx.cat1 +++ /dev/null @@ -1,38 +0,0 @@ -KX(1) FreeBSD General Commands Manual KX(1) - -NNAAMMEE - kkxx - securely forward X conections - -SSYYNNOOPPSSIISS - _k_x [--ll _u_s_e_r_n_a_m_e] [--kk] [--dd] [--tt] [--pp _p_o_r_t] [--PP] _h_o_s_t - -DDEESSCCRRIIPPTTIIOONN - The kkxx program forwards a X connection from a remote client to a local - screen through an authenticated and encrypted stream. Options supported - by kkxx: - - --ll Log in on remote the host as user _u_s_e_r_n_a_m_e. - - --kk Do not enable keep-alives on the TCP connections. - - --dd Do not fork. This is mainly useful for debugging. - - --tt Listen not only on a UNIX-domain socket but on a TCP socket as - well. - - --pp Use the port _p_o_r_t. - - --PP Force passive mode. - - This program is used by rrxxtteellnneett and rrxxtteerrmm and you should not need to - run it directly. - - It connects to a kkxxdd on the host _h_o_s_t and then will relay the traffic - from the remote X clients to the local server. When started, it prints - the display and Xauthority-file to be used on host _h_o_s_t and then goes to - the background, waiting for connections from the remote kkxxdd.. - -SSEEEE AALLSSOO - rxtelnet(1), rxterm(1), kxd(8) - -KTH-KRB September 27, 1996 KTH-KRB diff --git a/crypto/heimdal/appl/kx/kx.h b/crypto/heimdal/appl/kx/kx.h deleted file mode 100644 index d3214cb779e1..000000000000 --- a/crypto/heimdal/appl/kx/kx.h +++ /dev/null 
@@ -1,263 +0,0 @@ -/* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: kx.h,v 1.39 2001/09/17 01:59:41 assar Exp $ */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif /* HAVE_CONFIG_H */ - -#include -#include -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_PWD_H -#include -#endif -#ifdef HAVE_GRP_H -#include -#endif -#ifdef HAVE_SYSLOG_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif -#ifdef HAVE_SYS_RESOURCE_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_SYS_WAIT_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_TCP_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_SYS_UN_H -#include -#endif -#include -#include -#include - -#ifdef HAVE_SYS_STREAM_H -#include -#endif -#ifdef HAVE_SYS_STROPTS_H -#include -#endif - -/* defined by aix's sys/stream.h and again by arpa/nameser.h */ - -#undef NOERROR - -/* as far as we know, this is only used with later versions of Slowlaris */ -#if SunOS >= 50 && defined(HAVE_SYS_STROPTS_H) && defined(HAVE_FATTACH) && defined(I_PUSH) -#define MAY_HAVE_X11_PIPES -#endif - -#ifdef SOCKS -#include -/* This doesn't belong here. 
*/ -struct tm *localtime(const time_t *); -struct hostent *gethostbyname(const char *); -#endif - -#ifdef KRB4 -#include -#include -#endif -#ifdef KRB5 -#include -#endif - -#include -#include -#include - -struct x_socket { - char *pathname; - int fd; - enum { - LISTENP = 0x80, - TCP = LISTENP | 1, - UNIX_SOCKET = LISTENP | 2, - STREAM_PIPE = 3 - } flags; -}; - -extern char x_socket[]; -extern u_int32_t display_num; -extern char display[]; -extern int display_size; -extern char xauthfile[]; -extern int xauthfile_size; -extern u_char cookie[]; -extern size_t cookie_len; - -int get_xsockets (int *number, struct x_socket **sockets, int tcpp); -int chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid); - -int connect_local_xsocket (unsigned dnr); -int create_and_write_cookie (char *xauthfile, - size_t size, - u_char *cookie, - size_t sz); -int verify_and_remove_cookies (int fd, int sock, int cookiesp); -int replace_cookie(int xserver, int fd, char *filename, int cookiesp); - -int suspicious_address (int sock, struct sockaddr_in addr); - -#define KX_PORT 2111 - -#define KX_OLD_VERSION "KXSERV.1" -#define KX_VERSION "KXSERV.2" - -#define COOKIE_TYPE "MIT-MAGIC-COOKIE-1" - -enum { INIT = 0, ACK = 1, NEW_CONN = 2, ERROR = 3 }; - -enum kx_flags { PASSIVE = 1, KEEP_ALIVE = 2 }; - -typedef enum kx_flags kx_flags; - -struct kx_context { - int (*authenticate)(struct kx_context *kc, int s); - int (*userok)(struct kx_context *kc, char *user); - ssize_t (*read)(struct kx_context *kc, - int fd, void *buf, size_t len); - ssize_t (*write)(struct kx_context *kc, - int fd, const void *buf, size_t len); - int (*copy_encrypted)(struct kx_context *kc, - int fd1, int fd2); - void (*destroy)(struct kx_context *kc); - const char *host; - const char *user; - int port; - int debug_flag; - int keepalive_flag; - int tcp_flag; - struct sockaddr_in thisaddr, thataddr; - void *data; -}; - -typedef struct kx_context kx_context; - -void -context_set (kx_context *kc, const char *host, 
const char *user, int port, - int debug_flag, int keepalive_flag, int tcp_flag); - -void -context_destroy (kx_context *kc); - -int -context_authenticate (kx_context *kc, int s); - -int -context_userok (kx_context *kc, char *user); - -ssize_t -kx_read (kx_context *kc, int fd, void *buf, size_t len); - -ssize_t -kx_write (kx_context *kc, int fd, const void *buf, size_t len); - -int -copy_encrypted (kx_context *kc, int fd1, int fd2); - -#ifdef KRB4 - -void -krb4_make_context (kx_context *c); - -int -recv_v4_auth (kx_context *kc, int sock, u_char *buf); - -#endif - -#ifdef KRB5 - -void -krb5_make_context (kx_context *c); - -int -recv_v5_auth (kx_context *kc, int sock, u_char *buf); - -#endif - -void -fatal (kx_context *kc, int fd, char *format, ...) -#ifdef __GNUC__ -__attribute__ ((format (printf, 3, 4))) -#endif -; - -#ifndef KRB4 - -int -krb_get_int(void *f, u_int32_t *to, int size, int lsb); - -int -krb_put_int(u_int32_t from, void *to, size_t rem, int size); - -#endif diff --git a/crypto/heimdal/appl/kx/kxd.8 b/crypto/heimdal/appl/kx/kxd.8 deleted file mode 100644 index 04b7db5f3a54..000000000000 --- a/crypto/heimdal/appl/kx/kxd.8 +++ /dev/null 
@@ -1,53 +0,0 @@
-.\" $Id: kxd.8,v 1.5 2001/01/11 16:16:26 assar Exp $
-.\"
-.Dd September 27, 1996
-.Dt KXD 8
-.Os KTH-KRB
-.Sh NAME
-.Nm kxd
-.Nd
-securely forward X conections
-.Sh SYNOPSIS
-.Ar kxd
-.Op Fl t
-.Op Fl i
-.Op Fl p Ar port
-.Sh DESCRIPTION
-This is the daemon for
-.Nm kx .
-.Pp
-Options supported by
-.Nm kxd :
-.Bl -tag -width Ds
-.It Fl t
-TCP. Normally
-.Nm kxd
-will only listen for X connections on a UNIX socket, but some machines
-(for example, Cray) have X libraries that are not able to use UNIX
-sockets and thus you need to use TCP to talk to the pseudo-xserver
-created by
-.Nm kxd.
-This option decreases the security significantly and should only be
-used when it is necessary and you have considered the consequences of
-doing so.
-.It Fl i
-Interactive. Do not expect to be started by
-.Nm inetd,
-but allocate and listen to the socket yourself. Handy for testing
-and debugging.
-.It Fl p
-Port. Listen on the port
-.Ar port .
-Only usable with
-.Fl i .
-.El
-.Sh EXAMPLES
-Put the following in
-.Pa /etc/inetd.conf :
-.Bd -literal
-kx stream tcp nowait root /usr/athena/libexec/kxd kxd
-.Ed
-.Sh SEE ALSO
-.Xr kx 1 ,
-.Xr rxtelnet 1 ,
-.Xr rxterm 1
diff --git a/crypto/heimdal/appl/kx/kxd.c b/crypto/heimdal/appl/kx/kxd.c
deleted file mode 100644
index 65f6165da885..000000000000
--- a/crypto/heimdal/appl/kx/kxd.c
+++ /dev/null
@@ -1,754 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kx.h" - -RCSID("$Id: kxd.c,v 1.69 2001/02/20 01:44:45 assar Exp $"); - -static pid_t wait_on_pid = -1; -static int done = 0; - -/* - * Signal handler that justs waits for the children when they die. 
- */ - -static RETSIGTYPE -childhandler (int sig) -{ - pid_t pid; - int status; - - do { - pid = waitpid (-1, &status, WNOHANG|WUNTRACED); - if (pid > 0 && pid == wait_on_pid) - done = 1; - } while(pid > 0); - signal (SIGCHLD, childhandler); - SIGRETURN(0); -} - -/* - * Print the error message `format' and `...' on fd and die. - */ - -void -fatal (kx_context *kc, int fd, char *format, ...) -{ - u_char msg[1024]; - u_char *p; - va_list args; - int len; - - va_start(args, format); - p = msg; - *p++ = ERROR; - vsnprintf ((char *)p + 4, sizeof(msg) - 5, format, args); - syslog (LOG_ERR, "%s", (char *)p + 4); - len = strlen ((char *)p + 4); - p += KRB_PUT_INT (len, p, 4, 4); - p += len; - kx_write (kc, fd, msg, p - msg); - va_end(args); - exit (1); -} - -/* - * Remove all sockets and cookie files. - */ - -static void -cleanup(int nsockets, struct x_socket *sockets) -{ - int i; - - if(xauthfile[0]) - unlink(xauthfile); - for (i = 0; i < nsockets; ++i) { - if (sockets[i].pathname != NULL) { - unlink (sockets[i].pathname); - free (sockets[i].pathname); - } - } -} - -/* - * Prepare to receive a connection on `sock'. 
- */ - -static int -recv_conn (int sock, kx_context *kc, - int *dispnr, int *nsockets, struct x_socket **sockets, - int tcp_flag) -{ - u_char msg[1024], *p; - char user[256]; - socklen_t addrlen; - struct passwd *passwd; - struct sockaddr_in thisaddr, thataddr; - char remotehost[MaxHostNameLen]; - char remoteaddr[INET6_ADDRSTRLEN]; - int ret = 1; - int flags; - int len; - u_int32_t tmp32; - - addrlen = sizeof(thisaddr); - if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 || - addrlen != sizeof(thisaddr)) { - syslog (LOG_ERR, "getsockname: %m"); - exit (1); - } - addrlen = sizeof(thataddr); - if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 || - addrlen != sizeof(thataddr)) { - syslog (LOG_ERR, "getpeername: %m"); - exit (1); - } - - kc->thisaddr = thisaddr; - kc->thataddr = thataddr; - - getnameinfo_verified ((struct sockaddr *)&thataddr, addrlen, - remotehost, sizeof(remotehost), - NULL, 0, 0); - - if (net_read (sock, msg, 4) != 4) { - syslog (LOG_ERR, "read: %m"); - exit (1); - } - -#ifdef KRB5 - if (ret && recv_v5_auth (kc, sock, msg) == 0) - ret = 0; -#endif -#ifdef KRB4 - if (ret && recv_v4_auth (kc, sock, msg) == 0) - ret = 0; -#endif - if (ret) { - syslog (LOG_ERR, "unrecognized auth protocol: %x %x %x %x", - msg[0], msg[1], msg[2], msg[3]); - exit (1); - } - - len = kx_read (kc, sock, msg, sizeof(msg)); - if (len < 0) { - syslog (LOG_ERR, "kx_read failed"); - exit (1); - } - p = (u_char *)msg; - if (*p != INIT) - fatal(kc, sock, "Bad message"); - p++; - p += krb_get_int (p, &tmp32, 4, 0); - len = min(sizeof(user), tmp32); - memcpy (user, p, len); - p += tmp32; - user[len] = '\0'; - - passwd = k_getpwnam (user); - if (passwd == NULL) - fatal (kc, sock, "cannot find uid for %s", user); - - if (context_userok (kc, user) != 0) - fatal (kc, sock, "%s not allowed to login as %s", - kc->user, user); - - flags = *p++; - - if (flags & PASSIVE) { - pid_t pid; - int tmp; - - tmp = get_xsockets (nsockets, sockets, tcp_flag); - if (tmp 
< 0) { - fatal (kc, sock, "Cannot create X socket(s): %s", - strerror(errno)); - } - *dispnr = tmp; - - if (chown_xsockets (*nsockets, *sockets, - passwd->pw_uid, passwd->pw_gid)) { - cleanup (*nsockets, *sockets); - fatal (kc, sock, "Cannot chown sockets: %s", - strerror(errno)); - } - - pid = fork(); - if (pid == -1) { - cleanup (*nsockets, *sockets); - fatal (kc, sock, "fork: %s", strerror(errno)); - } else if (pid != 0) { - wait_on_pid = pid; - while (!done) - pause (); - cleanup (*nsockets, *sockets); - exit (0); - } - } - - if (setgid (passwd->pw_gid) || - initgroups(passwd->pw_name, passwd->pw_gid) || -#ifdef HAVE_GETUDBNAM /* XXX this happens on crays */ - setjob(passwd->pw_uid, 0) == -1 || -#endif - setuid(passwd->pw_uid)) { - syslog(LOG_ERR, "setting uid/groups: %m"); - fatal (kc, sock, "cannot set uid"); - } - inet_ntop (thataddr.sin_family, - &thataddr.sin_addr, remoteaddr, sizeof(remoteaddr)); - - syslog (LOG_INFO, "from %s(%s): %s -> %s", - remotehost, remoteaddr, - kc->user, user); - umask(077); - if (!(flags & PASSIVE)) { - p += krb_get_int (p, &tmp32, 4, 0); - len = min(tmp32, display_size); - memcpy (display, p, len); - display[len] = '\0'; - p += tmp32; - p += krb_get_int (p, &tmp32, 4, 0); - len = min(tmp32, xauthfile_size); - memcpy (xauthfile, p, len); - xauthfile[len] = '\0'; - p += tmp32; - } -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (flags & KEEP_ALIVE) { - int one = 1; - - setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - return flags; -} - -/* - * - */ - -static int -passive_session (kx_context *kc, int fd, int sock, int cookiesp) -{ - if (verify_and_remove_cookies (fd, sock, cookiesp)) - return 1; - else - return copy_encrypted (kc, fd, sock); -} - -/* - * - */ - -static int -active_session (kx_context *kc, int fd, int sock, int cookiesp) -{ - fd = connect_local_xsocket(0); - - if (replace_cookie (fd, sock, xauthfile, cookiesp)) - return 1; - else - return copy_encrypted (kc, fd, 
sock); -} - -/* - * Handle a new connection. - */ - -static int -doit_conn (kx_context *kc, - int fd, int meta_sock, int flags, int cookiesp) -{ - int sock, sock2; - struct sockaddr_in addr; - struct sockaddr_in thisaddr; - socklen_t addrlen; - u_char msg[1024], *p; - - sock = socket (AF_INET, SOCK_STREAM, 0); - if (sock < 0) { - syslog (LOG_ERR, "socket: %m"); - return 1; - } -#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) - { - int one = 1; - setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, (void *)&one, sizeof(one)); - } -#endif -#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) - if (flags & KEEP_ALIVE) { - int one = 1; - - setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, - sizeof(one)); - } -#endif - memset (&addr, 0, sizeof(addr)); - addr.sin_family = AF_INET; - if (bind (sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { - syslog (LOG_ERR, "bind: %m"); - return 1; - } - addrlen = sizeof(addr); - if (getsockname (sock, (struct sockaddr *)&addr, &addrlen) < 0) { - syslog (LOG_ERR, "getsockname: %m"); - return 1; - } - if (listen (sock, SOMAXCONN) < 0) { - syslog (LOG_ERR, "listen: %m"); - return 1; - } - p = msg; - *p++ = NEW_CONN; - p += KRB_PUT_INT (ntohs(addr.sin_port), p, 4, 4); - - if (kx_write (kc, meta_sock, msg, p - msg) < 0) { - syslog (LOG_ERR, "write: %m"); - return 1; - } - - addrlen = sizeof(thisaddr); - sock2 = accept (sock, (struct sockaddr *)&thisaddr, &addrlen); - if (sock2 < 0) { - syslog (LOG_ERR, "accept: %m"); - return 1; - } - close (sock); - close (meta_sock); - - if (flags & PASSIVE) - return passive_session (kc, fd, sock2, cookiesp); - else - return active_session (kc, fd, sock2, cookiesp); -} - -/* - * Is the current user the owner of the console? 
- */ - -static void -check_user_console (kx_context *kc, int fd) -{ - struct stat sb; - - if (stat ("/dev/console", &sb) < 0) - fatal (kc, fd, "Cannot stat /dev/console: %s", strerror(errno)); - if (getuid() != sb.st_uid) - fatal (kc, fd, "Permission denied"); -} - -/* close down the new connection with a reasonable error message */ -static void -close_connection(int fd, const char *message) -{ - char buf[264]; /* max message */ - char *p; - int lsb = 0; - size_t mlen; - - mlen = strlen(message); - if(mlen > 255) - mlen = 255; - - /* read first part of connection packet, to get byte order */ - if(read(fd, buf, 6) != 6) { - close(fd); - return; - } - if(buf[0] == 0x6c) - lsb++; - p = buf; - *p++ = 0; /* failed */ - *p++ = mlen; /* length of message */ - p += 4; /* skip protocol version */ - p += 2; /* skip additional length */ - memcpy(p, message, mlen); /* copy message */ - p += mlen; - while((p - buf) % 4) /* pad to multiple of 4 bytes */ - *p++ = 0; - - /* now fill in length of additional data */ - if(lsb) { - buf[6] = (p - buf - 8) / 4; - buf[7] = 0; - }else{ - buf[6] = 0; - buf[7] = (p - buf - 8) / 4; - } - write(fd, buf, p - buf); - close(fd); -} - - -/* - * Handle a passive session on `sock' - */ - -static int -doit_passive (kx_context *kc, - int sock, - int flags, - int dispnr, - int nsockets, - struct x_socket *sockets, - int tcp_flag) -{ - int tmp; - int len; - size_t rem; - u_char msg[1024], *p; - int error; - - display_num = dispnr; - if (tcp_flag) - snprintf (display, display_size, "localhost:%u", display_num); - else - snprintf (display, display_size, ":%u", display_num); - error = create_and_write_cookie (xauthfile, xauthfile_size, - cookie, cookie_len); - if (error) { - cleanup(nsockets, sockets); - fatal (kc, sock, "Cookie-creation failed: %s", strerror(error)); - return 1; - } - - p = msg; - rem = sizeof(msg); - *p++ = ACK; - --rem; - - len = strlen (display); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0 || rem < len + 4) { - syslog 
(LOG_ERR, "doit: buffer too small"); - cleanup(nsockets, sockets); - return 1; - } - p += tmp; - rem -= tmp; - - memcpy (p, display, len); - p += len; - rem -= len; - - len = strlen (xauthfile); - tmp = KRB_PUT_INT (len, p, rem, 4); - if (tmp < 0 || rem < len + 4) { - syslog (LOG_ERR, "doit: buffer too small"); - cleanup(nsockets, sockets); - return 1; - } - p += tmp; - rem -= tmp; - - memcpy (p, xauthfile, len); - p += len; - rem -= len; - - if(kx_write (kc, sock, msg, p - msg) < 0) { - syslog (LOG_ERR, "write: %m"); - cleanup(nsockets, sockets); - return 1; - } - for (;;) { - pid_t child; - int fd = -1; - fd_set fds; - int i; - int ret; - int cookiesp = TRUE; - - FD_ZERO(&fds); - if (sock >= FD_SETSIZE) { - syslog (LOG_ERR, "fd too large"); - cleanup(nsockets, sockets); - return 1; - } - - FD_SET(sock, &fds); - for (i = 0; i < nsockets; ++i) { - if (sockets[i].fd >= FD_SETSIZE) { - syslog (LOG_ERR, "fd too large"); - cleanup(nsockets, sockets); - return 1; - } - FD_SET(sockets[i].fd, &fds); - } - ret = select(FD_SETSIZE, &fds, NULL, NULL, NULL); - if(ret <= 0) - continue; - if(FD_ISSET(sock, &fds)){ - /* there are no processes left on the remote side - */ - cleanup(nsockets, sockets); - exit(0); - } else if(ret) { - for (i = 0; i < nsockets; ++i) { - if (FD_ISSET(sockets[i].fd, &fds)) { - if (sockets[i].flags == TCP) { - struct sockaddr_in peer; - socklen_t len = sizeof(peer); - - fd = accept (sockets[i].fd, - (struct sockaddr *)&peer, - &len); - if (fd < 0 && errno != EINTR) - syslog (LOG_ERR, "accept: %m"); - - /* XXX */ - if (fd >= 0 && suspicious_address (fd, peer)) { - close (fd); - fd = -1; - errno = EINTR; - } - } else if(sockets[i].flags == UNIX_SOCKET) { - socklen_t zero = 0; - - fd = accept (sockets[i].fd, NULL, &zero); - - if (fd < 0 && errno != EINTR) - syslog (LOG_ERR, "accept: %m"); -#ifdef MAY_HAVE_X11_PIPES - } else if(sockets[i].flags == STREAM_PIPE) { - /* - * this code tries to handle the - * send fd-over-pipe stuff for - * solaris - */ - - 
struct strrecvfd strrecvfd; - - ret = ioctl (sockets[i].fd, - I_RECVFD, &strrecvfd); - if (ret < 0 && errno != EINTR) { - syslog (LOG_ERR, "ioctl I_RECVFD: %m"); - } - - /* XXX */ - if (ret == 0) { - if (strrecvfd.uid != getuid()) { - close (strrecvfd.fd); - fd = -1; - errno = EINTR; - } else { - fd = strrecvfd.fd; - cookiesp = FALSE; - } - } -#endif /* MAY_HAVE_X11_PIPES */ - } else - abort (); - break; - } - } - } - if (fd < 0) { - if (errno == EINTR) - continue; - else - return 1; - } - - child = fork (); - if (child < 0) { - syslog (LOG_ERR, "fork: %m"); - if(errno != EAGAIN) - return 1; - close_connection(fd, strerror(errno)); - } else if (child == 0) { - for (i = 0; i < nsockets; ++i) - close (sockets[i].fd); - return doit_conn (kc, fd, sock, flags, cookiesp); - } else { - close (fd); - } - } -} - -/* - * Handle an active session on `sock' - */ - -static int -doit_active (kx_context *kc, - int sock, - int flags, - int tcp_flag) -{ - u_char msg[1024], *p; - - check_user_console (kc, sock); - - p = msg; - *p++ = ACK; - - if(kx_write (kc, sock, msg, p - msg) < 0) { - syslog (LOG_ERR, "write: %m"); - return 1; - } - for (;;) { - pid_t child; - int len; - - len = kx_read (kc, sock, msg, sizeof(msg)); - if (len < 0) { - syslog (LOG_ERR, "read: %m"); - return 1; - } - p = (u_char *)msg; - if (*p != NEW_CONN) { - syslog (LOG_ERR, "bad_message: %d", *p); - return 1; - } - - child = fork (); - if (child < 0) { - syslog (LOG_ERR, "fork: %m"); - if (errno != EAGAIN) - return 1; - } else if (child == 0) { - return doit_conn (kc, sock, sock, flags, 1); - } else { - } - } -} - -/* - * Receive a connection on `sock' and process it. 
- */ - -static int -doit(int sock, int tcp_flag) -{ - int ret; - kx_context context; - int dispnr; - int nsockets; - struct x_socket *sockets; - int flags; - - flags = recv_conn (sock, &context, &dispnr, &nsockets, &sockets, tcp_flag); - - if (flags & PASSIVE) - ret = doit_passive (&context, sock, flags, dispnr, - nsockets, sockets, tcp_flag); - else - ret = doit_active (&context, sock, flags, tcp_flag); - context_destroy (&context); - return ret; -} - -static char *port_str = NULL; -static int inetd_flag = 1; -static int tcp_flag = 0; -static int version_flag = 0; -static int help_flag = 0; - -struct getargs args[] = { - { "inetd", 'i', arg_negative_flag, &inetd_flag, - "Not started from inetd" }, - { "tcp", 't', arg_flag, &tcp_flag, "Use TCP" }, - { "port", 'p', arg_string, &port_str, "Use this port", - "port" }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; - -static void -usage(int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "host"); - exit (ret); -} - -/* - * kxd - receive a forwarded X conncection - */ - -int -main (int argc, char **argv) -{ - int port; - int optind = 0; - - setprogname (argv[0]); - roken_openlog ("kxd", LOG_ODELAY | LOG_PID, LOG_DAEMON); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - if (help_flag) - usage (0); - - if (version_flag) { - print_version (NULL); - return 0; - } - - if(port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "bad port `%s'", port_str); - port = htons(port); - } - } else { -#if defined(KRB5) - port = krb5_getportbyname(NULL, "kx", "tcp", KX_PORT); -#elif defined(KRB4) - port = k_getportbyname ("kx", "tcp", htons(KX_PORT)); -#else -#error define KRB4 or KRB5 -#endif - } - - if (!inetd_flag) - mini_inetd (port); - - signal (SIGCHLD, 
childhandler); - return doit(STDIN_FILENO, tcp_flag); -} diff --git a/crypto/heimdal/appl/kx/kxd.cat8 b/crypto/heimdal/appl/kx/kxd.cat8 deleted file mode 100644 index 6235edb2a8a2..000000000000 --- a/crypto/heimdal/appl/kx/kxd.cat8 +++ /dev/null @@ -1,36 +0,0 @@ -KXD(8) FreeBSD System Manager's Manual KXD(8) - -NNAAMMEE - kkxxdd - securely forward X conections - -SSYYNNOOPPSSIISS - _k_x_d [--tt] [--ii] [--pp _p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - This is the daemon for kkxx. - - Options supported by kkxxdd: - - --tt TCP. Normally kkxxdd will only listen for X connections on a UNIX - socket, but some machines (for example, Cray) have X libraries - that are not able to use UNIX sockets and thus you need to use - TCP to talk to the pseudo-xserver created by kkxxdd.. This option - decreases the security significantly and should only be used when - it is necessary and you have considered the consequences of doing - so. - - --ii Interactive. Do not expect to be started by iinneettdd,, but allocate - and listen to the socket yourself. Handy for testing and debug- - ging. - - --pp Port. Listen on the port _p_o_r_t. Only usable with --ii. - -EEXXAAMMPPLLEESS - Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f: - - kx stream tcp nowait root /usr/athena/libexec/kxd kxd - -SSEEEE AALLSSOO - kx(1), rxtelnet(1), rxterm(1) - -KTH-KRB September 27, 1996 KTH-KRB diff --git a/crypto/heimdal/appl/kx/rxtelnet.1 b/crypto/heimdal/appl/kx/rxtelnet.1 deleted file mode 100644 index 2d7aec3843aa..000000000000 --- a/crypto/heimdal/appl/kx/rxtelnet.1 +++ /dev/null 
@@ -1,94 +0,0 @@
-.\" $Id: rxtelnet.1,v 1.10 2002/08/20 17:07:05 joda Exp $
-.\"
-.Dd September 27, 1996
-.Dt RXTELNET 1
-.Os KTH_KRB
-.Sh NAME
-.Nm rxtelnet
-.Nd
-start a telnet and forward X-connections.
-.Sh SYNOPSIS
-.Nm rxtelnet
-.Op Fl l Ar username
-.Op Fl k
-.Op Fl t Ar telnet_args
-.Op Fl x Ar xterm_args
-.Op Fl K Ar kx_args
-.Op Fl w Ar term_emulator
-.Op Fl b Ar telnet_program
-.Op Fl n
-.Op Fl v
-.Ar host
-.Op Ar port
-.Sh DESCRIPTION
-The
-.Nm
-program starts a
-.Nm xterm
-window with a telnet to host
-.Ar host .
-From this window you will also be able to run X clients that will be
-able to connect securily to your X server. If
-.Ar port
-is given, that port will be used instead of the default.
-.Pp
-The supported options are:
-.Bl -tag -width Ds
-.It Fl l
-Log in on the remote host as user
-.Ar username
-.It Fl k
-Disables keep-alives
-.It Fl t
-Send
-.Ar telnet_args
-as arguments to
-.Nm telnet
-.It Fl x
-Send
-.Ar xterm_args
-as arguments to
-.Nm xterm
-.It Fl X
-Send
-.Ar kx_args
-as arguments to
-.Nm kx
-.It Fl w
-Use
-.Ar term_emulator
-instead of xterm.
-.It Fl b
-Use
-.Ar telnet_program
-instead of telnet.
-.It Fl n
-Do not start any terminal emulator.
-.It Fl v
-Be verbose.
-.El
-.Sh EXAMPLE
-To login from host
-.Va foo
-(where your display is)
-to host
-.Va bar ,
-you might do the following.
-.Bl -enum
-.It
-On foo:
-.Nm
-.Va bar
-.It
-You will get a new window with a
-.Nm telnet
-to
-.Va bar .
-In this window you will be able to start X clients.
-.El
-.Sh SEE ALSO
-.Xr kx 1 ,
-.Xr rxterm 1 ,
-.Xr telnet 1 ,
-.Xr tenletxr 1 ,
-.Xr kxd 8
diff --git a/crypto/heimdal/appl/kx/rxtelnet.cat1 b/crypto/heimdal/appl/kx/rxtelnet.cat1
deleted file mode 100644
index 042850ced8bb..000000000000
--- a/crypto/heimdal/appl/kx/rxtelnet.cat1
+++ /dev/null
@@ -1,48 +0,0 @@ -RXTELNET(1) FreeBSD General Commands Manual RXTELNET(1) - -NNAAMMEE - rrxxtteellnneett - start a telnet and forward X-connections. - -SSYYNNOOPPSSIISS - rrxxtteellnneett [--ll _u_s_e_r_n_a_m_e] [--kk] [--tt _t_e_l_n_e_t___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--KK _k_x___a_r_g_s] - [--ww _t_e_r_m___e_m_u_l_a_t_o_r] [--bb _t_e_l_n_e_t___p_r_o_g_r_a_m] [--nn] [--vv] _h_o_s_t [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The rrxxtteellnneett program starts a xxtteerrmm window with a telnet to host _h_o_s_t. - From this window you will also be able to run X clients that will be able - to connect securily to your X server. If _p_o_r_t is given, that port will be - used instead of the default. - - The supported options are: - - --ll Log in on the remote host as user _u_s_e_r_n_a_m_e - - --kk Disables keep-alives - - --tt Send _t_e_l_n_e_t___a_r_g_s as arguments to tteellnneett - - --xx Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm - - --XX Send _k_x___a_r_g_s as arguments to kkxx - - --ww Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm. - - --bb Use _t_e_l_n_e_t___p_r_o_g_r_a_m instead of telnet. - - --nn Do not start any terminal emulator. - - --vv Be verbose. - -EEXXAAMMPPLLEE - To login from host _f_o_o (where your display is) to host _b_a_r, you might do - the following. - - 1. On foo: rrxxtteellnneett _b_a_r - - 2. You will get a new window with a tteellnneett to _b_a_r. In this window you - will be able to start X clients. - -SSEEEE AALLSSOO - kx(1), rxterm(1), telnet(1), tenletxr(1), kxd(8) - -KTH_KRB September 27, 1996 KTH_KRB diff --git a/crypto/heimdal/appl/kx/rxtelnet.in b/crypto/heimdal/appl/kx/rxtelnet.in deleted file mode 100644 index b4497c74b307..000000000000 --- a/crypto/heimdal/appl/kx/rxtelnet.in +++ /dev/null 
@@ -1,67 +0,0 @@
-#!/bin/sh
-# $Id: rxtelnet.in,v 1.29 2002/03/18 17:37:34 joda Exp $
-#
-usage="Usage: $0 [-l username] [-k] [-f] [-t args_to_telnet] [-x args_to_xterm] [-K args_to_kx] [-w term_emulator] [-b telnet_binary] [-n] [-v] [-h | --help] [--version] host [port]"
-binary=telnet
-term=
-kx_args=-P
-while true
-do
- case $1 in
- -l) telnet_args="${telnet_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;;
- -t) telnet_args="${telnet_args} $2 "; shift 2;;
- -x) xterm_args="${xterm_args} $2 "; shift 2;;
- -f) telnet_args="${telnet_args} -f"; shift;;
- -k) kx_args="${kx_args} -k"; shift;;
- -K) kx_args="${kx_args} $2 "; shift 2;;
- -n) term=none; shift;;
- -w) term=$2; shift 2;;
- -b) binary=$2; shift 2;;
- --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
- -h) echo $usage; exit 0;;
- --help) echo $usage; exit 0;;
- -v) set -x; verb=1; shift;;
- -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
- *) break;;
- esac
-done
-if test $# -lt 1; then
- echo $usage
- exit 1
-fi
-host=$1
-port=$2
-title="${title}${host}"
-bindir=%bindir%
-pdc_trams=`dirname $0`
-PATH=$pdc_trams:$bindir:$PATH
-export PATH
-set -- `kx $kx_args $host`
-if test $# -ne 3; then
- exit 1
-fi
-screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
-pid=$1
-disp=${2}${screen}
-auth=$3
-oldifs=$IFS
-IFS=:
-set -- $PATH
-IFS=$oldifs
-if test -z "$term"; then
- for j in xterm dtterm aixterm dxterm hpterm; do
- for i in $*; do
- test -n "$i" || i="."
- if test -x $i/$j; then
- term=$j; break 2
- fi
- done
- done
-fi
-test "$verb" && echo "Telnet command used is `type $binary`."
-if test -n "$term" -a "$term" != "none"; then
- ($term -title $title -n $title $xterm_args -e env DISPLAY=$disp XAUTHORITY=$auth $binary -D $telnet_args $host $port; kill -USR2 $pid) &
-else
- env DISPLAY=$disp XAUTHORITY=$auth $binary -D $telnet_args $host $port
- kill -USR2 $pid
-fi
diff --git a/crypto/heimdal/appl/kx/rxterm.1 b/crypto/heimdal/appl/kx/rxterm.1
deleted file mode 100644
index 3e62d0d8754e..000000000000
--- a/crypto/heimdal/appl/kx/rxterm.1
+++ /dev/null
@@ -1,90 +0,0 @@
-.\" $Id: rxterm.1,v 1.8 2002/08/20 17:07:06 joda Exp $
-.\"
-.Dd September 27, 1996
-.Dt RXTERM 1
-.Os KTH_KRB
-.Sh NAME
-.Nm rxterm
-.Nd
-start a secure remote xterm
-.Sh SYNOPSIS
-.Nm rxterm
-.Op Fl l Ar username
-.Op Fl k
-.Op Fl r Ar rsh_args
-.Op Fl x Ar xterm_args
-.Op Fl K Ar kx_args
-.Op Fl w Ar term_emulator
-.Op Fl b Ar rsh_program
-.Ar host
-.Op Ar port
-.Sh DESCRIPTION
-The
-.Nm
-program starts a
-.Nm xterm
-window on host
-.Ar host .
-From this window you will also be able to run X clients that will be
-able to connect securily to your X server. If
-.Ar port
-is given, that port will be used instead of the default.
-.Pp
-The supported options are:
-.Bl -tag -width Ds
-.It Fl l
-Log in on the remote host as user
-.Ar username
-.It Fl k
-Disable keep-alives
-.It Fl r
-Send
-.Ar rsh_args
-as arguments to
-.Nm rsh
-.It Fl x
-Send
-.Ar xterm_args
-as arguments to
-.Nm xterm
-.It Fl X
-Send
-.Ar kx_args
-as arguments to
-.Nm kx
-.It Fl w
-Use
-.Ar term_emulator
-instead of xterm.
-.It Fl b
-Use
-.Ar rsh_program
-instead of rsh.
-.It Fl v
-Be verbose.
-.El
-.Sh EXAMPLE
-To login from host
-.Va foo
-(where your display is)
-to host
-.Va bar ,
-you might do the following.
-.Bl -enum
-.It
-On foo:
-.Nm
-.Va bar
-.It
-You will get a new window running an
-.Nm xterm
-on host
-.Va bar .
-In this window you will be able to start X clients.
-.El
-.Sh SEE ALSO
-.Xr kx 1 ,
-.Xr rsh 1 ,
-.Xr rxtelnet 1 ,
-.Xr tenletxr 1 ,
-.Xr kxd 8
diff --git a/crypto/heimdal/appl/kx/rxterm.cat1 b/crypto/heimdal/appl/kx/rxterm.cat1
deleted file mode 100644
index 530fba36986b..000000000000
--- a/crypto/heimdal/appl/kx/rxterm.cat1
+++ /dev/null
@@ -1,46 +0,0 @@ -RXTERM(1) FreeBSD General Commands Manual RXTERM(1) - -NNAAMMEE - rrxxtteerrmm - start a secure remote xterm - -SSYYNNOOPPSSIISS - rrxxtteerrmm [--ll _u_s_e_r_n_a_m_e] [--kk] [--rr _r_s_h___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--KK _k_x___a_r_g_s] - [--ww _t_e_r_m___e_m_u_l_a_t_o_r] [--bb _r_s_h___p_r_o_g_r_a_m] _h_o_s_t [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The rrxxtteerrmm program starts a xxtteerrmm window on host _h_o_s_t. From this window - you will also be able to run X clients that will be able to connect - securily to your X server. If _p_o_r_t is given, that port will be used - instead of the default. - - The supported options are: - - --ll Log in on the remote host as user _u_s_e_r_n_a_m_e - - --kk Disable keep-alives - - --rr Send _r_s_h___a_r_g_s as arguments to rrsshh - - --xx Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm - - --XX Send _k_x___a_r_g_s as arguments to kkxx - - --ww Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm. - - --bb Use _r_s_h___p_r_o_g_r_a_m instead of rsh. - - --vv Be verbose. - -EEXXAAMMPPLLEE - To login from host _f_o_o (where your display is) to host _b_a_r, you might do - the following. - - 1. On foo: rrxxtteerrmm _b_a_r - - 2. You will get a new window running an xxtteerrmm on host _b_a_r. In this - window you will be able to start X clients. - -SSEEEE AALLSSOO - kx(1), rsh(1), rxtelnet(1), tenletxr(1), kxd(8) - -KTH_KRB September 27, 1996 KTH_KRB diff --git a/crypto/heimdal/appl/kx/rxterm.in b/crypto/heimdal/appl/kx/rxterm.in deleted file mode 100644 index 9291d21dfaca..000000000000 --- a/crypto/heimdal/appl/kx/rxterm.in +++ /dev/null 
@@ -1,45 +0,0 @@
-#!/bin/sh
-# $Id: rxterm.in,v 1.23 2002/03/18 17:37:34 joda Exp $
-#
-usage="Usage: $0 [-l username] [-k] [-f] [-r rsh_args] [-x xterm_args] [-K kx_args] [-w term_emulator] [-b rsh_binary][-v] [-h | --help] [--version] host"
-binary=rsh
-term=xterm
-while true
-do
- case $1 in
- -l) rsh_args="${rsh_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;;
- -r) rsh_args="${rsh_args} $2 "; shift 2;;
- -x) xterm_args="${xterm_args} $2 "; shift 2;;
- -f) rsh_args="${rsh_args} -f"; shift;;
- -k) kx_args="${kx_args} -k"; shift;;
- -K) kx_args="${kx_args} $2 "; shift 2;;
- -w) term=$2; shift 2;;
- -b) binary=$2; shift 2;;
- --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
- -h) echo $usage; exit 0;;
- --help) echo $usage; exit 0;;
- -v) set -x; shift;;
- -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
- *) break;;
- esac
-done
-if test $# -lt 1; then
- echo "Usage: $0 host [arguments to $term]"
- exit 1
-fi
-host=$1
-title="${title}${host}"
-bindir=%bindir%
-pdc_trams=`dirname $0`
-PATH=$pdc_trams:$bindir:$PATH
-export PATH
-set -- `kx $kx_args $host`
-if test $# -ne 3; then
- exit 1
-fi
-screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
-pid=$1
-disp=${2}${screen}
-auth=$3
-kill -USR1 $pid
-$binary -n $rsh_args $host "/bin/sh -c 'DISPLAY=$disp XAUTHORITY=$auth $term -T $title -n $title $xterm_args /dev/null 2>/dev/null &'"
diff --git a/crypto/heimdal/appl/kx/tenletxr.1 b/crypto/heimdal/appl/kx/tenletxr.1
deleted file mode 100644
index c9c49cd57ff7..000000000000
--- a/crypto/heimdal/appl/kx/tenletxr.1
+++ /dev/null
@@ -1,61 +0,0 @@
-.\" $Id: tenletxr.1,v 1.4 2002/08/20 17:07:06 joda Exp $
-.\"
-.Dd March 31, 1997
-.Dt TENLETXR 1
-.Os KTH_KRB
-.Sh NAME
-.Nm tenletxr
-.Nd
-forward X-connections backwards.
-.Sh SYNOPSIS
-.Nm tenletxr
-.Op Fl l Ar username
-.Op Fl k
-.Ar host
-.Op Ar port
-.Sh DESCRIPTION
-The
-.Nm
-program
-enables forwarding of X-connections from this machine to host
-.Ar host .
-If
-.Ar port
-is given, that port will be used instead of the default.
-.Pp
-The supported options are:
-.Bl -tag -width Ds
-.It Fl l
-Log in on the remote host as user
-.Ar username
-.It Fl k
-Disables keep-alives.
-.El
-.Sh EXAMPLE
-To login from host
-.Va foo
-to host
-.Va bar
-(where your display is),
-you might do the following.
-.Bl -enum
-.It
-On foo:
-.Nm
-.Va bar
-.It
-You will get a new shell where you will be able to start X clients
-that will show their windows on
-.Va bar .
-.El
-.Sh BUGS
-It currently checks if you have permission to run it by checking if
-you own
-.Pa /dev/console
-on the remote host.
-.Sh SEE ALSO
-.Xr kx 1 ,
-.Xr rxtelnet 1 ,
-.Xr rxterm 1 ,
-.Xr telnet 1 ,
-.Xr kxd 8
diff --git a/crypto/heimdal/appl/kx/tenletxr.cat1 b/crypto/heimdal/appl/kx/tenletxr.cat1
deleted file mode 100644
index ba39b38133de..000000000000
--- a/crypto/heimdal/appl/kx/tenletxr.cat1
+++ /dev/null
@@ -1,36 +0,0 @@ -TENLETXR(1) FreeBSD General Commands Manual TENLETXR(1) - -NNAAMMEE - tteennlleettxxrr - forward X-connections backwards. - -SSYYNNOOPPSSIISS - tteennlleettxxrr [--ll _u_s_e_r_n_a_m_e] [--kk] _h_o_s_t [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The tteennlleettxxrr program enables forwarding of X-connections from this - machine to host _h_o_s_t. If _p_o_r_t is given, that port will be used instead - of the default. - - The supported options are: - - --ll Log in on the remote host as user _u_s_e_r_n_a_m_e - - --kk Disables keep-alives. - -EEXXAAMMPPLLEE - To login from host _f_o_o to host _b_a_r (where your display is), you might do - the following. - - 1. On foo: tteennlleettxxrr _b_a_r - - 2. You will get a new shell where you will be able to start X clients - that will show their windows on _b_a_r. - -BBUUGGSS - It currently checks if you have permission to run it by checking if you - own _/_d_e_v_/_c_o_n_s_o_l_e on the remote host. - -SSEEEE AALLSSOO - kx(1), rxtelnet(1), rxterm(1), telnet(1), kxd(8) - -KTH_KRB March 31, 1997 KTH_KRB diff --git a/crypto/heimdal/appl/kx/tenletxr.in b/crypto/heimdal/appl/kx/tenletxr.in deleted file mode 100644 index 5c05dc9d4c9d..000000000000 --- a/crypto/heimdal/appl/kx/tenletxr.in +++ /dev/null 
@@ -1,37 +0,0 @@
-#!/bin/sh
-# $Id: tenletxr.in,v 1.3 1999/02/04 09:29:59 assar Exp $
-#
-usage="Usage: $0 [-l username] [-k] [-v] [-h | --help] [--version] host [port]"
-while true
-do
- case $1 in
- -l) kx_args="${kx_args} -l $2"; shift 2;;
- -k) kx_args="${kx_args} -k"; shift;;
- --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
- -h) echo $usage; exit 0;;
- --help) echo $usage; exit 0;;
- -v) set -x; shift;;
- -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
- *) break;;
- esac
-done
-if test $# -lt 1; then
- echo $usage
- exit 1
-fi
-host=$1
-port=$2
-bindir=%bindir%
-pdc_trams=`dirname $0`
-PATH=$pdc_trams:$bindir:$PATH
-export PATH
-set -- `kx $kx_args $host`
-if test $# -ne 3; then
- exit 1
-fi
-screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
-pid=$1
-disp=${2}${screen}
-auth=$3
-env DISPLAY=$disp XAUTHORITY=$auth $SHELL
-kill -USR2 $pid
diff --git a/crypto/heimdal/appl/kx/writeauth.c b/crypto/heimdal/appl/kx/writeauth.c
deleted file mode 100644
index 11dc72dfecbc..000000000000
--- a/crypto/heimdal/appl/kx/writeauth.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/* $XConsortium: AuWrite.c,v 1.6 94/04/17 20:15:45 gildea Exp $ */
-
-/*
-
-Copyright (c) 1988 X Consortium
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
-AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-Except as contained in this notice, the name of the X Consortium shall not be
-used in advertising or otherwise to promote the sale, use or other dealings
-in this Software without prior written authorization from the X Consortium.
-
-*/
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: writeauth.c,v 1.4 1999/05/12 17:59:44 assar Exp $");
-#endif
-
-#include
-
-static int
-write_short (unsigned short s, FILE *file)
-{
- unsigned char file_short[2];
-
- file_short[0] = (s & (unsigned)0xff00) >> 8;
- file_short[1] = s & 0xff;
- if (fwrite (file_short, sizeof (file_short), 1, file) != 1)
- return 0;
- return 1;
-}
-
-static int
-write_counted_string (unsigned short count, char *string, FILE *file)
-{
- if (write_short (count, file) == 0)
- return 0;
- if (fwrite (string, (int) sizeof (char), (int) count, file) != count)
- return 0;
- return 1;
-}
-
-int
-XauWriteAuth (FILE *auth_file, Xauth *auth)
-{
- if (write_short (auth->family, auth_file) == 0)
- return 0;
- if (write_counted_string (auth->address_length, auth->address, auth_file) == 0)
- return 0;
- if (write_counted_string (auth->number_length, auth->number, auth_file) == 0)
- return 0;
- if (write_counted_string (auth->name_length, auth->name, auth_file) == 0)
- return 0;
- if (write_counted_string (auth->data_length, auth->data, auth_file) == 0)
- return 0;
- return 1;
-}
diff --git a/crypto/heimdal/appl/login/Makefile b/crypto/heimdal/appl/login/Makefile
deleted file mode 100644
index 2ebdd9ed1a61..000000000000
--- a/crypto/heimdal/appl/login/Makefile
+++ /dev/null
@@ -1,624 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/login/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.20 2002/08/19 17:00:36 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = login - -login_SOURCES = \ - conf.c \ - env.c \ - login.c \ - login_access.c \ - login_locl.h \ - login_protos.h \ - osfc2.c \ - read_string.c \ - shadow.c \ - stty_default.c \ - tty.c \ - utmp_login.c \ - utmpx_login.c - - -LDADD = $(LIB_otp) \ - $(LIB_kafs) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(LIB_security) \ - $(DBLIB) - -subdir = appl/login -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = login$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_login_OBJECTS = conf.$(OBJEXT) env.$(OBJEXT) login.$(OBJEXT) \ - login_access.$(OBJEXT) osfc2.$(OBJEXT) read_string.$(OBJEXT) \ - shadow.$(OBJEXT) stty_default.$(OBJEXT) tty.$(OBJEXT) \ - utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT) -login_OBJECTS = $(am_login_OBJECTS) -login_LDADD = $(LDADD) -#login_DEPENDENCIES = $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -login_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -login_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(login_SOURCES) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(login_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/login/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo 
$$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -login$(EXEEXT): $(login_OBJECTS) $(login_DEPENDENCIES) - @rm -f login$(EXEEXT) - $(LINK) $(login_LDFLAGS) $(login_OBJECTS) $(login_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s 
$$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(srcdir)/login_protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h -q -P comment $(login_SOURCES) || rm -f login_protos.h - -$(login_OBJECTS): $(srcdir)/login_protos.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/otp/ChangeLog b/crypto/heimdal/appl/otp/ChangeLog deleted file mode 100644 index cffff9ef4ea2..000000000000 --- a/crypto/heimdal/appl/otp/ChangeLog +++ /dev/null 
@@ -1,40 +0,0 @@
-2000-11-29 Johan Danielsson
-
- * otpprint.1: sort parameters and close a list
-
- * otp.1: sort parameters and close a list
-
-1999-09-14 Assar Westerlund
-
- * otp.c (verify_user_otp): check return value from
- des_read_pw_string
-
-Thu Apr 1 16:51:07 1999 Johan Danielsson
-
- * otpprint.c: use getarg
-
- * otp.c: use getarg
-
-Thu Mar 18 12:08:58 1999 Johan Danielsson
-
- * Makefile.am: include Makefile.am.common
-
-Thu Mar 4 19:45:40 1999 Johan Danielsson
-
- * Makefile.am: DESTDIR
-
-Sat Feb 27 19:44:25 1999 Johan Danielsson
-
- * Makefile.am: add
-
-Sun Nov 22 10:32:50 1998 Assar Westerlund
-
- * otpprint.c: more braces
-
- * Makefile.in (WFLAGS): set
-
-Sun Dec 21 09:31:30 1997 Assar Westerlund
-
- * otp.c (renew): don't set the OTP if the reading of the string
- fails.
-
diff --git a/crypto/heimdal/appl/otp/Makefile b/crypto/heimdal/appl/otp/Makefile
deleted file mode 100644
index 1a2bad5e3e88..000000000000
--- a/crypto/heimdal/appl/otp/Makefile
+++ /dev/null
@@ -1,649 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/otp/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.11 2001/08/28 08:31:21 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = otp otpprint -bin_SUIDS = otp -otp_SOURCES = otp.c otp_locl.h -otpprint_SOURCES = otpprint.c otp_locl.h - -man_MANS = otp.1 otpprint.1 - -LDADD = \ - $(top_builddir)/lib/otp/libotp.la - -subdir = appl/otp -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = otp$(EXEEXT) otpprint$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_otp_OBJECTS = otp.$(OBJEXT) -otp_OBJECTS = $(am_otp_OBJECTS) -otp_LDADD = $(LDADD) -otp_DEPENDENCIES = $(top_builddir)/lib/otp/libotp.la -otp_LDFLAGS = -am_otpprint_OBJECTS = otpprint.$(OBJEXT) -otpprint_OBJECTS = $(am_otpprint_OBJECTS) -otpprint_LDADD = $(LDADD) -otpprint_DEPENDENCIES = $(top_builddir)/lib/otp/libotp.la -otpprint_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(otp_SOURCES) $(otpprint_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(otp_SOURCES) $(otpprint_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/otp/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - 
@list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -otp$(EXEEXT): $(otp_OBJECTS) $(otp_DEPENDENCIES) - @rm -f otp$(EXEEXT) - $(LINK) $(otp_LDFLAGS) $(otp_OBJECTS) $(otp_LDADD) $(LIBS) -otpprint$(EXEEXT): $(otpprint_OBJECTS) $(otpprint_DEPENDENCIES) - @rm -f otpprint$(EXEEXT) - $(LINK) $(otpprint_LDFLAGS) $(otpprint_OBJECTS) $(otpprint_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - 
inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - 
f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/otp/Makefile.am b/crypto/heimdal/appl/otp/Makefile.am deleted file mode 100644 index 16e1c0c4e8ff..000000000000 --- a/crypto/heimdal/appl/otp/Makefile.am +++ /dev/null @@ -1,15 +0,0 @@ -# $Id: Makefile.am,v 1.11 2001/08/28 08:31:21 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_des) - -bin_PROGRAMS = otp otpprint -bin_SUIDS = otp -otp_SOURCES = otp.c otp_locl.h -otpprint_SOURCES = otpprint.c otp_locl.h - -man_MANS = otp.1 otpprint.1 - -LDADD = \ - $(top_builddir)/lib/otp/libotp.la diff --git a/crypto/heimdal/appl/otp/Makefile.in b/crypto/heimdal/appl/otp/Makefile.in deleted file mode 100644 index 49e9e8d96730..000000000000 --- a/crypto/heimdal/appl/otp/Makefile.in +++ /dev/null 
@@ -1,649 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.11 2001/08/28 08:31:21 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = 
@VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ 
$(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = otp otpprint -bin_SUIDS = otp -otp_SOURCES = otp.c otp_locl.h -otpprint_SOURCES = otpprint.c otp_locl.h - -man_MANS = otp.1 otpprint.1 - -LDADD = \ - $(top_builddir)/lib/otp/libotp.la - -subdir = appl/otp -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = otp$(EXEEXT) otpprint$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_otp_OBJECTS = otp.$(OBJEXT) -otp_OBJECTS = $(am_otp_OBJECTS) -otp_LDADD = $(LDADD) -otp_DEPENDENCIES = $(top_builddir)/lib/otp/libotp.la -otp_LDFLAGS = -am_otpprint_OBJECTS = otpprint.$(OBJEXT) -otpprint_OBJECTS = $(am_otpprint_OBJECTS) -otpprint_LDADD = $(LDADD) -otpprint_DEPENDENCIES = $(top_builddir)/lib/otp/libotp.la -otpprint_LDFLAGS = - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = $(otp_SOURCES) $(otpprint_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(otp_SOURCES) $(otpprint_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/otp/Makefile -Makefile: $(srcdir)/Makefile.in 
$(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -otp$(EXEEXT): $(otp_OBJECTS) $(otp_DEPENDENCIES) - @rm -f otp$(EXEEXT) - $(LINK) $(otp_LDFLAGS) $(otp_OBJECTS) $(otp_LDADD) $(LIBS) -otpprint$(EXEEXT): $(otpprint_OBJECTS) $(otpprint_DEPENDENCIES) - @rm -f otpprint$(EXEEXT) - $(LINK) $(otpprint_LDFLAGS) $(otpprint_OBJECTS) $(otpprint_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) 
$(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) 
$(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to 
rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; 
do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo 
$$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/otp/otp.1 b/crypto/heimdal/appl/otp/otp.1 deleted file mode 100644 index 473a4b0bc8ae..000000000000 --- a/crypto/heimdal/appl/otp/otp.1 +++ /dev/null 
@@ -1,60 +0,0 @@
-.\" $Id: otp.1,v 1.2 2000/11/29 18:18:22 joda Exp $
-.\"
-.Dd November 17, 1996
-.Dt OTP 1
-.Os KTH-KRB
-.Sh NAME
-.Nm otp
-.Nd
-manages one-time passwords
-.Sh SYNOPSIS
-.Nm otp
-.Op Fl dhlor
-.Op Fl f Ar algorithm
-.Op Fl u Ar user
-.Ar sequence-number
-.Ar seed
-.Sh DESCRIPTION
-The
-.Nm
-program initializes and updates your current series of one-time
-passwords (OTPs).
-.Pp
-Use this to set a new series of one-time passwords. Only perform this
-on the console or over an encrypted link as you will have to supply
-your pass-phrase. The other two parameters are
-.Ar sequence-number
-and
-.Ar seed .
-.Pp
-Options are:
-.Bl -tag -width Ds
-.It Fl d
-To delete a one-time password.
-.It Fl f
-Choose a different
-.Ar algorithm
-from the default md5. Pick any of: md4, md5, and sha.
-.It Fl h
-For getting a help message.
-.It Fl l
-List the current table of one-time passwords.
-.It Fl o
-To open (unlock) the otp-entry for a user.
-.It Fl r
-To renew a one-time password series. This operation can be performed
-over an potentially eavesdropped link because you do not supply the
-pass-phrase. First you need to supply the current one-time password
-and then the new one corresponding to the supplied
-.Ar sequence-number
-and
-.Ar seed .
-.It Fl u
-To choose a different
-.Ar user
-to set one-time passwords for. This only works when running
-.Nm
-as root.
-.El
-.Sh SEE ALSO
-.Xr otpprint 1
diff --git a/crypto/heimdal/appl/otp/otp.c b/crypto/heimdal/appl/otp/otp.c
deleted file mode 100644
index 66de4e0b6591..000000000000
--- a/crypto/heimdal/appl/otp/otp.c
+++ /dev/null
@@ -1,366 +0,0 @@
-/*
- * Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "otp_locl.h"
-#include
-
-RCSID("$Id: otp.c,v 1.33 2001/02/20 01:44:46 assar Exp $");
-
-static int listp;
-static int deletep;
-static int openp;
-static int renewp;
-static char* alg_string;
-static char *user;
-static int version_flag;
-static int help_flag;
-
-struct getargs args[] = {
- { "list", 'l', arg_flag, &listp, "list OTP status" },
- { "delete", 'd', arg_flag, &deletep, "delete OTP" },
- { "open", 'o', arg_flag, &openp, "open a locked OTP" },
- { "renew", 'r', arg_flag, &renewp, "securely renew OTP" },
- { "hash", 'f', arg_string, &alg_string,
- "hash algorithm (md4, md5, or sha)", "algorithm"},
- { "user", 'u', arg_string, &user,
- "user other than current user (root only)", "user" },
- { "version", 0, arg_flag, &version_flag },
- { "help", 'h', arg_flag, &help_flag }
-};
-
-int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int code)
-{
- arg_printusage(args, num_args, NULL, "[num seed]");
- exit(code);
-}
-
-/*
- * Renew the OTP for a user.
- * The pass-phrase is not required (RFC 1938/8.0)
- */
-
-static int
-renew (int argc, char **argv, OtpAlgorithm *alg, char *user)
-{
- OtpContext newctx, *ctx;
- char prompt[128];
- char pw[64];
- void *dbm;
- int ret;
-
- newctx.alg = alg;
- newctx.user = user;
- newctx.n = atoi (argv[0]);
- strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
- strlwr(newctx.seed);
- snprintf (prompt, sizeof(prompt),
- "[ otp-%s %u %s ]",
- newctx.alg->name,
- newctx.n,
- newctx.seed);
- if (des_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 &&
- otp_parse (newctx.key, pw, alg) == 0) {
- ctx = &newctx;
- ret = 0;
- } else
- return 1;
-
- dbm = otp_db_open ();
- if (dbm == NULL) {
- warnx ("otp_db_open failed");
- return 1;
- }
- otp_put (dbm, ctx);
- otp_db_close (dbm);
- return ret;
-}
-
-/*
- * Return 0 if the user could enter the next OTP.
- * I would rather have returned !=0 but it's shell-like here around.
- */
-
-static int
-verify_user_otp(char *username)
-{
- OtpContext ctx;
- char passwd[OTP_MAX_PASSPHRASE + 1];
- char prompt[128], ss[256];
-
- if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) {
- warnx("no otp challenge found for %s", username);
- return 1;
- }
-
- snprintf (prompt, sizeof(prompt), "%s's %s Password: ", username, ss);
- if(des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0))
- return 1;
- return otp_verify_user (&ctx, passwd);
-}
-
-/*
- * Set the OTP for a user
- */
-
-static int
-set (int argc, char **argv, OtpAlgorithm *alg, char *user)
-{
- void *db;
- OtpContext ctx;
- char pw[OTP_MAX_PASSPHRASE + 1];
- int ret;
- int i;
-
- ctx.alg = alg;
- ctx.user = strdup (user);
- if (ctx.user == NULL)
- err (1, "out of memory");
-
- ctx.n = atoi (argv[0]);
- strlcpy (ctx.seed, argv[1], sizeof(ctx.seed));
- strlwr(ctx.seed);
- do {
- if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 1))
- return 1;
- if (strlen (pw) < OTP_MIN_PASSPHRASE)
- printf ("Too short pass-phrase. Use at least %d characters\n",
- OTP_MIN_PASSPHRASE);
- } while(strlen(pw) < OTP_MIN_PASSPHRASE);
- ctx.alg->init (ctx.key, pw, ctx.seed);
- for (i = 0; i < ctx.n; ++i)
- ctx.alg->next (ctx.key);
- db = otp_db_open ();
- if(db == NULL) {
- free (ctx.user);
- err (1, "otp_db_open failed");
- }
- ret = otp_put (db, &ctx);
- otp_db_close (db);
- free (ctx.user);
- return ret;
-}
-
-/*
- * Delete otp of user from the database
- */
-
-static int
-delete_otp (int argc, char **argv, char *user)
-{
- void *db;
- OtpContext ctx;
- int ret;
-
- db = otp_db_open ();
- if(db == NULL)
- errx (1, "otp_db_open failed");
-
- ctx.user = user;
- ret = otp_delete(db, &ctx);
- otp_db_close (db);
- return ret;
-}
-
-/*
- * Tell whether the user has an otp
- */
-
-static int
-has_an_otp(char *user)
-{
- void *db;
- OtpContext ctx;
- int ret;
-
- db = otp_db_open ();
- if(db == NULL) {
- warnx ("otp_db_open failed");
- return 0; /* if no db no otp!
*/
- }
-
- ctx.user = user;
- ret = otp_simple_get(db, &ctx);
-
- otp_db_close (db);
- return !ret;
-}
-
-/*
- * Get and print out the otp entry for some user
- */
-
-static void
-print_otp_entry_for_name (void *db, char *user)
-{
- OtpContext ctx;
-
- ctx.user = user;
- if (!otp_simple_get(db, &ctx)) {
- fprintf(stdout,
- "%s\totp-%s %d %s",
- ctx.user, ctx.alg->name, ctx.n, ctx.seed);
- if (ctx.lock_time)
- fprintf(stdout,
- "\tlocked since %s",
- ctime(&ctx.lock_time));
- else
- fprintf(stdout, "\n");
- }
-}
-
-static int
-open_otp (int argc, char **argv, char *user)
-{
- void *db;
- OtpContext ctx;
- int ret;
-
- db = otp_db_open ();
- if (db == NULL)
- errx (1, "otp_db_open failed");
-
- ctx.user = user;
- ret = otp_simple_get (db, &ctx);
- if (ret == 0)
- ret = otp_put (db, &ctx);
- otp_db_close (db);
- return ret;
-}
-
-/*
- * Print otp entries for one or all users
- */
-
-static int
-list_otps (int argc, char **argv, char *user)
-{
- void *db;
- struct passwd *pw;
-
- db = otp_db_open ();
- if(db == NULL)
- errx (1, "otp_db_open failed");
-
- if (user)
- print_otp_entry_for_name(db, user);
- else
- /* scans all users...
so as to get a deterministic order */
- while ((pw = getpwent()))
- print_otp_entry_for_name(db, pw->pw_name);
-
- otp_db_close (db);
- return 0;
-}
-
-int
-main (int argc, char **argv)
-{
- int defaultp = 0;
- int uid = getuid();
- OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
- int optind = 0;
-
- setprogname (argv[0]);
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- if(deletep && uid != 0)
- errx (1, "Only root can delete OTPs");
- if(alg_string) {
- alg = otp_find_alg (alg_string);
- if (alg == NULL)
- errx (1, "Unknown algorithm: %s", alg_string);
- }
- if (user && uid != 0)
- errx (1, "Only root can use `-u'");
- argc -= optind;
- argv += optind;
-
- if (!(listp || deletep || renewp || openp))
- defaultp = 1;
-
- if ( listp + deletep + renewp + defaultp + openp != 1)
- usage(1); /* one of -d or -l or -r or none */
-
- if(deletep || openp || listp) {
- if(argc != 0)
- errx(1, "delete, open, and list requires no arguments\n");
- } else {
- if(argc != 2)
- errx(1, "setup, and renew requires `num', and `seed'");
- }
- if (listp)
- return list_otps (argc, argv, user);
-
- if (user == NULL) {
- struct passwd *pwd;
-
- pwd = k_getpwuid(uid);
- if (pwd == NULL)
- err (1, "You don't exist");
- user = pwd->pw_name;
- }
-
- /*
- * users other that root must provide the next OTP to update the sequence.
- * it avoids someone to use a pending session to change an OTP sequence.
- * see RFC 1938/8.0.
- */
- if (uid != 0 && (defaultp || renewp)) {
- if (!has_an_otp(user)) {
- errx (1, "Only root can set an initial OTP");
- } else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */
- if (verify_user_otp(user) != 0) {
- errx (1, "User authentification failed");
- }
- }
- }
-
- if (deletep)
- return delete_otp (argc, argv, user);
- else if (renewp)
- return renew (argc, argv, alg, user);
- else if (openp)
- return open_otp (argc, argv, user);
- else
- return set (argc, argv, alg, user);
-}
diff --git a/crypto/heimdal/appl/otp/otp.cat1 b/crypto/heimdal/appl/otp/otp.cat1
deleted file mode 100644
index 853b440af005..000000000000
--- a/crypto/heimdal/appl/otp/otp.cat1
+++ /dev/null
@@ -1,42 +0,0 @@ -OTP(1) FreeBSD General Commands Manual OTP(1) - -NNAAMMEE - oottpp - manages one-time passwords - -SSYYNNOOPPSSIISS - oottpp [--ddhhlloorr] [--ff _a_l_g_o_r_i_t_h_m] [--uu _u_s_e_r] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d - -DDEESSCCRRIIPPTTIIOONN - The oottpp program initializes and updates your current series of one-time - passwords (OTPs). - - Use this to set a new series of one-time passwords. Only perform this on - the console or over an encrypted link as you will have to supply your - pass-phrase. The other two parameters are _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d. - - Options are: - - --dd To delete a one-time password. - - --ff Choose a different _a_l_g_o_r_i_t_h_m from the default md5. Pick any of: - md4, md5, and sha. - - --hh For getting a help message. - - --ll List the current table of one-time passwords. - - --oo To open (unlock) the otp-entry for a user. - - --rr To renew a one-time password series. This operation can be per- - formed over an potentially eavesdropped link because you do not - supply the pass-phrase. First you need to supply the current - one-time password and then the new one corresponding to the sup- - plied _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d. - - --uu To choose a different _u_s_e_r to set one-time passwords for. This - only works when running oottpp as root. - -SSEEEE AALLSSOO - otpprint(1) - -KTH-KRB November 17, 1996 KTH-KRB diff --git a/crypto/heimdal/appl/otp/otp_locl.h b/crypto/heimdal/appl/otp/otp_locl.h deleted file mode 100644 index 342f4fd0073f..000000000000 --- a/crypto/heimdal/appl/otp/otp_locl.h +++ /dev/null 
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp_locl.h,v 1.9 2001/08/22 20:30:21 assar Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#include
-#include
-#ifdef HAVE_OPENSSL
-#include
-#else
-#include
-#endif
-#include
diff --git a/crypto/heimdal/appl/otp/otpprint.1 b/crypto/heimdal/appl/otp/otpprint.1
deleted file mode 100644
index 7f7d5bec7783..000000000000
--- a/crypto/heimdal/appl/otp/otpprint.1
+++ /dev/null
@@ -1,52 +0,0 @@
-.\" $Id: otpprint.1,v 1.4 2001/06/08 20:44:46 assar Exp $
-.\"
-.Dd November 17, 1996
-.Dt OTP 1
-.Os KTH-KRB
-.Sh NAME
-.Nm otpprint
-.Nd
-print lists of one-time passwords
-.Sh SYNOPSIS
-.Nm otp
-.Op Fl n Ar count
-.Op Fl e
-.Op Fl h
-.Op Fl f Ar algorithm
-.Ar sequence-number
-.Ar seed
-.Sh DESCRIPTION
-The
-.Nm
-program prints lists of OTPs.
-.Pp
-Use this to print out a series of one-time passwords. You will have
-to supply the
-.Ar sequence number
-and the
-.Ar seed
-as arguments and then the program will prompt you for your pass-phrase.
-.Pp
-There are several different print formats. The default is to print
-each password with six short english words.
-.Pp
-Options are:
-.Bl -tag -width Ds
-.It Fl e
-Print the passwords in ``extended'' format. In this format a prefix
-that says ``hex:'' or ``word:'' is included.
-.It Fl f
-To choose a different
-.Ar algorithm
-from the default md5. Pick any of: md4, md5, and sha.
-.It Fl h
-Print the passwords in hex.
-.It Fl n
-Print
-.Ar count
-one-time passwords, starting at
-.Ar sequence-number
-and going backwards. The default is 10.
-.El
-.Sh SEE ALSO
-.Xr otp 1
diff --git a/crypto/heimdal/appl/otp/otpprint.c b/crypto/heimdal/appl/otp/otpprint.c
deleted file mode 100644
index b1d0a84a054c..000000000000
--- a/crypto/heimdal/appl/otp/otpprint.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "otp_locl.h"
-#include
-
-RCSID("$Id: otpprint.c,v 1.14 2001/02/20 01:44:46 assar Exp $");
-
-static int extendedp;
-static int count = 10;
-static int hexp;
-static char* alg_string;
-static int version_flag;
-static int help_flag;
-
-struct getargs args[] = {
- { "extended", 'e', arg_flag, &extendedp, "print keys in extended format" },
- { "count", 'n', arg_integer, &count, "number of keys to print" },
- { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal" },
- { "hash", 'f', arg_string, &alg_string,
- "hash algorithm (md4, md5, or sha)", "algorithm"},
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
-
-int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int code)
-{
- arg_printusage(args, num_args, NULL, "num seed");
- exit(code);
-}
-
-static int
-print (int argc,
- char **argv,
- int count,
- OtpAlgorithm *alg,
- void (*print_fn)(OtpKey, char *, size_t))
-{
- char pw[64];
- OtpKey key;
- int n;
- int i;
- char *seed;
-
- if (argc != 2)
- usage (1);
- n = atoi(argv[0]);
- seed = argv[1];
- if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0))
- return 1;
- alg->init (key, pw, seed);
- for (i = 0; i < n; ++i) {
- char s[64];
-
- alg->next (key);
- if (i >= n - count) {
- (*print_fn)(key, s, sizeof(s));
- printf ("%d: %s\n", i + 1, s);
- }
- }
- return 0;
-}
-
-int
-main (int argc, char **argv)
-{
- int optind = 0;
- void (*fn)(OtpKey, char *, size_t);
- OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
-
- setprogname (argv[0]);
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
- if(help_flag)
- usage(0);
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- if(alg_string) {
- alg = otp_find_alg (alg_string);
- if (alg == NULL)
- errx(1, "Unknown algorithm: %s", alg_string);
- }
- argc -= optind;
- argv += optind;
-
- if (hexp) {
- if (extendedp)
- fn = otp_print_hex_extended;
- else
- fn = otp_print_hex;
- } else {
- if (extendedp)
- fn =
otp_print_stddict_extended;
- else
- fn = otp_print_stddict;
- }
-
- return print (argc, argv, count, alg, fn);
-}
diff --git a/crypto/heimdal/appl/otp/otpprint.cat1 b/crypto/heimdal/appl/otp/otpprint.cat1
deleted file mode 100644
index afd8c904a0b3..000000000000
--- a/crypto/heimdal/appl/otp/otpprint.cat1
+++ /dev/null
@@ -1,35 +0,0 @@
-OTP(1) FreeBSD General Commands Manual OTP(1) - -NNAAMMEE - oottpppprriinntt - print lists of one-time passwords - -SSYYNNOOPPSSIISS - oottpp [--nn _c_o_u_n_t] [--ee] [--hh] [--ff _a_l_g_o_r_i_t_h_m] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d - -DDEESSCCRRIIPPTTIIOONN - The oottpppprriinntt program prints lists of OTPs. - - Use this to print out a series of one-time passwords. You will have to - supply the _s_e_q_u_e_n_c_e _n_u_m_b_e_r and the _s_e_e_d as arguments and then the program - will prompt you for your pass-phrase. - - There are several different print formats. The default is to print each - password with six short english words. - - Options are: - - --ee Print the passwords in ``extended'' format. In this format a - prefix that says ``hex:'' or ``word:'' is included. - - --ff To choose a different _a_l_g_o_r_i_t_h_m from the default md5. Pick any - of: md4, md5, and sha. - - --hh Print the passwords in hex. - - --nn Print _c_o_u_n_t one-time passwords, starting at _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and - going backwards. The default is 10. - -SSEEEE AALLSSOO - otp(1) - -KTH-KRB November 17, 1996 KTH-KRB
diff --git a/crypto/heimdal/appl/popper/ChangeLog b/crypto/heimdal/appl/popper/ChangeLog
deleted file mode 100644
index 8e24c1dca77d..000000000000
--- a/crypto/heimdal/appl/popper/ChangeLog
+++ /dev/null
@@ -1,197 +0,0 @@ -2002-07-04 Johan Danielsson - - * pop_dropcopy.c: use RESP-CODES - - * pop_get_command.c: implement CAPA - - * popper.c: don't print our version in the greeting string - - * popper.h: add a flags parameter to the pop context - -2002-05-02 Johan Danielsson - - * pop_debug.c: revert some accidentally commited code in previous - -2002-02-07 Johan Danielsson - - * pop_debug.c: only claim krb5 support if really present - -2001-09-10 Johan Danielsson - - * maildir.c: replace MAXDROPLEN with MAXPATHLEN - - * popper.h: replace MAXDROPLEN with MAXPATHLEN - -2001-08-13 Johan Danielsson - - * popper.8: rewritten man page - -2000-12-31 Assar Westerlund - - * pop_init.c (pop_init): handle krb5_init_context failure - consistently - * pop_debug.c (doit_v5): handle krb5_init_context failure - consistently - -2000-06-10 Assar Westerlund - - * pop_init.c (krb4_authenticate): do not exit on failure, just - return - (krb5_authenticate): log errors from krb5_recvauth - -2000-04-12 Assar Westerlund - - * *.c: replace all erroneous calls to pop_log with POP_FAILURE - with POP_PRIORITY. reported by Janne Johansson ' - -2000-01-27 Assar Westerlund - - * pop_debug.c (main): figure out port number - -1999-12-20 Assar Westerlund - - * pop_init.c (pop_init): use getnameinfo_verified - - * pop_debug.c (get_socket): use getaddrinfo - -1999-12-03 Johan Danielsson - - * pop_init.c: optionally trace connected addresses to a file - -1999-11-02 Assar Westerlund - - * pop_debug.c (main): redo the v4/v5 selection for consistency. 
- -4 -> try only v4 -5 -> try only v5 none, -45 -> try v5, v4 - -1999-10-16 Johan Danielsson - - * pop_init.c (krb5_authenticate): don't use the principal - associated with the socket for authentication, instead let - krb5_rd_req pick the correct one from the ticket; just check that - it actually was a pop-ticket - -1999-08-12 Johan Danielsson - - * pop_init.c (pop_init): don't freehostent if ch == NULL - - * pop_dele.c: implement XDELE to delete a range of messages - -1999-08-05 Assar Westerlund - - * pop_init.c: v6-ify - - * pop_debug.c: v6-ify - -1999-05-10 Assar Westerlund - - * pop_debug.c (doit_v5): call krb5_sendauth with ccache == NULL - -1999-04-11 Assar Westerlund - - * pop_debug.c (main): use print_version - -Thu Apr 8 15:07:11 1999 Johan Danielsson - - * pop_pass.c: remove definition of KRB_VERIFY_USER (moved to - config.h) - -Thu Mar 18 12:55:42 1999 Johan Danielsson - - * pop_pass.c: define KRB_VERIFY_SECURE if not defined - - * Makefile.am: include Makefile.am.common - -Wed Mar 17 23:36:21 1999 Assar Westerlund - - * pop_pass.c (krb4_verify_password): use KRB_VERIFY_SECURE instead - of 1 - -Tue Mar 16 22:28:52 1999 Assar Westerlund - - * pop_pass.c: krb_verify_user_multiple -> krb_verify_user - -Sat Mar 13 22:17:29 1999 Assar Westerlund - - * pop_parse.c (pop_parse): cast when calling is* to get rid of a - warning - -Mon Mar 8 11:50:06 1999 Johan Danielsson - - * pop_init.c: use print_version - -Fri Mar 5 15:14:29 1999 Johan Danielsson - - * pop_send.c: fix handling of messages w/o body - -Sun Nov 22 10:33:29 1998 Assar Westerlund - - * pop_pass.c (pop_pass): try to always log - - * Makefile.in (WFLAGS): set - -Fri Jul 10 01:14:25 1998 Assar Westerlund - - * pop_init.c: s/net_read/pop_net_read/ - -Tue Jun 2 17:33:54 1998 Johan Danielsson - - * pop_send.c: add missing newlines - -Sun May 24 20:59:45 1998 Johan Danielsson - - * maildir.c (make_path): fix reversed args - -Sat May 16 00:02:18 1998 Assar Westerlund - - * Makefile.am: link with DBLIB - 
-Sun Apr 26 11:47:58 1998 Assar Westerlund - - * pop_pass.c (pop_pass): check return value from changeuser - - * pop_dropcopy.c (changeuser): check that `setuid' and `setgid' - succeeded. - - * popper.h: changeuser now returns int - -Thu Apr 23 00:54:38 1998 Johan Danielsson - - * Add support for maildir spoolfiles. - - * popper.h (MsgInfoList): replace `del_flag' and `retr_flag' with - single `flags' - - * pop_dropcopy.c: Fix mismatched parenthesis. - -Sat Apr 4 15:13:56 1998 Assar Westerlund - - * pop_dropcopy.c (pop_dropcopy): first do mkstemp and then fdopen. - Originally from - - * popper.h: include - -Sat Feb 7 10:07:39 1998 Assar Westerlund - - * pop_pass.c(krb4_verify_password: Don't use REALM_SZ + 1, just - REALM_SZ - -Mon Dec 29 16:37:26 1997 Assar Westerlund - - * pop_updt.c (pop_updt): lseek before ftruncating the file. From - - -Sat Nov 22 13:46:39 1997 Johan Danielsson - - * pop_pass.c: Destroy tickets after verification. - -Sun Nov 9 09:11:14 1997 Assar Westerlund - - * pop_dropinfo.c: be careful with mails without msg-id, subject, - or from - -Wed Oct 29 02:09:24 1997 Assar Westerlund - - * pop_pass.c: conditionalize OTP-support - - * pop_init.c: conditionalize OTP-support - diff --git a/crypto/heimdal/appl/popper/Makefile b/crypto/heimdal/appl/popper/Makefile deleted file mode 100644 index 510f8deadc2f..000000000000 --- a/crypto/heimdal/appl/popper/Makefile +++ /dev/null 
@@ -1,688 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/popper/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.14 2001/08/04 03:08:02 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -noinst_PROGRAMS = pop_debug - -libexec_PROGRAMS = popper - -popper_SOURCES = \ - pop_dele.c pop_dropcopy.c pop_dropinfo.c \ - pop_get_command.c pop_init.c \ - pop_last.c pop_list.c pop_log.c \ - pop_msg.c pop_parse.c pop_pass.c pop_quit.c \ - pop_rset.c pop_send.c pop_stat.c pop_updt.c \ - pop_user.c pop_uidl.c pop_xover.c popper.c \ - maildir.c popper.h version.h - - -EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \ - popper.README.release README-FIRST README-KRB4 - - -LDADD = \ - $(LIB_otp) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(DBLIB) - - -man_MANS = popper.8 -subdir = appl/popper -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -libexec_PROGRAMS = popper$(EXEEXT) -noinst_PROGRAMS = pop_debug$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) - -pop_debug_SOURCES = pop_debug.c -pop_debug_OBJECTS = pop_debug.$(OBJEXT) -pop_debug_LDADD = $(LDADD) -pop_debug_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#pop_debug_DEPENDENCIES = -pop_debug_LDFLAGS = -am_popper_OBJECTS = pop_dele.$(OBJEXT) pop_dropcopy.$(OBJEXT) \ - pop_dropinfo.$(OBJEXT) pop_get_command.$(OBJEXT) \ - pop_init.$(OBJEXT) pop_last.$(OBJEXT) pop_list.$(OBJEXT) \ - pop_log.$(OBJEXT) pop_msg.$(OBJEXT) pop_parse.$(OBJEXT) \ - pop_pass.$(OBJEXT) pop_quit.$(OBJEXT) pop_rset.$(OBJEXT) \ - pop_send.$(OBJEXT) pop_stat.$(OBJEXT) pop_updt.$(OBJEXT) \ - pop_user.$(OBJEXT) pop_uidl.$(OBJEXT) pop_xover.$(OBJEXT) \ - popper.$(OBJEXT) maildir.$(OBJEXT) -popper_OBJECTS = $(am_popper_OBJECTS) -popper_LDADD = $(LDADD) -popper_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la 
-#popper_DEPENDENCIES = -popper_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = pop_debug.c $(popper_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = README ChangeLog Makefile.am Makefile.in -SOURCES = pop_debug.c $(popper_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/popper/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 
's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -pop_debug$(EXEEXT): $(pop_debug_OBJECTS) $(pop_debug_DEPENDENCIES) - @rm -f pop_debug$(EXEEXT) - $(LINK) $(pop_debug_LDFLAGS) $(pop_debug_OBJECTS) $(pop_debug_LDADD) $(LIBS) -popper$(EXEEXT): $(popper_OBJECTS) $(popper_DEPENDENCIES) - @rm -f popper$(EXEEXT) - $(LINK) $(popper_LDFLAGS) $(popper_OBJECTS) $(popper_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - 
$(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) 
$(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) 
foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/popper/Makefile.am b/crypto/heimdal/appl/popper/Makefile.am deleted file mode 100644 index e3311dadf7b7..000000000000 --- a/crypto/heimdal/appl/popper/Makefile.am +++ /dev/null 
@@ -1,31 +0,0 @@
-# $Id: Makefile.am,v 1.14 2001/08/04 03:08:02 assar Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4)
-
-noinst_PROGRAMS = pop_debug
-
-libexec_PROGRAMS = popper
-
-popper_SOURCES = \
- pop_dele.c pop_dropcopy.c pop_dropinfo.c \
- pop_get_command.c pop_init.c \
- pop_last.c pop_list.c pop_log.c \
- pop_msg.c pop_parse.c pop_pass.c pop_quit.c \
- pop_rset.c pop_send.c pop_stat.c pop_updt.c \
- pop_user.c pop_uidl.c pop_xover.c popper.c \
- maildir.c popper.h version.h
-
-EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \
- popper.README.release README-FIRST README-KRB4
-
-LDADD = \
- $(LIB_otp) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_roken) \
- $(DBLIB)
-
-man_MANS = popper.8
diff --git a/crypto/heimdal/appl/popper/Makefile.in b/crypto/heimdal/appl/popper/Makefile.in
deleted file mode 100644
index 59fd8b009c5f..000000000000
--- a/crypto/heimdal/appl/popper/Makefile.in
+++ /dev/null
@@ -1,688 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.14 2001/08/04 03:08:02 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = 
@VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ 
$(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -noinst_PROGRAMS = pop_debug - -libexec_PROGRAMS = popper - -popper_SOURCES = \ - pop_dele.c pop_dropcopy.c pop_dropinfo.c \ - pop_get_command.c pop_init.c \ - pop_last.c pop_list.c pop_log.c \ - pop_msg.c pop_parse.c pop_pass.c pop_quit.c \ - pop_rset.c pop_send.c pop_stat.c pop_updt.c \ - pop_user.c pop_uidl.c pop_xover.c popper.c \ - maildir.c popper.h version.h - - -EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \ - popper.README.release README-FIRST README-KRB4 - - -LDADD = \ - $(LIB_otp) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(DBLIB) - - -man_MANS = popper.8 -subdir = appl/popper -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -libexec_PROGRAMS = popper$(EXEEXT) -noinst_PROGRAMS = pop_debug$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) - -pop_debug_SOURCES = pop_debug.c -pop_debug_OBJECTS = pop_debug.$(OBJEXT) -pop_debug_LDADD = $(LDADD) -@KRB5_TRUE@pop_debug_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB5_FALSE@pop_debug_DEPENDENCIES = -pop_debug_LDFLAGS = -am_popper_OBJECTS = pop_dele.$(OBJEXT) pop_dropcopy.$(OBJEXT) \ - pop_dropinfo.$(OBJEXT) pop_get_command.$(OBJEXT) \ - pop_init.$(OBJEXT) pop_last.$(OBJEXT) pop_list.$(OBJEXT) \ - pop_log.$(OBJEXT) pop_msg.$(OBJEXT) pop_parse.$(OBJEXT) \ - pop_pass.$(OBJEXT) pop_quit.$(OBJEXT) pop_rset.$(OBJEXT) \ - pop_send.$(OBJEXT) pop_stat.$(OBJEXT) pop_updt.$(OBJEXT) \ - pop_user.$(OBJEXT) pop_uidl.$(OBJEXT) pop_xover.$(OBJEXT) \ - popper.$(OBJEXT) maildir.$(OBJEXT) -popper_OBJECTS = $(am_popper_OBJECTS) -popper_LDADD = $(LDADD) -@KRB5_TRUE@popper_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB5_FALSE@popper_DEPENDENCIES = 
-popper_LDFLAGS = - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = pop_debug.c $(popper_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = README ChangeLog Makefile.am Makefile.in -SOURCES = pop_debug.c $(popper_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/popper/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 
's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -pop_debug$(EXEEXT): $(pop_debug_OBJECTS) $(pop_debug_DEPENDENCIES) - @rm -f pop_debug$(EXEEXT) - $(LINK) $(pop_debug_LDFLAGS) $(pop_debug_OBJECTS) $(pop_debug_LDADD) $(LIBS) -popper$(EXEEXT): $(popper_OBJECTS) $(popper_DEPENDENCIES) - @rm -f popper$(EXEEXT) - $(LINK) $(popper_LDFLAGS) $(popper_OBJECTS) $(popper_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - 
$(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) 
$(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) 
foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/popper/README b/crypto/heimdal/appl/popper/README deleted file mode 100644 index 0735fdd56c39..000000000000 --- a/crypto/heimdal/appl/popper/README +++ /dev/null 
@@ -1,381 +0,0 @@ -@(#)@(#)README 2.6 2.6 4/2/91 - - -The Post Office Protocol Server: Installation Guide - - - -Introduction - -The Post Office Protocol server runs on a variety of Unix[1] computers -to manage electronic mail for Macintosh and MS-DOS computers. The -server was developed at the University of California at Berkeley and -conforms fully to the specifications in RFC 1081[2] and RFC 1082[3]. -The Berkeley server also has extensions to send electronic mail on -behalf of a client. - -This guide explains how to install the POP server on your Unix -computer. It assumes that you are not only familiar with Unix but also -capable of performing Unix system administration. - - -How to Obtain the Server - -The POP server is available via anonymous ftp from ftp.CC.Berkeley.EDU -(128.32.136.9, 128.32.206.12). It is in two files in the pub directory: -a compressed tar file popper-version.tar.Z and a Macintosh StuffIt archive -in BinHex format called MacPOP.sit.hqx. - - -Contents of the Distribution - -The distribution contains the following: - -+ All of the C source necessary to create the server program. - -+ A visual representation of how the POP system works. - -+ Reprints of RFC 1081 and RFC 1082. - -+ A HyperCard stack POP client implementation using MacTCP. - -+ A man page for the popper daemon. - -+ This guide. - - -Compatibility - -The Berkeley POP server has been successfully tested on the following -Unix operating systems: - -+ Berkeley Systems Distribution 4.3 - -+ Sun Microsystems Operating System versions 3.5 and 4.0 - -+ Ultrix version 2.3 - -The following POP clients operate correctly with the Berkeley POP server: - -+ The Berkeley HyperMail HyperCard stack for the Apple Macintosh - (distributed with the server). - -+ The Stanford University Macintosh Internet Protocol MacMH program. - -+ The Stanford University Personal Computer Internet Protocol MH - program. - -+ The mh version 6.0 programs for Unix. 
- - -Support - -The Berkeley POP server is not officially supported and is without any -warranty, explicit or implied. However, we are interested in your -experiences using the server. Bugs, comments and suggestions should be -sent electronically to netinfo@garnet.Berkeley.EDU. - - -Operational Characteristics - -The POP Transaction Cycle - -The Berkeley POP server is a single program (called popper) that is -launched by inetd when it gets a service request on the POP TCP port. -(The official port number specified in RFC 1081 for POP version 3 is -port 110. However, some POP3 clients attempt to contact the server at -port 109, the POP version 2 port. Unless you are running both POP2 and -POP3 servers, you can simply define both ports for use by the POP3 -server. This is explained in the installation instructions later on.) -The popper program initializes and verifies that the peer IP address is -registered in the local domain, logging a warning message when a -connection is made to a client whose IP address does not have a -canonical name. For systems using BSD 4.3 bind, it also checks to see -if a cannonical name lookup for the client returns the same peer IP -address, logging a warning message if it does not. The the server -enters the authorization state, during which the client must correctly -identify itself by providing a valid Unix userid and password on the -server's host machine. No other exchanges are allowed during this -state (other than a request to quit.) If authentication fails, a -warning message is logged and the session ends. Once the user is -identified, popper changes its user and group ids to match that of the -user and enters the transaction state. The server makes a temporary -copy of the user's maildrop (ordinarily in /usr/spool/mail) which is -used for all subsequent transactions. These include the bulk of POP -commands to retrieve mail, delete mail, undelete mail, and so forth. 
A -Berkeley extension also allows the user to submit a mail parcel to the -server who mails it using the sendmail program (this extension is -supported in the HyperMail client distributed with the server). When -the client quits, the server enters the final update state during which -the network connection is terminated and the user's maildrop is updated -with the (possibly) modified temporary maildrop. - - -Logging - -The POP server uses syslog to keep a record of its activities. On -systems with BSD 4.3 syslogging, the server logs (by default) to the -"local0" facility at priority "notice" for all messages except -debugging which is logged at priority "debug". The default log file is -/usr/spool/mqueue/POPlog. These can be changed, if desired. On -systems with 4.2 syslogging all messages are logged to the local log -file, usually /usr/spool/mqueue/syslog. - -Problems - -If the filesystem which holds the /usr/spool/mail fills up users will -experience difficulties. The filesystem must have enough space to hold -(approximately) two copies of the largest mail box. Popper (v1.81 and -above) is designed to be robust in the face of this problem, but you may -end up with a situation where some of the user's mail is in - - /usr/spool/mail/.userid.pop - -and some of the mail is in - - /usr/spool/mail/userid - -If this happens the System Administrator should clear enough disk space -so that the filesystem has at least as much free disk as both mailboxes -hold and probably a little more. Then the user should initiate a POP -session, and do nothing but quit. If the POP session ends without an -error the user can then use POP or another mail program to clean up his/her -mailbox. - -Alternatively, the System Administrator can combine the two files (but -popper will do this for you if there is enough disk space). - - -Debugging - -The popper program will log debugging information when the -d parameter -is specified after its invocation in the inetd.conf file. 
Care should -be exercised in using this option since it generates considerable -output in the syslog file. Alternatively, the "-t " option -will place debugging information into file "" using fprintf -instead of syslog. (To enable debugging, you must edit the Makefile -to add -DDEBUG to the compiler options.) - -For SunOS version 3.5, the popper program is launched by inetd from -/etc/servers. This file does not allow you to specify command line -arguments. Therefore, if you want to enable debugging, you can specify -a shell script in /etc/servers to be launched instead of popper and in -this script call popper with the desired arguments. - - -Installation - -1. Examine this file for the latest information, warnings, etc. - -2. Check the Makefile for conformity with your system. - -3. Issue the make command in the directory containing the popper - source. - -4. Issue the make install command in the directory containing the - popper source to copy the program to /usr/etc. - -5. Enable syslogging: - - + For systems with 4.3 syslogging: - - Add the following line to the /etc/syslog.conf file: - - local0.notice;local0.debug /usr/spool/mqueue/POPlog - - Create the empty file /usr/spool/mqueue/POPlog. - - Kill and restart the syslogd daemon. - - + For systems with 4.2 syslogging: - - Be sure that you are logging messages of priority 7 and higher. - For example: - - 7/usr/spool/mqueue/syslog - 9/dev/null - -6. Update /etc/services: - - Add the following line to the /etc/services file: - - pop 110/tcp - - Note: This is the official port number for version 3 of the - Post Office Protocol as defined in RFC 1081. However, some - POP3 clients use port 109, the port number for the previous - version (2) of POP. Therefore you may also want to add the - following line to the /etc/services file: - - pop2 109/tcp - - For Sun systems running yp, also do the following: - - + Change to the /var/yp directory. - - + Issue the make services command. - -7. 
Update the inetd daemon configuration. Include the second line ONLY if you - are running the server at both ports. - - + On BSD 4.3 and SunOS 4.0 systems, add the following line to the - /etc/inetd.conf file: - - pop stream tcp nowait root /usr/etc/popper popper - pop2 stream tcp nowait root /usr/etc/popper popper - - + On Ultrix systems, add the following line to the - /etc/inetd.conf file: - - pop stream tcp nowait /usr/etc/popper popper - pop2 stream tcp nowait /usr/etc/popper popper - - + On SunOS 3.5 systems, add the following line to the - /etc/servers file: - - pop tcp /usr/etc/popper - pop2 tcp /usr/etc/popper - - Kill and restart the inetd daemon. - -You can confirm that the POP server is running on Unix by telneting to -port 110 (or 109 if you set it up that way). For example: - -%telnet myhost 110 -Trying... -Connected to myhost.berkeley.edu. -Escape character is '^]'. -+OK UCB Pop server (version 1.6) at myhost starting. -quit -Connection closed by foreign host. - - -Release Notes - -1.83 Make sure that everything we do as root is non-destructive. - -1.82 Make the /usr/spool/mail/.userid.pop file owned by the user rather - than owned by root. - -1.81 There were two versions of 1.7 floating around, 1.7b4 and 1.7b5. - The difference is that 1.7b5 attempted to save disk space on - /usr/spool/mail by deleting the users permanent maildrop after - making the temporary copy. Unfortunately, if compiled with - -DDEBUG, this version could easily wipe out a users' mail file. - This is now fixed. - - This version also fixes a security hole for systems that have - /usr/spool/mail writeable by all users. - - With this version we go to all new SCCS IDs for all files. This - is unfortunate, and we hope it is not too much of a problem. - - Thanks to Steve Dorner of UIUC for pointing out the major problem. 
- -1.7 Extensive re-write of the maildrop processing code contributed by - Viktor Dukhovni that greatly reduces the - possibility that the maildrop can be corrupted as the result of - simultaneous access by two or more processes. - - Added "pop_dropcopy" module to create a temporary maildrop from - the existing, standard maildrop as root before the setuid and - setgid for the user is done. This allows the temporary maildrop - to be created in a mail spool area that is not world read-writable. - - This version does *not* send the sendmail "From " delimiter line - in response to a TOP or RETR command. - - Encased all debugging code in #ifdef DEBUG constructs. This code can - be included by specifying the DEGUG compiler flag. Note: You still - need to use the -d or -t option to obtain debugging output. - -1.6 Corrects a bug that causes the server to crash on SunOS - 4.0 systems. - - Uses varargs and vsprintf (if available) in pop_log and - pop_msg. This is enabled by the "HAVE_VSPRINTF" - compiler flag. - - For systems with BSD 4.3 bind, performs a cannonical - name lookup and searches the returned address(es) for - the client's address, logging a warning message if it - is not located. This is enabled by the "BIND43" - comiler flag. - - Removed all the includes from popper.h and distributed - them throughout the porgrams files, as needed. - - Reformatted the source to convert tabs to spaces and - shorten lines for display on 80-column terminals. - -1.5 Creates the temporary maildrop with mode "600" and - immediately unlinks it. - - Uses client's IP address in lieu of a canonical name if - the latter cannot be obtained. - - Added "-t " option. The presence of this - option causes debugging output to be placed in the file - "file-name" using fprintf instead of the system log - file using syslog. - - Corrected maildrop parsing problem. - -1.4 Copies user's mail into a temporary maildrop on which - all subsequent activity is performed. 
- - Added "pop_log" function and replaced "syslog" calls - throughout the code with it. - -1.3 Corrected updating of Status: header line. - - Added strncasecmp for systems that do not have one. - Used strncasecmp in all appropriate places. This is - enabled by the STRNCASECMP compiler flag. - -1.2 Support for version 4.2 syslogging added. This is - enabled by the SYSLOG42 compiler flag. - -1.1 Several bugs fixed. - -1.0 Original version. - - -Limitations - -+ The POP server copies the user's entire maildrop to /tmp and - then operates on that copy. If the maildrop is particularly - large, or inadequate space is available in /tmp, then the - server will refuse to continue and terminate the connection. - -+ Simultaneous modification of a single maildrop can result in - confusing results. For example, manipulating messages in a - maildrop using the Unix /usr/ucb/mail command while a copy of - it is being processed by the POP server can cause the changes - made by one program to be lost when the other terminates. This - problem is being worked on and will be fixed in a later - release. - - -Credits - -The POP server was written by Edward Moy and Austin Shelton with -contributions from Robert Campbell (U.C. Berkeley) and Viktor Dukhovni -(Princeton University). Edward Moy wrote the HyperMail stack and drew -the POP operation diagram. This installation guide was written by -Austin Shelton. - - -Footnotes - -[1] Copyright (c) 1990 Regents of the University of California. - All rights reserved. The Berkeley software License Agreement - specifies the terms and conditions for redistribution. Unix is - a registered trademark of AT&T corporation. HyperCard and - Macintosh are registered trademarks of Apple Corporation. - -[2] M. Rose, Post Office Protocol - Version 3. RFC 1081, NIC, - November 1988. - -[3] M. Rose, Post Office Protocol - Version 3 Extended Service - Offerings. RFC 1082, NIC, November 1988. 
diff --git a/crypto/heimdal/appl/popper/README-FIRST b/crypto/heimdal/appl/popper/README-FIRST
deleted file mode 100644
index 3d78fb644b62..000000000000
--- a/crypto/heimdal/appl/popper/README-FIRST
+++ /dev/null
@@ -1,11 +0,0 @@
-This kerberized popper was based on popper-1.831beta
-which was later announced as "offical" and not beta.
-
-This program is able to talk both the pop3 and the kpop3 protocol.
-
-Please note that the server principal is pop.hostname and not
-rcmd.hostname. I.e an additional entry is needed in your mailhub's
-/etc/srvtab. Use ksrvutil to add the extra prinicpal.
-
-The server is usually started from inetd and there is already an entry
-for that in inetd.conf.changes.
diff --git a/crypto/heimdal/appl/popper/README-KRB4 b/crypto/heimdal/appl/popper/README-KRB4
deleted file mode 100644
index f029cf97c2de..000000000000
--- a/crypto/heimdal/appl/popper/README-KRB4
+++ /dev/null
@@ -1,3 +0,0 @@
-Define KERBEROS if you want support for Kerberos V4 style
-authentification, then you will be able to start a kerberise pop with
-the `-k' flag.
diff --git a/crypto/heimdal/appl/popper/maildir.c b/crypto/heimdal/appl/popper/maildir.c
deleted file mode 100644
index 4953d4bd4e88..000000000000
--- a/crypto/heimdal/appl/popper/maildir.c
+++ /dev/null
@@ -1,216 +0,0 @@ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -#include -RCSID("$Id: maildir.c,v 1.6 2001/09/10 11:56:53 joda Exp $"); - -static void -make_path(POP *p, MsgInfoList *mp, int new, char *buf, size_t len) -{ - snprintf(buf, len, "%s/%s%s%s", p->drop_name, - new ? "new" : "cur", mp ? "/" : "", mp ? 
mp->name : ""); -} - -static int -scan_file(POP *p, MsgInfoList *mp) -{ - char path[MAXPATHLEN]; - FILE *f; - char buf[1024]; - int eoh = 0; - - make_path(p, mp, mp->flags & NEW_FLAG, path, sizeof(path)); - f = fopen(path, "r"); - - if(f == NULL) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, - "Failed to open message file `%s': %s", - path, strerror(errno)); -#endif - return pop_msg (p, POP_FAILURE, - "Failed to open message file `%s'", path); - } - while(fgets(buf, sizeof(buf), f)) { - if(buf[strlen(buf) - 1] == '\n') - mp->lines++; - mp->length += strlen(buf); - if(eoh) - continue; - if(strcmp(buf, "\n") == 0) - eoh = 1; - parse_header(mp, buf); - } - fclose(f); - return add_missing_headers(p, mp); -} - -static int -scan_dir(POP *p, int new) -{ - char tmp[MAXPATHLEN]; - DIR *dir; - struct dirent *dent; - MsgInfoList *mp = p->mlp; - int n_mp = p->msg_count; - int e; - - make_path(p, NULL, new, tmp, sizeof(tmp)); - mkdir(tmp, 0700); - dir = opendir(tmp); - while((dent = readdir(dir)) != NULL) { - if(strcmp(dent->d_name, ".") == 0 || strcmp(dent->d_name, "..") == 0) - continue; - mp = realloc(mp, (n_mp + 1) * sizeof(*mp)); - if(mp == NULL) { - p->msg_count = 0; - return pop_msg (p, POP_FAILURE, - "Can't build message list for '%s': Out of memory", - p->user); - } - memset(mp + n_mp, 0, sizeof(*mp)); - mp[n_mp].name = strdup(dent->d_name); - if(mp[n_mp].name == NULL) { - p->msg_count = 0; - return pop_msg (p, POP_FAILURE, - "Can't build message list for '%s': Out of memory", - p->user); - } - mp[n_mp].number = n_mp + 1; - mp[n_mp].flags = 0; - if(new) - mp[n_mp].flags |= NEW_FLAG; - e = scan_file(p, &mp[n_mp]); - if(e != POP_SUCCESS) - return e; - p->drop_size += mp[n_mp].length; - n_mp++; - } - closedir(dir); - p->mlp = mp; - p->msg_count = n_mp; - return POP_SUCCESS; -} - -int -pop_maildir_info(POP *p) -{ - int e; - - p->temp_drop[0] = '\0'; - p->mlp = NULL; - p->msg_count = 0; - - e = scan_dir(p, 0); - if(e != POP_SUCCESS) return e; - - e = scan_dir(p, 
1); - if(e != POP_SUCCESS) return e; - return POP_SUCCESS; -} - -int -pop_maildir_update(POP *p) -{ - int i; - char tmp1[MAXPATHLEN], tmp2[MAXPATHLEN]; - for(i = 0; i < p->msg_count; i++) { - make_path(p, &p->mlp[i], p->mlp[i].flags & NEW_FLAG, - tmp1, sizeof(tmp1)); - if(p->mlp[i].flags & DEL_FLAG) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Removing `%s'", tmp1); -#endif - if(unlink(tmp1) < 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Failed to remove `%s': %s", - tmp1, strerror(errno)); -#endif - /* return failure? */ - } - } else if((p->mlp[i].flags & NEW_FLAG) && - (p->mlp[i].flags & RETR_FLAG)) { - make_path(p, &p->mlp[i], 0, tmp2, sizeof(tmp2)); -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Linking `%s' to `%s'", tmp1, tmp2); -#endif - if(link(tmp1, tmp2) == 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Removing `%s'", tmp1); -#endif - if(unlink(tmp1) < 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Failed to remove `%s'", tmp1); -#endif - /* return failure? */ - } - } else { - if(errno == EXDEV) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Trying to rename `%s' to `%s'", - tmp1, tmp2); -#endif - if(rename(tmp1, tmp2) < 0) { -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, "Failed to rename `%s' to `%s'", - tmp1, tmp2); -#endif - } - } - } - } - } - return(pop_quit(p)); -} - -int -pop_maildir_open(POP *p, MsgInfoList *mp) -{ - char tmp[MAXPATHLEN]; - make_path(p, mp, mp->flags & NEW_FLAG, tmp, sizeof(tmp)); - if(p->drop) - fclose(p->drop); - p->drop = fopen(tmp, "r"); - if(p->drop == NULL) - return pop_msg(p, POP_FAILURE, "Failed to open message file"); - return POP_SUCCESS; -} diff --git a/crypto/heimdal/appl/popper/pop3.rfc1081 b/crypto/heimdal/appl/popper/pop3.rfc1081 deleted file mode 100644 index 08ea6dd1430b..000000000000 --- a/crypto/heimdal/appl/popper/pop3.rfc1081 +++ /dev/null 
@@ -1,898 +0,0 @@ - - - - - - -Network Working Group M. Rose -Request for Comments: 1081 TWG - November 1988 - - Post Office Protocol - Version 3 - - -Status of this Memo - - This memo suggests a simple method for workstations to dynamically - access mail from a mailbox server. This RFC specifies a proposed - protocol for the Internet community, and requests discussion and - suggestions for improvements. Distribution of this memo is - unlimited. - - This memo is based on RFC 918 (since revised as RFC 937). Although - similar in form to the original Post Office Protocol (POP) proposed - for the Internet community, the protocol discussed in this memo is - similar in spirit to the ideas investigated by the MZnet project at - the University of California, Irvine. - - Further, substantial work was done on examining POP in a PC-based - environment. This work, which resulted in additional functionality - in this protocol, was performed by the ACIS Networking Systems Group - at Stanford University. The author gratefully acknowledges their - interest. - -Introduction - - On certain types of smaller nodes in the Internet it is often - impractical to maintain a message transport system (MTS). For - example, a workstation may not have sufficient resources (cycles, - disk space) in order to permit a SMTP server and associated local - mail delivery system to be kept resident and continuously running. - Similarly, it may be expensive (or impossible) to keep a personal - computer interconnected to an IP-style network for long amounts of - time (the node is lacking the resource known as "connectivity"). - - Despite this, it is often very useful to be able to manage mail on - these smaller nodes, and they often support a user agent (UA) to aid - the tasks of mail handling. To solve this problem, a node which can - support an MTS entity offers a maildrop service to these less endowed - nodes. 
The Post Office Protocol - Version 3 (POP3) is intended to - permit a workstation to dynamically access a maildrop on a server - host in a useful fashion. Usually, this means that the POP3 is used - to allow a workstation to retrieve mail that the server is holding - for it. - - - - -Rose [Page 1] - -RFC 1081 POP3 November 1988 - - - For the remainder of this memo, the term "client host" refers to a - host making use of the POP3 service, while the term "server host" - refers to a host which offers the POP3 service. - -A Short Digression - - This memo does not specify how a client host enters mail into the - transport system, although a method consistent with the philosophy of - this memo is presented here: - - When the user agent on a client host wishes to enter a message - into the transport system, it establishes an SMTP connection to - its relay host (this relay host could be, but need not be, the - POP3 server host for the client host). - - If this method is followed, then the client host appears to the MTS - as a user agent, and should NOT be regarded as a "trusted" MTS entity - in any sense whatsoever. This concept, along with the role of the - POP3 as a part of a split-UA model is discussed later in this memo. - - Initially, the server host starts the POP3 service by listening on - TCP port 110. When a client host wishes to make use of the service, - it establishes a TCP connection with the server host. When the - connection is established, the POP3 server sends a greeting. The - client and POP3 server then exchange commands and responses - (respectively) until the connection is closed or aborted. - - Commands in the POP3 consist of a keyword possibly followed by an - argument. All commands are terminated by a CRLF pair. - - Responses in the POP3 consist of a success indicator and a keyword - possibly followed by additional information. All responses are - terminated by a CRLF pair. 
There are currently two success - indicators: positive ("+OK") and negative ("-ERR"). - - Responses to certain commands are multi-line. In these cases, which - are clearly indicated below, after sending the first line of the - response and a CRLF, any additional lines are sent, each terminated - by a CRLF pair. When all lines of the response have been sent, a - final line is sent, consisting of a termination octet (decimal code - 046, ".") and a CRLF pair. If any line of the multi-line response - begins with the termination octet, the line is "byte-stuffed" by - pre-pending the termination octet to that line of the response. - Hence a multi-line response is terminated with the five octets - "CRLF.CRLF". When examining a multi-line response, the client checks - to see if the line begins with the termination octet. If so and if - octets other than CRLF follow, the the first octet of the line (the - termination octet) is stripped away. If so and if CRLF immediately - - - -Rose [Page 2] - -RFC 1081 POP3 November 1988 - - - follows the termination character, then the response from the POP - server is ended and the line containing ".CRLF" is not considered - part of the multi-line response. - - A POP3 session progresses through a number of states during its - lifetime. Once the TCP connection has been opened and the POP3 - server has sent the greeting, the session enters the AUTHORIZATION - state. In this state, the client must identify itself to the POP3 - server. Once the client has successfully done this, the server - acquires resources associated with the client's maildrop, and the - session enters the TRANSACTION state. In this state, the client - requests actions on the part of the POP3 server. When the client has - finished its transactions, the session enters the UPDATE state. In - this state, the POP3 server releases any resources acquired during - the TRANSACTION state and says goodbye. The TCP connection is then - closed. 
- -The AUTHORIZATION State - - Once the TCP connection has been opened by a POP3 client, the POP3 - server issues a one line greeting. This can be any string terminated - by CRLF. An example might be: - - S. +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU) - - Note that this greeting is a POP3 reply. The POP3 server should - always give a positive response as the greeting. - - The POP3 session is now in the AUTHORIZATION state. The client must - now issue the USER command. If the POP3 server responds with a - positive success indicator ("+OK"), then the client may issue either - the PASS command to complete the authorization, or the QUIT command - to terminate the POP3 session. If the POP3 server responds with a - negative success indicator ("-ERR") to the USER command, then the - client may either issue a new USER command or may issue the QUIT - command. - - When the client issues the PASS command, the POP3 server uses the - argument pair from the USER and PASS commands to determine if the - client should be given access to the appropriate maildrop. If so, - the POP3 server then acquires an exclusive-access lock on the - maildrop. If the lock is successfully acquired, the POP3 server - parses the maildrop into individual messages (read note below), - determines the last message (if any) present in the maildrop that was - referenced by the RETR command, and responds with a positive success - indicator. The POP3 session now enters the TRANSACTION state. If - the lock can not be acquired or the client should is denied access to - the appropriate maildrop or the maildrop can't be parsed for some - - - -Rose [Page 3] - -RFC 1081 POP3 November 1988 - - - reason, the POP3 server responds with a negative success indicator. - (If a lock was acquired but the POP3 server intends to respond with a - negative success indicator, the POP3 server must release the lock - prior to rejecting the command.) 
At this point, the client may - either issue a new USER command and start again, or the client may - issue the QUIT command. - - NOTE: Minimal implementations of the POP3 need only be - able to break a maildrop into its component messages; - they need NOT be able to parse individual messages. - More advanced implementations may wish to have this - capability, for reasons discussed later. - - After the POP3 server has parsed the maildrop into individual - messages, it assigns a message-id to each message, and notes the size - of the message in octets. The first message in the maildrop is - assigned a message-id of "1", the second is assigned "2", and so on, - so that the n'th message in a maildrop is assigned a message-id of - "n". In POP3 commands and responses, all message-id's and message - sizes are expressed in base-10 (i.e., decimal). - - It sets the "highest number accessed" to be that of the last message - referenced by the RETR command. - - Here are summaries for the three POP3 commands discussed thus far: - - USER name - Arguments: a server specific user-id (required) - Restrictions: may only be given in the AUTHORIZATION - state after the POP3 greeting or after an - unsuccessful USER or PASS command - Possible Responses: - +OK name is welcome here - -ERR never heard of name - Examples: - C: USER mrose - S: +OK mrose is a real hoopy frood - ... - C: USER frated - S: -ERR sorry, frated doesn't get his mail here - - PASS string - Arguments: a server/user-id specific password (required) - Restrictions: may only be given in the AUTHORIZATION - state after a successful USER command - Possible Responses: - +OK maildrop locked and ready - -ERR invalid password - - - -Rose [Page 4] - -RFC 1081 POP3 November 1988 - - - -ERR unable to lock maildrop - Examples: - C: USER mrose - S: +OK mrose is a real hoopy frood - C: PASS secret - S: +OK mrose's maildrop has 2 messages - (320 octets) - ... 
- C: USER mrose - S: +OK mrose is a real hoopy frood - C: PASS secret - S: -ERR unable to lock mrose's maildrop, file - already locked - - QUIT - Arguments: none - Restrictions: none - Possible Responses: - +OK - Examples: - C: QUIT - S: +OK dewey POP3 server signing off - - -The TRANSACTION State - - Once the client has successfully identified itself to the POP3 server - and the POP3 server has locked and burst the appropriate maildrop, - the POP3 session is now in the TRANSACTION state. The client may now - issue any of the following POP3 commands repeatedly. After each - command, the POP3 server issues a response. Eventually, the client - issues the QUIT command and the POP3 session enters the UPDATE state. - - Here are the POP3 commands valid in the TRANSACTION state: - - STAT - Arguments: none - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server issues a positive response with a line - containing information for the maildrop. This line is - called a "drop listing" for that maildrop. - - In order to simplify parsing, all POP3 servers are - required to use a certain format for drop listings. - The first octets present must indicate the number of - messages in the maildrop. Following this is the size - - - -Rose [Page 5] - -RFC 1081 POP3 November 1988 - - - of the maildrop in octets. This memo makes no - requirement on what follows the maildrop size. - Minimal implementations should just end that line of - the response with a CRLF pair. More advanced - implementations may include other information. - - NOTE: This memo STRONGLY discourages - implementations from supplying additional - information in the drop listing. Other, - optional, facilities are discussed later on - which permit the client to parse the messages - in the maildrop. - - Note that messages marked as deleted are not counted in - either total. 
- - Possible Responses: - +OK nn mm - Examples: - C: STAT - S: +OK 2 320 - - LIST [msg] - Arguments: a message-id (optionally) If a message-id is - given, it may NOT refer to a message marked as - deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If an argument was given and the POP3 server issues a - positive response with a line containing information - for that message. This line is called a "scan listing" - for that message. - - If no argument was given and the POP3 server issues a - positive response, then the response given is - multi-line. After the initial +OK, for each message - in the maildrop, the POP3 server responds with a line - containing information for that message. This line - is called a "scan listing" for that message. - - In order to simplify parsing, all POP3 servers are - required to use a certain format for scan listings. - The first octets present must be the message-id of - the message. Following the message-id is the size of - the message in octets. This memo makes no requirement - on what follows the message size in the scan listing. - Minimal implementations should just end that line of - - - -Rose [Page 6] - -RFC 1081 POP3 November 1988 - - - the response with a CRLF pair. More advanced - implementations may include other information, as - parsed from the message. - - NOTE: This memo STRONGLY discourages - implementations from supplying additional - information in the scan listing. Other, optional, - facilities are discussed later on which permit - the client to parse the messages in the maildrop. - - Note that messages marked as deleted are not listed. - - Possible Responses: - +OK scan listing follows - -ERR no such message - Examples: - C: LIST - S: +OK 2 messages (320 octets) - S: 1 120 - S: 2 200 - S: . - ... - C: LIST 2 - S: +OK 2 200 - ... 
- C: LIST 3 - S: -ERR no such message, only 2 messages in - maildrop - - RETR msg - Arguments: a message-id (required) This message-id may - NOT refer to a message marked as deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If the POP3 server issues a positive response, then the - response given is multi-line. After the initial +OK, - the POP3 server sends the message corresponding to the - given message-id, being careful to byte-stuff the - termination character (as with all multi-line - responses). - - If the number associated with this message is higher - than the "highest number accessed" in the maildrop, the - POP3 server updates the "highest number accessed" to - the number associated with this message. - - - - - -Rose [Page 7] - -RFC 1081 POP3 November 1988 - - - Possible Responses: - +OK message follows - -ERR no such message - Examples: - C: RETR 1 - S: +OK 120 octets - S: - S: . - - DELE msg - Arguments: a message-id (required) This message-id - may NOT refer to a message marked as deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server marks the message as deleted. Any - future reference to the message-id associated with the - message in a POP3 command generates an error. The POP3 - server does not actually delete the message until the - POP3 session enters the UPDATE state. - - If the number associated with this message is higher - than the "highest number accessed" in the maildrop, - the POP3 server updates the "highest number accessed" - to the number associated with this message. - - Possible Responses: - +OK message deleted - -ERR no such message - Examples: - C: DELE 1 - S: +OK message 1 deleted - ... - C: DELE 2 - S: -ERR message 2 already deleted - - NOOP - Arguments: none - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server does nothing, it merely replies with a - positive response. 
- - Possible Responses: - +OK - - - - - -Rose [Page 8] - -RFC 1081 POP3 November 1988 - - - Examples: - C: NOOP - S: +OK - - LAST - Arguments: none - Restrictions: may only be issued in the TRANSACTION state. - Discussion: - - The POP3 server issues a positive response with a line - containing the highest message number which accessed. - Zero is returned in case no message in the maildrop has - been accessed during previous transactions. A client - may thereafter infer that messages, if any, numbered - greater than the response to the LAST command are - messages not yet accessed by the client. - - Possible Response: - +OK nn - - Examples: - C: STAT - S: +OK 4 320 - C: LAST - S: +OK 1 - C: RETR 3 - S: +OK 120 octets - S: - S: . - C: LAST - S: +OK 3 - C: DELE 2 - S: +OK message 2 deleted - C: LAST - S: +OK 3 - C: RSET - S: +OK - C: LAST - S: +OK 1 - - RSET - Arguments: none - Restrictions: may only be given in the TRANSACTION - state. - Discussion: - - If any messages have been marked as deleted by the POP3 - - - -Rose [Page 9] - -RFC 1081 POP3 November 1988 - - - server, they are unmarked. The POP3 server then - replies with a positive response. In addition, the - "highest number accessed" is also reset to the value - determined at the beginning of the POP3 session. - - Possible Responses: - +OK - Examples: - C: RSET - S: +OK maildrop has 2 messages (320 octets) - - - -The UPDATE State - - When the client issues the QUIT command from the TRANSACTION state, - the POP3 session enters the UPDATE state. (Note that if the client - issues the QUIT command from the AUTHORIZATION state, the POP3 - session terminates but does NOT enter the UPDATE state.) - - QUIT - Arguments: none - Restrictions: none - Discussion: - - The POP3 server removes all messages marked as deleted - from the maildrop. It then releases the - exclusive-access lock on the maildrop and replies as - to the success of - these operations. The TCP connection is then closed. 
- - Possible Responses: - +OK - Examples: - C: QUIT - S: +OK dewey POP3 server signing off (maildrop - empty) - ... - C: QUIT - S: +OK dewey POP3 server signing off (2 messages - left) - ... - - -Optional POP3 Commands - - The POP3 commands discussed above must be supported by all minimal - implementations of POP3 servers. - - - -Rose [Page 10] - -RFC 1081 POP3 November 1988 - - - The optional POP3 commands described below permit a POP3 client - greater freedom in message handling, while preserving a simple POP3 - server implementation. - - NOTE: This memo STRONGLY encourages implementations to - support these commands in lieu of developing augmented - drop and scan listings. In short, the philosophy of - this memo is to put intelligence in the part of the - POP3 client and not the POP3 server. - - TOP msg n - Arguments: a message-id (required) and a number. This - message-id may NOT refer to a message marked as - deleted. - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If the POP3 server issues a positive response, then - the response given is multi-line. After the initial - +OK, the POP3 server sends the headers of the message, - the blank line separating the headers from the body, - and then the number of lines indicated message's body, - being careful to byte-stuff the termination character - (as with all multi-line responses). - - Note that if the number of lines requested by the POP3 - client is greater than than the number of lines in the - body, then the POP3 server sends the entire message. - - Possible Responses: - +OK top of message follows - -ERR no such message - Examples: - C: TOP 10 - S: +OK - S: - S: . - ... 
- C: TOP 100 - S: -ERR no such message - - RPOP user - Arguments: a client specific user-id (required) - Restrictions: may only be given in the AUTHORIZATION - state after a successful USER command; in addition, - may only be given if the client used a reserved - - - -Rose [Page 11] - -RFC 1081 POP3 November 1988 - - - (privileged) TCP port to connect to the server. - Discussion: - - The RPOP command may be used instead of the PASS - command to authenticate access to the maildrop. In - order for this command to be successful, the POP3 - client must use a reserved TCP port (port < 1024) to - connect tothe server. The POP3 server uses the - argument pair from the USER and RPOP commands to - determine if the client should be given access to - the appropriate maildrop. Unlike the PASS command - however, the POP3 server considers if the remote user - specified by the RPOP command who resides on the POP3 - client host is allowed to access the maildrop for the - user specified by the USER command (e.g., on Berkeley - UNIX, the .rhosts mechanism is used). With the - exception of this differing in authentication, this - command is identical to the PASS command. - - Note that the use of this feature has allowed much wider - penetration into numerous hosts on local networks (and - sometimes remote networks) by those who gain illegal - access to computers by guessing passwords or otherwise - breaking into the system. 
- - Possible Responses: - +OK maildrop locked and ready - -ERR permission denied - Examples: - C: USER mrose - S: +OK mrose is a real hoopy frood - C: RPOP mrose - S: +OK mrose's maildrop has 2 messages (320 - octets) - - Minimal POP3 Commands: - USER name valid in the AUTHORIZATION state - PASS string - QUIT - - STAT valid in the TRANSACTION state - LIST [msg] - RETR msg - DELE msg - NOOP - LAST - RSET - - - - -Rose [Page 12] - -RFC 1081 POP3 November 1988 - - - QUIT valid in the UPDATE state - - Optional POP3 Commands: - RPOP user valid in the AUTHORIZATION state - - TOP msg n valid in the TRANSACTION state - - POP3 Replies: - +OK - -ERR - - Note that with the exception of the STAT command, the reply given - by the POP3 server to any command is significant only to "+OK" - and "-ERR". Any text occurring after this reply may be ignored - by the client. - -Example POP3 Session - - S: - ... - C: - S: +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU) - C: USER mrose - S: +OK mrose is a real hoopy frood - C: PASS secret - S: +OK mrose's maildrop has 2 messages (320 octets) - C: STAT - S: +OK 2 320 - C: LIST - S: +OK 2 messages (320 octets) - S: 1 120 - S: 2 200 - S: . - C: RETR 1 - S: +OK 120 octets - S: - S: . - C: DELE 1 - S: +OK message 1 deleted - C: RETR 2 - S: +OK 200 octets - S: - S: . - C: DELE 2 - S: +OK message 2 deleted - C: QUIT - - - - - -Rose [Page 13] - -RFC 1081 POP3 November 1988 - - - S: +OK dewey POP3 server signing off (maildrop empty) - C: - S: - -Message Format - - All messages transmitted during a POP3 session are assumed to conform - to the standard for the format of Internet text messages [RFC822]. - - It is important to note that the byte count for a message on the - server host may differ from the octet count assigned to that message - due to local conventions for designating end-of-line. 
Usually, - during the AUTHORIZATION state of the POP3 session, the POP3 client - can calculate the size of each message in octets when it parses the - maildrop into messages. For example, if the POP3 server host - internally represents end-of-line as a single character, then the - POP3 server simply counts each occurrence of this character in a - message as two octets. Note that lines in the message which start - with the termination octet need not be counted twice, since the POP3 - client will remove all byte-stuffed termination characters when it - receives a multi-line response. - -The POP and the Split-UA model - - The underlying paradigm in which the POP3 functions is that of a - split-UA model. The POP3 client host, being a remote PC based - workstation, acts solely as a client to the message transport system. - It does not provide delivery/authentication services to others. - Hence, it is acting as a UA, on behalf of the person using the - workstation. Furthermore, the workstation uses SMTP to enter mail - into the MTS. - - In this sense, we have two UA functions which interface to the - message transport system: Posting (SMTP) and Retrieval (POP3). The - entity which supports this type of environment is called a split-UA - (since the user agent is split between two hosts which must - interoperate to provide these functions). - - ASIDE: Others might term this a remote-UA instead. - There are arguments supporting the use of both terms. - - This memo has explicitly referenced TCP as the underlying transport - agent for the POP3. This need not be the case. In the MZnet split- - UA, for example, personal micro-computer systems are used which do - not have IP-style networking capability. To connect to the POP3 - server host, a PC establishes a terminal connection using some simple - protocol (PhoneNet). A program on the PC drives the connection, - first establishing a login session as a normal user. 
The login shell - - - -Rose [Page 14] - -RFC 1081 POP3 November 1988 - - - for this pseudo-user is a program which drives the other half of the - terminal protocol and communicates with one of two servers. Although - MZnet can support several PCs, a single pseudo-user login is present - on the server host. The user-id and password for this pseudo-user - login is known to all members of MZnet. Hence, the first action of - the login shell, after starting the terminal protocol, is to demand a - USER/PASS authorization pair from the PC. This second level of - authorization is used to ascertain who is interacting with the MTS. - Although the server host is deemed to support a "trusted" MTS entity, - PCs in MZnet are not. Naturally, the USER/PASS authorization pair - for a PC is known only to the owner of the PC (in theory, at least). - - After successfully verifying the identity of the client, a modified - SMTP server is started, and the PC posts mail with the server host. - After the QUIT command is given to the SMTP server and it terminates, - a modified POP3 server is started, and the PC retrieves mail from the - server host. After the QUIT command is given to the POP3 server and - it terminates, the login shell for the pseudo-user terminates the - terminal protocol and logs the job out. The PC then closes the - terminal connection to the server host. - - The SMTP server used by MZnet is modified in the sense that it knows - that it's talking to a user agent and not a "trusted" entity in the - message transport system. Hence, it does performs the validation - activities normally performed by an entity in the MTS when it accepts - a message from a UA. - - The POP3 server used by MZnet is modified in the sense that it does - not require a USER/PASS combination before entering the TRANSACTION - state. The reason for this (of course) is that the PC has already - identified itself during the second-level authorization step - described above. 
- - NOTE: Truth in advertising laws require that the author - of this memo state that MZnet has not actually been - fully implemented. The concepts presented and proven - by the project led to the notion of the MZnet - split-slot model. This notion has inspired the - split-UA concept described in this memo, led to the - author's interest in the POP, and heavily influenced - the the description of the POP3 herein. - - In fact, some UAs present in the Internet already support the notion - of posting directly to an SMTP server and retrieving mail directly - from a POP server, even if the POP server and client resided on the - same host! - - ASIDE: this discussion raises an issue which this memo - - - -Rose [Page 15] - -RFC 1081 POP3 November 1988 - - - purposedly avoids: how does SMTP know that it's talking - to a "trusted" MTS entity? - -References - - [MZnet] Stefferud, E., J. Sweet, and T. Domae, "MZnet: Mail - Service for Personal Micro-Computer Systems", - Proceedings, IFIP 6.5 International Conference on - Computer Message Systems, Nottingham, U.K., May 1984. - - [RFC821] Postel, J., "Simple Mail Transfer Protocol", - USC/Information Sciences Institute, August 1982. - - [RFC822] Crocker, D., "Standard for the Format of ARPA-Internet - Text Messages", University of Delaware, August 1982. - - [RFC937] Butler, M., J. Postel, D. Chase, J. Goldberger, and J. - Reynolds, "Post Office Protocol - Version 2", RFC 937, - USC/Information Sciences Institute, February 1985. - - [RFC1010] Reynolds, J., and J. Postel, "Assigned Numbers", RFC - 1010, USC/Information Sciences Institute, May 1987. - -Author's Address: - - - Marshall Rose - The Wollongong Group - 1129 San Antonio Rd. - Palo Alto, California 94303 - - Phone: (415) 962-7100 - - Email: MRose@TWG.COM - - - - - - - - - - - - - - - - - -Rose [Page 16] diff --git a/crypto/heimdal/appl/popper/pop3e.rfc1082 b/crypto/heimdal/appl/popper/pop3e.rfc1082 deleted file mode 100644 index ac49448b5e11..000000000000 
--- a/crypto/heimdal/appl/popper/pop3e.rfc1082
+++ /dev/null
@@ -1,619 +0,0 @@ - - - - - - -Network Working Group M. Rose -Request for Comments: 1082 TWG - November 1988 - - - - Post Office Protocol - Version 3 - Extended Service Offerings - -Status of This Memo - - This memo suggests a simple method for workstations to dynamically - access mail from a discussion group server, as an extension to an - earlier memo which dealt with dynamically accessing mail from a - mailbox server using the Post Office Protocol - Version 3 (POP3). - This RFC specifies a proposed protocol for the Internet community, - and requests discussion and suggestions for improvements. All of the - extensions described in this memo to the POP3 are OPTIONAL. - Distribution of this memo is unlimited. - -Introduction and Motivation - - It is assumed that the reader is familiar with RFC 1081 that - discusses the Post Office Protocol - Version 3 (POP3) [RFC1081]. - This memo describes extensions to the POP3 which enhance the service - it offers to clients. This additional service permits a client host - to access discussion group mail, which is often kept in a separate - spool area, using the general POP3 facilities. - - The next section describes the evolution of discussion groups and the - technologies currently used to implement them. To summarize: - - o An exploder is used to map from a single address to - a list of addresses which subscribe to the list, and redirects - any subsequent error reports associated with the delivery of - each message. This has two primary advantages: - - Subscribers need know only a single address - - Responsible parties get the error reports and not - the subscribers - - - - - - - - - - - - -Rose [Page 1] - -RFC 1082 POP3 Extended Service November 1988 - - - o Typically, each subscription address is not a person's private - maildrop, but a system-wide maildrop, which can be accessed - by more than one user. 
This has several advantages: - - Only a single copy of each message need traverse the - net for a given site (which may contain several local - hosts). This conserves bandwidth and cycles. - - Only a single copy of each message need reside on each - subscribing host. This conserves disk space. - - The private maildrop for each user is not cluttered - with discussion group mail. - - Despite this optimization of resources, further economy can be - achieved at sites with more than one host. Typically, sites with - more than one host either: - - 1. Replicate discussion group mail on each host. This - results in literally gigabytes of disk space committed to - unnecessarily store redundant information. - - 2. Keep discussion group mail on one host and give all users a - login on that host (in addition to any other logins they may - have). This is usually a gross inconvenience for users who - work on other hosts, or a burden to users who are forced to - work on that host. - - As discussed in [RFC1081], the problem of giving workstations dynamic - access to mail from a mailbox server has been explored in great - detail (originally there was [RFC918], this prompted the author to - write [RFC1081], independently of this [RFC918] was upgraded to - [RFC937]). A natural solution to the problem outlined above is to - keep discussion group mail on a mailbox server at each site and - permit different hosts at that site to employ the POP3 to access - discussion group mail. If implemented properly, this avoids the - problems of both strategies outlined above. - - ASIDE: It might be noted that a good distributed filesystem - could also solve this problem. Sadly, "good" - distributed filesystems, which do not suffer - unacceptable response time for interactive use, are - few and far between these days! - - Given this motivation, now let's consider discussion groups, both in - general and from the point of view of a user agent. 
Following this, - extensions to the POP3 defined in [RFC1081] are presented. Finally, - some additional policy details are discussed along with some initial - experiences. - - - - - -Rose [Page 2] - -RFC 1082 POP3 Extended Service November 1988 - - -What's in a Discussion Group - - Since mailers and user agents first crawled out of the primordial - ARPAnet, the value of discussion groups have been appreciated, - (though their implementation has not always been well-understood). - - Described simply, a discussion group is composed of a number of - subscribers with a common interest. These subscribers post mail to a - single address, known as a distribution address. From this - distribution address, a copy of the message is sent to each - subscriber. Each group has a moderator, which is the person that - administrates the group. The moderator can usually be reached at a - special address, known as a request address. Usually, the - responsibilities of the moderator are quite simple, since the mail - system handles the distribution to subscribers automatically. In - some cases, the interest group, instead of being distributed directly - to its subscribers, is put into a digest format by the moderator and - then sent to the subscribers. Although this requires more work on - the part of the moderator, such groups tend to be better organized. - - Unfortunately, there are a few problems with the scheme outlined - above. First, if two users on the same host subscribe to the same - interest group, two copies of the message get delivered. This is - wasteful of both processor and disk resources. - - Second, some of these groups carry a lot of traffic. Although - subscription to an group does indicate interest on the part of a - subscriber, it is usually not interesting to get 50 messages or so - delivered to the user's private maildrop each day, interspersed with - personal mail, that is likely to be of a much more important and - timely nature. 
- - Third, if a subscriber on the distribution list for a group becomes - "bad" somehow, the originator of the message and not the moderator of - the group is notified. It is not uncommon for a large list to have - 10 or so bogus addresses present. This results in the originator - being flooded with "error messages" from mailers across the Internet - stating that a given address on the list was bad. Needless to say, - the originator usually could not care less if the bogus addresses got - a copy of the message or not. The originator is merely interested in - posting a message to the group at large. Furthermore, the moderator - of the group does care if there are bogus addresses on the list, but - ironically does not receive notification. - - There are various approaches which can be used to solve some or all - of these problems. Usually these involve placing an exploder agent - at the distribution source of the discussion group, which expands the - name of the group into the list of subscription addresses for the - - - -Rose [Page 3] - -RFC 1082 POP3 Extended Service November 1988 - - - group. In the process, the exploder will also change the address - that receives error notifications to be the request address or other - responsible party. - - A complementary approach, used in order to cut down on resource - utilization of all kinds, replaces all the subscribers at a single - host (or group of hosts under a single administration) with a single - address at that host. This address maps to a file on the host, - usually in a spool area, which all users can access. (Advanced - implementations can also implement private discussion groups this - way, in which a single copy of each message is kept, but is - accessible to only a select number of users on the host.) - - The two approaches can be combined to avoid all of the problems - described above. 
- - Finally, a third approach can be taken, which can be used to aid user - agents processing mail for the discussion group: In order to speed - querying of the maildrop which contains the local host's copy of the - discussion group, two other items are usually associated with the - discussion group, on a local basis. These are the maxima and the - last-date. Each time a message is received for the group on the - local host, the maxima is increased by at least one. Furthermore, - when a new maxima is generated, the current date is determined. This - is called the last date. As the message is entered into the local - maildrop, it is given the current maxima and last-date. This permits - the user agent to quickly determine if new messages are present in - the maildrop. - - NOTE: The maxima may be characterized as a monotonically - increasing quanity. Although sucessive values of the - maxima need not be consecutive, any maxima assigned - is always greater than any previously assigned value. 
- -Definition of Terms - - To formalize these notions somewhat, consider the following 7 - parameters which describe a given discussion group from the - perspective of the user agent (the syntax given is from [RFC822]): - - - - - - - - - - - - -Rose [Page 4] - -RFC 1082 POP3 Extended Service November 1988 - - - NAME Meaning: the name of the discussion group - Syntax: TOKEN (ALPHA *[ ALPHA / DIGIT / "-" ]) - (case-insensitive recognition) - Example: unix-wizards - - ALIASES Meaning: alternates names for the group, which - are locally meaningful; these are - typically used to shorten user typein - Syntax: TOKEN (case-insensitive recognition) - Example: uwiz - - ADDRESS Meaning: the primary source of the group - Syntax: 822 address - Example: Unix-Wizards@BRL.MIL - - REQUEST Meaning: the primary moderator of the group - Syntax: 822 address - Example: Unix-Wizards-Request@BRL.MIL - - FLAGS Meaning: locally meaningful flags associated - with the discussion group; this memo - leaves interpretation of this - parameter to each POP3 implementation - Syntax: octal number - Example: 01 - - MAXIMA Meaning: the magic cookie associated with the - last message locally received for the - group; it is the property of the magic - cookie that it's value NEVER - decreases, and increases by at least - one each time a message is locally - received - Syntax: decimal number - Example: 1004 - - LASTDATE Meaning: the date that the last message was - locally received - Syntax: 822 date - Example: Thu, 19 Dec 85 10:26:48 -0800 - - Note that the last two values are locally determined for the maildrop - associated with the discussion group and with each message in that - maildrop. Note however that the last message in the maildrop have a - different MAXIMA and LASTDATE than the discussion group. This often - occurs when the maildrop has been archived. 
- - - - - -Rose [Page 5] - -RFC 1082 POP3 Extended Service November 1988 - - - Finally, some local systems provide mechanisms for automatically - archiving discussion group mail. In some cases, a two-level archive - scheme is used: current mail is kept in the standard maildrop, - recent mail is kept in an archive maildrop, and older mail is kept - off-line. With this scheme, in addition to having a "standard" - maildrop for each discussion group, an "archive" maildrop may also be - available. This permits a user agent to examine the most recent - archive using the same mechanisms as those used on the current mail. - -The XTND Command - - The following commands are valid only in the TRANSACTION state of the - POP3. This implies that the POP3 server has already opened the - user's maildrop (which may be empty). This maildrop is called the - "default maildrop". The phrase "closes the current maildrop" has two - meanings, depending on whether the current maildrop is the default - maildrop or is a maildrop associated with a discussion group. - - In the former context, when the current maildrop is closed any - messages marked as deleted are removed from the maildrop currently in - use. The exclusive-access lock on the maildrop is then released - along with any implementation-specific resources (e.g., file- - descriptors). - - In the latter context, a maildrop associated with a discussion group - is considered to be read-only to the POP3 client. In this case, the - phrase "closes the current maildrop" merely means that any - implementation-specific resources are released. (Hence, the POP3 - command DELE is a no-op.) - - All the new facilities are introduced via a single POP3 command, - XTND. All positive reponses to the XTND command are multi-line. - - The most common multi-line response to the commands contains a - "discussion group listing" which presents the name of the discussion - group along with it's maxima. 
In order to simplify parsing all POP3 - servers are required to use a certain format for discussion group - listings: - - NAME SP MAXIMA - - This memo makes no requirement on what follows the maxima in the - listing. Minimal implementations should just end that line of the - response with a CRLF pair. More advanced implementations may include - other information, as parsed from the message. - - NOTE: This memo STRONGLY discourages implementations from - supplying additional information in the listing. - - - -Rose [Page 6] - -RFC 1082 POP3 Extended Service November 1988 - - - XTND BBOARDS [name] - Arguments: the name of a discussion group (optionally) - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - If an argument was given, the POP3 server closes the current - maildrop. The POP3 server then validates the argument as the name of - a discussion group. If this is successful, it opens the maildrop - associated with the group, and returns a multi-line response - containing the discussion group listing. If the discussion group - named is not valid, or the associated archive maildrop is not - readable by the user, then an error response is returned. - - If no argument was given, the POP3 server issues a multi-line - response. After the initial +OK, for each discussion group known, - the POP3 server responds with a line containing the listing for that - discussion group. Note that only world-readable discussion groups - are included in the multi-line response. - - In order to aid user agents, this memo requires an extension to the - scan listing when an "XTND BBOARDS" command has been given. - Normally, a scan listing, as generated by the LIST, takes the form: - - MSGNO SIZE - - where MSGNO is the number of the message being listed and SIZE is the - size of the message in octets. 
When reading a maildrop accessed via - "XTND BBOARDS", the scan listing takes the form - - MSGNO SIZE MAXIMA - - where MAXIMA is the maxima that was assigned to the message when it - was placed in the BBoard. - - Possible Responses: - +OK XTND - -ERR no such bboard - Examples: - C: XTND BBOARDS - S: +OK XTND - S: system 10 - S: mh-users 100 - S: . - C: XTND BBOARDS system - S: + OK XTND - S: system 10 - S: . - - - - -Rose [Page 7] - -RFC 1082 POP3 Extended Service November 1988 - - - XTND ARCHIVE name - Arguments: the name of a discussion group (required) - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server closes the current maildrop. The POP3 server then - validates the argument as the name of a discussion group. If this is - successful, it opens the archive maildrop associated with the group, - and returns a multi-line response containing the discussion group - listing. If the discussion group named is not valid, or the - associated archive maildrop is not readable by the user, then an - error response is returned. - - In addition, the scan listing generated by the LIST command is - augmented (as described above). - - Possible Responses: - +OK XTND - -ERR no such bboard Examples: - C: XTND ARCHIVE system - S: + OK XTND - S: system 3 - S: . - - XTND X-BBOARDS name - Arguments: the name of a discussion group (required) - Restrictions: may only be given in the TRANSACTION state. - Discussion: - - The POP3 server validates the argument as the name of a - discussion group. If this is unsuccessful, then an error - response is returned. Otherwise a multi-line response is - returned. The first 14 lines of this response (after the - initial +OK) are defined in this memo. Minimal implementations - need not include other information (and may omit certain - information, outputing a bare CRLF pair). More advanced - implementations may include other information. 
- - Line Information (refer to "Definition of Terms") - ---- ----------- - 1 NAME - 2 ALIASES, separated by SP - 3 system-specific: maildrop - 4 system-specific: archive maildrop - 5 system-specific: information - 6 system-specific: maildrop map - 7 system-specific: encrypted password - 8 system-specific: local leaders, separated by SP - - - -Rose [Page 8] - -RFC 1082 POP3 Extended Service November 1988 - - - 9 ADDRESS - 10 REQUEST - 11 system-specific: incoming feed - 12 system-specific: outgoing feeds - 13 FLAGS SP MAXIMA - 14 LASTDATE - - Most of this information is entirely too specific to the UCI Version - of the Rand MH Message Handling System [MRose85]. Nevertheless, - lines 1, 2, 9, 10, 13, and 14 are of general interest, regardless of - the implementation. - - Possible Responses: - +OK XTND - -ERR no such bboard - Examples: - C: XTND X-BBOARDS system - S: + OK XTND - S: system - S: local general - S: /usr/bboards/system.mbox - S: /usr/bboards/archive/system.mbox - S: /usr/bboards/.system.cnt - S: /usr/bboards/.system.map - S: * - S: mother - S: system@nrtc.northrop.com - S: system-request@nrtc.northrop.com - S: - S: dist-system@nrtc-gremlin.northrop.com - S: 01 10 - S: Thu, 19 Dec 85 00:08:49 -0800 - S: . - -Policy Notes - - Depending on the particular entity administrating the POP3 service - host, two additional policies might be implemented: - - 1. Private Discussion Groups - - In the general case, discussion groups are world-readable, any user, - once logged in (via a terminal, terminal server, or POP3, etc.), is - able to read the maildrop for each discussion group known to the POP3 - service host. Nevertheless, it is desirable, usually for privacy - reasons, to implement private discussion groups as well. - - Support of this is consistent with the extensions outlined in this - - - -Rose [Page 9] - -RFC 1082 POP3 Extended Service November 1988 - - - memo. 
Once the AUTHORIZATION state has successfully concluded, the - POP3 server grants the user access to exactly those discussion groups - the POP3 service host permits the authenticated user to access. As a - "security" feature, discussion groups associated with unreadable - maildrops should not be listed in a positive response to the XTND - BBOARDS command. - - 2. Anonymous POP3 Users - - In order to minimize the authentication problem, a policy permitting - "anonymous" access to the world-readable maildrops for discussion - groups on the POP3 server may be implemented. - - Support of this is consistent with the extensions outlined in this - memo. The POP3 server can be modified to accept a USER command for a - well-known pseudonym (i.e., "anonymous") which is valid with any PASS - command. As a "security" feature, it is advisable to limit this kind - of access to only hosts at the local site, or to hosts named in an - access list. - -Experiences and Conclusions - - All of the facilities described in this memo and in [RFC1081] have - been implemented in MH #6.1. Initial experiences have been, on the - whole, very positive. - - After the first implementation, some performance tuning was required. - This consisted primarily of caching the datastructures which describe - discussion groups in the POP3 server. A second optimization - pertained to the client: the program most commonly used to read - BBoards in MH was modified to retrieve messages only when needed. - Two schemes are used: - - o If only the headers (and the first few lines of the body) of - the message are required (e.g., for a scan listing), then only - these are retrieved. The resulting output is then cached, on - a per-message basis. - - o If the entire message is required, then it is retrieved intact, - and cached locally. - - With these optimizations, response time is quite adequate when the - POP3 server and client are connected via a high-speed local area - network. 
In fact, the author uses this mechanism to access certain - private discussion groups over the Internet. In this case, response - is still good. When a 9.6Kbps modem is inserted in the path, - response went from good to almost tolerable (fortunately the author - only reads a few discussion groups in this fashion). - - - -Rose [Page 10] - -RFC 1082 POP3 Extended Service November 1988 - - - To conclude: the POP3 is a good thing, not only for personal mail but - for discussion group mail as well. - - -References - - [RFC1081] Rose, M., "Post Office Protocol - Verison 3 (POP3)", RFC - 1081, TWG, November 1988. - - [MRose85] Rose, M., and J. Romine, "The Rand MH Message Handling - System: User's Manual", University of California, Irvine, - November 1985. - - [RFC822] Crocker, D., "Standard for the Format of ARPA-Internet - Text Messages", RFC 822, University of Delaware, August - 1982. - - [RFC918] Reynolds, J., "Post Office Protocol", RFC 918, - USC/Information Sciences Institute, October 1984. - - [RFC937] Butler, M., J. Postel, D. Chase, J. Goldberger, and J. - Reynolds, "Post Office Protocol - Version 2", RFC 937, - USC/Information Sciences Institute, February 1985. - -Author's Address: - - - Marshall Rose - The Wollongong Group - 1129 San Antonio Rd. - Palo Alto, California 94303 - - Phone: (415) 962-7100 - - Email: MRose@TWG.COM - - - - - - - - - - - - - - - - -Rose [Page 11] - diff --git a/crypto/heimdal/appl/popper/pop_auth.c b/crypto/heimdal/appl/popper/pop_auth.c deleted file mode 100644 index 525beaa38163..000000000000 --- a/crypto/heimdal/appl/popper/pop_auth.c +++ /dev/null 
@@ -1,220 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -RCSID("$Id: pop_auth.c,v 1.2 2000/04/12 15:37:45 assar Exp $"); - -#ifdef KRB4 - -enum { - NO_PROT = 1, - INT_PROT = 2, - PRIV_PROT = 4 -}; - -static int -auth_krb4(POP *p) -{ - int ret; - des_cblock key; - u_int32_t nonce, nonce_reply; - u_int32_t max_client_packet; - int protocols = NO_PROT | INT_PROT | PRIV_PROT; - char data[8]; - int len; - char *s; - char instance[INST_SZ]; - KTEXT_ST authent; - des_key_schedule schedule; - struct passwd *pw; - - /* S -> C: 32 bit nonce in MSB base64 */ - - des_new_random_key(&key); - nonce = (key[0] | (key[1] << 8) | (key[2] << 16) | (key[3] << 24) - | key[4] | (key[5] << 8) | (key[6] << 16) | (key[7] << 24)); - krb_put_int(nonce, data, 4, 8); - len = base64_encode(data, 4, &s); - - pop_msg(p, POP_CONTINUE, "%s", s); - free(s); - - /* C -> S: ticket and authenticator */ - - ret = sch_readline(p->input, &s); - if (ret <= 0 || strcmp (s, "*") == 0) - return pop_msg(p, POP_FAILURE, - "authentication aborted by client"); - len = strlen(s); - if (len > sizeof(authent.dat)) { - return pop_msg(p, POP_FAILURE, "data packet too long"); - } - - authent.length = base64_decode(s, authent.dat); - - k_getsockinst (0, instance, sizeof(instance)); - ret = krb_rd_req(&authent, "pop", instance, - p->in_addr.sin_addr.s_addr, - &p->kdata, NULL); - if (ret != 0) { - return pop_msg(p, POP_FAILURE, "rd_req: %s", - krb_get_err_text(ret)); - } - if (p->kdata.checksum != nonce) { - return pop_msg(p, POP_FAILURE, "data stream modified"); - } - - /* S -> C: nonce + 1 | bit | max segment */ - - krb_put_int(nonce + 1, data, 4, 7); - data[4] = protocols; - krb_put_int(1024, data + 5, 3, 3); /* XXX */ - des_key_sched(&p->kdata.session, schedule); - des_pcbc_encrypt((des_cblock*)data, - (des_cblock*)data, 8, - schedule, - &p->kdata.session, - DES_ENCRYPT); - len = base64_encode(data, 8, &s); - pop_msg(p, POP_CONTINUE, "%s", s); - - free(s); - - /* C -> S: nonce | bit | max segment | username */ - - ret = sch_readline(p->input, 
&s); - if (ret <= 0 || strcmp (s, "*") == 0) - return pop_msg(p, POP_FAILURE, - "authentication aborted"); - len = strlen(s); - if (len > sizeof(authent.dat)) { - return pop_msg(p, POP_FAILURE, "data packet too long"); - } - - authent.length = base64_decode(s, authent.dat); - - if (authent.length % 8 != 0) { - return pop_msg(p, POP_FAILURE, "reply is not a multiple of 8 bytes"); - } - - des_key_sched(&p->kdata.session, schedule); - des_pcbc_encrypt((des_cblock*)authent.dat, - (des_cblock*)authent.dat, - authent.length, - schedule, - &p->kdata.session, - DES_DECRYPT); - - krb_get_int(authent.dat, &nonce_reply, 4, 0); - if (nonce_reply != nonce) { - return pop_msg(p, POP_FAILURE, "data stream modified"); - } - protocols &= authent.dat[4]; - krb_get_int(authent.dat + 5, &max_client_packet, 3, 0); - if(authent.dat[authent.length - 1] != '\0') { - return pop_msg(p, POP_FAILURE, "bad format of username"); - } - strncpy (p->user, authent.dat + 8, sizeof(p->user)); - pw = k_getpwnam(p->user); - if (pw == NULL) { - return (pop_msg(p,POP_FAILURE, - "Password supplied for \"%s\" is incorrect.", - p->user)); - } - - if (kuserok(&p->kdata, p->user)) { - pop_log(p, POP_PRIORITY, - "%s: (%s.%s@%s) tried to retrieve mail for %s.", - p->client, p->kdata.pname, p->kdata.pinst, - p->kdata.prealm, p->user); - return(pop_msg(p,POP_FAILURE, - "Popping not authorized")); - } - pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s", - p->ipaddr, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - p->user); - ret = pop_login(p, pw); - if (protocols & PRIV_PROT) - ; - else if (protocols & INT_PROT) - ; - else - ; - - return ret; -} -#endif /* KRB4 */ - -#ifdef KRB5 -static int -auth_gssapi(POP *p) -{ - -} -#endif /* KRB5 */ - -/* - * auth: RFC1734 - */ - -static struct { - const char *name; - int (*func)(POP *); -} methods[] = { -#ifdef KRB4 - {"KERBEROS_V4", auth_krb4}, -#endif -#ifdef KRB5 - {"GSSAPI", auth_gssapi}, -#endif - {NULL, NULL} -}; - -int -pop_auth (POP *p) -{ - int i; - - for (i = 0; 
methods[i].name != NULL; ++i)
- if (strcasecmp(p->pop_parm[1], methods[i].name) == 0)
- return (*methods[i].func)(p);
- return pop_msg(p, POP_FAILURE,
- "Authentication method %s unknown", p->pop_parm[1]);
-}
diff --git a/crypto/heimdal/appl/popper/pop_debug.c b/crypto/heimdal/appl/popper/pop_debug.c
deleted file mode 100644
index 9a29e4d29a9d..000000000000
--- a/crypto/heimdal/appl/popper/pop_debug.c
+++ /dev/null
@@ -1,284 +0,0 @@
-/*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* Tiny program to help debug popper */ - -#include "popper.h" -RCSID("$Id: pop_debug.c,v 1.23 2002/05/02 16:27:16 joda Exp $"); - -static void -loop(int s) -{ - char cmd[1024]; - char buf[1024]; - fd_set fds; - while(1){ - FD_ZERO(&fds); - FD_SET(0, &fds); - FD_SET(s, &fds); - if(select(s+1, &fds, 0, 0, 0) < 0) - err(1, "select"); - if(FD_ISSET(0, &fds)){ - fgets(cmd, sizeof(cmd), stdin); - cmd[strlen(cmd) - 1] = '\0'; - strlcat (cmd, "\r\n", sizeof(cmd)); - write(s, cmd, strlen(cmd)); - } - if(FD_ISSET(s, &fds)){ - int n = read(s, buf, sizeof(buf)); - if(n == 0) - exit(0); - fwrite(buf, n, 1, stdout); - } - } -} - -static int -get_socket (const char *hostname, int port) -{ - int ret; - struct addrinfo *ai, *a; - struct addrinfo hints; - char portstr[NI_MAXSERV]; - - memset (&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - snprintf (portstr, sizeof(portstr), "%d", ntohs(port)); - ret = getaddrinfo (hostname, portstr, &hints, &ai); - if (ret) - errx (1, "getaddrinfo %s: %s", hostname, gai_strerror (ret)); - - for (a = ai; a != NULL; a = a->ai_next) { - int s; - - s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (s < 0) - continue; - if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { - close (s); - continue; - } - freeaddrinfo (ai); - return s; - } - err (1, "failed to connect to %s", hostname); -} - -#ifdef KRB4 -static int -doit_v4 (char *host, int port) -{ - KTEXT_ST ticket; - MSG_DAT msg_data; - CREDENTIALS cred; - des_key_schedule sched; - int ret; - int s = get_socket (host, port); - - ret = krb_sendauth(0, - s, - &ticket, - "pop", - host, - krb_realmofhost(host), - getpid(), - &msg_data, - &cred, - sched, - NULL, - NULL, - "KPOPV0.1"); - if(ret) { - warnx("krb_sendauth: %s", krb_get_err_text(ret)); - return 1; - } - loop(s); - return 0; -} -#endif - -#ifdef KRB5 -static int -doit_v5 (char *host, int port) -{ - krb5_error_code ret; - krb5_context context; - krb5_auth_context auth_context = NULL; - krb5_principal server; - 
int s = get_socket (host, port); - - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - ret = krb5_sname_to_principal (context, - host, - "pop", - KRB5_NT_SRV_HST, - &server); - if (ret) { - warnx ("krb5_sname_to_principal: %s", - krb5_get_err_text (context, ret)); - return 1; - } - ret = krb5_sendauth (context, - &auth_context, - &s, - "KPOPV1.0", - NULL, - server, - 0, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL); - if (ret) { - warnx ("krb5_sendauth: %s", - krb5_get_err_text (context, ret)); - return 1; - } - loop (s); - return 0; -} -#endif - - -#ifdef KRB4 -static int use_v4 = -1; -#endif -#ifdef KRB5 -static int use_v5 = -1; -#endif -static char *port_str; -static int do_version; -static int do_help; - -struct getargs args[] = { -#ifdef KRB4 - { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4", - NULL }, -#endif -#ifdef KRB5 - { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5", - NULL }, -#endif - { "port", 'p', arg_string, &port_str, "Use this port", - "number-or-service" }, - { "version", 0, arg_flag, &do_version, "Print version", - NULL }, - { "help", 0, arg_flag, &do_help, NULL, - NULL } -}; - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args) / sizeof(args[0]), - NULL, - "hostname"); - exit (ret); -} - -int -main(int argc, char **argv) -{ - int port = 0; - int ret = 1; - int optind = 0; - - setprogname(argv[0]); - - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); - - argc -= optind; - argv += optind; - - if (do_help) - usage (0); - - if (do_version) { - print_version (NULL); - return 0; - } - - if (argc < 1) - usage (1); - - if (port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; - - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - errx (1, "Bad port `%s'", port_str); - port = htons(port); - } - } - if (port == 0) { -#ifdef KRB5 - port = 
krb5_getportbyname (NULL, "kpop", "tcp", 1109); -#elif defined(KRB4) - port = k_getportbyname ("kpop", "tcp", 1109); -#else -#error must define KRB4 or KRB5 -#endif - } - -#if defined(KRB4) && defined(KRB5) - if(use_v4 == -1 && use_v5 == 1) - use_v4 = 0; - if(use_v5 == -1 && use_v4 == 1) - use_v5 = 0; -#endif - -#ifdef KRB5 - if (ret && use_v5) { - ret = doit_v5 (argv[0], port); - } -#endif -#ifdef KRB4 - if (ret && use_v4) { - ret = doit_v4 (argv[0], port); - } -#endif - return ret; -} diff --git a/crypto/heimdal/appl/popper/pop_dele.c b/crypto/heimdal/appl/popper/pop_dele.c deleted file mode 100644 index f1c2952a21b4..000000000000 --- a/crypto/heimdal/appl/popper/pop_dele.c +++ /dev/null 
@@ -1,107 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_dele.c,v 1.10 1999/08/12 11:35:26 joda Exp $");
-
-/*
- * dele: Delete a message from the POP maildrop
- */
-int
-pop_dele (POP *p)
-{
- MsgInfoList * mp; /* Pointer to message info list */
- int msg_num;
-
- /* Convert the message number parameter to an integer */
- msg_num = atoi(p->pop_parm[1]);
-
- /* Is requested message out of range? */
- if ((msg_num < 1) || (msg_num > p->msg_count))
- return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num));
-
- /* Get a pointer to the message in the message list */
- mp = &(p->mlp[msg_num-1]);
-
- /* Is the message already flagged for deletion? */
- if (mp->flags & DEL_FLAG)
- return (pop_msg (p,POP_FAILURE,"Message %d has already been deleted.",
- msg_num));
-
- /* Flag the message for deletion */
- mp->flags |= DEL_FLAG;
-
-#ifdef DEBUG
- if(p->debug)
- pop_log(p, POP_DEBUG,
- "Deleting message %u at offset %ld of length %ld\n",
- mp->number, mp->offset, mp->length);
-#endif /* DEBUG */
-
- /* Update the messages_deleted and bytes_deleted counters */
- p->msgs_deleted++;
- p->bytes_deleted += mp->length;
-
- /* Update the last-message-accessed number if it is lower than
- the deleted message */
- if (p->last_msg < msg_num) p->last_msg = msg_num;
-
- return (pop_msg (p,POP_SUCCESS,"Message %d has been deleted.",msg_num));
-}
-
-#ifdef XDELE
-/* delete a range of messages */
-int
-pop_xdele(POP *p)
-{
- MsgInfoList * mp; /* Pointer to message info list */
-
- int msg_min, msg_max;
- int i;
-
-
- msg_min = atoi(p->pop_parm[1]);
- if(p->parm_count == 1)
- msg_max = msg_min;
- else
- msg_max = atoi(p->pop_parm[2]);
-
- if (msg_min < 1)
- return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_min));
- if(msg_max > p->msg_count)
- return (pop_msg
(p,POP_FAILURE,"Message %d does not exist.",msg_max));
- for(i = msg_min; i <= msg_max; i++) {
-
- /* Get a pointer to the message in the message list */
- mp = &(p->mlp[i - 1]);
-
- /* Is the message already flagged for deletion? */
- if (mp->flags & DEL_FLAG)
- continue; /* no point in returning error */
- /* Flag the message for deletion */
- mp->flags |= DEL_FLAG;
-
-#ifdef DEBUG
- if(p->debug)
- pop_log(p, POP_DEBUG,
- "Deleting message %u at offset %ld of length %ld\n",
- mp->number, mp->offset, mp->length);
-#endif /* DEBUG */
-
- /* Update the messages_deleted and bytes_deleted counters */
- p->msgs_deleted++;
- p->bytes_deleted += mp->length;
- }
-
- /* Update the last-message-accessed number if it is lower than
- the deleted message */
- if (p->last_msg < msg_max) p->last_msg = msg_max;
-
- return (pop_msg (p,POP_SUCCESS,"Messages %d-%d has been deleted.",
- msg_min, msg_max));
-
-}
-#endif /* XDELE */
diff --git a/crypto/heimdal/appl/popper/pop_dropcopy.c b/crypto/heimdal/appl/popper/pop_dropcopy.c
deleted file mode 100644
index 99ea49d08520..000000000000
--- a/crypto/heimdal/appl/popper/pop_dropcopy.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_dropcopy.c,v 1.26 2002/07/04 14:10:11 joda Exp $");
-
-/*
- * Run as the user in `pwd'
- */
-
-int
-changeuser(POP *p, struct passwd *pwd)
-{
- if(setgid(pwd->pw_gid) < 0) {
- pop_log (p, POP_PRIORITY,
- "Unable to change to gid %u: %s",
- (unsigned)pwd->pw_gid,
- strerror(errno));
- return pop_msg (p, POP_FAILURE,
- "Unable to change gid");
- }
- if(setuid(pwd->pw_uid) < 0) {
- pop_log (p, POP_PRIORITY,
- "Unable to change to uid %u: %s",
- (unsigned)pwd->pw_uid,
- strerror(errno));
- return pop_msg (p, POP_FAILURE,
- "Unable to change uid");
- }
-#ifdef DEBUG
- if(p->debug)
- pop_log(p, POP_DEBUG,"uid = %u, gid = %u",
- (unsigned)getuid(),
- (unsigned)getgid());
-#endif /* DEBUG */
- return POP_SUCCESS;
-}
-
-/*
- * dropcopy: Make a temporary copy of the user's mail drop and
- * save a stream pointer for it.
- */
-
-int
-pop_dropcopy(POP *p, struct passwd *pwp)
-{
- int mfd; /* File descriptor for
- the user's maildrop */
- int dfd; /* File descriptor for
- the SERVER maildrop */
- FILE *tf; /* The temp file */
- char template[POP_TMPSIZE]; /* Temp name holder */
- char buffer[BUFSIZ]; /* Read buffer */
- long offset; /* Old/New boundary */
- int nchar; /* Bytes written/read */
- int tf_fd; /* fd for temp file */
- int ret;
-
- /* Create a temporary maildrop into which to copy the updated maildrop */
- snprintf(p->temp_drop, sizeof(p->temp_drop), POP_DROP,p->user);
-
-#ifdef DEBUG
- if(p->debug)
- pop_log(p,POP_DEBUG,"Creating temporary maildrop '%s'",
- p->temp_drop);
-#endif /* DEBUG */
-
- /* Here we work to make sure the user doesn't cause us to remove or
- * write over existing files by limiting how much work we do while
- * running as root.
- */ - - strlcpy(template, POP_TMPDROP, sizeof(template)); - if ((tf_fd = mkstemp(template)) < 0 || - (tf = fdopen(tf_fd, "w+")) == NULL) { - pop_log(p,POP_PRIORITY, - "Unable to create temporary temporary maildrop '%s': %s",template, - strerror(errno)); - return pop_msg(p,POP_FAILURE, - "System error, can't create temporary file."); - } - - /* Now give this file to the user */ - chown(template, pwp->pw_uid, pwp->pw_gid); - chmod(template, 0600); - - /* Now link this file to the temporary maildrop. If this fails it - * is probably because the temporary maildrop already exists. If so, - * this is ok. We can just go on our way, because by the time we try - * to write into the file we will be running as the user. - */ - link(template,p->temp_drop); - fclose(tf); - unlink(template); - - ret = changeuser(p, pwp); - if (ret != POP_SUCCESS) - return ret; - - /* Open for append, this solves the crash recovery problem */ - if ((dfd = open(p->temp_drop,O_RDWR|O_APPEND|O_CREAT,0600)) == -1){ - pop_log(p,POP_PRIORITY, - "Unable to open temporary maildrop '%s': %s",p->temp_drop, - strerror(errno)); - return pop_msg(p,POP_FAILURE, - "System error, can't open temporary file, do you own it?"); - } - - /* Lock the temporary maildrop */ - if ( flock (dfd, (LOCK_EX | LOCK_NB)) == -1 ) - switch(errno) { - case EWOULDBLOCK: - return pop_msg(p,POP_FAILURE, - "%sMaildrop lock busy! Is another session active?", - (p->flags & POP_FLAG_CAPA) ? "[IN-USE] " : ""); - /* NOTREACHED */ - default: - return pop_msg(p,POP_FAILURE,"flock: '%s': %s", p->temp_drop, - strerror(errno)); - /* NOTREACHED */ - } - - /* May have grown or shrunk between open and lock! 
*/ - offset = lseek(dfd,0, SEEK_END); - - /* Open the user's maildrop, If this fails, no harm in assuming empty */ - if ((mfd = open(p->drop_name,O_RDWR)) > 0) { - - /* Lock the maildrop */ - if (flock (mfd, LOCK_EX) == -1) { - close(mfd) ; - return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop, - strerror(errno)); - } - - /* Copy the actual mail drop into the temporary mail drop */ - while ( (nchar=read(mfd,buffer,BUFSIZ)) > 0 ) - if ( nchar != write(dfd,buffer,nchar) ) { - nchar = -1 ; - break ; - } - - if ( nchar != 0 ) { - /* Error adding new mail. Truncate to original size, - and leave the maildrop as is. The user will not - see the new mail until the error goes away. - Should let them process the current backlog, in case - the error is a quota problem requiring deletions! */ - ftruncate(dfd,(int)offset) ; - } else { - /* Mail transferred! Zero the mail drop NOW, that we - do not have to do gymnastics to figure out what's new - and what is old later */ - ftruncate(mfd,0) ; - } - - /* Close the actual mail drop */ - close (mfd); - } - - /* Acquire a stream pointer for the temporary maildrop */ - if ( (p->drop = fdopen(dfd,"a+")) == NULL ) { - close(dfd) ; - return pop_msg(p,POP_FAILURE,"Cannot assign stream for %s", - p->temp_drop); - } - - rewind (p->drop); - - return(POP_SUCCESS); -} diff --git a/crypto/heimdal/appl/popper/pop_dropinfo.c b/crypto/heimdal/appl/popper/pop_dropinfo.c deleted file mode 100644 index 71922d2cb1a6..000000000000 --- a/crypto/heimdal/appl/popper/pop_dropinfo.c +++ /dev/null 
@@ -1,232 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_dropinfo.c,v 1.24 1999/09/16 20:38:49 assar Exp $"); - -#if defined(UIDL) || defined(XOVER) - -/* - * Copy the string found after after : into a malloced buffer. Stop - * copying at end of string or end of line. End of line delimiter is - * not part of the resulting copy. - */ -static -char * -find_value_after_colon(char *p) -{ - char *t, *tmp; - - for (; *p != 0 && *p != ':'; p++) /* Find : */ - ; - - if (*p == 0) - goto error; - - p++; /* Skip over : */ - - for(; *p == ' ' || *p == '\t'; p++) /* Remove white space */ - ; - - for (t = p; *t != 0 && *t != '\n' && *t != '\r'; t++) /* Find end of str */ - ; - - tmp = t = malloc(t - p + 1); - if (tmp == 0) - goto error; - - for (; *p != 0 && *p != '\n' && *p != '\r'; p++, t++) /* Copy characters */ - *t = *p; - *t = 0; /* Terminate string */ - return tmp; - -error: - return "ErrorUIDL"; -} -#endif - -void -parse_header(MsgInfoList *mp, char *buffer) -{ -#if defined(UIDL) || defined(XOVER) - if (strncasecmp("Message-Id:",buffer, 11) == 0) { - if (mp->msg_id == NULL) - mp->msg_id = find_value_after_colon(buffer); - } -#ifdef UIDL - else if (strncasecmp(buffer, "X-UIDL:", 7) == 0) { - /* Courtesy to Qualcomm, there really is no such - thing as X-UIDL */ - mp->msg_id = find_value_after_colon(buffer); - } -#endif -#endif -#ifdef XOVER - else if (strncasecmp("Subject:", buffer, 8) == 0) { - if(mp->subject == NULL){ - char *p; - mp->subject = find_value_after_colon(buffer); - for(p = mp->subject; *p; p++) - if(*p == '\t') *p = ' '; - } - } - else if (strncasecmp("From:", buffer, 5) == 0) { - if(mp->from == NULL){ - char *p; - mp->from = find_value_after_colon(buffer); - for(p = mp->from; *p; p++) - if(*p == '\t') *p = ' '; - } - } - else if (strncasecmp("Date:", buffer, 5) == 0) { - 
if(mp->date == NULL){ - char *p; - mp->date = find_value_after_colon(buffer); - for(p = mp->date; *p; p++) - if(*p == '\t') *p = ' '; - } - } -#endif -} - -int -add_missing_headers(POP *p, MsgInfoList *mp) -{ -#if defined(UIDL) || defined(XOVER) - if (mp->msg_id == NULL) { - asprintf(&mp->msg_id, "no-message-id-%d", mp->number); - if(mp->msg_id == NULL) { - fclose (p->drop); - p->msg_count = 0; - return pop_msg (p,POP_FAILURE, - "Can't build message list for '%s': Out of memory", - p->user); - } - } -#endif -#ifdef XOVER - if (mp->subject == NULL) - mp->subject = ""; - if (mp->from == NULL) - mp->from = ""; - if (mp->date == NULL) - mp->date = ""; -#endif - return POP_SUCCESS; -} - -/* - * dropinfo: Extract information about the POP maildrop and store - * it for use by the other POP routines. - */ - -int -pop_dropinfo(POP *p) -{ - char buffer[BUFSIZ]; /* Read buffer */ - MsgInfoList * mp; /* Pointer to message - info list */ - int msg_num; /* Current message - counter */ - int nchar; /* Bytes written/read */ - int blank_line = 1; /* previous line was blank */ - int in_header = 0; /* if we are in a header block */ - - /* Initialize maildrop status variables in the POP parameter block */ - p->msg_count = 0; - p->msgs_deleted = 0; - p->last_msg = 0; - p->bytes_deleted = 0; - p->drop_size = 0; - - /* Allocate memory for message information structures */ - p->msg_count = ALLOC_MSGS; - p->mlp = (MsgInfoList *)calloc((unsigned)p->msg_count,sizeof(MsgInfoList)); - if (p->mlp == NULL){ - fclose (p->drop); - p->msg_count = 0; - return pop_msg (p,POP_FAILURE, - "Can't build message list for '%s': Out of memory", p->user); - } - - rewind (p->drop); - - /* Scan the file, loading the message information list with - information about each message */ - - for (msg_num = p->drop_size = 0, mp = p->mlp - 1; - fgets(buffer,MAXMSGLINELEN,p->drop);) { - - nchar = strlen(buffer); - - if (blank_line && strncmp(buffer,"From ",5) == 0) { - in_header = 1; - if (++msg_num > p->msg_count) { - 
p->mlp=(MsgInfoList *) realloc(p->mlp, - (p->msg_count+=ALLOC_MSGS)*sizeof(MsgInfoList)); - if (p->mlp == NULL){ - fclose (p->drop); - p->msg_count = 0; - return pop_msg (p,POP_FAILURE, - "Can't build message list for '%s': Out of memory", - p->user); - } - mp = p->mlp + msg_num - 2; - } - ++mp; - mp->number = msg_num; - mp->length = 0; - mp->lines = 0; - mp->offset = ftell(p->drop) - nchar; - mp->flags = 0; -#if defined(UIDL) || defined(XOVER) - mp->msg_id = 0; -#endif -#ifdef XOVER - mp->subject = 0; - mp->from = 0; - mp->date = 0; -#endif -#ifdef DEBUG - if(p->debug) - pop_log(p, POP_DEBUG, - "Msg %d at offset %ld being added to list", - mp->number, mp->offset); -#endif /* DEBUG */ - } else if(in_header) - parse_header(mp, buffer); - blank_line = (strncmp(buffer, "\n", nchar) == 0); - if(blank_line) { - int e; - in_header = 0; - e = add_missing_headers(p, mp); - if(e != POP_SUCCESS) - return e; - } - mp->length += nchar; - p->drop_size += nchar; - mp->lines++; - } - p->msg_count = msg_num; - -#ifdef DEBUG - if(p->debug && msg_num > 0) { - int i; - for (i = 0, mp = p->mlp; i < p->msg_count; i++, mp++) -#ifdef UIDL - pop_log(p,POP_DEBUG, - "Msg %d at offset %ld is %ld octets long and has %u lines and id %s.", - mp->number,mp->offset,mp->length,mp->lines, mp->msg_id); -#else - pop_log(p,POP_DEBUG, - "Msg %d at offset %d is %d octets long and has %u lines.", - mp->number,mp->offset,mp->length,mp->lines); -#endif - } -#endif /* DEBUG */ - - return(POP_SUCCESS); -} diff --git a/crypto/heimdal/appl/popper/pop_get_command.c b/crypto/heimdal/appl/popper/pop_get_command.c deleted file mode 100644 index f10c3fe53c98..000000000000 --- a/crypto/heimdal/appl/popper/pop_get_command.c +++ /dev/null 
@@ -1,153 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_get_command.c,v 1.16 2002/07/04 14:09:47 joda Exp $"); - -/* - * get_command: Extract the command from an input line form a POP client - */ - -int pop_capa (POP *p); -static state_table states[] = { - {auth1, "user", 1, 1, pop_user, {auth1, auth2}}, - {auth2, "pass", 1, 99, pop_pass, {auth1, trans}}, -#ifdef RPOP - {auth2, "rpop", 1, 1, pop_rpop, {auth1, trans}}, -#endif /* RPOP */ - {auth1, "quit", 0, 0, pop_quit, {halt, halt}}, - {auth2, "quit", 0, 0, pop_quit, {halt, halt}}, -#ifdef CAPA - {auth1, "capa", 0, 0, pop_capa, {auth1, auth1}}, - {auth2, "capa", 0, 0, pop_capa, {auth2, auth2}}, - {trans, "capa", 0, 0, pop_capa, {trans, trans}}, -#endif - {trans, "stat", 0, 0, pop_stat, {trans, trans}}, - {trans, "list", 0, 1, pop_list, {trans, trans}}, - {trans, "retr", 1, 1, pop_send, {trans, trans}}, - {trans, "dele", 1, 1, pop_dele, {trans, trans}}, - {trans, "noop", 0, 0, NULL, {trans, trans}}, - {trans, "rset", 0, 0, pop_rset, {trans, trans}}, - {trans, "top", 2, 2, pop_send, {trans, trans}}, - {trans, "last", 0, 0, pop_last, {trans, trans}}, - {trans, "quit", 0, 0, pop_updt, {halt, halt}}, - {trans, "help", 0, 0, pop_help, {trans, trans}}, -#ifdef UIDL - {trans, "uidl", 0, 1, pop_uidl, {trans, trans}}, -#endif -#ifdef XOVER - {trans, "xover", 0, 0, pop_xover, {trans, trans}}, -#endif -#ifdef XDELE - {trans, "xdele", 1, 2, pop_xdele, {trans, trans}}, -#endif - {(state) 0, NULL, 0, 0, NULL, {halt, halt}}, -}; - -int -pop_capa (POP *p) -{ - /* Search for the POP command in the command/state table */ - pop_msg (p,POP_SUCCESS, "Capability list follows"); - fprintf(p->output, "USER\r\n"); - fprintf(p->output, "TOP\r\n"); - fprintf(p->output, "PIPELINING\r\n"); - fprintf(p->output, "EXPIRE NEVER\r\n"); - fprintf(p->output, 
"RESP-CODES\r\n"); -#ifdef UIDL - fprintf(p->output, "UIDL\r\n"); -#endif -#ifdef XOVER - fprintf(p->output, "XOVER\r\n"); -#endif -#ifdef XDELE - fprintf(p->output, "XDELE\r\n"); -#endif - if(p->CurrentState == trans) - fprintf(p->output, "IMPLEMENTATION %s-%s\r\n", PACKAGE, VERSION); - fprintf(p->output,".\r\n"); - fflush(p->output); - - p->flags |= POP_FLAG_CAPA; - - return(POP_SUCCESS); -} - -state_table * -pop_get_command(POP *p, char *mp) -{ - state_table * s; - char buf[MAXMSGLINELEN]; - - /* Save a copy of the original client line */ -#ifdef DEBUG - if(p->debug) strlcpy (buf, mp, sizeof(buf)); -#endif /* DEBUG */ - - /* Parse the message into the parameter array */ - if ((p->parm_count = pop_parse(p,mp)) < 0) return(NULL); - - /* Do not log cleartext passwords */ -#ifdef DEBUG - if(p->debug){ - if(strcmp(p->pop_command,"pass") == 0) - pop_log(p,POP_DEBUG,"Received: \"%s xxxxxxxxx\"",p->pop_command); - else { - /* Remove trailing */ - buf[strlen(buf)-2] = '\0'; - pop_log(p,POP_DEBUG,"Received: \"%s\"",buf); - } - } -#endif /* DEBUG */ - - /* Search for the POP command in the command/state table */ - for (s = states; s->command; s++) { - - /* Is this a valid command for the current operating state? */ - if (strcmp(s->command,p->pop_command) == 0 - && s->ValidCurrentState == p->CurrentState) { - - /* Were too few parameters passed to the command? */ - if (p->parm_count < s->min_parms) { - pop_msg(p,POP_FAILURE, - "Too few arguments for the %s command.", - p->pop_command); - return NULL; - } - - /* Were too many parameters passed to the command? 
*/ - if (p->parm_count > s->max_parms) { - pop_msg(p,POP_FAILURE, - "Too many arguments for the %s command.", - p->pop_command); - return NULL; - } - - /* Return a pointer to the entry for this command in - the command/state table */ - return (s); - } - } - /* The client command was not located in the command/state table */ - pop_msg(p,POP_FAILURE, - "Unknown command: \"%s\".",p->pop_command); - return NULL; -} - -int -pop_help (POP *p) -{ - state_table *s; - - pop_msg(p, POP_SUCCESS, "help"); - - for (s = states; s->command; s++) { - fprintf (p->output, "%s\r\n", s->command); - } - fprintf (p->output, ".\r\n"); - fflush (p->output); - return POP_SUCCESS; -} diff --git a/crypto/heimdal/appl/popper/pop_init.c b/crypto/heimdal/appl/popper/pop_init.c deleted file mode 100644 index 7487ce666a43..000000000000 --- a/crypto/heimdal/appl/popper/pop_init.c +++ /dev/null 
@@ -1,398 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_init.c,v 1.58 2001/02/20 01:44:47 assar Exp $"); - - -#if defined(KRB4) || defined(KRB5) - -static int -pop_net_read(POP *p, int fd, void *buf, size_t len) -{ -#ifdef KRB5 - return krb5_net_read(p->context, &fd, buf, len); -#elif defined(KRB4) - return krb_net_read(fd, buf, len); -#endif -} -#endif - -static char *addr_log; - -static void -pop_write_addr(POP *p, struct sockaddr *addr) -{ - char ts[32]; - char as[128]; - time_t t; - FILE *f; - if(addr_log == NULL) - return; - t = time(NULL); - strftime(ts, sizeof(ts), "%Y%m%d%H%M%S", localtime(&t)); - if(inet_ntop (addr->sa_family, socket_get_address(addr), - as, sizeof(as)) == NULL) { - pop_log(p, POP_PRIORITY, "failed to print address"); - return; - } - - f = fopen(addr_log, "a"); - if(f == NULL) { - pop_log(p, POP_PRIORITY, "failed to open address log (%s)", addr_log); - return; - } - fprintf(f, "%s %s\n", as, ts); - fclose(f); -} - -#ifdef KRB4 -static int -krb4_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr) -{ - Key_schedule schedule; - KTEXT_ST ticket; - char instance[INST_SZ]; - char version[9]; - int auth; - - if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0) - return -1; - if (pop_net_read (p, s, buf + 4, - KRB_SENDAUTH_VLEN - 4) != KRB_SENDAUTH_VLEN - 4) - return -1; - if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) - return -1; - - k_getsockinst (0, instance, sizeof(instance)); - auth = krb_recvauth(KOPT_IGNORE_PROTOCOL, - s, - &ticket, - "pop", - instance, - (struct sockaddr_in *)addr, - (struct sockaddr_in *) NULL, - &p->kdata, - "", - schedule, - version); - - if (auth != KSUCCESS) { - pop_msg(p, POP_FAILURE, "Kerberos authentication failure: %s", - krb_get_err_text(auth)); - pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client, - 
p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - krb_get_err_text(auth)); - return -1; - } - -#ifdef DEBUG - pop_log(p, POP_DEBUG, "%s.%s@%s (%s): ok", p->kdata.pname, - p->kdata.pinst, p->kdata.prealm, p->ipaddr); -#endif /* DEBUG */ - return 0; -} -#endif /* KRB4 */ - -#ifdef KRB5 -static int -krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr) -{ - krb5_error_code ret; - krb5_auth_context auth_context = NULL; - u_int32_t len; - krb5_ticket *ticket; - char *server; - - if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0) - return -1; - len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]); - - if (krb5_net_read(p->context, &s, buf, len) != len) - return -1; - if (len != sizeof(KRB5_SENDAUTH_VERSION) - || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) - return -1; - - ret = krb5_recvauth (p->context, - &auth_context, - &s, - "KPOPV1.0", - NULL, /* let rd_req figure out what server to use */ - KRB5_RECVAUTH_IGNORE_VERSION, - NULL, - &ticket); - if (ret) { - pop_log(p, POP_PRIORITY, "krb5_recvauth: %s", - krb5_get_err_text(p->context, ret)); - return -1; - } - - - ret = krb5_unparse_name(p->context, ticket->server, &server); - if(ret) { - pop_log(p, POP_PRIORITY, "krb5_unparse_name: %s", - krb5_get_err_text(p->context, ret)); - ret = -1; - goto out; - } - /* does this make sense? 
*/ - if(strncmp(server, "pop/", 4) != 0) { - pop_log(p, POP_PRIORITY, - "Got ticket for service `%s'", server); - ret = -1; - goto out; - } else if(p->debug) - pop_log(p, POP_DEBUG, - "Accepted ticket for service `%s'", server); - free(server); - out: - krb5_auth_con_free (p->context, auth_context); - krb5_copy_principal (p->context, ticket->client, &p->principal); - krb5_free_ticket (p->context, ticket); - - return ret; -} -#endif - -static int -krb_authenticate(POP *p, struct sockaddr *addr) -{ -#if defined(KRB4) || defined(KRB5) - u_char buf[BUFSIZ]; - - if (pop_net_read (p, 0, buf, 4) != 4) { - pop_msg(p, POP_FAILURE, "Reading four bytes: %s", - strerror(errno)); - exit (1); - } -#ifdef KRB4 - if (krb4_authenticate (p, 0, buf, addr) == 0){ - pop_write_addr(p, addr); - p->version = 4; - return POP_SUCCESS; - } -#endif -#ifdef KRB5 - if (krb5_authenticate (p, 0, buf, addr) == 0){ - pop_write_addr(p, addr); - p->version = 5; - return POP_SUCCESS; - } -#endif - exit (1); - -#endif /* defined(KRB4) || defined(KRB5) */ - - return(POP_SUCCESS); -} - -static int -plain_authenticate (POP *p, struct sockaddr *addr) -{ - return(POP_SUCCESS); -} - -static int kerberos_flag; -static char *auth_str; -static int debug_flag; -static int interactive_flag; -static char *port_str; -static char *trace_file; -static int timeout; -static int help_flag; -static int version_flag; - -static struct getargs args[] = { -#if defined(KRB4) || defined(KRB5) - { "kerberos", 'k', arg_flag, &kerberos_flag, "use kerberos" }, -#endif - { "auth-mode", 'a', arg_string, &auth_str, "required authentication" }, - { "debug", 'd', arg_flag, &debug_flag }, - { "interactive", 'i', arg_flag, &interactive_flag, "create new socket" }, - { "port", 'p', arg_string, &port_str, "port to listen to", "port" }, - { "trace-file", 't', arg_string, &trace_file, "trace all command to file", "file" }, - { "timeout", 'T', arg_integer, &timeout, "timeout", "seconds" }, - { "address-log", 0, arg_string, &addr_log, "enable 
address log", "file" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -/* - * init: Start a Post Office Protocol session - */ - -static int -pop_getportbyname(POP *p, const char *service, - const char *proto, short def) -{ -#ifdef KRB5 - return krb5_getportbyname(p->context, service, proto, def); -#elif defined(KRB4) - return k_getportbyname(service, proto, htons(def)); -#else - return htons(default); -#endif -} - -int -pop_init(POP *p,int argcount,char **argmessage) -{ - struct sockaddr_storage cs_ss; - struct sockaddr *cs = (struct sockaddr *)&cs_ss; - socklen_t len; - char * trace_file_name = "/tmp/popper-trace"; - int portnum = 0; - int optind = 0; - int error; - - /* Initialize the POP parameter block */ - memset (p, 0, sizeof(POP)); - - setprogname(argmessage[0]); - - /* Save my name in a global variable */ - p->myname = (char*)getprogname(); - - /* Get the name of our host */ - gethostname(p->myhost,MaxHostNameLen); - -#ifdef KRB5 - { - krb5_error_code ret; - - ret = krb5_init_context (&p->context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - - krb5_openlog(p->context, p->myname, &p->logf); - krb5_set_warn_dest(p->context, p->logf); - } -#else - /* Open the log file */ - roken_openlog(p->myname,POP_LOGOPTS,POP_FACILITY); -#endif - - p->auth_level = AUTH_NONE; - - if(getarg(args, num_args, argcount, argmessage, &optind)){ - arg_printusage(args, num_args, NULL, ""); - exit(1); - } - if(help_flag){ - arg_printusage(args, num_args, NULL, ""); - exit(0); - } - if(version_flag){ - print_version(NULL); - exit(0); - } - - argcount -= optind; - argmessage += optind; - - if (argcount != 0) { - arg_printusage(args, num_args, NULL, ""); - exit(1); - } - - if(auth_str){ - if (strcmp (auth_str, "none") == 0) - p->auth_level = AUTH_NONE; - else if(strcmp(auth_str, "otp") == 0) - p->auth_level = AUTH_OTP; - else - warnx ("bad value for -a: %s", optarg); 
- } - /* Debugging requested */ - p->debug = debug_flag; - - if(port_str) - portnum = htons(atoi(port_str)); - if(trace_file){ - p->debug++; - if ((p->trace = fopen(trace_file, "a+")) == NULL) { - pop_log(p, POP_PRIORITY, - "Unable to open trace file \"%s\", err = %d", - optarg,errno); - exit (1); - } - trace_file_name = trace_file; - } - -#if defined(KRB4) || defined(KRB5) - p->kerberosp = kerberos_flag; -#endif - - if(timeout) - pop_timeout = timeout; - - /* Fake inetd */ - if (interactive_flag) { - if (portnum == 0) - portnum = p->kerberosp ? - pop_getportbyname(p, "kpop", "tcp", 1109) : - pop_getportbyname(p, "pop", "tcp", 110); - mini_inetd (portnum); - } - - /* Get the address and socket of the client to whom I am speaking */ - len = sizeof(cs_ss); - if (getpeername(STDIN_FILENO, cs, &len) < 0) { - pop_log(p,POP_PRIORITY, - "Unable to obtain socket and address of client, err = %d",errno); - exit (1); - } - - /* Save the dotted decimal form of the client's IP address - in the POP parameter block */ - inet_ntop (cs->sa_family, socket_get_address (cs), - p->ipaddr, sizeof(p->ipaddr)); - - /* Save the client's port */ - p->ipport = ntohs(socket_get_port (cs)); - - /* Get the canonical name of the host to whom I am speaking */ - error = getnameinfo_verified (cs, len, p->client, sizeof(p->client), - NULL, 0, 0); - if (error) { - pop_log (p, POP_PRIORITY, - "getnameinfo: %s", gai_strerror (error)); - strlcpy (p->client, p->ipaddr, sizeof(p->client)); - } - - /* Create input file stream for TCP/IP communication */ - if ((p->input = fdopen(STDIN_FILENO,"r")) == NULL){ - pop_log(p,POP_PRIORITY, - "Unable to open communication stream for input, err = %d",errno); - exit (1); - } - - /* Create output file stream for TCP/IP communication */ - if ((p->output = fdopen(STDOUT_FILENO,"w")) == NULL){ - pop_log(p,POP_PRIORITY, - "Unable to open communication stream for output, err = %d",errno); - exit (1); - } - - pop_log(p,POP_PRIORITY, - "(v%s) Servicing request from \"%s\" at 
%s\n", - VERSION,p->client,p->ipaddr); - -#ifdef DEBUG - if (p->trace) - pop_log(p,POP_PRIORITY, - "Tracing session and debugging information in file \"%s\"", - trace_file_name); - else if (p->debug) - pop_log(p,POP_PRIORITY,"Debugging turned on"); -#endif /* DEBUG */ - - - return((p->kerberosp ? krb_authenticate : plain_authenticate)(p, cs)); -} diff --git a/crypto/heimdal/appl/popper/pop_last.c b/crypto/heimdal/appl/popper/pop_last.c deleted file mode 100644 index 36fdd0d25a12..000000000000 --- a/crypto/heimdal/appl/popper/pop_last.c +++ /dev/null @@ -1,18 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_last.c,v 1.6 1996/10/28 16:25:28 assar Exp $"); - -/* - * last: Display the last message touched in a POP session - */ - -int -pop_last (POP *p) -{ - return (pop_msg(p,POP_SUCCESS,"%u is the last message seen.",p->last_msg)); -} diff --git a/crypto/heimdal/appl/popper/pop_list.c b/crypto/heimdal/appl/popper/pop_list.c deleted file mode 100644 index aa7666a63158..000000000000 --- a/crypto/heimdal/appl/popper/pop_list.c +++ /dev/null 
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_list.c,v 1.10 1998/04/23 17:37:47 joda Exp $");
-
-/*
- * list: List the contents of a POP maildrop
- */
-
-int
-pop_list (POP *p)
-{
- MsgInfoList * mp; /* Pointer to message info list */
- int i;
- int msg_num;
-
- /* Was a message number provided? */
- if (p->parm_count > 0) {
- msg_num = atoi(p->pop_parm[1]);
-
- /* Is requested message out of range? */
- if ((msg_num < 1) || (msg_num > p->msg_count))
- return (pop_msg (p,POP_FAILURE,
- "Message %d does not exist.",msg_num));
-
- /* Get a pointer to the message in the message list */
- mp = &p->mlp[msg_num-1];
-
- /* Is the message already flagged for deletion? */
- if (mp->flags & DEL_FLAG)
- return (pop_msg (p,POP_FAILURE,
- "Message %d has been deleted.",msg_num));
-
- /* Display message information */
- return (pop_msg(p,POP_SUCCESS,"%d %ld",msg_num,mp->length));
- }
-
- /* Display the entire list of messages */
- pop_msg(p,POP_SUCCESS,
- "%d messages (%ld octets)",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted);
-
- /* Loop through the message information list. Skip deleted messages */
- for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
- if (!(mp->flags & DEL_FLAG))
- fprintf(p->output,"%u %lu\r\n",mp->number,mp->length);
- }
-
- /* "." signals the end of a multi-line transmission */
- fprintf(p->output,".\r\n");
- fflush(p->output);
-
- return(POP_SUCCESS);
-}
diff --git a/crypto/heimdal/appl/popper/pop_log.c b/crypto/heimdal/appl/popper/pop_log.c
deleted file mode 100644
index deb9841d87e4..000000000000
--- a/crypto/heimdal/appl/popper/pop_log.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_log.c,v 1.13 1997/10/14 21:59:07 joda Exp $");
-
-/*
- * log: Make a log entry
- */
-
-int
-pop_log(POP *p, int stat, char *format, ...)
-{
- char msgbuf[MAXLINELEN];
- va_list ap;
-
- va_start(ap, format);
- vsnprintf(msgbuf, sizeof(msgbuf), format, ap);
-
- if (p->debug && p->trace) {
- fprintf(p->trace,"%s\n",msgbuf);
- fflush(p->trace);
- } else {
-#ifdef KRB5
- krb5_log(p->context, p->logf, stat, "%s", msgbuf);
-#else
- syslog (stat,"%s",msgbuf);
-#endif
- }
- va_end(ap);
-
- return(stat);
-}
diff --git a/crypto/heimdal/appl/popper/pop_msg.c b/crypto/heimdal/appl/popper/pop_msg.c
deleted file mode 100644
index 12887a49fad8..000000000000
--- a/crypto/heimdal/appl/popper/pop_msg.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_msg.c,v 1.16 1999/09/16 20:38:50 assar Exp $");
-
-/*
- * msg: Send a formatted line to the POP client
- */
-
-int
-pop_msg(POP *p, int stat, char *format, ...)
-{
- char *mp;
- char message[MAXLINELEN];
- va_list ap;
-
- va_start(ap, format);
-
- /* Point to the message buffer */
- mp = message;
-
- /* Format the POP status code at the beginning of the message */
- snprintf (mp, sizeof(message), "%s ",
- (stat == POP_SUCCESS) ? POP_OK : POP_ERR);
-
- /* Point past the POP status indicator in the message message */
- mp += strlen(mp);
-
- /* Append the message (formatted, if necessary) */
- if (format)
- vsnprintf (mp, sizeof(message) - strlen(message),
- format, ap);
-
- /* Log the message if debugging is turned on */
-#ifdef DEBUG
- if (p->debug && stat == POP_SUCCESS)
- pop_log(p,POP_DEBUG,"%s",message);
-#endif /* DEBUG */
-
- /* Log the message if a failure occurred */
- if (stat != POP_SUCCESS)
- pop_log(p,POP_PRIORITY,"%s",message);
-
- /* Append the */
- strlcat(message, "\r\n", sizeof(message));
-
- /* Send the message to the client */
- fputs(message, p->output);
- fflush(p->output);
-
- va_end(ap);
- return(stat);
-}
diff --git a/crypto/heimdal/appl/popper/pop_parse.c b/crypto/heimdal/appl/popper/pop_parse.c
deleted file mode 100644
index 37aef369a98f..000000000000
--- a/crypto/heimdal/appl/popper/pop_parse.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_parse.c,v 1.9 1999/03/13 21:17:27 assar Exp $");
-
-/*
- * parse: Parse a raw input line from a POP client
- * into null-delimited tokens
- */
-
-int
-pop_parse(POP *p, char *buf)
-{
- char * mp;
- int i;
-
- /* Loop through the POP command array */
- for (mp = buf, i = 0; ; i++) {
-
- /* Skip leading spaces and tabs in the message */
- while (isspace((unsigned char)*mp))mp++;
-
- /* Are we at the end of the message? */
- if (*mp == 0) break;
-
- /* Have we already obtained the maximum allowable parameters? */
- if (i >= MAXPARMCOUNT) {
- pop_msg(p,POP_FAILURE,"Too many arguments supplied.");
- return(-1);
- }
-
- /* Point to the start of the token */
- p->pop_parm[i] = mp;
-
- /* Search for the first space character (end of the token) */
- while (!isspace((unsigned char)*mp) && *mp) mp++;
-
- /* Delimit the token with a null */
- if (*mp) *mp++ = 0;
- }
-
- /* Were any parameters passed at all? */
- if (i == 0) return (-1);
-
- /* Convert the first token (POP command) to lower case */
- strlwr(p->pop_command);
-
- /* Return the number of tokens extracted minus the command itself */
- return (i-1);
-
-}
diff --git a/crypto/heimdal/appl/popper/pop_pass.c b/crypto/heimdal/appl/popper/pop_pass.c
deleted file mode 100644
index cebd78083c9f..000000000000
--- a/crypto/heimdal/appl/popper/pop_pass.c
+++ /dev/null
@@ -1,220 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_pass.c,v 1.41 2000/04/12 15:37:46 assar Exp $"); - -#ifdef KRB4 -static int -krb4_verify_password (POP *p) -{ - int status; - char lrealm[REALM_SZ]; - char tkt[MaxPathLen]; - - status = krb_get_lrealm(lrealm,1); - if (status == KFAILURE) { - pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - krb_get_err_text(status)); - return 1; - } - snprintf(tkt, sizeof(tkt), "%s_popper.%u", TKT_ROOT, (unsigned)getpid()); - krb_set_tkt_string (tkt); - - status = krb_verify_user(p->user, "", lrealm, - p->pop_parm[1], KRB_VERIFY_SECURE, "pop"); - dest_tkt(); /* no point in keeping the tickets */ - return status; -} -#endif /* KRB4 */ - -#ifdef KRB5 -static int -krb5_verify_password (POP *p) -{ - krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; - krb5_get_init_creds_opt get_options; - krb5_verify_init_creds_opt verify_options; - krb5_error_code ret; - krb5_principal client, server; - krb5_creds creds; - - krb5_get_init_creds_opt_init (&get_options); - - krb5_get_init_creds_opt_set_preauth_list (&get_options, - pre_auth_types, - 1); - - krb5_verify_init_creds_opt_init (&verify_options); - - ret = krb5_parse_name (p->context, p->user, &client); - if (ret) { - pop_log(p, POP_PRIORITY, "krb5_parse_name: %s", - krb5_get_err_text (p->context, ret)); - return 1; - } - - ret = krb5_get_init_creds_password (p->context, - &creds, - client, - p->pop_parm[1], - NULL, - NULL, - 0, - NULL, - &get_options); - if (ret) { - pop_log(p, POP_PRIORITY, - "krb5_get_init_creds_password: %s", - krb5_get_err_text (p->context, ret)); - return 1; - } - - ret = krb5_sname_to_principal (p->context, - p->myhost, - "pop", - KRB5_NT_SRV_HST, - &server); - if (ret) { - pop_log(p, POP_PRIORITY, - 
"krb5_get_init_creds_password: %s", - krb5_get_err_text (p->context, ret)); - return 1; - } - - ret = krb5_verify_init_creds (p->context, - &creds, - server, - NULL, - NULL, - &verify_options); - krb5_free_principal (p->context, client); - krb5_free_principal (p->context, server); - krb5_free_creds_contents (p->context, &creds); - return ret; -} -#endif -/* - * pass: Obtain the user password from a POP client - */ - -int -pop_pass (POP *p) -{ - struct passwd *pw; - int i; - struct stat st; - - /* Make one string of all these parameters */ - - for (i = 1; i < p->parm_count; ++i) - p->pop_parm[i][strlen(p->pop_parm[i])] = ' '; - - /* Look for the user in the password file */ - if ((pw = k_getpwnam(p->user)) == NULL) - return (pop_msg(p,POP_FAILURE, - "Password supplied for \"%s\" is incorrect.", - p->user)); - - if (p->kerberosp) { -#ifdef KRB4 - if (p->version == 4) { - if(kuserok (&p->kdata, p->user)) { - pop_log(p, POP_PRIORITY, - "%s: (%s.%s@%s) tried to retrieve mail for %s.", - p->client, p->kdata.pname, p->kdata.pinst, - p->kdata.prealm, p->user); - return(pop_msg(p,POP_FAILURE, - "Popping not authorized")); - } - pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s", - p->ipaddr, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - p->user); - } else -#endif /* KRB4 */ -#ifdef KRB5 - if (p->version == 5) { - char *name; - - if (!krb5_kuserok (p->context, p->principal, p->user)) { - pop_log (p, POP_PRIORITY, - "krb5 permission denied"); - return pop_msg(p, POP_FAILURE, - "Popping not authorized"); - } - if(krb5_unparse_name (p->context, p->principal, &name) == 0) { - pop_log(p, POP_INFO, "%s: %s -> %s", - p->ipaddr, name, p->user); - free (name); - } - } else { - pop_log (p, POP_PRIORITY, "kerberos authentication failed"); - return pop_msg (p, POP_FAILURE, - "kerberos authentication failed"); - } -#endif - { } - } else { - /* We don't accept connections from users with null passwords */ - if (pw->pw_passwd == NULL) - return (pop_msg(p, - POP_FAILURE, - "Password supplied 
for \"%s\" is incorrect.", - p->user)); - -#ifdef OTP - if (otp_verify_user (&p->otp_ctx, p->pop_parm[1]) == 0) - /* pass OK */; - else -#endif - /* Compare the supplied password with the password file entry */ - if (p->auth_level != AUTH_NONE) - return pop_msg(p, POP_FAILURE, - "Password supplied for \"%s\" is incorrect.", - p->user); - else if (!strcmp(crypt(p->pop_parm[1], pw->pw_passwd), pw->pw_passwd)) - /* pass OK */; - else { - int ret = -1; -#ifdef KRB4 - ret = krb4_verify_password (p); -#endif -#ifdef KRB5 - if(ret) - ret = krb5_verify_password (p); -#endif - if(ret) - return pop_msg(p, POP_FAILURE, - "Password incorrect"); - } - } - pop_log(p, POP_INFO, "login from %s as %s", - p->ipaddr, p->user); - - /* Build the name of the user's maildrop */ - snprintf(p->drop_name, sizeof(p->drop_name), "%s/%s", POP_MAILDIR, p->user); - - if(stat(p->drop_name, &st) < 0 || !S_ISDIR(st.st_mode)){ - /* Make a temporary copy of the user's maildrop */ - /* and set the group and user id */ - if (pop_dropcopy(p, pw) != POP_SUCCESS) return (POP_FAILURE); - - /* Get information about the maildrop */ - if (pop_dropinfo(p) != POP_SUCCESS) return(POP_FAILURE); - } else { - if(changeuser(p, pw) != POP_SUCCESS) return POP_FAILURE; - if(pop_maildir_info(p) != POP_SUCCESS) return POP_FAILURE; - } - /* Initialize the last-message-accessed number */ - p->last_msg = 0; - - /* Authorization completed successfully */ - return (pop_msg (p, POP_SUCCESS, - "%s has %d message(s) (%ld octets).", - p->user, p->msg_count, p->drop_size)); -} diff --git a/crypto/heimdal/appl/popper/pop_quit.c b/crypto/heimdal/appl/popper/pop_quit.c deleted file mode 100644 index 429b1815dd19..000000000000 --- a/crypto/heimdal/appl/popper/pop_quit.c +++ /dev/null 
@@ -1,21 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_quit.c,v 1.7 1996/11/19 22:48:30 assar Exp $");
-
-/*
- * quit: Terminate a POP session
- */
-
-int
-pop_quit (POP *p)
-{
- /* Release the message information list */
- if (p->mlp) free (p->mlp);
-
- return(POP_SUCCESS);
-}
diff --git a/crypto/heimdal/appl/popper/pop_rset.c b/crypto/heimdal/appl/popper/pop_rset.c
deleted file mode 100644
index 6888ebfbad48..000000000000
--- a/crypto/heimdal/appl/popper/pop_rset.c
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_rset.c,v 1.9 1998/04/23 17:38:08 joda Exp $");
-
-/*
- * rset: Unflag all messages flagged for deletion in a POP maildrop
- */
-
-int
-pop_rset (POP *p)
-{
- MsgInfoList * mp; /* Pointer to the message info list */
- int i;
-
- /* Unmark all the messages */
- for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++)
- mp->flags &= ~DEL_FLAG;
-
- /* Reset the messages-deleted and bytes-deleted counters */
- p->msgs_deleted = 0;
- p->bytes_deleted = 0;
-
- /* Reset the last-message-access flag */
- p->last_msg = 0;
-
- return (pop_msg(p,POP_SUCCESS,"Maildrop has %u messages (%ld octets)",
- p->msg_count, p->drop_size));
-}
diff --git a/crypto/heimdal/appl/popper/pop_send.c b/crypto/heimdal/appl/popper/pop_send.c
deleted file mode 100644
index 166b990a1419..000000000000
--- a/crypto/heimdal/appl/popper/pop_send.c
+++ /dev/null
@@ -1,176 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_send.c,v 1.25 1999/03/05 14:14:28 joda Exp $"); - -/* - * sendline: Send a line of a multi-line response to a client. - */ -static int -pop_sendline(POP *p, char *buffer) -{ - char * bp; - - /* Byte stuff lines that begin with the termination octet */ - if (*buffer == POP_TERMINATE) - fputc(POP_TERMINATE,p->output); - - /* Look for a in the buffer */ - if ((bp = strchr(buffer, '\n'))) - *bp = 0; - - /* Send the line to the client */ - fputs(buffer,p->output); - -#ifdef DEBUG - if(p->debug) - pop_log(p,POP_DEBUG,"Sending line \"%s\"",buffer); -#endif /* DEBUG */ - - /* Put a if a newline was removed from the buffer */ - if (bp) - fputs ("\r\n",p->output); - return bp != NULL; -} - -/* - * send: Send the header and a specified number of lines - * from a mail message to a POP client. - */ - -int -pop_send(POP *p) -{ - MsgInfoList * mp; /* Pointer to message info list */ - int msg_num; - int msg_lines; - char buffer[MAXMSGLINELEN]; -#ifdef RETURN_PATH_HANDLING - char * return_path_adr; - char * return_path_end; - int return_path_sent; - int return_path_linlen; -#endif - int sent_nl = 0; - - /* Convert the first parameter into an integer */ - msg_num = atoi(p->pop_parm[1]); - - /* Is requested message out of range? */ - if ((msg_num < 1) || (msg_num > p->msg_count)) - return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num)); - - /* Get a pointer to the message in the message list */ - mp = &p->mlp[msg_num-1]; - - /* Is the message flagged for deletion? 
*/ - if (mp->flags & DEL_FLAG) - return (pop_msg (p,POP_FAILURE, - "Message %d has been deleted.",msg_num)); - - /* If this is a TOP command, get the number of lines to send */ - if (strcmp(p->pop_command, "top") == 0) { - /* Convert the second parameter into an integer */ - msg_lines = atoi(p->pop_parm[2]); - } - else { - /* Assume that a RETR (retrieve) command was issued */ - msg_lines = -1; - /* Flag the message as retreived */ - mp->flags |= RETR_FLAG; - } - - /* Display the number of bytes in the message */ - pop_msg(p, POP_SUCCESS, "%ld octets", mp->length); - - if(IS_MAILDIR(p)) { - int e = pop_maildir_open(p, mp); - if(e != POP_SUCCESS) - return e; - } - - /* Position to the start of the message */ - fseek(p->drop, mp->offset, 0); - - return_path_sent = 0; - - if(!IS_MAILDIR(p)) { - /* Skip the first line (the sendmail "From" line) */ - fgets (buffer,MAXMSGLINELEN,p->drop); - -#ifdef RETURN_PATH_HANDLING - if (strncmp(buffer,"From ",5) == 0) { - return_path_linlen = strlen(buffer); - for (return_path_adr = buffer+5; - (*return_path_adr == ' ' || *return_path_adr == '\t') && - return_path_adr < buffer + return_path_linlen; - return_path_adr++) - ; - if (return_path_adr < buffer + return_path_linlen) { - if ((return_path_end = strchr(return_path_adr, ' ')) != NULL) - *return_path_end = '\0'; - if (strlen(return_path_adr) != 0 && *return_path_adr != '\n') { - static char tmpbuf[MAXMSGLINELEN + 20]; - if (snprintf (tmpbuf, - sizeof(tmpbuf), - "Return-Path: %s\n", - return_path_adr) < MAXMSGLINELEN) { - pop_sendline (p,tmpbuf); - if (hangup) - return pop_msg (p, POP_FAILURE, - "SIGHUP or SIGPIPE flagged"); - return_path_sent++; - } - } - } - } -#endif - } - - /* Send the header of the message followed by a blank line */ - while (fgets(buffer,MAXMSGLINELEN,p->drop)) { -#ifdef RETURN_PATH_HANDLING - /* Don't send existing Return-Path-header if already sent own */ - if (!return_path_sent || strncasecmp(buffer, "Return-Path:", 12) != 0) -#endif - sent_nl = 
pop_sendline (p,buffer); - /* A single newline (blank line) signals the - end of the header. sendline() converts this to a NULL, - so that's what we look for. */ - if (*buffer == 0) break; - if (hangup) - return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged")); - } - /* Send the message body */ - { - int blank_line = 1; - while (fgets(buffer, MAXMSGLINELEN-1, p->drop)) { - /* Look for the start of the next message */ - if (!IS_MAILDIR(p) && blank_line && strncmp(buffer,"From ",5) == 0) - break; - blank_line = (strncmp(buffer, "\n", 1) == 0); - /* Decrement the lines sent (for a TOP command) */ - if (msg_lines >= 0 && msg_lines-- == 0) break; - sent_nl = pop_sendline(p,buffer); - if (hangup) - return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged")); - } - /* add missing newline at end */ - if(!sent_nl) - fputs("\r\n", p->output); - /* some pop-clients want a blank line at the end of the - message, we always add one here, but what the heck -- in - outer (white) space, no one can hear you scream */ - if(IS_MAILDIR(p)) - fputs("\r\n", p->output); - } - /* "." signals the end of a multi-line transmission */ - fputs(".\r\n",p->output); - fflush(p->output); - - return(POP_SUCCESS); -} diff --git a/crypto/heimdal/appl/popper/pop_stat.c b/crypto/heimdal/appl/popper/pop_stat.c deleted file mode 100644 index 9ab2800b0f97..000000000000 --- a/crypto/heimdal/appl/popper/pop_stat.c +++ /dev/null 
@@ -1,26 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_stat.c,v 1.7 1997/05/11 11:04:35 assar Exp $");
-
-/*
- * stat: Display the status of a POP maildrop to its client
- */
-
-int
-pop_stat (POP *p)
-{
-#ifdef DEBUG
- if (p->debug) pop_log(p,POP_DEBUG,"%d message(s) (%ld octets).",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted);
-#endif /* DEBUG */
- return (pop_msg (p,POP_SUCCESS,
- "%d %ld",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted));
-}
diff --git a/crypto/heimdal/appl/popper/pop_uidl.c b/crypto/heimdal/appl/popper/pop_uidl.c
deleted file mode 100644
index 42dc12deba11..000000000000
--- a/crypto/heimdal/appl/popper/pop_uidl.c
+++ /dev/null
@@ -1,88 +0,0 @@ -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -RCSID("$Id: pop_uidl.c,v 1.9 1999/12/02 16:58:33 joda Exp $"); - -#ifdef UIDL -/* - * uidl: Uidl the contents of a POP maildrop - */ - -int -pop_uidl (POP *p) -{ - MsgInfoList * mp; /* Pointer to message info list */ - int i; - int msg_num; - - /* Was a message number provided? 
*/ - if (p->parm_count > 0) { - msg_num = atoi(p->pop_parm[1]); - - /* Is requested message out of range? */ - if ((msg_num < 1) || (msg_num > p->msg_count)) - return (pop_msg (p,POP_FAILURE, - "Message %d does not exist.",msg_num)); - - /* Get a pointer to the message in the message list */ - mp = &p->mlp[msg_num-1]; - - /* Is the message already flagged for deletion? */ - if (mp->flags & DEL_FLAG) - return (pop_msg (p,POP_FAILURE, - "Message %d has been deleted.",msg_num)); - - /* Display message information */ - return (pop_msg(p,POP_SUCCESS,"%u %s",msg_num,mp->msg_id)); - } - - /* Display the entire list of messages */ - pop_msg(p,POP_SUCCESS, - "%d messages (%ld octets)", - p->msg_count-p->msgs_deleted, - p->drop_size-p->bytes_deleted); - - /* Loop through the message information list. Skip deleted messages */ - for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) { - if (!(mp->flags & DEL_FLAG)) - fprintf(p->output,"%u %s\r\n",mp->number,mp->msg_id); - } - - /* "." signals the end of a multi-line transmission */ - fprintf(p->output,".\r\n"); - fflush(p->output); - - return(POP_SUCCESS); -} -#endif /* UIDL */ diff --git a/crypto/heimdal/appl/popper/pop_updt.c b/crypto/heimdal/appl/popper/pop_updt.c deleted file mode 100644 index 013013257ddc..000000000000 --- a/crypto/heimdal/appl/popper/pop_updt.c +++ /dev/null 
@@ -1,199 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: pop_updt.c,v 1.19 1998/04/23 18:36:51 joda Exp $"); - -static char standard_error[] = - "Error error updating primary drop. Mailbox unchanged"; - -/* - * updt: Apply changes to a user's POP maildrop - */ - -int -pop_updt (POP *p) -{ - FILE * md; /* Stream pointer for - the user's maildrop */ - int mfd; /* File descriptor for - above */ - char buffer[BUFSIZ]; /* Read buffer */ - - MsgInfoList * mp; /* Pointer to message - info list */ - int msg_num; /* Current message - counter */ - int status_written; /* Status header field - written */ - int nchar; /* Bytes read/written */ - - long offset; /* New mail offset */ - - int blank_line; - -#ifdef DEBUG - if (p->debug) { - pop_log(p,POP_DEBUG,"Performing maildrop update..."); - pop_log(p,POP_DEBUG,"Checking to see if all messages were deleted"); - } -#endif /* DEBUG */ - - if(IS_MAILDIR(p)) - return pop_maildir_update(p); - - if (p->msgs_deleted == p->msg_count) { - /* Truncate before close, to avoid race condition, DO NOT UNLINK! 
- Another process may have opened, and not yet tried to lock */ - ftruncate ((int)fileno(p->drop),0); - fclose(p->drop) ; - return (POP_SUCCESS); - } - -#ifdef DEBUG - if (p->debug) - pop_log(p,POP_DEBUG,"Opening mail drop \"%s\"",p->drop_name); -#endif /* DEBUG */ - - /* Open the user's real maildrop */ - if ((mfd = open(p->drop_name,O_RDWR|O_CREAT,0600)) == -1 || - (md = fdopen(mfd,"r+")) == NULL) { - return pop_msg(p,POP_FAILURE,standard_error); - } - - /* Lock the user's real mail drop */ - if ( flock(mfd, LOCK_EX) == -1 ) { - fclose(md) ; - return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop, - strerror(errno)); - } - - /* Go to the right places */ - offset = lseek((int)fileno(p->drop),0,SEEK_END) ; - - /* Append any messages that may have arrived during the session - to the temporary maildrop */ - while ((nchar=read(mfd,buffer,BUFSIZ)) > 0) - if ( nchar != write((int)fileno(p->drop),buffer,nchar) ) { - nchar = -1; - break ; - } - if ( nchar != 0 ) { - fclose(md) ; - ftruncate((int)fileno(p->drop),(int)offset) ; - fclose(p->drop) ; - return pop_msg(p,POP_FAILURE,standard_error); - } - - rewind(md); - lseek(mfd,0,SEEK_SET); - ftruncate(mfd,0) ; - - /* Synch stdio and the kernel for the POP drop */ - rewind(p->drop); - lseek((int)fileno(p->drop),0,SEEK_SET); - - /* Transfer messages not flagged for deletion from the temporary - maildrop to the new maildrop */ -#ifdef DEBUG - if (p->debug) - pop_log(p,POP_DEBUG,"Creating new maildrop \"%s\" from \"%s\"", - p->drop_name,p->temp_drop); -#endif /* DEBUG */ - - for (msg_num = 0; msg_num < p->msg_count; ++msg_num) { - - int doing_body; - - /* Get a pointer to the message information list */ - mp = &p->mlp[msg_num]; - - if (mp->flags & DEL_FLAG) { -#ifdef DEBUG - if(p->debug) - pop_log(p,POP_DEBUG, - "Message %d flagged for deletion.",mp->number); -#endif /* DEBUG */ - continue; - } - - fseek(p->drop,mp->offset,0); - -#ifdef DEBUG - if(p->debug) - pop_log(p,POP_DEBUG,"Copying message %d.",mp->number); -#endif 
/* DEBUG */ - blank_line = 1; - for(status_written = doing_body = 0 ; - fgets(buffer,MAXMSGLINELEN,p->drop);) { - - if (doing_body == 0) { /* Header */ - - /* Update the message status */ - if (strncasecmp(buffer,"Status:",7) == 0) { - if (mp->flags & RETR_FLAG) - fputs("Status: RO\n",md); - else - fputs(buffer, md); - status_written++; - continue; - } - /* A blank line signals the end of the header. */ - if (*buffer == '\n') { - doing_body = 1; - if (status_written == 0) { - if (mp->flags & RETR_FLAG) - fputs("Status: RO\n\n",md); - else - fputs("Status: U\n\n",md); - } - else fputs ("\n", md); - continue; - } - /* Save another header line */ - fputs (buffer, md); - } - else { /* Body */ - if (blank_line && strncmp(buffer,"From ",5) == 0) break; - fputs (buffer, md); - blank_line = (*buffer == '\n'); - } - } - } - - /* flush and check for errors now! The new mail will writen - without stdio, since we need not separate messages */ - - fflush(md) ; - if (ferror(md)) { - ftruncate(mfd,0) ; - fclose(md) ; - fclose(p->drop) ; - return pop_msg(p,POP_FAILURE,standard_error); - } - - /* Go to start of new mail if any */ - lseek((int)fileno(p->drop),offset,SEEK_SET); - - while((nchar=read((int)fileno(p->drop),buffer,BUFSIZ)) > 0) - if ( nchar != write(mfd,buffer,nchar) ) { - nchar = -1; - break ; - } - if ( nchar != 0 ) { - ftruncate(mfd,0) ; - fclose(md) ; - fclose(p->drop) ; - return pop_msg(p,POP_FAILURE,standard_error); - } - - /* Close the maildrop and empty temporary maildrop */ - fclose(md); - ftruncate((int)fileno(p->drop),0); - fclose(p->drop); - - return(pop_quit(p)); -} diff --git a/crypto/heimdal/appl/popper/pop_user.c b/crypto/heimdal/appl/popper/pop_user.c deleted file mode 100644 index be771e690c30..000000000000 --- a/crypto/heimdal/appl/popper/pop_user.c +++ /dev/null 
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 1989 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-#include
-RCSID("$Id: pop_user.c,v 1.15 1999/09/16 20:38:50 assar Exp $");
-
-/*
- * user: Prompt for the user name at the start of a POP session
- */
-
-int
-pop_user (POP *p)
-{
- char ss[256];
-
- strlcpy(p->user, p->pop_parm[1], sizeof(p->user));
-
-#ifdef OTP
- if (otp_challenge (&p->otp_ctx, p->user, ss, sizeof(ss)) == 0) {
- return pop_msg(p, POP_SUCCESS, "Password %s required for %s.",
- ss, p->user);
- } else
-#endif
- if (p->auth_level != AUTH_NONE) {
- char *s = NULL;
-#ifdef OTP
- s = otp_error(&p->otp_ctx);
-#endif
- return pop_msg(p, POP_FAILURE, "Permission denied%s%s",
- s ? ":" : "", s ? s : "");
- } else
- return pop_msg(p, POP_SUCCESS, "Password required for %s.", p->user);
-}
diff --git a/crypto/heimdal/appl/popper/pop_xover.c b/crypto/heimdal/appl/popper/pop_xover.c
deleted file mode 100644
index 94936f9839f7..000000000000
--- a/crypto/heimdal/appl/popper/pop_xover.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include
-RCSID("$Id: pop_xover.c,v 1.4 1998/04/23 17:39:31 joda Exp $");
-
-int
-pop_xover (POP *p)
-{
-#ifdef XOVER
- MsgInfoList * mp; /* Pointer to message info list */
- int i;
-
- pop_msg(p,POP_SUCCESS,
- "%d messages (%ld octets)",
- p->msg_count-p->msgs_deleted,
- p->drop_size-p->bytes_deleted);
-
- /* Loop through the message information list. Skip deleted messages */
- for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
- if (!(mp->flags & DEL_FLAG))
- fprintf(p->output,"%u\t%s\t%s\t%s\t%s\t%lu\t%u\r\n",
- mp->number,
- mp->subject,
- mp->from,
- mp->date,
- mp->msg_id,
- mp->length,
- mp->lines);
- }
-
- /* "." signals the end of a multi-line transmission */
- fprintf(p->output,".\r\n");
- fflush(p->output);
-
- return(POP_SUCCESS);
-#else
- return pop_msg(p, POP_FAILURE, "Command not implemented.");
-#endif
-}
diff --git a/crypto/heimdal/appl/popper/popper.8 b/crypto/heimdal/appl/popper/popper.8
deleted file mode 100644
index 1493fd7c8e19..000000000000
--- a/crypto/heimdal/appl/popper/popper.8
+++ /dev/null
@@ -1,90 +0,0 @@ -.\" $Id: popper.8,v 1.7 2002/08/20 16:37:05 joda Exp $ -.\" -.Dd August 13, 2001 -.Dt POPPER 8 -.Os HEIMDAL -.Sh NAME -.Nm popper -.Nd -POP3 server -.Sh SYNOPSIS -.Nm -.Op Fl k -.Op Fl a Ar none Ns \*(Ba Ns otp -.Op Fl t Ar file -.Op Fl T Ar seconds -.Op Fl d -.Op Fl i -.Op Fl p Ar port -.Op Fl -address-log= Ns Pa file -.Sh DESCRIPTION -.Nm -serves mail via the Post Office Protocol. Supported options include: -.Bl -tag -width Ds -.It Xo -.Fl a Ar none Ns \*(Ba Ns otp , -.Fl -auth-mode= Ns Ar none Ns \*(Ba Ns otp -.Xc -tells -.Nm -what authentication modes are acceptable, passing -.Ar otp -disables clear text passwords. This has only effect when not using -Kerberos authentication. -.It Xo -.Fl -address-log= Ns Pa file -.Xc -logs the addresses of all clients to the specified file -.It Xo -.Fl d , -.Fl -debug -.Xc -enables more verbose log messages -.It Xo -.Fl i , -.Fl -interactive -.Xc -when not started by inetd, this flag tells -.Nm -that it has to create a socket by itself -.It Xo -.Fl k , -.Fl -kerberos -.Xc -tells -.Nm -to use the Kerberos for authentication. -.It Xo -.Fl p Ar port , -.Fl -port= Ns Ar port -.Xc -port to listen to, in combination with -.Fl i -.It Xo -.Fl t Ar file , -.Fl -trace-file= Ns Ar file -.Xc -trace all command to file -.It Xo -.Fl T Ar seconds , -.Fl -timeout= Ns Ar seconds -.Xc -set timeout to something other than the default of 120 seconds -.El -.\".Sh ENVIRONMENT -.\".Sh FILES -.\".Sh EXAMPLES -.\".Sh DIAGNOSTICS -.Sh SEE ALSO -.Xr push 8 , -.Xr movemail 8 -.Sh STANDARDS -RFC1939 (Post Office Protocol - Version 3) -.\" RFC2449 (POP3 Extension Mechanism) -.\".Sh HISTORY -.Sh AUTHORS -The server was initially developed at the University of California, -Berkeley. -.Pp -Many changes has been made as part of the KTH Kerberos distributions. -.\".Sh BUGS diff --git a/crypto/heimdal/appl/popper/popper.README.release b/crypto/heimdal/appl/popper/popper.README.release deleted file mode 100644 index c0b313ecd964..000000000000 
--- a/crypto/heimdal/appl/popper/popper.README.release
+++ /dev/null
@@ -1,45 +0,0 @@
-Release Notes:
-
-popper-1.831beta is no longer beta 30 July 91
- Removed popper-1.7.tar.Z
-
-popper-1.831beta.tar.Z 03 April 91
- Changed mkstemp to mktemp for Ultrix. Sigh.
-
-popper-1.83beta.tar.Z 02 April 91
-
- This version makes certain that while running as root we do nothing
- at all destructive.
-
-popper-1.82beta.tar.Z 27 March 91
-
- This version fixes problems on Encore MultiMax and some Sun releases
- which wouldn't allow a user to ftruncate() a file from an open
- file descripter unless the user owns the file. Now the user
- owns the /usr/spool/mail/.userid.pop file. Thanks to Ben Levy
- of FTP Software and Henry Holtzman of Apple.
-
-popper-1.81beta.tar.Z 20 March 91
-
- This version of popper is supposed to fix three problems reported
- with various versions of popper (all called 1.7 or 1.7something).
-
- 1) Dropped network connections meant lost mail files. Some 1.7
- versions also risked corrupting mail files.
-
- 2) Some versions of 1.7 created temporary drop files with world
- read and write permissions.
-
- 3) Some versions of 1.7 were not careful about opening the temporary
- drop file.
-
-popper-1.7.tar.Z 09 September 90 (updated 20 March 91)
-
- This version will exhibit the first problem listed above if it is
- compiled with -DDEBUG and run without the "-d" (debug) flag.
-
- If it is compiled without -DDEBUG it will exhibit only the second
- and third bug listed above.
-
-Cliff Frost poptest@nettlesome.berkeley.edu
-UC Berkeley
diff --git a/crypto/heimdal/appl/popper/popper.c b/crypto/heimdal/appl/popper/popper.c
deleted file mode 100644
index 6aee29441ca7..000000000000
--- a/crypto/heimdal/appl/popper/popper.c
+++ /dev/null
@@ -1,116 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#include -RCSID("$Id: popper.c,v 1.16 2002/07/04 14:09:25 joda Exp $"); - -int hangup = FALSE ; - -static RETSIGTYPE -catchSIGHUP(int sig) -{ - hangup = TRUE ; - - /* This should not be a problem on BSD systems */ - signal(SIGHUP, catchSIGHUP); - signal(SIGPIPE, catchSIGHUP); - SIGRETURN(0); -} - -int pop_timeout = POP_TIMEOUT; - -jmp_buf env; - -static RETSIGTYPE -ring(int sig) -{ - longjmp(env,1); -} - -/* - * fgets, but with a timeout - */ -static char * -tgets(char *str, int size, FILE *fp, int timeout) -{ - signal(SIGALRM, ring); - alarm(timeout); - if (setjmp(env)) - str = NULL; - else - str = fgets(str,size,fp); - alarm(0); - signal(SIGALRM,SIG_DFL); - return(str); -} - -/* - * popper: Handle a Post Office Protocol version 3 session - */ -int -main (int argc, char **argv) -{ - POP p; - state_table * s; - char message[MAXLINELEN]; - - signal(SIGHUP, catchSIGHUP); - signal(SIGPIPE, catchSIGHUP); - - /* Start things rolling */ - pop_init(&p,argc,argv); - - /* Tell the user that we are listenting */ - pop_msg(&p,POP_SUCCESS, "POP3 server ready"); - - /* State loop. The POP server is always in a particular state in - which a specific suite of commands can be executed. The following - loop reads a line from the client, gets the command, and processes - it in the current context (if allowed) or rejects it. This continues - until the client quits or an error occurs. 
*/ - - for (p.CurrentState=auth1;p.CurrentState!=halt&&p.CurrentState!=error;) { - if (hangup) { - pop_msg(&p, POP_FAILURE, "POP hangup: %s", p.myhost); - if (p.CurrentState > auth2 && !pop_updt(&p)) - pop_msg(&p, POP_FAILURE, - "POP mailbox update failed: %s", p.myhost); - p.CurrentState = error; - } else if (tgets(message, MAXLINELEN, p.input, pop_timeout) == NULL) { - pop_msg(&p, POP_FAILURE, "POP timeout: %s", p.myhost); - if (p.CurrentState > auth2 && !pop_updt(&p)) - pop_msg(&p,POP_FAILURE, - "POP mailbox update failed: %s", p.myhost); - p.CurrentState = error; - } - else { - /* Search for the command in the command/state table */ - if ((s = pop_get_command(&p,message)) == NULL) continue; - - /* Call the function associated with this command in - the current state */ - if (s->function) p.CurrentState = s->result[(*s->function)(&p)]; - - /* Otherwise assume NOOP and send an OK message to the client */ - else { - p.CurrentState = s->success_state; - pop_msg(&p,POP_SUCCESS,NULL); - } - } - } - - /* Say goodbye to the client */ - pop_msg(&p,POP_SUCCESS,"Pop server at %s signing off.",p.myhost); - - /* Log the end of activity */ - pop_log(&p,POP_PRIORITY, - "(v%s) Ending request from \"%s\" at %s\n",VERSION,p.client,p.ipaddr); - - /* Stop logging */ - closelog(); - - return(0); -} diff --git a/crypto/heimdal/appl/popper/popper.h b/crypto/heimdal/appl/popper/popper.h deleted file mode 100644 index 7eac257c75d2..000000000000 --- a/crypto/heimdal/appl/popper/popper.h +++ /dev/null 
@@ -1,352 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - * - * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n"; - * static char SccsId[] = "@(#)@(#)popper.h 2.2 2.2 4/2/91"; - * - */ - -/* $Id: popper.h,v 1.51 2002/07/04 13:56:12 joda Exp $ */ - -/* - * Header file for the POP programs - */ - -#ifdef HAVE_CONFIG_H -#include -#define UIDL -#define XOVER -#define XDELE -#define DEBUG -#define RETURN_PATH_HANDLING -#endif - -/* Common include files */ - -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_PWD_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_IO_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_SYS_STAT_H -#include -#endif -#ifdef HAVE_SYS_FILE_H -#include -#endif -#ifdef TIME_WITH_SYS_TIME -#include -#include -#elif defined(HAVE_SYS_TIME_H) -#include -#else -#include -#endif -#ifdef HAVE_SYS_RESOURCE_H -#include -#endif -#ifdef HAVE_SYS_WAIT_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef HAVE_NETINET6_IN6_H -#include -#endif - -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#ifdef _AIX -struct sockaddr_dl; /* AIX fun */ -struct ether_addr; -#endif -#include -#endif -#ifdef HAVE_SYSLOG_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_SYS_PARAM_H -#include -#endif -#include "version.h" - -#ifdef SOCKS -#include -#endif - -#include -#include -#include - -#ifdef KRB4 -#include -#include -#endif -#ifdef KRB5 -#include -#endif - -#define MAXUSERNAMELEN 65 -#define MAXLINELEN 1024 -#define MAXMSGLINELEN 1024 -#define MAXCMDLEN 4 -#define MAXPARMCOUNT 10 -#define 
MAXPARMLEN 10 -#define ALLOC_MSGS 20 -#define MAIL_COMMAND "/usr/lib/sendmail" - -#define POP_FACILITY LOG_LOCAL0 -#define POP_PRIORITY LOG_NOTICE -#define POP_DEBUG LOG_DEBUG -#define POP_INFO LOG_INFO -#define POP_LOGOPTS 0 - -#ifdef HAVE_PATHS_H -#include -#endif -#ifdef HAVE_MAILLOCK_H -#include -#endif - -#ifdef OTP -#include -#endif - -#if defined(KRB4_MAILDIR) -#define POP_MAILDIR KRB4_MAILDIR -#elif defined(_PATH_MAILDIR) -#define POP_MAILDIR _PATH_MAILDIR -#elif defined(MAILDIR) -#define POP_MAILDIR MAILDIR -#else -#define POP_MAILDIR "/usr/spool/mail" -#endif - -#define POP_DROP POP_MAILDIR "/.%s.pop" - /* POP_TMPSIZE needs to be big enough to hold the string - * defined by POP_TMPDROP. POP_DROP and POP_TMPDROP - * must be in the same filesystem. - */ -#define POP_TMPDROP POP_MAILDIR "/tmpXXXXXX" -#define POP_TMPSIZE 256 -#define POP_TMPXMIT "/tmp/xmitXXXXXX" -#define POP_OK "+OK" -#define POP_ERR "-ERR" -#define POP_SUCCESS 1 -#define POP_FAILURE 0 -#define POP_TERMINATE '.' -#define POP_TIMEOUT 120 /* timeout connection after this many secs */ - -extern int pop_timeout; - -extern int hangup; - -#define AUTH_NONE 0 -#define AUTH_OTP 1 - -#define pop_command pop_parm[0] /* POP command is first token */ -#define pop_subcommand pop_parm[1] /* POP XTND subcommand is the - second token */ - -typedef enum { /* POP processing states */ - auth1, /* Authorization: waiting for - USER command */ - auth2, /* Authorization: waiting for - PASS command */ - trans, /* Transaction */ - update, /* Update: session ended, - process maildrop changes */ - halt, /* (Halt): stop processing - and exit */ - error /* (Error): something really - bad happened */ -} state; - - -#define DEL_FLAG 1 -#define RETR_FLAG 2 -#define NEW_FLAG 4 - -typedef struct { /* Message information */ - int number; /* Message number relative to - the beginning of list */ - long length; /* Length of message in - bytes */ - int lines; /* Number of (null-terminated) lines in the message */ - long offset; 
/* Offset from beginning of - file */ - unsigned flags; - -#if defined(UIDL) || defined(XOVER) - char *msg_id; /* The POP UIDL uniqueifier */ -#endif -#ifdef XOVER - char *subject; - char *from; - char *date; -#endif - char *name; -} MsgInfoList; - -#define IS_MAILDIR(P) ((P)->temp_drop[0] == '\0') - -typedef struct { /* POP parameter block */ - int debug; /* Debugging requested */ - char * myname; /* The name of this POP - daemon program */ - char myhost[MaxHostNameLen]; /* The name of our host - computer */ - char client[MaxHostNameLen]; /* Canonical name of client - computer */ - char ipaddr[MaxHostNameLen]; /* Dotted-notation format of - client IP address */ - unsigned short ipport; /* Client port for privileged - operations */ - char user[MAXUSERNAMELEN]; /* Name of the POP user */ - state CurrentState; /* The current POP operational state */ - MsgInfoList * mlp; /* Message information list */ - int msg_count; /* Number of messages in - the maildrop */ - int msgs_deleted; /* Number of messages flagged - for deletion */ - int last_msg; /* Last message touched by - the user */ - long bytes_deleted; /* Number of maildrop bytes - flagged for deletion */ - char drop_name[MAXPATHLEN]; /* The name of the user's - maildrop */ - char temp_drop[MAXPATHLEN]; /* The name of the user's - temporary maildrop */ - long drop_size; /* Size of the maildrop in - bytes */ - FILE * drop; /* (Temporary) mail drop */ - FILE * input; /* Input TCP/IP communication - stream */ - FILE * output; /* Output TCP/IP communication stream */ - FILE * trace; /* Debugging trace file */ - char * pop_parm[MAXPARMCOUNT]; /* Parse POP parameter list */ - int parm_count; /* Number of parameters in - parsed list */ - int kerberosp; /* Using KPOP? */ -#ifdef KRB4 - AUTH_DAT kdata; -#endif -#ifdef KRB5 - krb5_context context; - krb5_principal principal; /* principal auth as */ - krb5_log_facility* logf; -#endif - int version; /* 4 or 5? 
*/ - int auth_level; /* Dont allow cleartext */ -#ifdef OTP - OtpContext otp_ctx; /* OTP context */ -#endif - unsigned int flags; -#define POP_FLAG_CAPA 1 -} POP; - -typedef struct { /* State information for - each POP command */ - state ValidCurrentState; /* The operating state of - the command */ - char * command; /* The POP command */ - int min_parms; /* Minimum number of parms - for the command */ - int max_parms; /* Maximum number of parms - for the command */ - int (*function) (); /* The function that process - the command */ - state result[2]; /* The resulting state after - command processing */ -#define success_state result[0] /* State when a command - succeeds */ -} state_table; - -typedef struct { /* Table of extensions */ - char * subcommand; /* The POP XTND subcommand */ - int min_parms; /* Minimum number of parms for - the subcommand */ - int max_parms; /* Maximum number of parms for - the subcommand */ - int (*function) (); /* The function that processes - the subcommand */ -} xtnd_table; - -int pop_dele(POP *p); -int pop_dropcopy(POP *p, struct passwd *pwp); -int pop_dropinfo(POP *p); -int pop_init(POP *p,int argcount,char **argmessage); -int pop_last(POP *p); -int pop_list(POP *p); -int pop_parse(POP *p, char *buf); -int pop_pass(POP *p); -int pop_quit(POP *p); -int pop_rset(POP *p); -int pop_send(POP *p); -int pop_stat(POP *p); -int pop_updt(POP *p); -int pop_user(POP *p); -#ifdef UIDL -int pop_uidl(POP *p); -#endif -#ifdef XOVER -int pop_xover(POP *p); -#endif -#ifdef XDELE -int pop_xdele(POP *p); -#endif -int pop_help(POP *p); -state_table *pop_get_command(POP *p, char *mp); -void pop_lower(char *buf); - -int pop_log(POP *p, int stat, char *format, ...) -#ifdef __GNUC__ -__attribute__ ((format (printf, 3, 4))) -#endif -; - -int pop_msg(POP *p, int stat, char *format, ...) 
-#ifdef __GNUC__ -__attribute__ ((format (printf, 3, 4))) -#endif -; - -int pop_maildir_info (POP*); -int pop_maildir_open (POP*, MsgInfoList*); -int pop_maildir_update (POP*); - -int changeuser(POP*, struct passwd*); -void parse_header(MsgInfoList*, char*); -int add_missing_headers(POP*, MsgInfoList*); diff --git a/crypto/heimdal/appl/popper/version.h b/crypto/heimdal/appl/popper/version.h deleted file mode 100644 index 1b5d135cf46b..000000000000 --- a/crypto/heimdal/appl/popper/version.h +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright (c) 1989 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - * - * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n"; - * static char SccsId[] = "@(#)@(#)version.h 2.6 2.6 4/3/91"; - * - */ - -/* $Id: version.h,v 1.5 1997/08/08 22:50:13 assar Exp $ */ - -/* - * Current version of this POP implementation - */ - -#if 0 -#define VERSION krb4_version -#endif diff --git a/crypto/heimdal/appl/push/Makefile b/crypto/heimdal/appl/push/Makefile deleted file mode 100644 index da3d57b990a2..000000000000 --- a/crypto/heimdal/appl/push/Makefile +++ /dev/null 
@@ -1,725 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/push/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_hesiod) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - 
-#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_SCRIPTS = pfrom - -libexec_PROGRAMS = push - -push_SOURCES = push.c push_locl.h - -man_MANS = push.8 pfrom.1 - -CLEANFILES = pfrom - -EXTRA_DIST = pfrom.in $(man_MANS) - -LDADD = $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_hesiod) - -subdir = appl/push -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -libexec_PROGRAMS = push$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) - -am_push_OBJECTS = push.$(OBJEXT) -push_OBJECTS = $(am_push_OBJECTS) -push_LDADD = $(LDADD) -push_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#push_DEPENDENCIES = -push_LDFLAGS = -SCRIPTS = $(bin_SCRIPTS) - - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(push_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(push_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/push/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - 
-clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -push$(EXEEXT): $(push_OBJECTS) $(push_DEPENDENCIES) - @rm -f push$(EXEEXT) - $(LINK) $(push_LDFLAGS) $(push_OBJECTS) $(push_LDADD) $(LIBS) -binSCRIPT_INSTALL = $(INSTALL_SCRIPT) -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f $$d$$p; then \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " $(binSCRIPT_INSTALL) $$d$$p $(DESTDIR)$(bindir)/$$f"; \ - $(binSCRIPT_INSTALL) $$d$$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 
's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - 
inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binSCRIPTS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binSCRIPTS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binSCRIPTS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-libexecPROGRAMS install-man \ - install-man1 install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binSCRIPTS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: 
install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - 
-dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -pfrom: pfrom.in - sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@ - chmod +x $@ -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/push/pfrom.cat1 b/crypto/heimdal/appl/push/pfrom.cat1 deleted file mode 100644 index a9f31cd20e12..000000000000 --- a/crypto/heimdal/appl/push/pfrom.cat1 +++ /dev/null @@ -1,16 +0,0 @@ -PFROM(1) NetBSD Reference Manual PFROM(1) - -NNAAMMEE - ppffrroomm - fetch a list of the current mail via POP - -SSYYNNOOPPSSIISS - ppffrroomm [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--cc | ----ccoouunntt] - [----hheeaaddeerr] [--pp _p_o_r_t_-_s_p_e_c | ----ppoorrtt==_p_o_r_t_-_s_p_e_c] - -DDEESSCCRRIIPPTTIIOONN - ppffrroomm is a script that does push --from. - -SSEEEE AALLSSOO - push(8) - - HEIMDAL March 4, 2000 1 
diff --git a/crypto/heimdal/appl/push/push.cat8 b/crypto/heimdal/appl/push/push.cat8
deleted file mode 100644
index 7ddb72dcdc62..000000000000
--- a/crypto/heimdal/appl/push/push.cat8
+++ /dev/null
@@ -1,76 +0,0 @@ -PUSH(8) NetBSD System Manager's Manual PUSH(8) - -NNAAMMEE - ppuusshh - fetch mail via POP - -SSYYNNOOPPSSIISS - ppuusshh [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--ff | ----ffoorrkk] [--ll | - ----lleeaavvee] [----ffrroomm] [--cc | ----ccoouunntt] [----hheeaaddeerrss=_h_e_a_d_e_r_s] [--pp _p_o_r_t_-_s_p_e_c | - ----ppoorrtt=_p_o_r_t_-_s_p_e_c] _p_o_-_b_o_x _f_i_l_e_n_a_m_e - -DDEESSCCRRIIPPTTIIOONN - ppuusshh retrieves mail from the post office box _p_o_-_b_o_x, and stores the mail - in mbox format in _f_i_l_e_n_a_m_e. The _p_o_-_b_o_x can have any of the following - formats: - `hostname:username' - `po:hostname:username' - `username@hostname' - `po:username@hostname' - `hostname' - `po:username' - - If no username is specified, ppuusshh assumes that it's the same as on the - local machine; _h_o_s_t_n_a_m_e defaults to the value of the MAILHOST environment - variable. - - Supported options: - - --44, ----kkrrbb44 - use Kerberos 4 (if compiled with support for Kerberos 4) - - --55, ----kkrrbb55 - use Kerberos 5 (if compiled with support for Kerberos 5) - - --ff, ----ffoorrkk - fork before starting to delete messages - - --ll, ----lleeaavvee - don't delete fetched mail - - ----ffrroomm behave like from. - - --cc, ----ccoouunntt - first print how many messages and bytes there are. - - ----hheeaaddeerrss=_h_e_a_d_e_r_s - a list of comma-separated headers that should get printed. - - --pp _p_o_r_t_-_s_p_e_c, ----ppoorrtt=_p_o_r_t_-_s_p_e_c - use this port instead of the default `kpop' or `1109'. - - The default is to first try Kerberos 5 authentication and then, if that - fails, Kerberos 4. - -EENNVVIIRROONNMMEENNTT - MAILHOST - points to the post office, if no other hostname is specified. 
- -EEXXAAMMPPLLEESS - $ push cornfield:roosta ~/.emacs-mail-crash-box - - tries to fetch mail for the user _r_o_o_s_t_a from the post office at - ``cornfield'', and stores the mail in _~_/_._e_m_a_c_s_-_m_a_i_l_-_c_r_a_s_h_-_b_o_x (you are - using Gnus, aren't you?) - - $ push --from -5 havregryn - - tries to fetch FFrroomm:: lines for current user at post office ``havregryn'' - using Kerberos 5. - -SSEEEE AALLSSOO - from(1), pfrom(1), movemail(8), popper(8) - -HHIISSTTOORRYY - ppuusshh was written while waiting for mmoovveemmaaiill to finish getting the mail. - - HEIMDAL May 31, 1998 2 diff --git a/crypto/heimdal/appl/rcp/Makefile b/crypto/heimdal/appl/rcp/Makefile deleted file mode 100644 index 55cecb3028d8..000000000000 --- a/crypto/heimdal/appl/rcp/Makefile +++ /dev/null 
@@ -1,589 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/rcp/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = rcp - -rcp_SOURCES = rcp.c util.c - -LDADD = $(LIB_roken) -subdir = appl/rcp -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = rcp$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_rcp_OBJECTS = rcp.$(OBJEXT) util.$(OBJEXT) -rcp_OBJECTS = $(am_rcp_OBJECTS) -rcp_LDADD = $(LDADD) -rcp_DEPENDENCIES = -rcp_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(rcp_SOURCES) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(rcp_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/rcp/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 
's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -rcp$(EXEEXT): $(rcp_OBJECTS) $(rcp_DEPENDENCIES) - @rm -f rcp$(EXEEXT) - $(LINK) $(rcp_LDFLAGS) $(rcp_OBJECTS) $(rcp_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { 
files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is 
intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; 
\ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/rsh/Makefile b/crypto/heimdal/appl/rsh/Makefile deleted file mode 100644 index 06068f4737df..000000000000 --- a/crypto/heimdal/appl/rsh/Makefile +++ /dev/null 
@@ -1,782 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/rsh/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.17 2001/07/31 09:12:03 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../login - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - 
-#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = rsh - -man_MANS = rsh.1 rshd.8 - -libexec_PROGRAMS = rshd - -rsh_SOURCES = rsh.c common.c rsh_locl.h - -rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h - -LDADD = $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(LIB_kdfs) - -subdir = appl/rsh -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = rsh$(EXEEXT) -libexec_PROGRAMS = rshd$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) - -am_rsh_OBJECTS = rsh.$(OBJEXT) common.$(OBJEXT) -rsh_OBJECTS = $(am_rsh_OBJECTS) -rsh_LDADD = $(LDADD) -rsh_DEPENDENCIES = \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#rsh_DEPENDENCIES = -#rsh_DEPENDENCIES = \ -# $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -##rsh_DEPENDENCIES = \ -## $(top_builddir)/lib/kafs/libkafs.la -#rsh_DEPENDENCIES = \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la \ -# $(top_builddir)/lib/kdfs/libkdfs.la -##rsh_DEPENDENCIES = \ -## $(top_builddir)/lib/kdfs/libkdfs.la -##rsh_DEPENDENCIES = \ -## $(top_builddir)/lib/kafs/libkafs.la \ -## $(top_builddir)/lib/krb5/libkrb5.la \ -## $(top_builddir)/lib/asn1/libasn1.la \ -## $(top_builddir)/lib/kdfs/libkdfs.la -###rsh_DEPENDENCIES = \ -### $(top_builddir)/lib/kafs/libkafs.la \ -### $(top_builddir)/lib/kdfs/libkdfs.la -rsh_LDFLAGS = -am_rshd_OBJECTS = rshd.$(OBJEXT) common.$(OBJEXT) login_access.$(OBJEXT) -rshd_OBJECTS = $(am_rshd_OBJECTS) -rshd_LDADD = $(LDADD) -rshd_DEPENDENCIES = \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la 
-#rshd_DEPENDENCIES = -#rshd_DEPENDENCIES = \ -# $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -##rshd_DEPENDENCIES = \ -## $(top_builddir)/lib/kafs/libkafs.la -#rshd_DEPENDENCIES = \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la \ -# $(top_builddir)/lib/kdfs/libkdfs.la -##rshd_DEPENDENCIES = \ -## $(top_builddir)/lib/kdfs/libkdfs.la -##rshd_DEPENDENCIES = \ -## $(top_builddir)/lib/kafs/libkafs.la \ -## $(top_builddir)/lib/krb5/libkrb5.la \ -## $(top_builddir)/lib/asn1/libasn1.la \ -## $(top_builddir)/lib/kdfs/libkdfs.la -###rshd_DEPENDENCIES = \ -### $(top_builddir)/lib/kafs/libkafs.la \ -### $(top_builddir)/lib/kdfs/libkdfs.la -rshd_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(rsh_SOURCES) $(rshd_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(rsh_SOURCES) $(rshd_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/rsh/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - 
@$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p 
$$f ; \ - done -rsh$(EXEEXT): $(rsh_OBJECTS) $(rsh_DEPENDENCIES) - @rm -f rsh$(EXEEXT) - $(LINK) $(rsh_LDFLAGS) $(rsh_OBJECTS) $(rsh_LDADD) $(LIBS) -rshd$(EXEEXT): $(rshd_OBJECTS) $(rshd_DEPENDENCIES) - @rm -f rshd$(EXEEXT) - $(LINK) $(rshd_LDFLAGS) $(rshd_OBJECTS) $(rshd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f 
$(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; 
do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man1dir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo 
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am info \ - info-am install install-am install-binPROGRAMS install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man1 install-man8 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - 
uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \ - uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -login_access.c: - $(LN_S) $(srcdir)/../login/login_access.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/su/Makefile b/crypto/heimdal/appl/su/Makefile deleted file mode 100644 index f57d3c570001..000000000000 --- a/crypto/heimdal/appl/su/Makefile +++ /dev/null 
@@ -1,599 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/su/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.7 2001/08/28 08:31:22 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - 
-#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = su -bin_SUIDS = su -su_SOURCES = su.c - -LDADD = $(LIB_kafs) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -subdir = appl/su -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = su$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_su_OBJECTS = su.$(OBJEXT) -su_OBJECTS = $(am_su_OBJECTS) -su_LDADD = $(LDADD) -#su_DEPENDENCIES = $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -su_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -su_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(su_SOURCES) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(su_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/su/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 
's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES) - @rm -f su$(EXEEXT) - $(LINK) $(su_LDFLAGS) $(su_OBJECTS) $(su_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s 
$$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/telnet/Makefile b/crypto/heimdal/appl/telnet/Makefile deleted file mode 100644 index 3debc7a56942..000000000000 --- a/crypto/heimdal/appl/telnet/Makefile +++ /dev/null 
@@ -1,611 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/telnet/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -SUBDIRS = libtelnet telnet telnetd - -EXTRA_DIST = README.ORIG telnet.state -subdir = appl/telnet -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = - -RECURSIVE_TARGETS = info-recursive dvi-recursive install-info-recursive \ - uninstall-info-recursive all-recursive install-data-recursive \ - install-exec-recursive installdirs-recursive install-recursive \ - uninstall-recursive check-recursive installcheck-recursive -DIST_COMMON = ChangeLog Makefile.am Makefile.in -DIST_SUBDIRS = $(SUBDIRS) -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/telnet/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. 
-# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d $(distdir)/$$subdir \ - || mkdir $(distdir)/$$subdir \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" \ - distdir=../$(distdir)/$$subdir \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: - -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to 
rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -info: info-recursive - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) GTAGS all all-am all-local check check-am \ - check-local clean clean-generic clean-libtool clean-recursive \ - distclean distclean-generic distclean-libtool \ - distclean-recursive distclean-tags distdir dvi dvi-am \ - dvi-recursive info info-am info-recursive install install-am \ - install-data install-data-am install-data-local \ - install-data-recursive install-exec install-exec-am \ - install-exec-recursive install-info install-info-am \ - install-info-recursive install-man install-recursive \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am installdirs-recursive maintainer-clean \ - maintainer-clean-generic maintainer-clean-recursive mostlyclean \ - mostlyclean-generic mostlyclean-libtool mostlyclean-recursive \ - tags tags-recursive uninstall uninstall-am uninstall-info-am \ - uninstall-info-recursive uninstall-recursive - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -dist-hook: - $(mkinstalldirs) $(distdir)/arpa - $(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile b/crypto/heimdal/appl/telnet/libtelnet/Makefile deleted file mode 100644 index 90ade3e5f4f5..000000000000 --- a/crypto/heimdal/appl/telnet/libtelnet/Makefile +++ /dev/null 
@@ -1,580 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/telnet/libtelnet/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.9 2001/08/28 08:31:23 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. 
$(INCLUDE_krb4) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -noinst_LIBRARIES = libtelnet.a - -libtelnet_a_SOURCES = \ - auth-proto.h \ - auth.c \ - auth.h \ - enc-proto.h \ - enc_des.c \ - encrypt.c \ - encrypt.h \ - genget.c \ - kerberos.c \ - kerberos5.c \ - misc-proto.h \ - misc.c \ - misc.h - - -EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c -subdir = appl/telnet/libtelnet -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LIBRARIES = $(noinst_LIBRARIES) - -libtelnet_a_AR = $(AR) cru -libtelnet_a_LIBADD = -am_libtelnet_a_OBJECTS = auth.$(OBJEXT) enc_des.$(OBJEXT) \ - encrypt.$(OBJEXT) genget.$(OBJEXT) kerberos.$(OBJEXT) \ - kerberos5.$(OBJEXT) misc.$(OBJEXT) -libtelnet_a_OBJECTS = $(am_libtelnet_a_OBJECTS) - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = 
-I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libtelnet_a_SOURCES) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(libtelnet_a_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/telnet/libtelnet/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -AR = ar - -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) -libtelnet.a: $(libtelnet_a_OBJECTS) $(libtelnet_a_DEPENDENCIES) - -rm -f libtelnet.a - $(libtelnet_a_AR) libtelnet.a $(libtelnet_a_OBJECTS) $(libtelnet_a_LIBADD) - $(RANLIB) libtelnet.a - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else 
echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LIBRARIES) all-local - -installdirs: - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - 
-installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool clean-noinstLIBRARIES distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; 
else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - 
echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile b/crypto/heimdal/appl/telnet/telnet/Makefile deleted file mode 100644 index 7551baaa5f71..000000000000 --- a/crypto/heimdal/appl/telnet/telnet/Makefile +++ /dev/null 
@@ -1,661 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/telnet/telnet/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.16 2001/08/28 11:21:16 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. 
$(INCLUDE_krb4) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = telnet - -CHECK_LOCAL = - -telnet_SOURCES = authenc.c commands.c main.c network.c ring.c \ - sys_bsd.c telnet.c terminal.c \ - utilities.c defines.h externs.h ring.h telnet_locl.h types.h - - -man_MANS = telnet.1 - -LDADD = ../libtelnet/libtelnet.a \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_tgetent) \ - $(LIB_kdfs) \ - $(LIB_roken) - -subdir = appl/telnet/telnet -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = telnet$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_telnet_OBJECTS = authenc.$(OBJEXT) commands.$(OBJEXT) main.$(OBJEXT) \ - network.$(OBJEXT) ring.$(OBJEXT) sys_bsd.$(OBJEXT) \ - telnet.$(OBJEXT) terminal.$(OBJEXT) utilities.$(OBJEXT) 
-telnet_OBJECTS = $(am_telnet_OBJECTS) -telnet_LDADD = $(LDADD) -telnet_DEPENDENCIES = ../libtelnet/libtelnet.a \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#telnet_DEPENDENCIES = ../libtelnet/libtelnet.a -#telnet_DEPENDENCIES = ../libtelnet/libtelnet.a \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la \ -# $(top_builddir)/lib/kdfs/libkdfs.la -##telnet_DEPENDENCIES = ../libtelnet/libtelnet.a \ -## $(top_builddir)/lib/kdfs/libkdfs.la -telnet_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(telnet_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(telnet_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/telnet/telnet/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; 
\ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -telnet$(EXEEXT): $(telnet_OBJECTS) $(telnet_DEPENDENCIES) - @rm -f telnet$(EXEEXT) - $(LINK) $(telnet_LDFLAGS) $(telnet_OBJECTS) $(telnet_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - 
$(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - 
f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.cat1 b/crypto/heimdal/appl/telnet/telnet/telnet.cat1 deleted file mode 100644 index 5bf4a649f97b..000000000000 --- a/crypto/heimdal/appl/telnet/telnet/telnet.cat1 +++ /dev/null 
@@ -1,714 +0,0 @@ -TELNET(1) NetBSD Reference Manual TELNET(1) - -NNAAMMEE - tteellnneett - user interface to the TELNET protocol - -SSYYNNOOPPSSIISS - tteellnneett [--7788EEFFKKLLaaccddffrrxx] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--ee _e_s_c_a_p_e_c_h_a_r] [--kk _r_e_a_l_m] - [--ll _u_s_e_r] [--nn _t_r_a_c_e_f_i_l_e] [_h_o_s_t [port]] - -DDEESSCCRRIIPPTTIIOONN - The tteellnneett command is used to communicate with another host using the - TELNET protocol. If tteellnneett is invoked without the _h_o_s_t argument, it en- - ters command mode, indicated by its prompt (tteellnneett>>). In this mode, it - accepts and executes the commands listed below. If it is invoked with - arguments, it performs an ooppeenn command with those arguments. - - Options: - - --88 Specifies an 8-bit data path. This causes an attempt to negoti- - ate the TELNET BINARY option on both input and output. - - --77 Do not try to negotiate TELNET BINARY option. - - --EE Stops any character from being recognized as an escape character. - - --FF If Kerberos V5 authentication is being used, the --FF option allows - the local credentials to be forwarded to the remote system, in- - cluding any credentials that have already been forwarded into the - local environment. - - --KK Specifies no automatic login to the remote system. - - --LL Specifies an 8-bit data path on output. This causes the BINARY - option to be negotiated on output. - - --SS _t_o_s Sets the IP type-of-service (TOS) option for the telnet connec- - tion to the value _t_o_s, which can be a numeric TOS value or, on - systems that support it, a symbolic TOS name found in the - /etc/iptos file. - - --XX _a_t_y_p_e - Disables the _a_t_y_p_e type of authentication. - - --aa Attempt automatic login. Currently, this sends the user name via - the USER variable of the ENVIRON option if supported by the re- - mote system. 
The name used is that of the current user as re- - turned by getlogin(2) if it agrees with the current user ID, oth- - erwise it is the name associated with the user ID. - - --cc Disables the reading of the user's _._t_e_l_n_e_t_r_c file. (See the - ttooggggllee sskkiipprrcc command on this man page.) - - --dd Sets the initial value of the ddeebbuugg toggle to TRUE - - --ee _e_s_c_a_p_e _c_h_a_r - Sets the initial tteellnneett tteellnneett escape character to _e_s_c_a_p_e _c_h_a_r. - If _e_s_c_a_p_e _c_h_a_r is omitted, then there will be no escape charac- - ter. - - --ff If Kerberos V5 authentication is being used, the --ff option allows - the local credentials to be forwarded to the remote system. - - --kk _r_e_a_l_m - If Kerberos authentication is being used, the --kk option requests - that telnet obtain tickets for the remote host in realm realm in- - stead of the remote host's realm, as determined by - krb_realmofhost(3). - - --ll _u_s_e_r - When connecting to the remote system, if the remote system under- - stands the ENVIRON option, then _u_s_e_r will be sent to the remote - system as the value for the variable USER. This option implies - the --aa option. This option may also be used with the ooppeenn com- - mand. - - --nn _t_r_a_c_e_f_i_l_e - Opens _t_r_a_c_e_f_i_l_e for recording trace information. See the sseett - ttrraacceeffiillee command below. - - --rr Specifies a user interface similar to rlogin(1). In this mode, - the escape character is set to the tilde (~) character, unless - modified by the -e option. - - --xx Turn on encryption of the data stream. When this option is - turned on, will exit with an error if authentication cannot be - negotiated or if encryption cannot be turned on. - - _h_o_s_t Indicates the official name, an alias, or the Internet address of - a remote host. - - _p_o_r_t Indicates a port number (address of an application). If a number - is not specified, the default tteellnneett port is used. 
- - When in rlogin mode, a line of the form ~. disconnects from the remote - host; ~ is the telnet escape character. Similarly, the line ~^Z suspends - the telnet session. The line ~^] escapes to the normal telnet escape - prompt. - - Once a connection has been opened, tteellnneett will attempt to enable the - TELNET LINEMODE option. If this fails, then tteellnneett will revert to one of - two input modes: either ``character at a time'' or ``old line by line'' - depending on what the remote system supports. - - When LINEMODE is enabled, character processing is done on the local sys- - tem, under the control of the remote system. When input editing or char- - acter echoing is to be disabled, the remote system will relay that infor- - mation. The remote system will also relay changes to any special charac- - ters that happen on the remote system, so that they can take effect on - the local system. - - In ``character at a time'' mode, most text typed is immediately sent to - the remote host for processing. - - In ``old line by line'' mode, all text is echoed locally, and (normally) - only completed lines are sent to the remote host. The ``local echo char- - acter'' (initially ``^E'') may be used to turn off and on the local echo - (this would mostly be used to enter passwords without the password being - echoed). - - If the LINEMODE option is enabled, or if the llooccaallcchhaarrss toggle is TRUE - (the default for ``old line by line``; see below), the user's qquuiitt, iinnttrr, - and fflluusshh characters are trapped locally, and sent as TELNET protocol se- - quences to the remote side. 
If LINEMODE has ever been enabled, then the - user's ssuusspp and eeooff are also sent as TELNET protocol sequences, and qquuiitt - is sent as a TELNET ABORT instead of BREAK There are options (see ttooggggllee - aauuttoofflluusshh and ttooggggllee aauuttoossyynncchh below) which cause this action to flush - subsequent output to the terminal (until the remote host acknowledges the - TELNET sequence) and flush previous terminal input (in the case of qquuiitt - and iinnttrr). - - While connected to a remote host, tteellnneett command mode may be entered by - typing the tteellnneett ``escape character'' (initially ``^]''). When in com- - mand mode, the normal terminal editing conventions are available. - - The following tteellnneett commands are available. Only enough of each command - to uniquely identify it need be typed (this is also true for arguments to - the mmooddee, sseett, ttooggggllee, uunnsseett, ssllcc, eennvviirroonn, and ddiissppllaayy commands). - - aauutthh _a_r_g_u_m_e_n_t _._._. - The auth command manipulates the information sent through the - TELNET AUTHENTICATE option. Valid arguments for the auth com- - mand are as follows: - - ddiissaabbllee _t_y_p_e Disables the specified type of authentication. - To obtain a list of available types, use the - aauutthh ddiissaabbllee ?? command. - - eennaabbllee _t_y_p_e Enables the specified type of authentication. - To obtain a list of available types, use the - aauutthh eennaabbllee ?? command. - - ssttaattuuss Lists the current status of the various types of - authentication. - - cclloossee Close a TELNET session and return to command mode. - - ddiissppllaayy _a_r_g_u_m_e_n_t _._._. - Displays all, or some, of the sseett and ttooggggllee values (see be- - low). - - eennccrryypptt _a_r_g_u_m_e_n_t _._._. - The encrypt command manipulates the information sent through - the TELNET ENCRYPT option. 
- - Note: Because of export controls, the TELNET ENCRYPT option - is not supported outside of the United States and Canada. - - Valid arguments for the encrypt command are as follows: - - ddiissaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt] - Disables the specified type of encryption. If - you omit the input and output, both input and - output are disabled. To obtain a list of avail- - able types, use the eennccrryypptt ddiissaabbllee ?? command. - - eennaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt] - Enables the specified type of encryption. If - you omit input and output, both input and output - are enabled. To obtain a list of available - types, use the eennccrryypptt eennaabbllee ?? command. - - iinnppuutt This is the same as the eennccrryypptt ssttaarrtt iinnppuutt com- - mand. - - --iinnppuutt This is the same as the eennccrryypptt ssttoopp iinnppuutt com- - mand. - - oouuttppuutt This is the same as the eennccrryypptt ssttaarrtt oouuttppuutt - command. - - --oouuttppuutt This is the same as the eennccrryypptt ssttoopp oouuttppuutt com- - mand. - - ssttaarrtt [iinnppuutt | oouuttppuutt] - Attempts to start encryption. If you omit iinnppuutt - and oouuttppuutt, both input and output are enabled. - To obtain a list of available types, use the - eennccrryypptt eennaabbllee ?? command. - - ssttaattuuss Lists the current status of encryption. - - ssttoopp [iinnppuutt | oouuttppuutt] - Stops encryption. If you omit input and output, - encryption is on both input and output. - - ttyyppee _t_y_p_e Sets the default type of encryption to be used - with later eennccrryypptt ssttaarrtt or eennccrryypptt ssttoopp com- - mands. - - eennvviirroonn _a_r_g_u_m_e_n_t_s _._._. - The eennvviirroonn command is used to manipulate the the variables - that my be sent through the TELNET ENVIRON option. The ini- - tial set of variables is taken from the users environment, - with only the DISPLAY and PRINTER variables being exported by - default. 
The USER variable is also exported if the --aa or --ll - options are used. - - Valid arguments for the eennvviirroonn command are: - - ddeeffiinnee _v_a_r_i_a_b_l_e _v_a_l_u_e - Define the variable _v_a_r_i_a_b_l_e to have a value of - _v_a_l_u_e. Any variables defined by this command are - automatically exported. The _v_a_l_u_e may be enclosed - in single or double quotes so that tabs and spaces - may be included. - - uunnddeeffiinnee _v_a_r_i_a_b_l_e - Remove _v_a_r_i_a_b_l_e from the list of environment vari- - ables. - - eexxppoorrtt _v_a_r_i_a_b_l_e - Mark the variable _v_a_r_i_a_b_l_e to be exported to the - remote side. - - uunneexxppoorrtt _v_a_r_i_a_b_l_e - Mark the variable _v_a_r_i_a_b_l_e to not be exported un- - less explicitly asked for by the remote side. - - lliisstt List the current set of environment variables. - Those marked with a ** will be sent automatically, - other variables will only be sent if explicitly - requested. - - ?? Prints out help information for the eennvviirroonn com- - mand. - - llooggoouutt Sends the TELNET LOGOUT option to the remote side. This com- - mand is similar to a cclloossee command; however, if the remote - side does not support the LOGOUT option, nothing happens. If, - however, the remote side does support the LOGOUT option, this - command should cause the remote side to close the TELNET con- - nection. If the remote side also supports the concept of sus- - pending a user's session for later reattachment, the logout - argument indicates that you should terminate the session imme- - diately. - - mmooddee _t_y_p_e _T_y_p_e is one of several options, depending on the state of the - TELNET session. The remote host is asked for permission to go - into the requested mode. If the remote host is capable of en- - tering that mode, the requested mode will be entered. 
- - cchhaarraacctteerr Disable the TELNET LINEMODE option, or, if the - remote side does not understand the LINEMODE op- - tion, then enter ``character at a time`` mode. - - lliinnee Enable the TELNET LINEMODE option, or, if the - remote side does not understand the LINEMODE op- - tion, then attempt to enter ``old-line-by-line`` - mode. - - iissiigg (--iissiigg) Attempt to enable (disable) the TRAPSIG mode of - the LINEMODE option. This requires that the - LINEMODE option be enabled. - - eeddiitt (--eeddiitt) Attempt to enable (disable) the EDIT mode of the - LINEMODE option. This requires that the - LINEMODE option be enabled. - - ssooffttttaabbss (--ssooffttttaabbss) - Attempt to enable (disable) the SOFT_TAB mode of - the LINEMODE option. This requires that the - LINEMODE option be enabled. - - lliitteecchhoo (--lliitteecchhoo) - Attempt to enable (disable) the LIT_ECHO mode of - the LINEMODE option. This requires that the - LINEMODE option be enabled. - - ?? Prints out help information for the mmooddee com- - mand. - - ooppeenn _h_o_s_t [--ll _u_s_e_r] [[--]_p_o_r_t] - Open a connection to the named host. If no port number is - specified, tteellnneett will attempt to contact a TELNET server at - the default port. The host specification may be either a host - name (see hosts(5)) or an Internet address specified in the - ``dot notation'' (see inet(3)). The [--ll] option may be used - to specify the user name to be passed to the remote system via - the ENVIRON option. When connecting to a non-standard port, - tteellnneett omits any automatic initiation of TELNET options. When - the port number is preceded by a minus sign, the initial op- - tion negotiation is done. After establishing a connection, - the file _._t_e_l_n_e_t_r_c in the users home directory is opened. - Lines beginning with a # are comment lines. Blank lines are - ignored. Lines that begin without white space are the start - of a machine entry. 
The first thing on the line is the name - of the machine that is being connected to. The rest of the - line, and successive lines that begin with white space are as- - sumed to be tteellnneett commands and are processed as if they had - been typed in manually to the tteellnneett command prompt. - - qquuiitt Close any open TELNET session and exit tteellnneett. An end of file - (in command mode) will also close a session and exit. - - sseenndd _a_r_g_u_m_e_n_t_s - Sends one or more special character sequences to the remote - host. The following are the arguments which may be specified - (more than one argument may be specified at a time): - - aabboorrtt Sends the TELNET ABORT (Abort processes) sequence. - - aaoo Sends the TELNET AO (Abort Output) sequence, which - should cause the remote system to flush all output - _f_r_o_m the remote system _t_o the user's terminal. - - aayytt Sends the TELNET AYT (Are You There) sequence, to - which the remote system may or may not choose to re- - spond. - - bbrrkk Sends the TELNET BRK (Break) sequence, which may have - significance to the remote system. - - eecc Sends the TELNET EC (Erase Character) sequence, which - should cause the remote system to erase the last char- - acter entered. - - eell Sends the TELNET EL (Erase Line) sequence, which - should cause the remote system to erase the line cur- - rently being entered. - - eeooff Sends the TELNET EOF (End Of File) sequence. - - eeoorr Sends the TELNET EOR (End of Record) sequence. - - eessccaappee Sends the current tteellnneett escape character (initially - ``^''). - - ggaa Sends the TELNET GA (Go Ahead) sequence, which likely - has no significance to the remote system. - - ggeettssttaattuuss - If the remote side supports the TELNET STATUS command, - ggeettssttaattuuss will send the subnegotiation to request that - the server send its current option status. 
- - iipp Sends the TELNET IP (Interrupt Process) sequence, - which should cause the remote system to abort the cur- - rently running process. - - nnoopp Sends the TELNET NOP (No OPeration) sequence. - - ssuusspp Sends the TELNET SUSP (SUSPend process) sequence. - - ssyynncchh Sends the TELNET SYNCH sequence. This sequence causes - the remote system to discard all previously typed (but - not yet read) input. This sequence is sent as TCP ur- - gent data (and may not work if the remote system is a - 4.2BSD system -- if it doesn't work, a lower case - ``r'' may be echoed on the terminal). - - ddoo _c_m_d - - ddoonntt _c_m_d - - wwiillll _c_m_d - - wwoonntt _c_m_d - Sends the TELNET DO _c_m_d sequence. _C_m_d can be either a - decimal number between 0 and 255, or a symbolic name - for a specific TELNET command. _C_m_d can also be either - hheellpp or ?? to print out help information, including a - list of known symbolic names. - - ?? Prints out help information for the sseenndd command. - - sseett _a_r_g_u_m_e_n_t _v_a_l_u_e - - uunnsseett _a_r_g_u_m_e_n_t _v_a_l_u_e - The sseett command will set any one of a number of tteellnneett vari- - ables to a specific value or to TRUE. The special value ooffff - turns off the function associated with the variable, this is - equivalent to using the uunnsseett command. The uunnsseett command will - disable or set to FALSE any of the specified functions. The - values of variables may be interrogated with the ddiissppllaayy com- - mand. The variables which may be set or unset, but not tog- - gled, are listed here. In addition, any of the variables for - the ttooggggllee command may be explicitly set or unset using the - sseett and uunnsseett commands. - - aayytt If TELNET is in localchars mode, or LINEMODE is en- - abled, and the status character is typed, a TELNET AYT - sequence (see sseenndd aayytt preceding) is sent to the re- - mote host. The initial value for the "Are You There" - character is the terminal's status character. 
- - eecchhoo This is the value (initially ``^E'') which, when in - ``line by line'' mode, toggles between doing local - echoing of entered characters (for normal processing), - and suppressing echoing of entered characters (for en- - tering, say, a password). - - eeooff If tteellnneett is operating in LINEMODE or ``old line by - line'' mode, entering this character as the first - character on a line will cause this character to be - sent to the remote system. The initial value of the - eof character is taken to be the terminal's eeooff char- - acter. - - eerraassee If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss - below), aanndd if tteellnneett is operating in ``character at a - time'' mode, then when this character is typed, a - TELNET EC sequence (see sseenndd eecc above) is sent to the - remote system. The initial value for the erase char- - acter is taken to be the terminal's eerraassee character. - - eessccaappee This is the tteellnneett escape character (initially ``^['') - which causes entry into tteellnneett command mode (when con- - nected to a remote system). - - fflluusshhoouuttppuutt - If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss - below) and the fflluusshhoouuttppuutt character is typed, a - TELNET AO sequence (see sseenndd aaoo above) is sent to the - remote host. The initial value for the flush charac- - ter is taken to be the terminal's fflluusshh character. - - ffoorrww11 - - ffoorrww22 If TELNET is operating in LINEMODE, these are the - characters that, when typed, cause partial lines to be - forwarded to the remote system. The initial value for - the forwarding characters are taken from the termi- - nal's eol and eol2 characters. 
- - iinntteerrrruupptt - If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss - below) and the iinntteerrrruupptt character is typed, a TELNET - IP sequence (see sseenndd iipp above) is sent to the remote - host. The initial value for the interrupt character - is taken to be the terminal's iinnttrr character. - - kkiillll If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss - below), aanndd if tteellnneett is operating in ``character at a - time'' mode, then when this character is typed, a - TELNET EL sequence (see sseenndd eell above) is sent to the - remote system. The initial value for the kill charac- - ter is taken to be the terminal's kkiillll character. - - llnneexxtt If tteellnneett is operating in LINEMODE or ``old line by - line`` mode, then this character is taken to be the - terminal's llnneexxtt character. The initial value for the - lnext character is taken to be the terminal's llnneexxtt - character. - - qquuiitt If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss - below) and the qquuiitt character is typed, a TELNET BRK - sequence (see sseenndd bbrrkk above) is sent to the remote - host. The initial value for the quit character is - taken to be the terminal's qquuiitt character. - - rreepprriinntt - If tteellnneett is operating in LINEMODE or ``old line by - line`` mode, then this character is taken to be the - terminal's rreepprriinntt character. The initial value for - the reprint character is taken to be the terminal's - rreepprriinntt character. - - rrllooggiinn This is the rlogin escape character. If set, the nor- - mal TELNET escape character is ignored unless it is - preceded by this character at the beginning of a line. - This character, at the beginning of a line followed by - a "." closes the connection; when followed by a ^Z it - suspends the telnet command. The initial state is to - disable the rlogin escape character. 
- - ssttaarrtt If the TELNET TOGGLE-FLOW-CONTROL option has been en- - abled, then this character is taken to be the termi- - nal's ssttaarrtt character. The initial value for the kill - character is taken to be the terminal's ssttaarrtt charac- - ter. - - ssttoopp If the TELNET TOGGLE-FLOW-CONTROL option has been en- - abled, then this character is taken to be the termi- - nal's ssttoopp character. The initial value for the kill - character is taken to be the terminal's ssttoopp charac- - ter. - - ssuusspp If tteellnneett is in llooccaallcchhaarrss mode, or LINEMODE is en- - abled, and the ssuussppeenndd character is typed, a TELNET - SUSP sequence (see sseenndd ssuusspp above) is sent to the re- - mote host. The initial value for the suspend charac- - ter is taken to be the terminal's ssuussppeenndd character. - - ttrraacceeffiillee - This is the file to which the output, caused by - nneettddaattaa or ooppttiioonn tracing being TRUE, will be written. - If it is set to ``--'', then tracing information will - be written to standard output (the default). - - wwoorrddeerraassee - If tteellnneett is operating in LINEMODE or ``old line by - line`` mode, then this character is taken to be the - terminal's wwoorrddeerraassee character. The initial value for - the worderase character is taken to be the terminal's - wwoorrddeerraassee character. - - ?? Displays the legal sseett (uunnsseett) commands. - - ssllcc _s_t_a_t_e The ssllcc command (Set Local Characters) is used to set or - change the state of the the special characters when the TELNET - LINEMODE option has been enabled. Special characters are - characters that get mapped to TELNET commands sequences (like - iipp or qquuiitt) or line editing characters (like eerraassee and kkiillll). - By default, the local special characters are exported. - - cchheecckk Verify the current settings for the current spe- - cial characters. 
The remote side is requested to - send all the current special character settings, - and if there are any discrepancies with the local - side, the local side will switch to the remote - value. - - eexxppoorrtt Switch to the local defaults for the special char- - acters. The local default characters are those of - the local terminal at the time when tteellnneett was - started. - - iimmppoorrtt Switch to the remote defaults for the special - characters. The remote default characters are - those of the remote system at the time when the - TELNET connection was established. - - ?? Prints out help information for the ssllcc command. - - ssttaattuuss Show the current status of tteellnneett. This includes the peer one - is connected to, as well as the current mode. - - ttooggggllee _a_r_g_u_m_e_n_t_s _._._. - Toggle (between TRUE and FALSE) various flags that control how - tteellnneett responds to events. These flags may be set explicitly - to TRUE or FALSE using the sseett and uunnsseett commands listed - above. More than one argument may be specified. The state of - these flags may be interrogated with the ddiissppllaayy command. - Valid arguments are: - - aauutthhddeebbuugg Turns on debugging information for the authenti- - cation code. - - aauuttoofflluusshh If aauuttoofflluusshh and llooccaallcchhaarrss are both TRUE, then - when the aaoo, or qquuiitt characters are recognized - (and transformed into TELNET sequences; see sseett - above for details), tteellnneett refuses to display - any data on the user's terminal until the remote - system acknowledges (via a TELNET TIMING MARK - option) that it has processed those TELNET se- - quences. The initial value for this toggle is - TRUE if the terminal user had not done an "stty - noflsh", otherwise FALSE (see stty(1)). - - aauuttooddeeccrryypptt When the TELNET ENCRYPT option is negotiated, by - default the actual encryption (decryption) of - the data stream does not start automatically. 
- The autoencrypt (autodecrypt) command states - that encryption of the output (input) stream - should be enabled as soon as possible. - - Note: Because of export controls, the TELNET - ENCRYPT option is not supported outside the - United States and Canada. - - aauuttoollooggiinn If the remote side supports the TELNET - AUTHENTICATION option TELNET attempts to use it - to perform automatic authentication. If the - AUTHENTICATION option is not supported, the us- - er's login name are propagated through the - TELNET ENVIRON option. This command is the same - as specifying _a option on the ooppeenn command. - - aauuttoossyynncchh If aauuttoossyynncchh and llooccaallcchhaarrss are both TRUE, then - when either the iinnttrr or qquuiitt characters is typed - (see sseett above for descriptions of the iinnttrr and - qquuiitt characters), the resulting TELNET sequence - sent is followed by the TELNET SYNCH sequence. - This procedure sshhoouulldd cause the remote system to - begin throwing away all previously typed input - until both of the TELNET sequences have been - read and acted upon. The initial value of this - toggle is FALSE. - - bbiinnaarryy Enable or disable the TELNET BINARY option on - both input and output. - - iinnbbiinnaarryy Enable or disable the TELNET BINARY option on - input. - - oouuttbbiinnaarryy Enable or disable the TELNET BINARY option on - output. - - ccrrllff If this is TRUE, then carriage returns will be - sent as . If this is FALSE, then car- - riage returns will be send as . The - initial value for this toggle is FALSE. - - ccrrmmoodd Toggle carriage return mode. When this mode is - enabled, most carriage return characters re- - ceived from the remote host will be mapped into - a carriage return followed by a line feed. This - mode does not affect those characters typed by - the user, only those received from the remote - host. This mode is not very useful unless the - remote host only sends carriage return, but nev- - er line feed. 
The initial value for this toggle - is FALSE. - - ddeebbuugg Toggles socket level debugging (useful only to - the ssuuppeerr uusseerr). The initial value for this - toggle is FALSE. - - eennccddeebbuugg Turns on debugging information for the encryp- - tion code. - - llooccaallcchhaarrss If this is TRUE, then the fflluusshh, iinntteerrrruupptt, - qquuiitt, eerraassee, and kkiillll characters (see sseett above) - are recognized locally, and transformed into - (hopefully) appropriate TELNET control sequences - (respectively aaoo, iipp, bbrrkk, eecc, and eell; see sseenndd - above). The initial value for this toggle is - TRUE in ``old line by line'' mode, and FALSE in - ``character at a time'' mode. When the LINEMODE - option is enabled, the value of llooccaallcchhaarrss is - ignored, and assumed to always be TRUE. If - LINEMODE has ever been enabled, then qquuiitt is - sent as aabboorrtt, and eeooff and ssuussppeenndd are sent as - eeooff and ssuusspp, see sseenndd above). - - nneettddaattaa Toggles the display of all network data (in hex- - adecimal format). The initial value for this - toggle is FALSE. - - ooppttiioonnss Toggles the display of some internal tteellnneett pro- - tocol processing (having to do with TELNET op- - tions). The initial value for this toggle is - FALSE. - - pprreettttyydduummpp When the nneettddaattaa toggle is enabled, if - pprreettttyydduummpp is enabled the output from the - nneettddaattaa command will be formatted in a more user - readable format. Spaces are put between each - character in the output, and the beginning of - any TELNET escape sequence is preceded by a '*' - to aid in locating them. - - sskkiipprrcc When the skiprc toggle is TRUE, TELNET skips the - reading of the _._t_e_l_n_e_t_r_c file in the users home - directory when connections are opened. The ini- - tial value for this toggle is FALSE. - - tteerrmmddaattaa Toggles the display of all terminal data (in - hexadecimal format). 
The initial value for this - toggle is FALSE. - - vveerrbboossee__eennccrryypptt - When the vveerrbboossee__eennccrryypptt toggle is TRUE, TELNET - prints out a message each time encryption is en- - abled or disabled. The initial value for this - toggle is FALSE. Note: Because of export con- - trols, data encryption is not supported outside - of the United States and Canada. - - ?? Displays the legal ttooggggllee commands. - - zz Suspend tteellnneett. This command only works when the user is us- - ing the csh(1). - - !! [_c_o_m_m_a_n_d] - Execute a single command in a subshell on the local system. - If ccoommmmaanndd is omitted, then an interactive subshell is in- - voked. - - ?? [_c_o_m_m_a_n_d] - Get help. With no arguments, tteellnneett prints a help summary. - If a command is specified, tteellnneett will print the help informa- - tion for just that command. - -EENNVVIIRROONNMMEENNTT - TTeellnneett uses at least the HOME, SHELL, DISPLAY, and TERM environment vari- - ables. Other environment variables may be propagated to the other side - via the TELNET ENVIRON option. - -FFIILLEESS - ~/.telnetrc user customized telnet startup values - -HHIISSTTOORRYY - The TTeellnneett command appeared in 4.2BSD. - -NNOOTTEESS - On some remote systems, echo has to be turned off manually when in ``old - line by line'' mode. - - In ``old line by line'' mode or LINEMODE the terminal's eeooff character is - only recognized (and sent to the remote system) when it is the first - character on a line. - -4.2 Berkeley Distribution June 1, 1994 11 diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile b/crypto/heimdal/appl/telnet/telnetd/Makefile deleted file mode 100644 index ba4aa6c14b4d..000000000000 --- a/crypto/heimdal/appl/telnet/telnetd/Makefile +++ /dev/null 
@@ -1,665 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/telnet/telnetd/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.18 2001/08/28 11:21:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. 
$(INCLUDE_krb4) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -libexec_PROGRAMS = telnetd - -CHECK_LOCAL = - -telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c \ - utility.c global.c authenc.c defs.h ext.h telnetd.h - - -man_MANS = telnetd.8 - -LDADD = \ - ../libtelnet/libtelnet.a \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_tgetent) \ - $(LIB_logwtmp) \ - $(LIB_logout) \ - $(LIB_openpty) \ - $(LIB_kdfs) \ - $(LIB_roken) - -subdir = appl/telnet/telnetd -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -libexec_PROGRAMS = telnetd$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) - -am_telnetd_OBJECTS = telnetd.$(OBJEXT) state.$(OBJEXT) \ - termstat.$(OBJEXT) slc.$(OBJEXT) sys_term.$(OBJEXT) \ - utility.$(OBJEXT) global.$(OBJEXT) 
authenc.$(OBJEXT) -telnetd_OBJECTS = $(am_telnetd_OBJECTS) -telnetd_LDADD = $(LDADD) -telnetd_DEPENDENCIES = ../libtelnet/libtelnet.a \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#telnetd_DEPENDENCIES = ../libtelnet/libtelnet.a -#telnetd_DEPENDENCIES = ../libtelnet/libtelnet.a \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la \ -# $(top_builddir)/lib/kdfs/libkdfs.la -##telnetd_DEPENDENCIES = ../libtelnet/libtelnet.a \ -## $(top_builddir)/lib/kdfs/libkdfs.la -telnetd_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(telnetd_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(telnetd_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/telnet/telnetd/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" 
| sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -telnetd$(EXEEXT): $(telnetd_OBJECTS) $(telnetd_DEPENDENCIES) - @rm -f telnetd$(EXEEXT) - $(LINK) $(telnetd_LDFLAGS) $(telnetd_OBJECTS) $(telnetd_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed 
'$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man8 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ 
- for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; 
do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8 b/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8 deleted file mode 100644 index ce4c714fb85d..000000000000 --- a/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8 +++ /dev/null 
@@ -1,293 +0,0 @@ -TELNETD(8) NetBSD System Manager's Manual TELNETD(8) - -NNAAMMEE - tteellnneettdd - DARPA TELNET protocol server - -SSYYNNOOPPSSIISS - tteellnneettdd [--BBUUhhkkllnn] [--DD _d_e_b_u_g_m_o_d_e] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--aa _a_u_t_h_m_o_d_e] - [--rr_l_o_w_p_t_y_-_h_i_g_h_p_t_y] [--uu _l_e_n] [--ddeebbuugg] [--LL _/_b_i_n_/_l_o_g_i_n] [--yy] [_p_o_r_t] - -DDEESSCCRRIIPPTTIIOONN - The tteellnneettdd command is a server which supports the DARPA standard TELNET - virtual terminal protocol. TTeellnneettdd is normally invoked by the internet - server (see inetd(8)) for requests to connect to the TELNET port as indi- - cated by the _/_e_t_c_/_s_e_r_v_i_c_e_s file (see services(5)). The --ddeebbuugg option may - be used to start up tteellnneettdd manually, instead of through inetd(8). If - started up this way, _p_o_r_t may be specified to run tteellnneettdd on an alternate - TCP port number. - - The tteellnneettdd command accepts the following options: - - --aa _a_u_t_h_m_o_d_e This option may be used for specifying what mode should be - used for authentication. Note that this option is only use- - ful if tteellnneettdd has been compiled with support for the - AUTHENTICATION option. There are several valid values for - _a_u_t_h_m_o_d_e: - - debug Turns on authentication debugging code. - - user Only allow connections when the remote user can pro- - vide valid authentication information to identify the - remote user, and is allowed access to the specified - account without providing a password. - - valid Only allow connections when the remote user can pro- - vide valid authentication information to identify the - remote user. The login(1) command will provide any - additional user verification needed if the remote us- - er is not allowed automatic access to the specified - account. - - other Only allow connections that supply some authentica- - tion information. 
This option is currently not sup- - ported by any of the existing authentication mecha- - nisms, and is thus the same as specifying --aa vvaalliidd. - - otp Only allow authenticated connections (as with --aa - uusseerr) and also logins with one-time passwords (OTPs). - This option will call login with an option so that - only OTPs are accepted. The user can of course still - type secret information at the prompt. - - none This is the default state. Authentication informa- - tion is not required. If no or insufficient authen- - tication information is provided, then the login(1) - program will provide the necessary user verification. - - off This disables the authentication code. All user ver- - ification will happen through the login(1) program. - - --BB Ignored. - - --DD _d_e_b_u_g_m_o_d_e - This option may be used for debugging purposes. This allows - tteellnneettdd to print out debugging information to the connec- - tion, allowing the user to see what tteellnneettdd is doing. There - are several possible values for _d_e_b_u_g_m_o_d_e: - - ooppttiioonnss Prints information about the negotiation of TELNET - options. - - rreeppoorrtt Prints the ooppttiioonnss information, plus some addi- - tional information about what processing is going - on. - - nneettddaattaa Displays the data stream received by tteellnneettdd. - - ppttyyddaattaa Displays data written to the pty. - - eexxeerrcciissee Has not been implemented yet. - - --hh Disables the printing of host-specific information before - login has been completed. - - --kk - - --ll Ignored. - - --nn Disable TCP keep-alives. Normally tteellnneettdd enables the TCP - keep-alive mechanism to probe connections that have been - idle for some period of time to determine if the client is - still there, so that idle connections from machines that - have crashed or can no longer be reached may be cleaned up. - - --rr _l_o_w_p_t_y_-_h_i_g_h_p_t_y - This option is only enabled when tteellnneettdd is compiled for - UNICOS. 
It specifies an inclusive range of pseudo-terminal - devices to use. If the system has sysconf variable - _SC_CRAY_NPTY configured, the default pty search range is 0 - to _SC_CRAY_NPTY; otherwise, the default range is 0 to 128. - Either _l_o_w_p_t_y or _h_i_g_h_p_t_y may be omitted to allow changing - either end of the search range. If _l_o_w_p_t_y is omitted, the - - character is still required so that tteellnneettdd can differenti- - ate _h_i_g_h_p_t_y from _l_o_w_p_t_y. - - --SS _t_o_s - - --uu _l_e_n This option is used to specify the size of the field in the - utmp structure that holds the remote host name. If the re- - solved host name is longer than _l_e_n, the dotted decimal val- - ue will be used instead. This allows hosts with very long - host names that overflow this field to still be uniquely - identified. Specifying --uu00 indicates that only dotted deci- - mal addresses should be put into the _u_t_m_p file. - - --UU This option causes tteellnneettdd to refuse connections from ad- - dresses that cannot be mapped back into a symbolic name via - the gethostbyaddr(3) routine. - - --XX _a_u_t_h_t_y_p_e This option is only valid if tteellnneettdd has been built with - support for the authentication option. It disables the use - of _a_u_t_h_t_y_p_e authentication, and can be used to temporarily - disable a specific authentication type without having to re- - compile tteellnneettdd. - - --LL _p_a_t_h_n_a_m_e Specify pathname to an alternative login program. - - --yy Makes tteellnneettdd not warn when a user is trying to login with a - cleartext password. - - TTeellnneettdd operates by allocating a pseudo-terminal device (see pty(4)) for - a client, then creating a login process which has the slave side of the - pseudo-terminal as stdin, stdout and stderr. TTeellnneettdd manipulates the - master side of the pseudo-terminal, implementing the TELNET protocol and - passing characters between the remote client and the login process. 
- - When a TELNET session is started up, tteellnneettdd sends TELNET options to the - client side indicating a willingness to do the following TELNET options, - which are described in more detail below: - - DO AUTHENTICATION - WILL ENCRYPT - DO TERMINAL TYPE - DO TSPEED - DO XDISPLOC - DO NEW-ENVIRON - DO ENVIRON - WILL SUPPRESS GO AHEAD - DO ECHO - DO LINEMODE - DO NAWS - WILL STATUS - DO LFLOW - DO TIMING-MARK - - The pseudo-terminal allocated to the client is configured to operate in - ``cooked'' mode, and with XTABS and CRMOD enabled (see tty(4)). - - TTeellnneettdd has support for enabling locally the following TELNET options: - - WILL ECHO When the LINEMODE option is enabled, a WILL ECHO or - WONT ECHO will be sent to the client to indicate the - current state of terminal echoing. When terminal echo - is not desired, a WILL ECHO is sent to indicate that - telnetd will take care of echoing any data that needs - to be echoed to the terminal, and then nothing is - echoed. When terminal echo is desired, a WONT ECHO is - sent to indicate that telnetd will not be doing any - terminal echoing, so the client should do any terminal - echoing that is needed. - - WILL BINARY Indicates that the client is willing to send a 8 bits - of data, rather than the normal 7 bits of the Network - Virtual Terminal. - - WILL SGA Indicates that it will not be sending IAC GA, go - ahead, commands. - - WILL STATUS Indicates a willingness to send the client, upon re- - quest, of the current status of all TELNET options. - - WILL TIMING-MARK Whenever a DO TIMING-MARK command is received, it is - always responded to with a WILL TIMING-MARK - - WILL LOGOUT When a DO LOGOUT is received, a WILL LOGOUT is sent in - response, and the TELNET session is shut down. - - WILL ENCRYPT Only sent if tteellnneettdd is compiled with support for data - encryption, and indicates a willingness to decrypt the - data stream. 
- - TTeellnneettdd has support for enabling remotely the following TELNET options: - - DO BINARY Sent to indicate that telnetd is willing to receive an - 8 bit data stream. - - DO LFLOW Requests that the client handle flow control charac- - ters remotely. - - DO ECHO This is not really supported, but is sent to identify - a 4.2BSD telnet(1) client, which will improperly re- - spond with WILL ECHO. If a WILL ECHO is received, a - DONT ECHO will be sent in response. - - DO TERMINAL-TYPE Indicates a desire to be able to request the name of - the type of terminal that is attached to the client - side of the connection. - - DO SGA Indicates that it does not need to receive IAC GA, the - go ahead command. - - DO NAWS Requests that the client inform the server when the - window (display) size changes. - - DO TERMINAL-SPEED Indicates a desire to be able to request information - about the speed of the serial line to which the client - is attached. - - DO XDISPLOC Indicates a desire to be able to request the name of - the X windows display that is associated with the tel- - net client. - - DO NEW-ENVIRON Indicates a desire to be able to request environment - variable information, as described in RFC 1572. - - DO ENVIRON Indicates a desire to be able to request environment - variable information, as described in RFC 1408. - - DO LINEMODE Only sent if tteellnneettdd is compiled with support for - linemode, and requests that the client do line by line - processing. - - DO TIMING-MARK Only sent if tteellnneettdd is compiled with support for both - linemode and kludge linemode, and the client responded - with WONT LINEMODE. If the client responds with WILL - TM, the it is assumed that the client supports kludge - linemode. Note that the [--kk] option can be used to - disable this. - - DO AUTHENTICATION Only sent if tteellnneettdd is compiled with support for au- - thentication, and indicates a willingness to receive - authentication information for automatic login. 
- - DO ENCRYPT Only sent if tteellnneettdd is compiled with support for data - encryption, and indicates a willingness to decrypt the - data stream. - -FFIILLEESS - /etc/services - /etc/inittab (UNICOS systems only) - /etc/iptos (if supported) - -SSEEEE AALLSSOO - telnet(1), login(1) - -SSTTAANNDDAARRDDSS - RRFFCC--885544 TELNET PROTOCOL SPECIFICATION - RRFFCC--885555 TELNET OPTION SPECIFICATIONS - RRFFCC--885566 TELNET BINARY TRANSMISSION - RRFFCC--885577 TELNET ECHO OPTION - RRFFCC--885588 TELNET SUPPRESS GO AHEAD OPTION - RRFFCC--885599 TELNET STATUS OPTION - RRFFCC--886600 TELNET TIMING MARK OPTION - RRFFCC--886611 TELNET EXTENDED OPTIONS - LIST OPTION - RRFFCC--888855 TELNET END OF RECORD OPTION - RRFFCC--11007733 Telnet Window Size Option - RRFFCC--11007799 Telnet Terminal Speed Option - RRFFCC--11009911 Telnet Terminal-Type Option - RRFFCC--11009966 Telnet X Display Location Option - RRFFCC--11112233 Requirements for Internet Hosts -- Application and Support - RRFFCC--11118844 Telnet Linemode Option - RRFFCC--11337722 Telnet Remote Flow Control Option - RRFFCC--11441166 Telnet Authentication Option - RRFFCC--11441111 Telnet Authentication: Kerberos Version 4 - RRFFCC--11441122 Telnet Authentication: SPX - RRFFCC--11557711 Telnet Environment Option Interoperability Issues - RRFFCC--11557722 Telnet Environment Option - -BBUUGGSS - Some TELNET commands are only partially implemented. - - Because of bugs in the original 4.2 BSD telnet(1), tteellnneettdd performs some - dubious protocol exchanges to try to discover if the remote client is, in - fact, a 4.2 BSD telnet(1). - - Binary mode has no common interpretation except between similar operating - systems (Unix in this case). - - The terminal type name received from the remote client is converted to - lower case. - - TTeellnneettdd never sends TELNET IAC GA (go ahead) commands. - -4.2 Berkeley Distribution June 1, 1994 5 
diff --git a/crypto/heimdal/appl/test/Makefile b/crypto/heimdal/appl/test/Makefile
deleted file mode 100644
index af508b0d1702..000000000000
--- a/crypto/heimdal/appl/test/Makefile
+++ /dev/null
@@ -1,673 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/test/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \ - uu_server uu_client nt_gss_server nt_gss_client - - -tcp_client_SOURCES = tcp_client.c common.c test_locl.h - -tcp_server_SOURCES = tcp_server.c common.c test_locl.h - -gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \ - gss_common.h test_locl.h - - -gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \ - gss_common.h test_locl.h - - -uu_server_SOURCES = uu_server.c common.c test_locl.h - -uu_client_SOURCES = uu_client.c common.c test_locl.h - -gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD) - -gssapi_client_LDADD = $(gssapi_server_LDADD) - -nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c - -nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c - -nt_gss_client_LDADD = $(gssapi_server_LDADD) - -nt_gss_server_LDADD = $(nt_gss_client_LDADD) - -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -subdir = appl/test -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -noinst_PROGRAMS = tcp_client$(EXEEXT) tcp_server$(EXEEXT) \ - gssapi_server$(EXEEXT) gssapi_client$(EXEEXT) \ - uu_server$(EXEEXT) uu_client$(EXEEXT) nt_gss_server$(EXEEXT) \ - nt_gss_client$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -am_gssapi_client_OBJECTS = gssapi_client.$(OBJEXT) gss_common.$(OBJEXT) \ - common.$(OBJEXT) -gssapi_client_OBJECTS = $(am_gssapi_client_OBJECTS) -gssapi_client_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -gssapi_client_LDFLAGS = -am_gssapi_server_OBJECTS = 
gssapi_server.$(OBJEXT) gss_common.$(OBJEXT) \ - common.$(OBJEXT) -gssapi_server_OBJECTS = $(am_gssapi_server_OBJECTS) -gssapi_server_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -gssapi_server_LDFLAGS = -am_nt_gss_client_OBJECTS = nt_gss_client.$(OBJEXT) \ - nt_gss_common.$(OBJEXT) common.$(OBJEXT) -nt_gss_client_OBJECTS = $(am_nt_gss_client_OBJECTS) -nt_gss_client_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -nt_gss_client_LDFLAGS = -am_nt_gss_server_OBJECTS = nt_gss_server.$(OBJEXT) \ - nt_gss_common.$(OBJEXT) -nt_gss_server_OBJECTS = $(am_nt_gss_server_OBJECTS) -nt_gss_server_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -nt_gss_server_LDFLAGS = -am_tcp_client_OBJECTS = tcp_client.$(OBJEXT) common.$(OBJEXT) -tcp_client_OBJECTS = $(am_tcp_client_OBJECTS) -tcp_client_LDADD = $(LDADD) -tcp_client_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -tcp_client_LDFLAGS = -am_tcp_server_OBJECTS = tcp_server.$(OBJEXT) common.$(OBJEXT) -tcp_server_OBJECTS = $(am_tcp_server_OBJECTS) -tcp_server_LDADD = $(LDADD) -tcp_server_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -tcp_server_LDFLAGS = -am_uu_client_OBJECTS = uu_client.$(OBJEXT) common.$(OBJEXT) -uu_client_OBJECTS = $(am_uu_client_OBJECTS) -uu_client_LDADD = $(LDADD) -uu_client_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -uu_client_LDFLAGS = -am_uu_server_OBJECTS = uu_server.$(OBJEXT) common.$(OBJEXT) -uu_server_OBJECTS = $(am_uu_server_OBJECTS) -uu_server_LDADD = $(LDADD) -uu_server_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -uu_server_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H 
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) \ - $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) \ - $(tcp_client_SOURCES) $(tcp_server_SOURCES) \ - $(uu_client_SOURCES) $(uu_server_SOURCES) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) $(tcp_client_SOURCES) $(tcp_server_SOURCES) $(uu_client_SOURCES) $(uu_server_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/test/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -gssapi_client$(EXEEXT): $(gssapi_client_OBJECTS) $(gssapi_client_DEPENDENCIES) - @rm -f gssapi_client$(EXEEXT) - $(LINK) $(gssapi_client_LDFLAGS) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS) -gssapi_server$(EXEEXT): $(gssapi_server_OBJECTS) $(gssapi_server_DEPENDENCIES) - @rm -f gssapi_server$(EXEEXT) - $(LINK) $(gssapi_server_LDFLAGS) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) 
$(LIBS) -nt_gss_client$(EXEEXT): $(nt_gss_client_OBJECTS) $(nt_gss_client_DEPENDENCIES) - @rm -f nt_gss_client$(EXEEXT) - $(LINK) $(nt_gss_client_LDFLAGS) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS) -nt_gss_server$(EXEEXT): $(nt_gss_server_OBJECTS) $(nt_gss_server_DEPENDENCIES) - @rm -f nt_gss_server$(EXEEXT) - $(LINK) $(nt_gss_server_LDFLAGS) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS) -tcp_client$(EXEEXT): $(tcp_client_OBJECTS) $(tcp_client_DEPENDENCIES) - @rm -f tcp_client$(EXEEXT) - $(LINK) $(tcp_client_LDFLAGS) $(tcp_client_OBJECTS) $(tcp_client_LDADD) $(LIBS) -tcp_server$(EXEEXT): $(tcp_server_OBJECTS) $(tcp_server_DEPENDENCIES) - @rm -f tcp_server$(EXEEXT) - $(LINK) $(tcp_server_LDFLAGS) $(tcp_server_OBJECTS) $(tcp_server_LDADD) $(LIBS) -uu_client$(EXEEXT): $(uu_client_OBJECTS) $(uu_client_DEPENDENCIES) - @rm -f uu_client$(EXEEXT) - $(LINK) $(uu_client_LDFLAGS) $(uu_client_OBJECTS) $(uu_client_LDADD) $(LIBS) -uu_server$(EXEEXT): $(uu_server_OBJECTS) $(uu_server_DEPENDENCIES) - @rm -f uu_server$(EXEEXT) - $(LINK) $(uu_server_LDFLAGS) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ 
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) all-local - -installdirs: - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install 
-mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool clean-noinstPROGRAMS distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) 
$(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) 
foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/xnlock/ChangeLog b/crypto/heimdal/appl/xnlock/ChangeLog deleted file mode 100644 index 13863a3d549b..000000000000 --- a/crypto/heimdal/appl/xnlock/ChangeLog +++ /dev/null @@ -1,76 +0,0 @@ -2002-08-23 Assar Westerlund - - * xnlock.c: add --version as a special case - -2001-06-24 Assar Westerlund - - * xnlock.c (verify_krb5): remove unused variable - -2001-03-15 Johan Danielsson - - * xnlock.c: don't explicitly set the krb4 ticket file - -2000-12-31 Assar Westerlund - - * xnlock.c (main): handle krb5_init_context failure consistently - -2000-07-17 Johan Danielsson - - * Makefile.am: use conditional for X - -2000-04-09 Assar Westerlund - - * xnlock.c (verfiy_krb5): get the v4-realm from the v5-ticket and - not from the default one. - * xnlock.c (verify_krb5): add obtainting of v4 tickets. - -1999-11-17 Assar Westerlund - - * Makefile.am: only build when we have X11. 
From: Simon Josefsson - - -Thu Mar 18 11:21:44 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Wed Mar 17 23:35:51 1999 Assar Westerlund - - * xnlock.c (verify): use KRB_VERIFY_SECURE instead of 1 - -Tue Mar 16 22:29:14 1999 Assar Westerlund - - * xnlock.c: krb_verify_user_multiple -> krb_verify_user - -Thu Mar 11 14:59:20 1999 Johan Danielsson - - * xnlock.c: add some if-braces to keep gcc happy - -Sun Nov 22 10:36:45 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - -Wed Jul 8 01:37:37 1998 Assar Westerlund - - * xnlock.c (main): create place-holder ticket file with - open(O_EXCL | O_CREAT) instead of creat - -Sat Mar 28 12:53:46 1998 Assar Westerlund - - * Makefile.in (install, uninstall): transform the man page - -Tue Mar 24 05:20:34 1998 Assar Westerlund - - * xnlock.c: remove redundant preprocessor stuff - -Sat Mar 21 14:36:21 1998 Assar Westerlund - - * xnlock.c (init_words): recognize both `-p' and `-prog' - -Sat Feb 7 10:08:07 1998 Assar Westerlund - - * xnlock.c: Don't use REALM_SZ + 1, just REALM_SZ - -Sat Nov 29 04:58:19 1997 Johan Danielsson - - * xnlock.c: Make it build w/o krb4. - diff --git a/crypto/heimdal/appl/xnlock/Makefile b/crypto/heimdal/appl/xnlock/Makefile deleted file mode 100644 index 6276ea6baf02..000000000000 --- a/crypto/heimdal/appl/xnlock/Makefile +++ /dev/null 
@@ -1,659 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# appl/xnlock/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.15 2000/11/15 22:51:12 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = - -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = xnlock -#bin_PROGRAMS = - -man_MANS = xnlock.1 - -EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \ - nose.down nose.front nose.left.front nose.right.front - - -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS) - -subdir = appl/xnlock -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = xnlock$(EXEEXT) -#bin_PROGRAMS = -PROGRAMS = $(bin_PROGRAMS) - -xnlock_SOURCES = xnlock.c -xnlock_OBJECTS = xnlock.$(OBJEXT) -xnlock_LDADD = $(LDADD) -xnlock_DEPENDENCIES = \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -#xnlock_DEPENDENCIES = -#xnlock_DEPENDENCIES = \ -# $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -##xnlock_DEPENDENCIES = \ -## $(top_builddir)/lib/kafs/libkafs.la -xnlock_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = xnlock.c -MANS = $(man_MANS) -DIST_COMMON = README ChangeLog Makefile.am Makefile.in -SOURCES = xnlock.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/xnlock/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - 
f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -xnlock$(EXEEXT): $(xnlock_OBJECTS) $(xnlock_DEPENDENCIES) - @rm -f xnlock$(EXEEXT) - $(LINK) $(xnlock_LDFLAGS) $(xnlock_OBJECTS) $(xnlock_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f 
$(DESTDIR)$(man1dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - 
f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/xnlock/Makefile.am b/crypto/heimdal/appl/xnlock/Makefile.am deleted file mode 100644 index a8e6440a93cd..000000000000 --- a/crypto/heimdal/appl/xnlock/Makefile.am +++ /dev/null @@ -1,30 +0,0 @@ -# $Id: Makefile.am,v 1.15 2000/11/15 22:51:12 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS) - -WFLAGS += $(WFLAGS_NOIMPLICITINT) - -if HAVE_X - -bin_PROGRAMS = xnlock - -else - -bin_PROGRAMS = - -endif - -man_MANS = xnlock.1 - -EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \ - nose.down nose.front nose.left.front nose.right.front - -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS) diff --git a/crypto/heimdal/appl/xnlock/Makefile.in b/crypto/heimdal/appl/xnlock/Makefile.in deleted file mode 100644 index 9ea65a786e75..000000000000 --- a/crypto/heimdal/appl/xnlock/Makefile.in +++ /dev/null 
@@ -1,659 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.15 2000/11/15 22:51:12 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = 
@VOID_RETSIGTYPE@ - -WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS) - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = 
$(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -@HAVE_X_TRUE@bin_PROGRAMS = xnlock -@HAVE_X_FALSE@bin_PROGRAMS = - -man_MANS = xnlock.1 - -EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \ - nose.down nose.front nose.left.front nose.right.front - - -LDADD = \ - $(LIB_kafs) \ - $(LIB_krb5) \ - $(LIB_krb4) \ - $(LIB_des) \ - $(LIB_roken) \ - $(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS) - -subdir = appl/xnlock -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -@HAVE_X_TRUE@bin_PROGRAMS = xnlock$(EXEEXT) -@HAVE_X_FALSE@bin_PROGRAMS = -PROGRAMS = $(bin_PROGRAMS) - -xnlock_SOURCES = xnlock.c -xnlock_OBJECTS = xnlock.$(OBJEXT) -xnlock_LDADD = $(LDADD) -@KRB4_FALSE@@KRB5_TRUE@xnlock_DEPENDENCIES = \ -@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB4_FALSE@@KRB5_FALSE@xnlock_DEPENDENCIES = -@KRB4_TRUE@@KRB5_TRUE@xnlock_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@KRB4_TRUE@@KRB5_FALSE@xnlock_DEPENDENCIES = \ -@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la -xnlock_LDFLAGS = - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = xnlock.c -MANS = $(man_MANS) -DIST_COMMON = README ChangeLog Makefile.am Makefile.in -SOURCES = xnlock.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign appl/xnlock/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; 
for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -xnlock$(EXEEXT): $(xnlock_OBJECTS) $(xnlock_DEPENDENCIES) - @rm -f xnlock$(EXEEXT) - $(LINK) $(xnlock_LDFLAGS) $(xnlock_OBJECTS) $(xnlock_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f 
$(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-binPROGRAMS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-info-am \ - uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - 
f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/appl/xnlock/README b/crypto/heimdal/appl/xnlock/README deleted file mode 100644 index 5b16c522fd6b..000000000000 --- a/crypto/heimdal/appl/xnlock/README +++ /dev/null 
@@ -1,21 +0,0 @@ -xnlock -- Dan Heller, 1990 -"nlock" is a "new lockscreen" type program... something that prevents -screen burnout by making most of it "black" while providing something -of interest to be displayed in case anyone is watching. The program -also provides added security. - -"xnlock" is the X11 version of the program. - -Original sunview version written by Dan Heller 1985 (not included). - -For a real description of how this program works, read the -man page or just try running it. - -The one major outstanding bug with this program is that every -once in a while, two horizontal lines appear below the little -figure that runs around the screen. If someone can find and -fix this bug, *please* let me know -- I don't have time to -look and if I waited till I had time, you'd never see this -program... It has something to do with the "looking down" -position and then directly moving up and right or left... - diff --git a/crypto/heimdal/appl/xnlock/nose.0.left b/crypto/heimdal/appl/xnlock/nose.0.left deleted file mode 100644 index cb3d152863a0..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.0.left +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_0_left_width 64 -#define nose_0_left_height 64 -static unsigned char nose_0_left_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00, - 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00, - 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00, - 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00, - 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00, - 0x18,0x00,0x20,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x40,0x00,0x80,0x00,0x00, - 0x00,0x08,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x00,0x01,0x20,0x00, - 0x00,0x00,0x04,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x06,0x00,0x00,0xf8,0x07, - 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0x01,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00, - 0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xc0,0x00,0x03,0x03,0x10,0x00,0x00, - 
0x00,0x30,0x00,0x0c,0x01,0x20,0x00,0x00,0x00,0x08,0x00,0x98,0x00,0x20,0x00, - 0x00,0x00,0x0c,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20, - 0x00,0x00,0x00,0x42,0x00,0x80,0x00,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01, - 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00, - 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x01,0x00, - 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00, - 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00, - 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/nose.0.right b/crypto/heimdal/appl/xnlock/nose.0.right deleted file mode 100644 index f387baa7304f..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.0.right +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_0_right_width 64 -#define nose_0_right_height 64 -static unsigned char nose_0_right_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20, - 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00, - 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00, - 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f, - 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c, - 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00, - 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00, - 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x18,0x00,0x00,0x80,0x00, - 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00, - 0x01,0x00,0x02,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x20,0x00,0x00, - 0x00,0x04,0x80,0x00,0x00,0x60,0x00,0x00,0x00,0x18,0x60,0x00,0x00,0x40,0x00, - 0x00,0x00,0xe0,0x1f,0x00,0x00,0x80,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00, - 0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0xc0,0xc0,0x00,0x03,0x00, - 
0x00,0x00,0x04,0x80,0x30,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x19,0x00,0x10, - 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x30,0x00,0x00,0x00,0x04,0x00,0x03,0x00, - 0x43,0x00,0x00,0x00,0x04,0x00,0x01,0x00,0x42,0x00,0x00,0x00,0x04,0x80,0x00, - 0x00,0x84,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00, - 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00, - 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00, - 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00, - 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/nose.1.left b/crypto/heimdal/appl/xnlock/nose.1.left deleted file mode 100644 index 8a6b82952612..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.1.left +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_1_left_width 64 -#define nose_1_left_height 64 -static unsigned char nose_1_left_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00, - 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00, - 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00, - 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00, - 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00, - 0x18,0x00,0x10,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x20,0x00,0x80,0x00,0x00, - 0x00,0x08,0x00,0x40,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x80,0x00,0x20,0x00, - 0x00,0x00,0xe4,0x00,0x00,0x03,0x18,0x00,0x00,0x00,0x26,0x03,0x00,0xfc,0x07, - 0x00,0x00,0x00,0x12,0x0c,0x00,0x00,0xf8,0xff,0xff,0xff,0x11,0x10,0x80,0x1f, - 0x00,0x00,0x00,0x00,0x08,0x20,0x60,0x60,0xc0,0x07,0x00,0x00,0x04,0x40,0x10, - 0xc0,0x20,0x08,0x00,0x1f,0x02,0x40,0x08,0x00,0x21,0x10,0xc0,0x60,0x02,0x40, - 
0x04,0x00,0x12,0x20,0x20,0x80,0x02,0x20,0xc2,0x00,0x14,0x40,0x18,0x00,0x03, - 0x20,0x22,0x00,0x0c,0x80,0x04,0x03,0x02,0x10,0x12,0x00,0x08,0x80,0x86,0x00, - 0x04,0x10,0x12,0x00,0x10,0x80,0x42,0x00,0x18,0x08,0x12,0x00,0x10,0x40,0x42, - 0x00,0x00,0x04,0x02,0x00,0x20,0x40,0x42,0x00,0x00,0x04,0x02,0x00,0x00,0x20, - 0x42,0x00,0x00,0x02,0x04,0x00,0x00,0x20,0x02,0x00,0x00,0x01,0x04,0x00,0x00, - 0x20,0x02,0x00,0x00,0x01,0x08,0x00,0x00,0x20,0x04,0x00,0x80,0x00,0x10,0x00, - 0x00,0x20,0x0c,0x00,0x80,0x00,0x60,0x00,0x00,0x10,0x08,0x00,0x40,0x00,0x80, - 0xff,0xff,0x0f,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0x0f,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/nose.1.right b/crypto/heimdal/appl/xnlock/nose.1.right deleted file mode 100644 index f7c8962c0262..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.1.right +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_1_right_width 64 -#define nose_1_right_height 64 -static unsigned char nose_1_right_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20, - 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00, - 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00, - 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f, - 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c, - 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00, - 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00, - 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00, - 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08, - 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00, - 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10, - 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00, - 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x18,0x00,0x00,0x80,0x00, - 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x08,0x00,0x10,0x00,0x00,0x00, - 0x01,0x00,0x04,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x02,0x00,0x27,0x00,0x00, - 0x00,0x04,0x00,0x01,0xc0,0x64,0x00,0x00,0x00,0x18,0xc0,0x00,0x30,0x48,0x00, - 0x00,0x00,0xe0,0x3f,0x00,0x08,0x88,0xff,0xff,0xff,0x1f,0x00,0x00,0x04,0x10, - 0x00,0x00,0x00,0x00,0xf8,0x01,0x02,0x20,0x00,0x00,0xe0,0x03,0x06,0x06,0x02, - 0x40,0xf8,0x00,0x10,0x04,0x03,0x08,0x02,0x40,0x06,0x03,0x08,0x84,0x00,0x10, - 
0x04,0x40,0x01,0x04,0x04,0x48,0x00,0x20,0x04,0xc0,0x00,0x18,0x02,0x28,0x00, - 0x43,0x08,0x40,0xc0,0x20,0x01,0x30,0x00,0x44,0x08,0x20,0x00,0x61,0x01,0x10, - 0x00,0x48,0x10,0x18,0x00,0x42,0x01,0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02, - 0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02,0x04,0x00,0x40,0x40,0x00,0x00,0x42, - 0x04,0x00,0x00,0x40,0x80,0x00,0x00,0x40,0x04,0x00,0x00,0x20,0x80,0x00,0x00, - 0x40,0x04,0x00,0x00,0x20,0x00,0x01,0x00,0x20,0x04,0x00,0x00,0x10,0x00,0x01, - 0x00,0x30,0x04,0x00,0x00,0x08,0x00,0x02,0x00,0x10,0x08,0x00,0x00,0x06,0x00, - 0x0c,0x00,0x0c,0xf0,0xff,0xff,0x01,0x00,0xf0,0xff,0x03,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/nose.down b/crypto/heimdal/appl/xnlock/nose.down deleted file mode 100644 index e8bdba4f45b6..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.down +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_down_width 64 -#define nose_down_height 64 -static unsigned char nose_down_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0xfc,0xff,0x01,0x00,0x00,0x00,0x00,0xc0,0x03,0x00,0x1e,0x00, - 0x00,0x00,0x00,0x38,0x00,0x00,0xe0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00, - 0x03,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x40,0x00,0x00,0x00, - 0x00,0x08,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x10,0x00,0x80, - 0x1f,0x00,0x40,0x00,0x00,0x08,0x00,0x60,0x60,0x00,0x80,0x00,0x00,0x08,0x00, - 0x10,0x80,0x00,0x80,0x00,0x00,0x04,0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x04, - 0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x02,0x00,0x18,0x80,0x01,0x00,0x02,0x00, - 0x02,0x00,0x68,0x60,0x01,0x00,0x02,0x00,0x02,0x00,0x88,0x1f,0x01,0x00,0x02, - 0x00,0x02,0x00,0x08,0x00,0x01,0x00,0x02,0x00,0x02,0x00,0x10,0x80,0x00,0x00, - 0x03,0x00,0x06,0x00,0x60,0x60,0x00,0x80,0x02,0x00,0x0c,0x00,0x80,0x1f,0x00, - 0x40,0x01,0x00,0x14,0x00,0x00,0x00,0x00,0x20,0x01,0x00,0x28,0x00,0x00,0x00, - 0x00,0x90,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0xa0,0x01,0x00, - 0x00,0x00,0x26,0x00,0x00,0x40,0x1e,0x00,0x00,0xc0,0x11,0x00,0x00,0x80,0xe1, - 0x03,0x00,0x3c,0x0c,0x00,0x00,0x00,0x0e,0xfc,0xff,0x83,0x03,0x00,0x00,0x00, - 0xf0,0x01,0x00,0x78,0x00,0x00,0x00,0x00,0x00,0xfe,0xff,0x0f,0x00,0x00,0x00, - 0x00,0x80,0x03,0x00,0x0c,0x00,0x00,0x00,0x00,0x80,0x02,0x00,0x14,0x00,0x00, - 
0x00,0x00,0x60,0x04,0x00,0x12,0x00,0x00,0xc0,0x7f,0x10,0x04,0x00,0x22,0xe0, - 0x01,0x70,0xc0,0x18,0x08,0x00,0x61,0x1c,0x06,0x10,0x00,0x0f,0x30,0xc0,0x80, - 0x07,0x08,0x08,0x00,0x06,0xc0,0x3f,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x02, - 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80, - 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00, - 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00, - 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84, - 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08, - 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff, - 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/nose.front b/crypto/heimdal/appl/xnlock/nose.front deleted file mode 100644 index 64b82015c6a7..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.front +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_front_width 64 -#define nose_front_height 64 -static unsigned char nose_front_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0xc0,0x1f,0x00,0x20,0x00,0x00,0x08,0x00,0x30,0x60,0x00,0x20,0x00, - 0x00,0xf8,0xff,0x0f,0x80,0xff,0x3f,0x00,0x00,0x00,0x02,0x02,0x00,0x82,0x00, - 0x00,0x00,0x00,0x03,0x01,0x00,0x84,0x01,0x00,0x00,0x00,0x81,0x00,0x00,0x08, - 0x01,0x00,0x00,0x80,0x80,0x00,0x00,0x08,0x02,0x00,0x00,0x80,0x40,0x00,0x00, - 0x10,0x02,0x00,0x00,0x40,0x40,0x00,0x00,0x10,0x04,0x00,0x00,0x40,0x20,0x00, - 0x00,0x20,0x04,0x00,0x00,0x60,0x20,0x00,0x00,0x20,0x0c,0x00,0x00,0x20,0x20, - 0x00,0x00,0x20,0x08,0x00,0x00,0x20,0x20,0x00,0x00,0x20,0x08,0x00,0x00,0x10, - 0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00, - 0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00, - 0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10, - 0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10,0x00,0x00,0x30,0x00,0x01,0x00,0x04, - 0x18,0x00,0x00,0x20,0x00,0x02,0x00,0x02,0x08,0x00,0x00,0x20,0x00,0x0c,0x80, - 0x01,0x08,0x00,0x00,0x60,0x00,0x30,0x60,0x00,0x0c,0x00,0x00,0x40,0x00,0xc0, - 0x1f,0x00,0x04,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x0f,0xc0,0x0f,0x00,0x00,0x00, - 0x00,0x40,0x10,0x20,0x10,0x00,0x00,0x00,0x00,0x20,0x60,0x30,0x20,0x00,0x00, - 
0x00,0x00,0x20,0xc0,0x18,0x20,0x00,0x00,0xc0,0x7f,0x10,0x80,0x0d,0x40,0xe0, - 0x01,0x70,0xc0,0x18,0x00,0x05,0x40,0x1c,0x06,0x10,0x00,0x0f,0x00,0x05,0x80, - 0x07,0x08,0x08,0x00,0x06,0x00,0x05,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x05, - 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80, - 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00, - 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00, - 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84, - 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08, - 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff, - 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/nose.left.front b/crypto/heimdal/appl/xnlock/nose.left.front deleted file mode 100644 index 3a871eaaa150..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.left.front +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_left_front_width 64 -#define nose_left_front_height 64 -static unsigned char nose_left_front_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00, - 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40, - 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00, - 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00, - 0x08,0x00,0xe0,0x0f,0x00,0x20,0x00,0x00,0x08,0x00,0x18,0x30,0x00,0x20,0x00, - 0x00,0xf8,0xff,0x07,0xc0,0xff,0x3f,0x00,0x00,0x00,0x02,0x01,0x00,0x81,0x00, - 0x00,0x00,0x00,0x83,0x00,0x00,0x82,0x01,0x00,0x00,0x00,0x41,0x00,0x00,0x04, - 0x01,0x00,0x00,0x80,0x40,0x00,0x00,0x04,0x02,0x00,0x00,0x80,0x20,0x00,0x00, - 0x08,0x02,0x00,0x00,0x40,0x20,0x00,0x00,0x08,0x04,0x00,0x00,0x40,0x10,0x00, - 0x00,0x10,0x04,0x00,0x00,0x60,0x10,0x00,0x00,0x10,0x0c,0x00,0x00,0x20,0x10, - 0x00,0x00,0x10,0x08,0x00,0x00,0x30,0x10,0x00,0x00,0x10,0x08,0x00,0x00,0x10, - 0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00, - 0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00, - 0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x04,0x10, - 0x00,0x00,0x30,0x40,0x00,0x00,0x04,0x10,0x00,0x00,0x20,0x80,0x00,0x00,0x02, - 0x18,0x00,0x00,0x20,0x00,0x01,0x00,0x01,0x08,0x00,0x00,0x60,0x00,0x06,0xc0, - 0x00,0x08,0x00,0x00,0x80,0x00,0x18,0x30,0x00,0x0c,0x00,0x00,0x80,0x00,0xe0, - 0x0f,0x00,0x04,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00, - 
0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xe0,0x00,0x07,0x02,0x10,0x00,0x00, - 0x00,0x30,0x00,0x8c,0x01,0x20,0x00,0x00,0x00,0x0c,0x00,0x90,0x00,0x20,0x00, - 0x00,0x00,0x04,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20, - 0x00,0x00,0x00,0x42,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x02, - 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x06,0x20,0x00,0x00,0x00,0x21,0x00,0x00, - 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x03,0x00, - 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00, - 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00, - 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/nose.right.front b/crypto/heimdal/appl/xnlock/nose.right.front deleted file mode 100644 index f8214174e87c..000000000000 --- a/crypto/heimdal/appl/xnlock/nose.right.front +++ /dev/null 
@@ -1,38 +0,0 @@ -#define nose_right_front_width 64 -#define nose_right_front_height 64 -static unsigned char nose_right_front_bits[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00, - 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20, - 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00, - 0x04,0x00,0xf0,0x07,0x00,0x10,0x00,0x00,0x04,0x00,0x0c,0x18,0x00,0x10,0x00, - 0x00,0xfc,0xff,0x03,0xe0,0xff,0x1f,0x00,0x00,0x00,0x81,0x00,0x80,0x40,0x00, - 0x00,0x00,0x80,0x41,0x00,0x00,0xc1,0x00,0x00,0x00,0x80,0x20,0x00,0x00,0x82, - 0x00,0x00,0x00,0x40,0x20,0x00,0x00,0x02,0x01,0x00,0x00,0x40,0x10,0x00,0x00, - 0x04,0x01,0x00,0x00,0x20,0x10,0x00,0x00,0x04,0x02,0x00,0x00,0x20,0x08,0x00, - 0x00,0x08,0x02,0x00,0x00,0x30,0x08,0x00,0x00,0x08,0x06,0x00,0x00,0x10,0x08, - 0x00,0x00,0x08,0x04,0x00,0x00,0x10,0x08,0x00,0x00,0x08,0x0c,0x00,0x00,0x08, - 0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00, - 0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00, - 0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x08, - 0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x0c,0x00,0x00,0x18,0x40,0x00,0x00,0x01, - 0x04,0x00,0x00,0x10,0x80,0x00,0x80,0x00,0x04,0x00,0x00,0x10,0x00,0x03,0x60, - 0x00,0x06,0x00,0x00,0x30,0x00,0x0c,0x18,0x00,0x01,0x00,0x00,0x20,0x00,0xf0, - 0x07,0x00,0x01,0x00,0x00,0x60,0x00,0x00,0x00,0x80,0x01,0x00,0x00,0x40,0x00, - 0x00,0x00,0x80,0x00,0x00,0x00,0x80,0xff,0xff,0xff,0x7f,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00, - 
0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0x40,0xe0,0x00,0x07,0x00, - 0x00,0x00,0x04,0x80,0x31,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x09,0x00,0x30, - 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x20,0x00,0x00,0x00,0x04,0x00,0x03,0x00, - 0x43,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x42,0x00,0x00,0x00,0x04,0x40,0x00, - 0x00,0x84,0x00,0x00,0x00,0x04,0x60,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00, - 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02, - 0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00, - 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00, - 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00, - 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00}; diff --git a/crypto/heimdal/appl/xnlock/xnlock.1 b/crypto/heimdal/appl/xnlock/xnlock.1 deleted file mode 100644 index c62417d06228..000000000000 --- a/crypto/heimdal/appl/xnlock/xnlock.1 +++ /dev/null 
@@ -1,123 +0,0 @@
-.\" xnlock -- Dan Heller 1985
-.TH XNLOCK 1L "19 April 1990"
-.SH NAME
-xnlock \- amusing lock screen program with message for passers-by
-.SH SYNOPSIS
-.B xnlock
-[
-\fIoptions\fP
-]
-[
-\fImessage\fP
-]
-.SH DESCRIPTION
-.I xnlock
-is a program that acts as a screen saver for workstations running X11.
-It also "locks" the screen such that the workstation can be left
-unattended without worry that someone else will walk up to it and
-mess everything up. When \fIxnlock\fP is running, a little man with
-a big nose and a hat runs around spewing out messages to the screen.
-By default, the messages are "humorous", but that depends on your
-sense of humor.
-.LP
-If a key or mouse button is pressed, a prompt is printed requesting the
-user's password. If a RETURN is not typed within 30 seconds,
-the little man resumes running around.
-.LP
-Text on the command line is used as the message. For example:
-.br
- % xnlock I\'m out to lunch for a couple of hours.
-.br
-Note the need to quote shell metacharacters.
-.LP
-In the absence of flags or text, \fIxnlock\fP displays random fortunes.
-.SH OPTIONS
-Command line options override all resource specifications.
-All arguments that are not associated with a command line option
-is taken to be message text that the little man will "say" every
-once in a while. The resource \fBxnlock.text\fP may be set to
-a string.
-.TP
-.BI \-fn " fontname"
-The default font is the first 18 point font in the \fInew century schoolbook\fP
-family. While larger fonts are recokmmended over smaller ones, any font
-in the server's font list will work. The resource to use for this option
-is \fBxnlock.font\fP.
-.TP
-.BI \-filename " filename"
-Take the message to be displayed from the file \fIfilename\fP.
-If \fIfilename\fP is not specified, \fI$HOME/.msgfile\fP is used.
-If the contents of the file are changed during runtime, the most recent text
-of the file is used (allowing the displayed message to be altered remotely).
-Carriage returns within the text are allowed, but tabs or other control
-characters are not translated and should not be used.
-The resource available for this option is \fBxnlock.file\fP.
-.TP
-.BI \-ar
-Accept root's password to unlock screen. This option is true by
-default. The reason for this is so that someone's screen may be
-unlocked by autorized users in case of emergency and the person
-running the program is still out to lunch. The resource available
-for specifying this option is \fBxnlock.acceptRootPasswd\fP.
-.TP
-.BI \-noar
-Don't accept root's password. This option is for paranoids who
-fear their peers might breakin using root's password and remove
-their files anyway. Specifying this option on the command line
-overrides the \fBxnlock.acceptRootPasswd\fP if set to True.
-.TP
-.BI \-ip
-Ignore password prompt.
-The resource available for this option is \fBxnlock.ignorePasswd\fP.
-.TP
-.BI \-noip
-Don't ignore password prompt. This is available in order to
-override the resource \fBignorePasswd\fP if set to True.
-.TP
-.BI -fg " color"
-Specifies the foreground color. The resource available for this
-is \fBxnlock.foreground\fP.
-.TP
-.BI -bg " color"
-Specifies the background color. The resource available for this
-is \fBxnlock.background\fP.
-.TP
-.BI \-rv
-Reverse the foreground and background colors.
-The resource for this is \fBxvnlock.reverseVideo\fP.
-.TP
-.BI \-norv
-Don't use reverse video. This is available to override the reverseVideo
-resource if set to True.
-.TP
-.BI \-prog " program"
-Receive message text from the running program \fIprogram\fP. If there
-are arguments to \fIprogram\fP, encase them with the name of the program in
-quotes (e.g. xnlock -t "fortune -o").
-The resource for this is \fBxnlock.program\fP.
-.SH RESOURCES
-.br
-xnlock.font: fontname
-.br
-xnlock.foreground: color
-.br
-xnlock.background: color
-.br
-xnlock.reverseVideo: True/False
-.br
-xnlock.text: Some random text string
-.br
-xnlock.program: program [args]
-.br
-xnlock.ignorePasswd: True/False
-.br
-xnlock.acceptRootPasswd: True/False
-.SH FILES
-\fIxnlock\fP executable file
-.br
-~/.msgfile default message file
-.SH AUTHOR
-Dan Heller Copyright (c) 1985, 1990.
-.br
-The original version of this program was written using pixrects on
-a Sun 2 running SunOS 1.1.
diff --git a/crypto/heimdal/appl/xnlock/xnlock.c b/crypto/heimdal/appl/xnlock/xnlock.c
deleted file mode 100644
index acfff2f09d36..000000000000
--- a/crypto/heimdal/appl/xnlock/xnlock.c
+++ /dev/null
@@ -1,1135 +0,0 @@ -/* - * xnlock -- Dan Heller, 1990 - * "nlock" is a "new lockscreen" type program... something that prevents - * screen burnout by making most of it "black" while providing something - * of interest to be displayed in case anyone is watching. - * "xnlock" is the X11 version of the program. - * Original sunview version written by Dan Heller 1985 (not included here). - */ -#ifdef HAVE_CONFIG_H -#include -RCSID("$Id: xnlock.c,v 1.90 2002/08/23 19:29:38 assar Exp $"); -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef strerror -#undef strerror -#endif -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_PWD_H -#include -#endif - -#ifdef KRB5 -#include -#endif -#ifdef KRB4 -#include -#include -#endif - -#include -#include - -static char login[16]; -static char userprompt[128]; -#ifdef KRB4 -static char name[ANAME_SZ]; -static char inst[INST_SZ]; -static char realm[REALM_SZ]; -#endif -#ifdef KRB5 -static krb5_context context; -static krb5_principal client; -#endif - -#define font_height(font) (font->ascent + font->descent) - -static char *SPACE_STRING = " "; -static char STRING[] = "****************"; - -#define STRING_LENGTH (sizeof(STRING)) -#define MAX_PASSWD_LENGTH 256 -/* (sizeof(STRING)) */ - -#define PROMPT "Password: " -#define FAIL_MSG "Sorry, try again" -#define LEFT 001 -#define RIGHT 002 -#define DOWN 004 -#define UP 010 -#define FRONT 020 -#define X_INCR 3 -#define Y_INCR 2 -#define XNLOCK_CTRL 1 -#define XNLOCK_NOCTRL 0 - -static XtAppContext app; -static Display *dpy; -static unsigned short Width, Height; -static Widget widget; -static GC gc; -static XtIntervalId timeout_id; -static char *words; -static int x, y; -static Pixel Black, White; -static XFontStruct *font; -static char root_cpass[128]; -static char user_cpass[128]; -static int time_left, prompt_x, prompt_y, time_x, time_y; -static unsigned long interval; -static Pixmap left0, left1, right0, right1, 
left_front, - right_front, front, down; - -#define MAXLINES 40 - -#define IS_MOVING 1 -#define GET_PASSWD 2 -static int state; /* indicates states: walking or getting passwd */ - -static int ALLOW_LOGOUT = (60*10); /* Allow logout after nn seconds */ -#define LOGOUT_PASSWD "enuHDmTo5Lq4g" /* when given password "LOGOUT" */ -static time_t locked_at; - -struct appres_t { - Pixel bg; - Pixel fg; - XFontStruct *font; - Boolean ignore_passwd; - Boolean do_reverse; - Boolean accept_root; - char *text, *text_prog, *file, *logoutPasswd; - Boolean no_screensaver; - Boolean destroytickets; -} appres; - -static XtResource resources[] = { - { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel), - XtOffsetOf(struct appres_t, bg), XtRString, "black" }, - - { XtNforeground, XtCForeground, XtRPixel, sizeof(Pixel), - XtOffsetOf(struct appres_t, fg), XtRString, "white" }, - - { XtNfont, XtCFont, XtRFontStruct, sizeof (XFontStruct *), - XtOffsetOf(struct appres_t, font), - XtRString, "-*-new century schoolbook-*-*-*-18-*" }, - - { "ignorePasswd", "IgnorePasswd", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t,ignore_passwd),XtRImmediate,(XtPointer)False }, - - { "acceptRootPasswd", "AcceptRootPasswd", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t, accept_root), XtRImmediate, (XtPointer)True }, - - { "text", "Text", XtRString, sizeof(String), - XtOffsetOf(struct appres_t, text), XtRString, "I'm out running around." 
}, - - { "program", "Program", XtRString, sizeof(String), - XtOffsetOf(struct appres_t, text_prog), XtRImmediate, NULL }, - - { "file", "File", XtRString, sizeof(String), - XtOffsetOf(struct appres_t,file), XtRImmediate, NULL }, - - { "logoutPasswd", "logoutPasswd", XtRString, sizeof(String), - XtOffsetOf(struct appres_t, logoutPasswd), XtRString, LOGOUT_PASSWD }, - - { "noScreenSaver", "NoScreenSaver", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t,no_screensaver), XtRImmediate, (XtPointer)True }, - - { "destroyTickets", "DestroyTickets", XtRBoolean, sizeof(Boolean), - XtOffsetOf(struct appres_t,destroytickets), XtRImmediate, (XtPointer)True }, -}; - -static XrmOptionDescRec options[] = { - { "-fg", ".foreground", XrmoptionSepArg, NULL }, - { "-foreground", ".foreground", XrmoptionSepArg, NULL }, - { "-fn", ".font", XrmoptionSepArg, NULL }, - { "-font", ".font", XrmoptionSepArg, NULL }, - { "-ip", ".ignorePasswd", XrmoptionNoArg, "True" }, - { "-noip", ".ignorePasswd", XrmoptionNoArg, "False" }, - { "-ar", ".acceptRootPasswd", XrmoptionNoArg, "True" }, - { "-noar", ".acceptRootPasswd", XrmoptionNoArg, "False" }, - { "-nonoscreensaver", ".noScreenSaver", XrmoptionNoArg, "False" }, - { "-nodestroytickets", ".destroyTickets", XrmoptionNoArg, "False" }, -}; - -static char* -get_words(void) -{ - FILE *pp = NULL; - static char buf[512]; - long n; - - if (appres.text_prog) { - pp = popen(appres.text_prog, "r"); - if (!pp) { - warn("popen %s", appres.text_prog); - return appres.text; - } - n = fread(buf, 1, sizeof(buf) - 1, pp); - buf[n] = 0; - pclose(pp); - return buf; - } - if (appres.file) { - pp = fopen(appres.file, "r"); - if (!pp) { - warn("fopen %s", appres.file); - return appres.text; - } - n = fread(buf, 1, sizeof(buf) - 1, pp); - buf[n] = 0; - fclose(pp); - return buf; - } - - return appres.text; -} - -static void -usage(void) -{ - fprintf(stderr, "usage: %s [options] [message]\n", getprogname()); - fprintf(stderr, "-fg color foreground color\n"); - 
fprintf(stderr, "-bg color background color\n"); - fprintf(stderr, "-rv reverse foreground/background colors\n"); - fprintf(stderr, "-nrv no reverse video\n"); - fprintf(stderr, "-ip ignore passwd\n"); - fprintf(stderr, "-nip don't ignore passwd\n"); - fprintf(stderr, "-ar accept root's passwd to unlock\n"); - fprintf(stderr, "-nar don't accept root's passwd\n"); - fprintf(stderr, "-f [file] message is read from file or ~/.msgfile\n"); - fprintf(stderr, "-prog program text is gotten from executing `program'\n"); - fprintf(stderr, "-nodestroytickets keep kerberos tickets\n"); - exit(1); -} - -static void -init_words (int argc, char **argv) -{ - int i = 0; - - while(argv[i]) { - if(strcmp(argv[i], "-p") == 0 - || strcmp(argv[i], "-prog") == 0) { - i++; - if(argv[i]) { - appres.text_prog = argv[i]; - i++; - } else { - warnx ("-p requires an argument"); - usage(); - } - } else if(strcmp(argv[i], "-f") == 0) { - i++; - if(argv[i]) { - appres.file = argv[i]; - i++; - } else { - asprintf (&appres.file, - "%s/.msgfile", getenv("HOME")); - if (appres.file == NULL) - errx (1, "cannot allocate memory for message"); - } - } else if(strcmp(argv[i], "--version") == 0) { - print_version(NULL); - exit(0); - } else { - int j; - int len = 1; - for(j = i; argv[j]; j++) - len += strlen(argv[j]) + 1; - appres.text = malloc(len); - if (appres.text == NULL) - errx (1, "cannot allocate memory for message"); - appres.text[0] = 0; - for(; i < j; i++){ - strlcat(appres.text, argv[i], len); - strlcat(appres.text, " ", len); - } - } - } -} - -static void -ScreenSaver(int save) -{ - static int timeout, interval, prefer_blank, allow_exp; - if(!appres.no_screensaver){ - if (save) { - XGetScreenSaver(dpy, &timeout, &interval, - &prefer_blank, &allow_exp); - XSetScreenSaver(dpy, 0, interval, prefer_blank, allow_exp); - } else - /* restore state */ - XSetScreenSaver(dpy, timeout, interval, prefer_blank, allow_exp); - } -} - -/* Forward decls necessary */ -static void talk(int force_erase); -static 
unsigned long look(void); - -static int -zrefresh(void) -{ - switch (fork()) { - case -1: - warn ("zrefresh: fork"); - return -1; - case 0: - /* Child */ - execlp("zrefresh", "zrefresh", 0); - execl(BINDIR "/zrefresh", "zrefresh", 0); - return -1; - default: - /* Parent */ - break; - } - return 0; -} - -static void -leave(void) -{ - XUngrabPointer(dpy, CurrentTime); - XUngrabKeyboard(dpy, CurrentTime); - ScreenSaver(0); - XCloseDisplay(dpy); - zrefresh(); - exit(0); -} - -static void -walk(int dir) -{ - int incr = 0; - static int lastdir; - static int up = 1; - static Pixmap frame; - - XSetForeground(dpy, gc, White); - XSetBackground(dpy, gc, Black); - if (dir & (LEFT|RIGHT)) { /* left/right movement (mabye up/down too) */ - up = -up; /* bouncing effect (even if hit a wall) */ - if (dir & LEFT) { - incr = X_INCR; - frame = (up < 0) ? left0 : left1; - } else { - incr = -X_INCR; - frame = (up < 0) ? right0 : right1; - } - if ((lastdir == FRONT || lastdir == DOWN) && dir & UP) { - /* workaround silly bug that leaves screen dust when - * guy is facing forward or down and moves up-left/right. - */ - XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L); - XFlush(dpy); - } - /* note that maybe neither UP nor DOWN is set! 
*/ - if (dir & UP && y > Y_INCR) - y -= Y_INCR; - else if (dir & DOWN && y < (int)Height - 64) - y += Y_INCR; - } - /* Explicit up/down movement only (no left/right) */ - else if (dir == UP) - XCopyPlane(dpy, front, XtWindow(widget), gc, - 0,0, 64,64, x, y -= Y_INCR, 1L); - else if (dir == DOWN) - XCopyPlane(dpy, down, XtWindow(widget), gc, - 0,0, 64,64, x, y += Y_INCR, 1L); - else if (dir == FRONT && frame != front) { - if (up > 0) - up = -up; - if (lastdir & LEFT) - frame = left_front; - else if (lastdir & RIGHT) - frame = right_front; - else - frame = front; - XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L); - } - if (dir & LEFT) - while(--incr >= 0) { - XCopyPlane(dpy, frame, XtWindow(widget), gc, - 0,0, 64,64, --x, y+up, 1L); - XFlush(dpy); - } - else if (dir & RIGHT) - while(++incr <= 0) { - XCopyPlane(dpy, frame, XtWindow(widget), gc, - 0,0, 64,64, ++x, y+up, 1L); - XFlush(dpy); - } - lastdir = dir; -} - -static long -my_random (void) -{ -#ifdef HAVE_RANDOM - return random(); -#else - return rand(); -#endif -} - -static int -think(void) -{ - if (my_random() & 1) - walk(FRONT); - if (my_random() & 1) { - words = get_words(); - return 1; - } - return 0; -} - -static void -move(XtPointer _p, XtIntervalId *_id) -{ - static int length, dir; - - if (!length) { - int tries = 0; - dir = 0; - if ((my_random() & 1) && think()) { - talk(0); /* sets timeout to itself */ - return; - } - if (!(my_random() % 3) && (interval = look())) { - timeout_id = XtAppAddTimeOut(app, interval, move, NULL); - return; - } - interval = 20 + my_random() % 100; - do { - if (!tries) - length = Width/100 + my_random() % 90, tries = 8; - else - tries--; - switch (my_random() % 8) { - case 0: - if (x - X_INCR*length >= 5) - dir = LEFT; - case 1: - if (x + X_INCR*length <= (int)Width - 70) - dir = RIGHT; - case 2: - if (y - (Y_INCR*length) >= 5) - dir = UP, interval = 40; - case 3: - if (y + Y_INCR*length <= (int)Height - 70) - dir = DOWN, interval = 20; - case 4: - if (x - 
X_INCR*length >= 5 && y - (Y_INCR*length) >= 5) - dir = (LEFT|UP); - case 5: - if (x + X_INCR * length <= (int)Width - 70 && - y-Y_INCR * length >= 5) - dir = (RIGHT|UP); - case 6: - if (x - X_INCR * length >= 5 && - y + Y_INCR * length <= (int)Height - 70) - dir = (LEFT|DOWN); - case 7: - if (x + X_INCR*length <= (int)Width - 70 && - y + Y_INCR*length <= (int)Height - 70) - dir = (RIGHT|DOWN); - } - } while (!dir); - } - walk(dir); - --length; - timeout_id = XtAppAddTimeOut(app, interval, move, NULL); -} - -static void -post_prompt_box(Window window) -{ - int width = (Width / 3); - int height = font_height(font) * 6; - int box_x, box_y; - - /* make sure the entire nose icon fits in the box */ - if (height < 100) - height = 100; - - if(width < 105 + font->max_bounds.width*STRING_LENGTH) - width = 105 + font->max_bounds.width*STRING_LENGTH; - box_x = (Width - width) / 2; - time_x = prompt_x = box_x + 105; - - time_y = prompt_y = Height / 2; - box_y = prompt_y - 3 * font_height(font); - - /* erase current guy -- text message may still exist */ - XSetForeground(dpy, gc, Black); - XFillRectangle(dpy, window, gc, x, y, 64, 64); - talk(1); /* forcefully erase message if one is being displayed */ - /* Clear area in middle of screen for prompt box */ - XSetForeground(dpy, gc, White); - XFillRectangle(dpy, window, gc, box_x, box_y, width, height); - - /* make a box that's 5 pixels thick. 
Then add a thin box inside it */ - XSetForeground(dpy, gc, Black); - XSetLineAttributes(dpy, gc, 5, 0, 0, 0); - XDrawRectangle(dpy, window, gc, box_x+5, box_y+5, width-10, height-10); - XSetLineAttributes(dpy, gc, 0, 0, 0, 0); - XDrawRectangle(dpy, window, gc, box_x+12, box_y+12, width-23, height-23); - - XDrawString(dpy, window, gc, - prompt_x, prompt_y-font_height(font), - userprompt, strlen(userprompt)); - XDrawString(dpy, window, gc, prompt_x, prompt_y, PROMPT, strlen(PROMPT)); - /* set background for copyplane and DrawImageString; need reverse video */ - XSetBackground(dpy, gc, White); - XCopyPlane(dpy, right0, window, gc, 0,0, 64,64, - box_x + 20, box_y + (height - 64)/2, 1L); - prompt_x += XTextWidth(font, PROMPT, strlen(PROMPT)); - time_y += 2*font_height(font); -} - -static void -RaiseWindow(Widget w, XEvent *ev, String *s, Cardinal *n) -{ - Widget x; - if(!XtIsRealized(w)) - return; - x = XtParent(w); - XRaiseWindow(dpy, XtWindow(x)); -} - - -static void -ClearWindow(Widget w, XEvent *_event, String *_s, Cardinal *_n) -{ - XExposeEvent *event = (XExposeEvent *)_event; - if (!XtIsRealized(w)) - return; - XClearArea(dpy, XtWindow(w), event->x, event->y, - event->width, event->height, False); - if (state == GET_PASSWD) - post_prompt_box(XtWindow(w)); - if (timeout_id == 0 && event->count == 0) { - timeout_id = XtAppAddTimeOut(app, 1000L, move, NULL); - /* first grab the input focus */ - XSetInputFocus(dpy, XtWindow(w), RevertToPointerRoot, CurrentTime); - /* now grab the pointer and keyboard and contrain to this window */ - XGrabPointer(dpy, XtWindow(w), TRUE, 0, GrabModeAsync, - GrabModeAsync, XtWindow(w), None, CurrentTime); - } -} - -static void -countdown(XtPointer _t, XtIntervalId *_d) -{ - int *timeout = (int *)_t; - char buf[128]; - time_t seconds; - - if (--(*timeout) < 0) { - XExposeEvent event; - XtRemoveTimeOut(timeout_id); - state = IS_MOVING; - event.x = event.y = 0; - event.width = Width, event.height = Height; - ClearWindow(widget, (XEvent 
*)&event, 0, 0); - timeout_id = XtAppAddTimeOut(app, 200L, move, NULL); - return; - } - seconds = time(0) - locked_at; - if (seconds >= 3600) - snprintf(buf, sizeof(buf), - "Locked for %d:%02d:%02d ", - (int)seconds/3600, (int)seconds/60%60, (int)seconds%60); - else - snprintf(buf, sizeof(buf), - "Locked for %2d:%02d ", - (int)seconds/60, (int)seconds%60); - - XDrawImageString(dpy, XtWindow(widget), gc, - time_x, time_y, buf, strlen(buf)); - XtAppAddTimeOut(app, 1000L, countdown, timeout); - return; -} - -#ifdef KRB5 -static int -verify_krb5(const char *password) -{ - krb5_error_code ret; - krb5_ccache id; - - krb5_cc_default(context, &id); - ret = krb5_verify_user(context, - client, - id, - password, - 0, - NULL); - if (ret == 0){ -#ifdef KRB4 - if (krb5_config_get_bool(context, NULL, - "libdefaults", - "krb4_get_tickets", - NULL)) { - CREDENTIALS c; - krb5_creds mcred, cred; - - krb5_make_principal(context, &mcred.server, - client->realm, - "krbtgt", - client->realm, - NULL); - ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); - if(ret == 0) { - ret = krb524_convert_creds_kdc_ccache(context, id, &cred, &c); - if(ret == 0) - tf_setup(&c, c.pname, c.pinst); - memset(&c, 0, sizeof(c)); - krb5_free_creds_contents(context, &cred); - } - krb5_free_principal(context, mcred.server); - } - if (k_hasafs()) - krb5_afslog(context, id, NULL, NULL); -#endif - return 0; - } - if (ret != KRB5KRB_AP_ERR_MODIFIED) - krb5_warn(context, ret, "verify_krb5"); - - return -1; -} -#endif - -static int -verify(char *password) -{ - int ret; - - /* - * First try with root password, if allowed. 
- */ - if ( appres.accept_root - && strcmp(crypt(password, root_cpass), root_cpass) == 0) - return 0; - - /* - * Password that log out user - */ - if (getuid() != 0 && - geteuid() != 0 && - (time(0) - locked_at) > ALLOW_LOGOUT && - strcmp(crypt(password, appres.logoutPasswd), appres.logoutPasswd) == 0) - { - signal(SIGHUP, SIG_IGN); - kill(-1, SIGHUP); - sleep(5); - /* If the X-server shut down then so will we, else - * continue */ - signal(SIGHUP, SIG_DFL); - } - - /* - * Try copy of users password. - */ - if (strcmp(crypt(password, user_cpass), user_cpass) == 0) - return 0; - - /* - * Try to verify as user in case password change. - */ - if (unix_verify_user(login, password) == 0) - return 0; - -#ifdef KRB5 - /* - * Try to verify as user with kerberos 5. - */ - if(verify_krb5(password) == 0) - return 0; -#endif - -#ifdef KRB4 - /* - * Try to verify as user with kerberos 4. - */ - ret = krb_verify_user(name, inst, realm, password, - KRB_VERIFY_NOT_SECURE, NULL); - if (ret == KSUCCESS){ - if (k_hasafs()) - krb_afslog(NULL, NULL); - return 0; - } - if (ret != INTK_BADPW) - warnx ("warning: %s", - (ret < 0) ? strerror(ret) : krb_get_err_text(ret)); -#endif - - return -1; -} - - -static void -GetPasswd(Widget w, XEvent *_event, String *_s, Cardinal *_n) -{ - XKeyEvent *event = (XKeyEvent *)_event; - static char passwd[MAX_PASSWD_LENGTH]; - static int cnt; - static int is_ctrl = XNLOCK_NOCTRL; - char c; - KeySym keysym; - int echolen; - int old_state = state; - - if (event->type == ButtonPress) { - x = event->x, y = event->y; - return; - } - if (state == IS_MOVING) { - /* guy is running around--change to post prompt box. 
*/ - XtRemoveTimeOut(timeout_id); - state = GET_PASSWD; - if (appres.ignore_passwd || !strlen(user_cpass)) - leave(); - post_prompt_box(XtWindow(w)); - cnt = 0; - time_left = 30; - countdown((XtPointer)&time_left, 0); - } - if (event->type == KeyRelease) { - keysym = XLookupKeysym(event, 0); - if (keysym == XK_Control_L || keysym == XK_Control_R) { - is_ctrl = XNLOCK_NOCTRL; - } - } - if (event->type != KeyPress) - return; - - time_left = 30; - - keysym = XLookupKeysym(event, 0); - if (keysym == XK_Control_L || keysym == XK_Control_R) { - is_ctrl = XNLOCK_CTRL; - return; - } - if (!XLookupString(event, &c, 1, &keysym, 0)) - return; - if (keysym == XK_Return || keysym == XK_Linefeed) { - passwd[cnt] = 0; - if(old_state == IS_MOVING) - return; - XtRemoveTimeOut(timeout_id); - - if(verify(passwd) == 0) - leave(); - - cnt = 0; - - XDrawImageString(dpy, XtWindow(widget), gc, - time_x, time_y, FAIL_MSG, strlen(FAIL_MSG)); - time_left = 0; - timeout_id = XtAppAddTimeOut(app, 2000L, countdown, &time_left); - return; - } - if (keysym == XK_BackSpace || keysym == XK_Delete || keysym == XK_Left) { - if (cnt) - passwd[cnt--] = ' '; - } else if (keysym == XK_u && is_ctrl == XNLOCK_CTRL) { - while (cnt) { - passwd[cnt--] = ' '; - echolen = min(cnt, STRING_LENGTH); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x, prompt_y, STRING, echolen); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x + XTextWidth(font, STRING, echolen), - prompt_y, SPACE_STRING, STRING_LENGTH - echolen + 1); - } - } else if (isprint(c)) { - if ((cnt + 1) >= MAX_PASSWD_LENGTH) - XBell(dpy, 50); - else - passwd[cnt++] = c; - } else - return; - echolen = min(cnt, STRING_LENGTH); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x, prompt_y, STRING, echolen); - XDrawImageString(dpy, XtWindow(w), gc, - prompt_x + XTextWidth(font, STRING, echolen), - prompt_y, SPACE_STRING, STRING_LENGTH - echolen +1); -} - -#include "nose.0.left" -#include "nose.1.left" -#include "nose.0.right" -#include "nose.1.right" 
-#include "nose.left.front" -#include "nose.right.front" -#include "nose.front" -#include "nose.down" - -static void -init_images(void) -{ - static Pixmap *images[] = { - &left0, &left1, &right0, &right1, - &left_front, &right_front, &front, &down - }; - static unsigned char *bits[] = { - nose_0_left_bits, nose_1_left_bits, nose_0_right_bits, - nose_1_right_bits, nose_left_front_bits, nose_right_front_bits, - nose_front_bits, nose_down_bits - }; - int i; - - for (i = 0; i < XtNumber(images); i++) - if (!(*images[i] = - XCreatePixmapFromBitmapData(dpy, DefaultRootWindow(dpy), - (char*)(bits[i]), 64, 64, 1, 0, 1))) - XtError("Can't load nose images"); -} - -static void -talk(int force_erase) -{ - int width = 0, height, Z, total = 0; - static int X, Y, talking; - static struct { int x, y, width, height; } s_rect; - char *p, *p2; - char buf[BUFSIZ], args[MAXLINES][256]; - - /* clear what we've written */ - if (talking || force_erase) { - if (!talking) - return; - if (talking == 2) { - XSetForeground(dpy, gc, Black); - XDrawString(dpy, XtWindow(widget), gc, X, Y, words, strlen(words)); - } else if (talking == 1) { - XSetForeground(dpy, gc, Black); - XFillRectangle(dpy, XtWindow(widget), gc, s_rect.x-5, s_rect.y-5, - s_rect.width+10, s_rect.height+10); - } - talking = 0; - if (!force_erase) - timeout_id = XtAppAddTimeOut(app, 40L, - (XtTimerCallbackProc)move, - NULL); - return; - } - XSetForeground(dpy, gc, White); - talking = 1; - walk(FRONT); - strlcpy (buf, words, sizeof(buf)); - p = buf; - - /* possibly avoid a lot of work here - * if no CR or only one, then just print the line - */ - if (!(p2 = strchr(p, '\n')) || !p2[1]) { - int w; - - if (p2) - *p2 = 0; - w = XTextWidth(font, words, strlen(words)); - X = x + 32 - w/2; - Y = y - 5 - font_height(font); - /* give us a nice 5 pixel margin */ - if (X < 5) - X = 5; - else if (X + w + 15 > (int)Width + 5) - X = Width - w - 5; - if (Y < 5) - Y = y + 64 + 5 + font_height(font); - XDrawString(dpy, XtWindow(widget), gc, X, 
Y, words, strlen(words)); - timeout_id = XtAppAddTimeOut(app, 5000L, (XtTimerCallbackProc)talk, - NULL); - talking++; - return; - } - - /* p2 now points to the first '\n' */ - for (height = 0; p; height++) { - int w; - *p2 = 0; - if ((w = XTextWidth(font, p, p2 - p)) > width) - width = w; - total += p2 - p; /* total chars; count to determine reading time */ - strlcpy(args[height], p, sizeof(args[height])); - if (height == MAXLINES - 1) { - puts("Message too long!"); - break; - } - p = p2+1; - if (!(p2 = strchr(p, '\n'))) - break; - } - height++; - - /* Figure out the height and width in pixels (height, width) extend - * the new box by 15 pixels on the sides (30 total) top and bottom. - */ - s_rect.width = width + 30; - s_rect.height = height * font_height(font) + 30; - if (x - s_rect.width - 10 < 5) - s_rect.x = 5; - else - if ((s_rect.x = x+32-(s_rect.width+15)/2) - + s_rect.width+15 > (int)Width-5) - s_rect.x = Width - 15 - s_rect.width; - if (y - s_rect.height - 10 < 5) - s_rect.y = y + 64 + 5; - else - s_rect.y = y - 5 - s_rect.height; - - XSetForeground(dpy, gc, White); - XFillRectangle(dpy, XtWindow(widget), gc, - s_rect.x-5, s_rect.y-5, s_rect.width+10, s_rect.height+10); - - /* make a box that's 5 pixels thick. 
Then add a thin box inside it */ - XSetForeground(dpy, gc, Black); - XSetLineAttributes(dpy, gc, 5, 0, 0, 0); - XDrawRectangle(dpy, XtWindow(widget), gc, - s_rect.x, s_rect.y, s_rect.width-1, s_rect.height-1); - XSetLineAttributes(dpy, gc, 0, 0, 0, 0); - XDrawRectangle(dpy, XtWindow(widget), gc, - s_rect.x + 7, s_rect.y + 7, s_rect.width - 15, - s_rect.height - 15); - - X = 15; - Y = 15 + font_height(font); - - /* now print each string in reverse order (start at bottom of box) */ - for (Z = 0; Z < height; Z++) { - XDrawString(dpy, XtWindow(widget), gc, s_rect.x+X, s_rect.y+Y, - args[Z], strlen(args[Z])); - Y += font_height(font); - } - timeout_id = XtAppAddTimeOut(app, (total/15) * 1000, - (XtTimerCallbackProc)talk, NULL); -} - -static unsigned long -look(void) -{ - XSetForeground(dpy, gc, White); - XSetBackground(dpy, gc, Black); - if (my_random() % 3) { - XCopyPlane(dpy, (my_random() & 1)? down : front, XtWindow(widget), gc, - 0, 0, 64,64, x, y, 1L); - return 1000L; - } - if (!(my_random() % 5)) - return 0; - if (my_random() % 3) { - XCopyPlane(dpy, (my_random() & 1)? left_front : right_front, - XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L); - return 1000L; - } - if (!(my_random() % 5)) - return 0; - XCopyPlane(dpy, (my_random() & 1)? left0 : right0, XtWindow(widget), gc, - 0, 0, 64,64, x, y, 1L); - return 1000L; -} - -int -main (int argc, char **argv) -{ - int i; - Widget override; - XGCValues gcvalues; - - setprogname (argv[0]); - - /* - * Must be setuid root to read /etc/shadow, copy encrypted - * passwords here and then switch to sane uid. 
- */ - { - struct passwd *pw; - uid_t uid = getuid(); - if (!(pw = k_getpwuid(0))) - errx (1, "can't get root's passwd!"); - strlcpy(root_cpass, pw->pw_passwd, sizeof(root_cpass)); - - if (!(pw = k_getpwuid(uid))) - errx (1, "Can't get your password entry!"); - strlcpy(user_cpass, pw->pw_passwd, sizeof(user_cpass)); - setuid(uid); - if (uid != 0 && setuid(0) != -1) { - fprintf(stderr, "Failed to drop privileges!\n"); - exit(1); - } - /* Now we're no longer running setuid root. */ - strlcpy(login, pw->pw_name, sizeof(login)); - } - -#if defined(HAVE_SRANDOMDEV) - srandomdev(); -#elif defined(HAVE_RANDOM) - srandom(time(NULL)); -#else - srand (time(NULL)); -#endif - for (i = 0; i < STRING_LENGTH; i++) - STRING[i] = ((unsigned long)my_random() % ('~' - ' ')) + ' '; - - locked_at = time(0); - - snprintf(userprompt, sizeof(userprompt), "User: %s", login); -#ifdef KRB4 - krb_get_default_principal(name, inst, realm); - snprintf(userprompt, sizeof(userprompt), "User: %s", - krb_unparse_name_long(name, inst, realm)); -#endif -#ifdef KRB5 - { - krb5_error_code ret; - char *str; - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - krb5_get_default_principal(context, &client); - krb5_unparse_name(context, client, &str); - snprintf(userprompt, sizeof(userprompt), "User: %s", str); - free(str); - } -#endif - - override = XtVaAppInitialize(&app, "XNlock", options, XtNumber(options), - (Cardinal*)&argc, argv, NULL, - XtNoverrideRedirect, True, - NULL); - - XtVaGetApplicationResources(override,(XtPointer)&appres, - resources,XtNumber(resources), - NULL); - /* the background is black and the little guy is white */ - Black = appres.bg; - White = appres.fg; - - if (appres.destroytickets) { -#ifdef KRB4 - int fd; - - dest_tkt(); /* Nuke old ticket file */ - /* but keep a place holder */ - fd = open (TKT_FILE, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd >= 0) - close (fd); -#endif - } - - dpy = XtDisplay(override); - - if (dpy == 0) - 
errx (1, "Error: Can't open display"); - - Width = DisplayWidth(dpy, DefaultScreen(dpy)) + 2; - Height = DisplayHeight(dpy, DefaultScreen(dpy)) + 2; - - for(i = 0; i < ScreenCount(dpy); i++){ - Widget shell, core; - - struct xxx{ - Pixel bg; - }res; - - XtResource Res[] = { - { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel), - XtOffsetOf(struct xxx, bg), XtRString, "black" } - }; - - if(i == DefaultScreen(dpy)) - continue; - - shell = XtVaAppCreateShell(NULL,NULL, applicationShellWidgetClass, dpy, - XtNscreen, ScreenOfDisplay(dpy, i), - XtNoverrideRedirect, True, - XtNx, -1, - XtNy, -1, - NULL); - - XtVaGetApplicationResources(shell, (XtPointer)&res, - Res, XtNumber(Res), - NULL); - - core = XtVaCreateManagedWidget("_foo", widgetClass, shell, - XtNwidth, DisplayWidth(dpy, i), - XtNheight, DisplayHeight(dpy, i), - XtNbackground, res.bg, - NULL); - XtRealizeWidget(shell); - } - - widget = XtVaCreateManagedWidget("_foo", widgetClass, override, - XtNwidth, Width, - XtNheight, Height, - XtNbackground, Black, - NULL); - - init_words(--argc, ++argv); - init_images(); - - gcvalues.foreground = Black; - gcvalues.background = White; - - - font = appres.font; - gcvalues.font = font->fid; - gcvalues.graphics_exposures = False; - gc = XCreateGC(dpy, DefaultRootWindow(dpy), - GCForeground | GCBackground | GCGraphicsExposures | GCFont, - &gcvalues); - - x = Width / 2; - y = Height / 2; - srand (time(0)); - state = IS_MOVING; - - { - static XtActionsRec actions[] = { - { "ClearWindow", ClearWindow }, - { "GetPasswd", GetPasswd }, - { "RaiseWindow", RaiseWindow }, - }; - XtAppAddActions(app, actions, XtNumber(actions)); - XtOverrideTranslations(widget, - XtParseTranslationTable( - ": ClearWindow() \n" - ": GetPasswd() \n" - ": RaiseWindow() \n" - ": GetPasswd() \n" - ": GetPasswd()")); - } - - XtRealizeWidget(override); - if((i = XGrabPointer(dpy, XtWindow(widget), True, 0, GrabModeAsync, - GrabModeAsync, XtWindow(widget), - None, CurrentTime)) != 0) - errx(1, "Failed to 
grab pointer (%d)", i); - - if((i = XGrabKeyboard(dpy, XtWindow(widget), True, GrabModeAsync, - GrabModeAsync, CurrentTime)) != 0) - errx(1, "Failed to grab keyboard (%d)", i); - ScreenSaver(1); - XtAppMainLoop(app); - exit(0); -} - diff --git a/crypto/heimdal/appl/xnlock/xnlock.cat1 b/crypto/heimdal/appl/xnlock/xnlock.cat1 deleted file mode 100644 index d358eee405b6..000000000000 --- a/crypto/heimdal/appl/xnlock/xnlock.cat1 +++ /dev/null 
@@ -1,123 +0,0 @@ -XNLOCK(1L) XNLOCK(1L) - - - -NNAAMMEE - xnlock - amusing lock screen program with message for - passers-by - -SSYYNNOOPPSSIISS - xxnnlloocckk [ _o_p_t_i_o_n_s ] [ _m_e_s_s_a_g_e ] - -DDEESSCCRRIIPPTTIIOONN - _x_n_l_o_c_k is a program that acts as a screen saver for work- - stations running X11. It also "locks" the screen such - that the workstation can be left unattended without worry - that someone else will walk up to it and mess everything - up. When _x_n_l_o_c_k is running, a little man with a big nose - and a hat runs around spewing out messages to the screen. - By default, the messages are "humorous", but that depends - on your sense of humor. - - If a key or mouse button is pressed, a prompt is printed - requesting the user's password. If a RETURN is not typed - within 30 seconds, the little man resumes running around. - - Text on the command line is used as the message. For - example: - % xnlock I'm out to lunch for a couple of hours. - Note the need to quote shell metacharacters. - - In the absence of flags or text, _x_n_l_o_c_k displays random - fortunes. - -OOPPTTIIOONNSS - Command line options override all resource specifications. - All arguments that are not associated with a command line - option is taken to be message text that the little man - will "say" every once in a while. The resource - xxnnlloocckk..tteexxtt may be set to a string. - - --ffnn _f_o_n_t_n_a_m_e - The default font is the first 18 point font in the - _n_e_w _c_e_n_t_u_r_y _s_c_h_o_o_l_b_o_o_k family. While larger fonts - are recokmmended over smaller ones, any font in the - server's font list will work. The resource to use - for this option is xxnnlloocckk..ffoonntt. - - --ffiilleennaammee _f_i_l_e_n_a_m_e - Take the message to be displayed from the file - _f_i_l_e_n_a_m_e. If _f_i_l_e_n_a_m_e is not specified, - _$_H_O_M_E_/_._m_s_g_f_i_l_e is used. 
If the contents of the - file are changed during runtime, the most recent - text of the file is used (allowing the displayed - message to be altered remotely). Carriage returns - within the text are allowed, but tabs or other con- - trol characters are not translated and should not - be used. The resource available for this option is - xxnnlloocckk..ffiillee. - - --aarr Accept root's password to unlock screen. This - option is true by default. The reason for this is - so that someone's screen may be unlocked by autor- - ized users in case of emergency and the person run- - ning the program is still out to lunch. The - resource available for specifying this option is - xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd. - - --nnooaarr Don't accept root's password. This option is for - paranoids who fear their peers might breakin using - root's password and remove their files anyway. - Specifying this option on the command line over- - rides the xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd if set to True. - - --iipp Ignore password prompt. The resource available for - this option is xxnnlloocckk..iiggnnoorreePPaasssswwdd. - - --nnooiipp Don't ignore password prompt. This is available in - order to override the resource iiggnnoorreePPaasssswwdd if set - to True. - - --ffgg _c_o_l_o_r - Specifies the foreground color. The resource - available for this is xxnnlloocckk..ffoorreeggrroouunndd. - - --bbgg _c_o_l_o_r - Specifies the background color. The resource - available for this is xxnnlloocckk..bbaacckkggrroouunndd. - - --rrvv Reverse the foreground and background colors. The - resource for this is xxvvnnlloocckk..rreevveerrsseeVViiddeeoo. - - --nnoorrvv Don't use reverse video. This is available to - override the reverseVideo resource if set to True. - - --pprroogg _p_r_o_g_r_a_m - Receive message text from the running program _p_r_o_- - _g_r_a_m. If there are arguments to _p_r_o_g_r_a_m, encase - them with the name of the program in quotes (e.g. 
- xnlock -t "fortune -o"). The resource for this is - xxnnlloocckk..pprrooggrraamm. - -RREESSOOUURRCCEESS - xnlock.font: fontname - xnlock.foreground: color - xnlock.background: color - xnlock.reverseVideo: True/False - xnlock.text: Some random text string - xnlock.program: program [args] - xnlock.ignorePasswd: True/False - xnlock.acceptRootPasswd: True/False - -FFIILLEESS - _x_n_l_o_c_k executable file - ~/.msgfile default message file - -AAUUTTHHOORR - Dan Heller Copyright (c) 1985, 1990. - The original version of this program was written using - pixrects on a Sun 2 running SunOS 1.1. - - - - 19 April 1990 XNLOCK(1L) diff --git a/crypto/heimdal/cf/grok-type.m4 b/crypto/heimdal/cf/grok-type.m4 deleted file mode 100644 index 5bc6a66241fb..000000000000 --- a/crypto/heimdal/cf/grok-type.m4 +++ /dev/null @@ -1,38 +0,0 @@ -dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $ -dnl -AC_DEFUN(AC_GROK_TYPE, [ -AC_CACHE_VAL(ac_cv_type_$1, -AC_TRY_COMPILE([ -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif -], -$i x; -, -eval ac_cv_type_$1=yes, -eval ac_cv_type_$1=no))]) - -AC_DEFUN(AC_GROK_TYPES, [ -for i in $1; do - AC_MSG_CHECKING(for $i) - AC_GROK_TYPE($i) - eval ac_res=\$ac_cv_type_$i - if test "$ac_res" = yes; then - type=HAVE_[]upcase($i) - AC_DEFINE_UNQUOTED($type) - fi - AC_MSG_RESULT($ac_res) -done -]) diff --git a/crypto/heimdal/cf/krb-find-db.m4 b/crypto/heimdal/cf/krb-find-db.m4 deleted file mode 100644 index 5d38f2e2a718..000000000000 --- a/crypto/heimdal/cf/krb-find-db.m4 +++ /dev/null 
@@ -1,100 +0,0 @@
-dnl $Id: krb-find-db.m4,v 1.6 2000/08/16 03:58:51 assar Exp $
-dnl
-dnl find a suitable database library
-dnl
-dnl AC_FIND_DB(libraries)
-AC_DEFUN(KRB_FIND_DB, [
-
-lib_dbm=no
-lib_db=no
-
-for i in $1; do
-
- if test "$i"; then
- m="lib$i"
- l="-l$i"
- else
- m="libc"
- l=""
- fi
-
- AC_MSG_CHECKING(for dbm_open in $m)
- AC_CACHE_VAL(ac_cv_krb_dbm_open_$m, [
-
- save_LIBS="$LIBS"
- LIBS="$l $LIBS"
- AC_TRY_RUN([
-#include
-#include
-#if defined(HAVE_NDBM_H)
-#include
-#elif defined(HAVE_GDBM_NDBM_H)
-#include
-#elif defined(HAVE_DBM_H)
-#include
-#elif defined(HAVE_RPCSVC_DBM_H)
-#include
-#elif defined(HAVE_DB_H)
-#define DB_DBM_HSEARCH 1
-#include
-#endif
-int main()
-{
- DBM *d;
-
- d = dbm_open("conftest", O_RDWR | O_CREAT, 0666);
- if(d == NULL)
- return 1;
- dbm_close(d);
- return 0;
-}], [
- if test -f conftest.db; then
- ac_res=db
- else
- ac_res=dbm
- fi], ac_res=no, ac_res=no)
-
- LIBS="$save_LIBS"
-
- eval ac_cv_krb_dbm_open_$m=$ac_res])
- eval ac_res=\$ac_cv_krb_dbm_open_$m
- AC_MSG_RESULT($ac_res)
-
- if test "$lib_dbm" = no -a $ac_res = dbm; then
- lib_dbm="$l"
- elif test "$lib_db" = no -a $ac_res = db; then
- lib_db="$l"
- break
- fi
-done
-
-AC_MSG_CHECKING(for NDBM library)
-ac_ndbm=no
-if test "$lib_db" != no; then
- LIB_DBM="$lib_db"
- ac_ndbm=yes
- AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files ending in .db).])
- if test "$LIB_DBM"; then
- ac_res="yes, $LIB_DBM"
- else
- ac_res=yes
- fi
-elif test "$lib_dbm" != no; then
- LIB_DBM="$lib_dbm"
- ac_ndbm=yes
- if test "$LIB_DBM"; then
- ac_res="yes, $LIB_DBM"
- else
- ac_res=yes
- fi
-else
- LIB_DBM=""
- ac_res=no
-fi
-test "$ac_ndbm" = yes && AC_DEFINE(NDBM, 1, [Define if you have NDBM (and not DBM)])dnl
-AC_SUBST(LIB_DBM)
-DBLIB="$LIB_DBM"
-AC_SUBST(DBLIB)
-AC_MSG_RESULT($ac_res)
-
-])
diff --git a/crypto/heimdal/cf/krb-irix.m4 b/crypto/heimdal/cf/krb-irix.m4
deleted file mode 100644
index cdde69c147b0..000000000000
--- a/crypto/heimdal/cf/krb-irix.m4
+++ /dev/null
@@ -1,12 +0,0 @@
-dnl
-dnl $Id: krb-irix.m4,v 1.2 2000/12/13 12:48:45 assar Exp $
-dnl
-
-dnl requires AC_CANONICAL_HOST
-AC_DEFUN(KRB_IRIX,[
-irix=no
-case "$host_os" in
-irix*) irix=yes ;;
-esac
-AM_CONDITIONAL(IRIX, test "$irix" != no)dnl
-])
diff --git a/crypto/heimdal/cf/shared-libs.m4 b/crypto/heimdal/cf/shared-libs.m4
deleted file mode 100644
index bddc1211abca..000000000000
--- a/crypto/heimdal/cf/shared-libs.m4
+++ /dev/null
@@ -1,192 +0,0 @@ -dnl -dnl $Id: shared-libs.m4,v 1.6 2000/11/17 02:59:27 assar Exp $ -dnl -dnl Shared library stuff has to be different everywhere -dnl - -AC_DEFUN(AC_SHARED_LIBS, [ - -dnl Check if we want to use shared libraries -AC_ARG_ENABLE(shared, -[ --enable-shared create shared libraries for Kerberos]) - -AC_SUBST(CFLAGS)dnl -AC_SUBST(LDFLAGS)dnl - -case ${enable_shared} in - yes ) enable_shared=yes;; - no ) enable_shared=no;; - * ) enable_shared=no;; -esac - -# NOTE: Building shared libraries may not work if you do not use gcc! -# -# OS $SHLIBEXT -# HP-UX sl -# Linux so -# NetBSD so -# FreeBSD so -# OSF so -# SunOS5 so -# SunOS4 so.0.5 -# Irix so -# -# LIBEXT is the extension we should build (.a or $SHLIBEXT) -LINK='$(CC)' -AC_SUBST(LINK) -lib_deps=yes -REAL_PICFLAGS="-fpic" -LDSHARED='$(CC) $(PICFLAGS) -shared' -LIBPREFIX=lib -build_symlink_command=@true -install_symlink_command=@true -install_symlink_command2=@true -REAL_SHLIBEXT=so -changequote({,})dnl -SHLIB_VERSION=`echo $VERSION | sed 's/\([0-9.]*\).*/\1/'` -SHLIB_SONAME=`echo $VERSION | sed 's/\([0-9]*\).*/\1/'` -changequote([,])dnl -case "${host}" in -*-*-hpux*) - REAL_SHLIBEXT=sl - REAL_LD_FLAGS='-Wl,+b$(libdir)' - if test -z "$GCC"; then - LDSHARED="ld -b" - REAL_PICFLAGS="+z" - fi - lib_deps=no - ;; -*-*-linux*) - LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}" - REAL_LD_FLAGS='-Wl,-rpath,$(libdir)' - REAL_SHLIBEXT=so.$SHLIB_VERSION - build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so' - install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so' - install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so' - ;; -changequote(,)dnl -*-*-freebsd[345]* | *-*-freebsdelf[345]*) -changequote([,])dnl - REAL_SHLIBEXT=so.$SHLIB_VERSION - REAL_LD_FLAGS='-Wl,-R$(libdir)' - 
build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so' - install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so' - install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so' - ;; -*-*-*bsd*) - REAL_SHLIBEXT=so.$SHLIB_VERSION - LDSHARED='ld -Bshareable' - REAL_LD_FLAGS='-Wl,-R$(libdir)' - ;; -*-*-osf*) - REAL_LD_FLAGS='-Wl,-rpath,$(libdir)' - REAL_PICFLAGS= - LDSHARED='ld -shared -expect_unresolved \*' - ;; -*-*-solaris2*) - LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}" - REAL_SHLIBEXT=so.$SHLIB_VERSION - build_symlink_command='$(LN_S) [$][@] $(LIBNAME).so' - install_symlink_command='$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so' - install_symlink_command2='$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so' - REAL_LD_FLAGS='-Wl,-R$(libdir)' - if test -z "$GCC"; then - LDSHARED='$(CC) -G -h$(LIBNAME).so.'"${SHLIB_SONAME}" - REAL_PICFLAGS="-Kpic" - fi - ;; -*-fujitsu-uxpv*) - REAL_LD_FLAGS='' # really: LD_RUN_PATH=$(libdir) cc -o ... 
- REAL_LINK='LD_RUN_PATH=$(libdir) $(CC)' - LDSHARED='$(CC) -G' - REAL_PICFLAGS="-Kpic" - lib_deps=no # fails in mysterious ways - ;; -*-*-sunos*) - REAL_SHLIBEXT=so.$SHLIB_VERSION - REAL_LD_FLAGS='-Wl,-L$(libdir)' - lib_deps=no - ;; -*-*-irix*) - libdir="${libdir}${abilibdirext}" - REAL_LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)" - LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)" - LDSHARED="\$(CC) -shared ${abi}" - REAL_PICFLAGS= - CFLAGS="${abi} ${CFLAGS}" - ;; -*-*-os2*) - LIBPREFIX= - EXECSUFFIX='.exe' - RANLIB=EMXOMF - LD_FLAGS=-Zcrtdll - REAL_SHLIBEXT=nobuild - ;; -*-*-cygwin32*) - EXECSUFFIX='.exe' - REAL_SHLIBEXT=nobuild - ;; -*) REAL_SHLIBEXT=nobuild - REAL_PICFLAGS= - ;; -esac - -if test "${enable_shared}" != "yes" ; then - PICFLAGS="" - SHLIBEXT="nobuild" - LIBEXT="a" - build_symlink_command=@true - install_symlink_command=@true - install_symlink_command2=@true -else - PICFLAGS="$REAL_PICFLAGS" - SHLIBEXT="$REAL_SHLIBEXT" - LIBEXT="$SHLIBEXT" - AC_MSG_CHECKING(whether to use -rpath) - case "$libdir" in - /lib | /usr/lib | /usr/local/lib) - AC_MSG_RESULT(no) - REAL_LD_FLAGS= - LD_FLAGS= - ;; - *) - LD_FLAGS="$REAL_LD_FLAGS" - test "$REAL_LINK" && LINK="$REAL_LINK" - AC_MSG_RESULT($LD_FLAGS) - ;; - esac -fi - -if test "$lib_deps" = yes; then - lib_deps_yes="" - lib_deps_no="# " -else - lib_deps_yes="# " - lib_deps_no="" -fi -AC_SUBST(lib_deps_yes) -AC_SUBST(lib_deps_no) - -# use supplied ld-flags, or none if `no' -if test "$with_ld_flags" = no; then - LD_FLAGS= -elif test -n "$with_ld_flags"; then - LD_FLAGS="$with_ld_flags" -fi - -AC_SUBST(REAL_PICFLAGS) dnl -AC_SUBST(REAL_SHLIBEXT) dnl -AC_SUBST(REAL_LD_FLAGS) dnl - -AC_SUBST(PICFLAGS) dnl -AC_SUBST(SHLIBEXT) dnl -AC_SUBST(LDSHARED) dnl -AC_SUBST(LD_FLAGS) dnl -AC_SUBST(LIBEXT) dnl -AC_SUBST(LIBPREFIX) dnl -AC_SUBST(EXECSUFFIX) dnl - -AC_SUBST(build_symlink_command)dnl -AC_SUBST(install_symlink_command)dnl -AC_SUBST(install_symlink_command2)dnl -]) 
diff --git a/crypto/heimdal/config.log b/crypto/heimdal/config.log deleted file mode 100644 index ee5052a9ca87..000000000000 --- a/crypto/heimdal/config.log +++ /dev/null 
@@ -1,8316 +0,0 @@ -This file contains any messages produced by compilers while -running configure, to aid debugging if configure makes a mistake. - -It was created by Heimdal configure 0.4f, which was -generated by GNU Autoconf 2.53. Invocation command line was - - $ ./configure --enable-shared - -## --------- ## -## Platform. ## -## --------- ## - -hostname = shade.nectar.cc -uname -m = i386 -uname -r = 5.0-CURRENT -uname -s = FreeBSD -uname -v = FreeBSD 5.0-CURRENT #30: Thu Aug 22 12:04:07 CDT 2002 nectar@shade.nectar.cc:/usr/obj/usr/src/sys/SHADE - -/usr/bin/uname -p = i386 -/bin/uname -X = unknown - -/bin/arch = unknown -/usr/bin/arch -k = unknown -/usr/convex/getsysinfo = unknown -hostinfo = unknown -/bin/machine = unknown -/usr/bin/oslevel = unknown -/bin/universe = unknown - -PATH: /usr/local/bin -PATH: /usr/local/sbin -PATH: /usr/X11R6/bin -PATH: /usr/X11R6/sbin -PATH: /usr/bin -PATH: /usr/sbin -PATH: /bin -PATH: /sbin -PATH: /usr/games -PATH: /home/nectar/bin - - -## ----------- ## -## Core tests. ## -## ----------- ## - -configure:1473: checking for gcc -configure:1489: found /usr/bin/gcc -configure:1499: result: gcc -configure:1743: checking for C compiler version -configure:1746: gcc --version &5 -gcc (GCC) 3.1 [FreeBSD] 20020509 (prerelease) -Copyright (C) 2002 Free Software Foundation, Inc. -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - -configure:1749: $? = 0 -configure:1751: gcc -v &5 -Using built-in specs. -Configured with: FreeBSD/i386 system compiler -Thread model: posix -gcc version 3.1 [FreeBSD] 20020509 (prerelease) -configure:1754: $? = 0 -configure:1756: gcc -V &5 -gcc: argument to `-V' is missing -configure:1759: $? = 1 -configure:1785: checking for C compiler default output -configure:1788: gcc conftest.c >&5 -configure:1791: $? 
= 0 -configure:1824: result: a.out -configure:1829: checking whether the C compiler works -configure:1835: ./a.out -configure:1838: $? = 0 -configure:1853: result: yes -configure:1860: checking whether we are cross compiling -configure:1862: result: no -configure:1865: checking for suffix of executables -configure:1867: gcc -o conftest conftest.c >&5 -configure:1870: $? = 0 -configure:1892: result: -configure:1898: checking for suffix of object files -configure:1922: gcc -c conftest.c >&5 -configure:1925: $? = 0 -configure:1944: result: o -configure:1948: checking whether we are using the GNU C compiler -configure:1975: gcc -c conftest.c >&5 -configure:1978: $? = 0 -configure:1981: test -s conftest.o -configure:1984: $? = 0 -configure:1996: result: yes -configure:2002: checking whether gcc accepts -g -configure:2026: gcc -c -g conftest.c >&5 -configure:2029: $? = 0 -configure:2032: test -s conftest.o -configure:2035: $? = 0 -configure:2045: result: yes -configure:2072: gcc -c -g -O2 conftest.c >&5 -conftest.c:2: syntax error before "me" -configure:2075: $? = 1 -configure: failed program was: -#ifndef __cplusplus - choke me -#endif -configure:2190: checking how to run the C preprocessor -configure:2216: gcc -E conftest.c -configure:2222: $? = 0 -configure:2249: gcc -E conftest.c -configure:2246:28: ac_nonexistent.h: No such file or directory -configure:2255: $? = 1 -configure: failed program was: -#line 2245 "configure" -#include "confdefs.h" -#include -configure:2292: result: gcc -E -configure:2307: gcc -E conftest.c -configure:2313: $? = 0 -configure:2340: gcc -E conftest.c -configure:2337:28: ac_nonexistent.h: No such file or directory -configure:2346: $? = 1 -configure: failed program was: -#line 2336 "configure" -#include "confdefs.h" -#include -configure:2386: checking for gcc option to accept ANSI C -configure:2449: gcc -c -g -O2 conftest.c >&5 -configure:2452: $? = 0 -configure:2455: test -s conftest.o -configure:2458: $? 
= 0 -configure:2475: result: none needed -configure:2522: checking for a BSD-compatible install -configure:2576: result: /usr/bin/install -c -configure:2587: checking whether build environment is sane -configure:2630: result: yes -configure:2663: checking for gawk -configure:2679: found /usr/bin/gawk -configure:2689: result: gawk -configure:2699: checking whether make sets ${MAKE} -configure:2719: result: yes -configure:2748: checking for style of include used by make -configure:2776: result: GNU -configure:2938: checking dependency style of gcc -configure:3000: result: none -configure:3018: checking build system type -configure:3036: result: i386-unknown-freebsd5.0 -configure:3044: checking host system type -configure:3058: result: i386-unknown-freebsd5.0 -configure:3082: checking for bison -configure:3098: found /usr/local/bin/bison -configure:3108: result: bison -y -configure:3123: checking for flex -configure:3139: found /usr/bin/flex -configure:3149: result: flex -configure:3162: checking for yywrap in -lfl -configure:3195: gcc -o conftest -g -O2 conftest.c -lfl >&5 -configure:3198: $? = 0 -configure:3201: test -s conftest -configure:3204: $? = 0 -configure:3215: result: yes -configure:3284: checking lex output file root -configure:3295: flex conftest.l -configure:3298: $? = 0 -configure:3310: result: lex.yy -configure:3315: checking whether yytext is a pointer -configure:3331: gcc -o conftest -g -O2 conftest.c -lfl >&5 -configure:3334: $? = 0 -configure:3337: test -s conftest -configure:3340: $? = 0 -configure:3352: result: yes -configure:3370: checking for gawk -configure:3396: result: gawk -configure:3406: checking for ln -s or something else -configure:3427: result: ln -s -configure:3603: checking for __attribute__ -configure:3638: gcc -c -g -O2 conftest.c >&5 -configure:3641: $? = 0 -configure:3644: test -s conftest.o -configure:3647: $? 
= 0 -configure:3665: result: yes -configure:3757: checking for ld used by GCC -configure:3820: result: /usr/libexec/elf/ld -configure:3829: checking if the linker (/usr/libexec/elf/ld) is GNU ld -GNU ld version 2.12.0 [FreeBSD] 2002-04-10 -configure:3841: result: yes -configure:3846: checking for /usr/libexec/elf/ld option to reload object files -configure:3853: result: -r -configure:3858: checking for BSD-compatible nm -configure:3894: result: /usr/bin/nm -B -configure:3897: checking whether ln -s works -configure:3901: result: yes -configure:3908: checking how to recognise dependant libraries -configure:4086: result: pass_all -configure:4096: checking command to parse /usr/bin/nm -B output -configure:4177: gcc -c -g -O2 conftest.c >&5 -configure:4180: $? = 0 -configure:4184: /usr/bin/nm -B conftest.o \| sed -n -e 's/^.*[ ]\([ABCDGISTW][ABCDGISTW]*\)[ ][ ]*\(\)\([_A-Za-z][_A-Za-z0-9]*\)$/\1 \2\3 \3/p' \> conftest.nm -configure:4187: $? = 0 -configure:4239: gcc -o conftest -g -O2 conftest.c conftstm.o >&5 -configure:4242: $? = 0 -configure:4286: result: ok -configure:4291: checking for ANSI C header files -configure:4305: gcc -E conftest.c -configure:4311: $? = 0 -configure:4398: gcc -o conftest -g -O2 conftest.c >&5 -configure:4401: $? = 0 -configure:4403: ./conftest -configure:4406: $? = 0 -configure:4420: result: yes -configure:4444: checking for sys/types.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4444: checking for sys/stat.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4444: checking for stdlib.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? 
= 0 -configure:4476: result: yes -configure:4444: checking for string.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4444: checking for memory.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4444: checking for strings.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4444: checking for inttypes.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4444: checking for stdint.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4444: checking for unistd.h -configure:4457: gcc -c -g -O2 conftest.c >&5 -configure:4460: $? = 0 -configure:4463: test -s conftest.o -configure:4466: $? = 0 -configure:4476: result: yes -configure:4502: checking dlfcn.h usability -configure:4511: gcc -c -g -O2 conftest.c >&5 -configure:4514: $? = 0 -configure:4517: test -s conftest.o -configure:4520: $? = 0 -configure:4529: result: yes -configure:4533: checking dlfcn.h presence -configure:4540: gcc -E conftest.c -configure:4546: $? 
= 0 -configure:4564: result: yes -configure:4582: checking for dlfcn.h -configure:4589: result: yes -configure:4786: checking for ranlib -configure:4802: found /usr/bin/ranlib -configure:4813: result: ranlib -configure:4866: checking for strip -configure:4882: found /usr/bin/strip -configure:4893: result: strip -configure:5104: checking for objdir -configure:5115: result: .libs -configure:5132: checking for gcc option to produce PIC -configure:5282: result: -fPIC -configure:5286: checking if gcc PIC flag -fPIC works -configure:5312: gcc -c -g -O2 -fPIC -DPIC conftest.c >&5 -configure:5315: $? = 0 -configure:5318: test -s conftest.o -configure:5321: $? = 0 -configure:5358: result: yes -configure:5374: checking if gcc static flag -static works -configure:5401: gcc -o conftest -g -O2 -static conftest.c >&5 -configure:5404: $? = 0 -configure:5407: test -s conftest -configure:5410: $? = 0 -configure:5425: result: yes -configure:5437: checking if gcc supports -c -o file.o -configure:5457: gcc -c -g -O2 -o out/conftest2.o conftest.c >&5 -configure:5481: result: yes -configure:5486: checking if gcc supports -c -o file.lo -configure:5516: gcc -c -g -O2 -c -o conftest.lo conftest.c >&5 -configure:5519: $? = 0 -configure:5522: test -s conftest.lo -configure:5525: $? = 0 -configure:5546: result: yes -configure:5577: checking if gcc supports -fno-rtti -fno-exceptions -configure:5602: gcc -c -g -O2 -fno-rtti -fno-exceptions -c conftest.c conftest.c >&5 -configure:5605: $? = 0 -configure:5608: test -s conftest.o -configure:5611: $? 
= 0 -configure:5627: result: yes -configure:5638: checking whether the linker (/usr/libexec/elf/ld) supports shared libraries -configure:6318: result: yes -configure:6323: checking how to hardcode library paths into programs -configure:6347: result: immediate -configure:6352: checking whether stripping libraries is possible -configure:6357: result: yes -configure:6368: checking dynamic linker characteristics -configure:6761: result: freebsd5.0 ld.so -configure:6766: checking if libtool supports shared libraries -configure:6768: result: yes -configure:6771: checking whether to build shared libraries -configure:6792: result: yes -configure:6795: checking whether to build static libraries -configure:6799: result: yes -configure:7461: checking whether -lc should be explicitly linked in -configure:7469: gcc -c -g -O2 conftest.c >&5 -configure:7472: $? = 0 -configure:7486: gcc -shared conftest.o -v -Wl,-soname -Wl,conftest -o conftest 2\>\&1 \| grep -lc \>/dev/null 2\>\&1 -configure:7489: $? = 1 -configure:7502: result: yes -configure:8123: checking db4/db.h usability -configure:8132: gcc -c -g -O2 conftest.c >&5 -configure:8161:20: db4/db.h: No such file or directory -configure:8135: $? = 1 -configure: failed program was: -#line 8126 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:8150: result: no -configure:8154: checking db4/db.h presence -configure:8161: gcc -E conftest.c -configure:8158:20: db4/db.h: No such file or directory -configure:8167: $? 
= 1 -configure: failed program was: -#line 8157 "configure" -#include "confdefs.h" -#include -configure:8185: result: no -configure:8203: checking for db4/db.h -configure:8210: result: no -configure:8123: checking db3/db.h usability -configure:8132: gcc -c -g -O2 conftest.c >&5 -configure:8161:20: db3/db.h: No such file or directory -configure:8135: $? = 1 -configure: failed program was: -#line 8126 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:8150: result: no -configure:8154: checking db3/db.h presence -configure:8161: gcc -E conftest.c -configure:8158:20: db3/db.h: No such file or directory -configure:8167: $? = 1 -configure: failed program was: -#line 8157 "configure" -#include "confdefs.h" -#include -configure:8185: result: no -configure:8203: checking for db3/db.h -configure:8210: result: no -configure:8123: checking db.h usability -configure:8132: gcc -c -g -O2 conftest.c >&5 -configure:8135: $? = 0 -configure:8138: test -s conftest.o -configure:8141: $? = 0 -configure:8150: result: yes -configure:8154: checking db.h presence -configure:8161: gcc -E conftest.c -configure:8167: $? = 0 -configure:8185: result: yes -configure:8203: checking for db.h -configure:8210: result: yes -configure:8123: checking db_185.h usability -configure:8132: gcc -c -g -O2 conftest.c >&5 -configure:8161:20: db_185.h: No such file or directory -configure:8135: $? 
= 1 -configure: failed program was: -#line 8126 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:8150: result: no -configure:8154: checking db_185.h presence -configure:8161: gcc -E conftest.c -configure:8158:20: db_185.h: No such file or directory -configure:8167: $? = 1 -configure: failed program was: -#line 8157 "configure" -#include "confdefs.h" -#include -configure:8185: result: no -configure:8203: checking for db_185.h -configure:8210: result: no -configure:8228: checking for db_create -configure:8273: gcc -o conftest -g -O2 conftest.c >&5 -/var/tmp//ccHtREmr.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:8266: undefined reference to `db_create' -configure:8276: $? = 1 -configure: failed program was: -#line 8246 "configure" -#include "confdefs.h" - - #include - #ifdef HAVE_DB4_DB_H - #include - #elif defined(HAVE_DB3_DB_H) - #include - #else - #include - #endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -db_create(NULL, NULL, 0) - ; - return 0; -} -configure:8273: gcc -o conftest -g -O2 conftest.c -ldb4 >&5 -/usr/libexec/elf/ld: cannot find -ldb4 -configure:8276: $? 
= 1 -configure: failed program was: -#line 8246 "configure" -#include "confdefs.h" - - #include - #ifdef HAVE_DB4_DB_H - #include - #elif defined(HAVE_DB3_DB_H) - #include - #else - #include - #endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -db_create(NULL, NULL, 0) - ; - return 0; -} -configure:8273: gcc -o conftest -g -O2 conftest.c -ldb3 >&5 -/usr/libexec/elf/ld: cannot find -ldb3 -configure:8276: $? = 1 -configure: failed program was: -#line 8246 "configure" -#include "confdefs.h" - - #include - #ifdef HAVE_DB4_DB_H - #include - #elif defined(HAVE_DB3_DB_H) - #include - #else - #include - #endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -db_create(NULL, NULL, 0) - ; - return 0; -} -configure:8273: gcc -o conftest -g -O2 conftest.c -ldb >&5 -/usr/libexec/elf/ld: cannot find -ldb -configure:8276: $? = 1 -configure: failed program was: -#line 8246 "configure" -#include "confdefs.h" - - #include - #ifdef HAVE_DB4_DB_H - #include - #elif defined(HAVE_DB3_DB_H) - #include - #else - #include - #endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -db_create(NULL, NULL, 0) - ; - return 0; -} -configure:8397: result: no -configure:8436: checking for dbopen -configure:8483: gcc -o conftest -g -O2 conftest.c >&5 -configure:8486: $? = 0 -configure:8489: test -s conftest -configure:8492: $? = 0 -configure:8601: result: yes -configure:8647: checking for dbm_firstkey -configure:8688: gcc -o conftest -g -O2 conftest.c >&5 -configure:8670: syntax error before '*' token -configure:8670: warning: data definition has no type or storage class -configure:8691: $? 
= 1 -configure: failed program was: -#line 8665 "configure" -#include "confdefs.h" - - #include - #define DB_DBM_HSEARCH 1 - #include - DBM *dbm; - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dbm_firstkey(NULL) - ; - return 0; -} -configure:8812: result: no -configure:8877: checking dbm.h usability -configure:8886: gcc -c -g -O2 conftest.c >&5 -configure:8915:17: dbm.h: No such file or directory -configure:8889: $? = 1 -configure: failed program was: -#line 8880 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:8904: result: no -configure:8908: checking dbm.h presence -configure:8915: gcc -E conftest.c -configure:8912:17: dbm.h: No such file or directory -configure:8921: $? = 1 -configure: failed program was: -#line 8911 "configure" -#include "confdefs.h" -#include -configure:8939: result: no -configure:8957: checking for dbm.h -configure:8964: result: no -configure:8877: checking ndbm.h usability -configure:8886: gcc -c -g -O2 conftest.c >&5 -configure:8889: $? = 0 -configure:8892: test -s conftest.o -configure:8895: $? = 0 -configure:8904: result: yes -configure:8908: checking ndbm.h presence -configure:8915: gcc -E conftest.c -configure:8921: $? = 0 -configure:8939: result: yes -configure:8957: checking for ndbm.h -configure:8964: result: yes -configure:8981: checking for dbm_firstkey -configure:9025: gcc -o conftest -g -O2 conftest.c >&5 -configure:9028: $? = 0 -configure:9031: test -s conftest -configure:9034: $? 
= 0 -configure:9143: result: yes -configure:9516: checking if ndbm is implemented with db -configure:9548: gcc -o conftest -g -O2 conftest.c >&5 -configure:9551: $? = 0 -configure:9553: ./conftest -configure:9556: $? = 0 -configure:9560: result: yes -configure:9617: checking for inline -configure:9634: gcc -c -g -O2 conftest.c >&5 -configure:9637: $? = 0 -configure:9640: test -s conftest.o -configure:9643: $? = 0 -configure:9654: result: inline -configure:9669: checking for an ANSI C-conforming const -configure:9739: gcc -c -g -O2 conftest.c >&5 -configure:9742: $? = 0 -configure:9745: test -s conftest.o -configure:9748: $? = 0 -configure:9758: result: yes -configure:9768: checking for size_t -configure:9795: gcc -c -g -O2 conftest.c >&5 -configure:9798: $? = 0 -configure:9801: test -s conftest.o -configure:9804: $? = 0 -configure:9814: result: yes -configure:9826: checking for pid_t -configure:9853: gcc -c -g -O2 conftest.c >&5 -configure:9856: $? = 0 -configure:9859: test -s conftest.o -configure:9862: $? = 0 -configure:9872: result: yes -configure:9884: checking for uid_t in sys/types.h -configure:9904: result: yes -configure:9920: checking return type of signal handlers -configure:9954: gcc -c -g -O2 conftest.c >&5 -configure:9957: $? = 0 -configure:9960: test -s conftest.o -configure:9963: $? = 0 -configure:9973: result: void -configure:9992: checking whether time.h and sys/time.h may both be included -configure:10020: gcc -c -g -O2 conftest.c >&5 -configure:10023: $? = 0 -configure:10026: test -s conftest.o -configure:10029: $? = 0 -configure:10039: result: yes -configure:10064: checking standards.h usability -configure:10073: gcc -c -g -O2 conftest.c >&5 -configure:10102:23: standards.h: No such file or directory -configure:10076: $? 
= 1 -configure: failed program was: -#line 10067 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10091: result: no -configure:10095: checking standards.h presence -configure:10102: gcc -E conftest.c -configure:10099:23: standards.h: No such file or directory -configure:10108: $? = 1 -configure: failed program was: -#line 10098 "configure" -#include "confdefs.h" -#include -configure:10126: result: no -configure:10144: checking for standards.h -configure:10151: result: no -configure:10168: checking for netinet/ip.h -configure:10183: gcc -E conftest.c -configure:10189: $? = 0 -configure:10208: result: yes -configure:10168: checking for netinet/tcp.h -configure:10183: gcc -E conftest.c -configure:10189: $? = 0 -configure:10208: result: yes -configure:10343: checking for getlogin -configure:10386: gcc -o conftest -g -O2 conftest.c >&5 -configure:10389: $? = 0 -configure:10392: test -s conftest -configure:10395: $? = 0 -configure:10405: result: yes -configure:10343: checking for setlogin -configure:10386: gcc -o conftest -g -O2 conftest.c >&5 -configure:10389: $? = 0 -configure:10392: test -s conftest -configure:10395: $? = 0 -configure:10405: result: yes -configure:10416: checking if getlogin is posix -configure:10429: result: no -configure:10441: checking if realloc if broken -configure:10465: gcc -o conftest -g -O2 conftest.c >&5 -configure:10468: $? = 0 -configure:10470: ./conftest -configure:10473: $? 
= 0 -configure:10487: result: no -configure:10541: checking for ssize_t -configure:10570: gcc -c -g -O2 conftest.c >&5 -configure:10573: $? = 0 -configure:10576: test -s conftest.o -configure:10579: $? = 0 -configure:10590: result: yes -configure:10665: checking for long long -configure:10694: gcc -c -g -O2 conftest.c >&5 -configure:10697: $? = 0 -configure:10700: test -s conftest.o -configure:10703: $? = 0 -configure:10714: result: yes -configure:10892: checking arpa/inet.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking arpa/inet.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for arpa/inet.h -configure:10979: result: yes -configure:10892: checking arpa/nameser.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking arpa/nameser.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for arpa/nameser.h -configure:10979: result: yes -configure:10892: checking config.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:20: config.h: No such file or directory -configure:10904: $? 
= 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking config.h presence -configure:10930: gcc -E conftest.c -configure:10927:20: config.h: No such file or directory -configure:10936: $? = 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for config.h -configure:10979: result: no -configure:10892: checking crypt.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:19: crypt.h: No such file or directory -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking crypt.h presence -configure:10930: gcc -E conftest.c -configure:10927:19: crypt.h: No such file or directory -configure:10936: $? 
= 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for crypt.h -configure:10979: result: no -configure:10892: checking dirent.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking dirent.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for dirent.h -configure:10979: result: yes -configure:10892: checking errno.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking errno.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for errno.h -configure:10979: result: yes -configure:10892: checking err.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking err.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for err.h -configure:10979: result: yes -configure:10892: checking fcntl.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking fcntl.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for fcntl.h -configure:10979: result: yes -configure:10892: checking grp.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? 
= 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking grp.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for grp.h -configure:10979: result: yes -configure:10892: checking ifaddrs.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking ifaddrs.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for ifaddrs.h -configure:10979: result: yes -configure:10892: checking net/if.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -In file included from configure:10930: -/usr/include/net/if.h:225: field `ifru_addr' has incomplete type -/usr/include/net/if.h:226: field `ifru_dstaddr' has incomplete type -/usr/include/net/if.h:227: field `ifru_broadaddr' has incomplete type -/usr/include/net/if.h:259: field `ifra_addr' has incomplete type -/usr/include/net/if.h:260: field `ifra_broadaddr' has incomplete type -/usr/include/net/if.h:261: field `ifra_mask' has incomplete type -/usr/include/net/if.h:262: confused by earlier errors, bailing out -configure:10904: $? 
= 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking net/if.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10965: WARNING: net/if.h: present but cannot be compiled -configure:10967: WARNING: net/if.h: check for missing prerequisite headers? -configure:10969: WARNING: net/if.h: proceeding with the preprocessor's result -configure:10972: checking for net/if.h -configure:10979: result: yes -configure:10892: checking netdb.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking netdb.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for netdb.h -configure:10979: result: yes -configure:10892: checking netinet/in.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking netinet/in.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? 
= 0 -configure:10954: result: yes -configure:10972: checking for netinet/in.h -configure:10979: result: yes -configure:10892: checking netinet/in6.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:25: netinet/in6.h: No such file or directory -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking netinet/in6.h presence -configure:10930: gcc -E conftest.c -configure:10927:25: netinet/in6.h: No such file or directory -configure:10936: $? = 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for netinet/in6.h -configure:10979: result: no -configure:10892: checking netinet/in_systm.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking netinet/in_systm.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for netinet/in_systm.h -configure:10979: result: yes -configure:10892: checking netinet6/in6.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -In file included from configure:10930: -/usr/include/netinet6/in6.h:69:2: #error "do not include netinet6/in6.h directly, include netinet/in.h. 
see RFC2553" -In file included from configure:10930: -/usr/include/netinet6/in6.h:151: syntax error before "sa_family_t" -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking netinet6/in6.h presence -configure:10930: gcc -E conftest.c -In file included from configure:10927: -/usr/include/netinet6/in6.h:69:2: #error "do not include netinet6/in6.h directly, include netinet/in.h. see RFC2553" -configure:10936: $? = 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for netinet6/in6.h -configure:10979: result: no -configure:10892: checking netinet6/in6_var.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -In file included from configure:10930: -/usr/include/netinet6/in6_var.h:94: field `ia_ifa' has incomplete type -/usr/include/netinet6/in6_var.h:97: field `ia_addr' has incomplete type -/usr/include/netinet6/in6_var.h:98: field `ia_net' has incomplete type -/usr/include/netinet6/in6_var.h:99: field `ia_dstaddr' has incomplete type -/usr/include/netinet6/in6_var.h:100: field `ia_prefixmask' has incomplete type -/usr/include/netinet6/in6_var.h:111: confused by earlier errors, bailing out -configure:10904: $? 
= 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking netinet6/in6_var.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10965: WARNING: netinet6/in6_var.h: present but cannot be compiled -configure:10967: WARNING: netinet6/in6_var.h: check for missing prerequisite headers? -configure:10969: WARNING: netinet6/in6_var.h: proceeding with the preprocessor's result -configure:10972: checking for netinet6/in6_var.h -configure:10979: result: yes -configure:10892: checking paths.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking paths.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for paths.h -configure:10979: result: yes -configure:10892: checking pwd.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking pwd.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? 
= 0 -configure:10954: result: yes -configure:10972: checking for pwd.h -configure:10979: result: yes -configure:10892: checking resolv.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -In file included from configure:10930: -/usr/include/resolv.h:104: field `nsaddr_list' has incomplete type -/usr/include/resolv.h:114: field `addr' has incomplete type -/usr/include/resolv.h:116: confused by earlier errors, bailing out -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking resolv.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10965: WARNING: resolv.h: present but cannot be compiled -configure:10967: WARNING: resolv.h: check for missing prerequisite headers? -configure:10969: WARNING: resolv.h: proceeding with the preprocessor's result -configure:10972: checking for resolv.h -configure:10979: result: yes -configure:10892: checking rpcsvc/ypclnt.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking rpcsvc/ypclnt.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? 
= 0 -configure:10954: result: yes -configure:10972: checking for rpcsvc/ypclnt.h -configure:10979: result: yes -configure:10892: checking shadow.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:20: shadow.h: No such file or directory -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking shadow.h presence -configure:10930: gcc -E conftest.c -configure:10927:20: shadow.h: No such file or directory -configure:10936: $? = 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for shadow.h -configure:10979: result: no -configure:10892: checking sys/bswap.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:23: sys/bswap.h: No such file or directory -configure:10904: $? 
= 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking sys/bswap.h presence -configure:10930: gcc -E conftest.c -configure:10927:23: sys/bswap.h: No such file or directory -configure:10936: $? = 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for sys/bswap.h -configure:10979: result: no -configure:10892: checking sys/ioctl.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/ioctl.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/ioctl.h -configure:10979: result: yes -configure:10892: checking sys/param.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/param.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? 
= 0 -configure:10954: result: yes -configure:10972: checking for sys/param.h -configure:10979: result: yes -configure:10892: checking sys/proc.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -In file included from /usr/include/sys/proc.h:58, - from configure:10930: -/usr/include/sys/ucred.h:81: `NGROUPS' undeclared here (not in a function) -/usr/include/sys/ucred.h:83: confused by earlier errors, bailing out -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking sys/proc.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10965: WARNING: sys/proc.h: present but cannot be compiled -configure:10967: WARNING: sys/proc.h: check for missing prerequisite headers? -configure:10969: WARNING: sys/proc.h: proceeding with the preprocessor's result -configure:10972: checking for sys/proc.h -configure:10979: result: yes -configure:10892: checking sys/resource.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/resource.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? 
= 0 -configure:10954: result: yes -configure:10972: checking for sys/resource.h -configure:10979: result: yes -configure:10892: checking sys/socket.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/socket.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/socket.h -configure:10979: result: yes -configure:10892: checking sys/sockio.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/sockio.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/sockio.h -configure:10979: result: yes -configure:10883: checking for sys/stat.h -configure:10888: result: yes -configure:10892: checking sys/sysctl.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/sysctl.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/sysctl.h -configure:10979: result: yes -configure:10892: checking sys/time.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/time.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? 
= 0 -configure:10954: result: yes -configure:10972: checking for sys/time.h -configure:10979: result: yes -configure:10892: checking sys/tty.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/tty.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/tty.h -configure:10979: result: yes -configure:10883: checking for sys/types.h -configure:10888: result: yes -configure:10892: checking sys/uio.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/uio.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/uio.h -configure:10979: result: yes -configure:10892: checking sys/utsname.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/utsname.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/utsname.h -configure:10979: result: yes -configure:10892: checking sys/wait.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking sys/wait.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for sys/wait.h -configure:10979: result: yes -configure:10892: checking syslog.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? 
= 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking syslog.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for syslog.h -configure:10979: result: yes -configure:10892: checking termios.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking termios.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for termios.h -configure:10979: result: yes -configure:10883: checking for unistd.h -configure:10888: result: yes -configure:10892: checking userconf.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:22: userconf.h: No such file or directory -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking userconf.h presence -configure:10930: gcc -E conftest.c -configure:10927:22: userconf.h: No such file or directory -configure:10936: $? 
= 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for userconf.h -configure:10979: result: no -configure:10892: checking usersec.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:21: usersec.h: No such file or directory -configure:10904: $? = 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking usersec.h presence -configure:10930: gcc -E conftest.c -configure:10927:21: usersec.h: No such file or directory -configure:10936: $? = 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for usersec.h -configure:10979: result: no -configure:10892: checking util.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10930:18: util.h: No such file or directory -configure:10904: $? 
= 1 -configure: failed program was: -#line 10895 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:10919: result: no -configure:10923: checking util.h presence -configure:10930: gcc -E conftest.c -configure:10927:18: util.h: No such file or directory -configure:10936: $? = 1 -configure: failed program was: -#line 10926 "configure" -#include "confdefs.h" -#include -configure:10954: result: no -configure:10972: checking for util.h -configure:10979: result: no -configure:10892: checking vis.h usability -configure:10901: gcc -c -g -O2 conftest.c >&5 -configure:10904: $? = 0 -configure:10907: test -s conftest.o -configure:10910: $? = 0 -configure:10919: result: yes -configure:10923: checking vis.h presence -configure:10930: gcc -E conftest.c -configure:10936: $? = 0 -configure:10954: result: yes -configure:10972: checking for vis.h -configure:10979: result: yes -configure:11041: checking for socket -configure:11077: gcc -o conftest -g -O2 conftest.c >&5 -configure:11080: $? = 0 -configure:11083: test -s conftest -configure:11086: $? = 0 -configure:11195: result: yes -configure:11229: checking for gethostbyname -configure:11265: gcc -o conftest -g -O2 conftest.c >&5 -configure:11268: $? = 0 -configure:11271: test -s conftest -configure:11274: $? = 0 -configure:11383: result: yes -configure:11417: checking for syslog -configure:11453: gcc -o conftest -g -O2 conftest.c >&5 -configure:11456: $? = 0 -configure:11459: test -s conftest -configure:11462: $? 
= 0 -configure:11571: result: yes -configure:11613: checking for IPv6 stack type -configure:11627:45: /usr/local/v6/include/sys/types.h: No such file or directory -configure:11740: result: kame -configure:11743: checking for IPv6 -configure:11791: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:11794: $? = 0 -configure:11797: test -s conftest -configure:11800: $? = 0 -configure:11810: result: yes -configure:11823: checking for in6addr_loopback -configure:11863: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:11866: $? = 0 -configure:11869: test -s conftest -configure:11872: $? = 0 -configure:11882: result: yes -configure:11898: checking for gethostbyname2 -configure:11934: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:11937: $? = 0 -configure:11940: test -s conftest -configure:11943: $? = 0 -configure:12052: result: yes -configure:12087: checking for res_search -configure:12137: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:12140: $? = 0 -configure:12143: test -s conftest -configure:12146: $? = 0 -configure:12255: result: yes -configure:12290: checking for dn_expand -configure:12340: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:12343: $? = 0 -configure:12346: test -s conftest -configure:12349: $? = 0 -configure:12458: result: yes -configure:12490: checking for _res -configure:12516: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:12519: $? = 0 -configure:12522: test -s conftest -configure:12525: $? = 0 -configure:12538: result: yes -configure:12547: checking if _res is properly declared -configure:12585: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:12568: conflicting types for `_res' -/usr/include/resolv.h:201: previous declaration of `_res' -configure:12588: $? 
= 1 -configure: failed program was: -#line 12554 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif -extern struct { int foo; } _res; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -_res.foo = 1; - ; - return 0; -} -configure:12609: result: yes -configure:12625: checking for working snprintf -configure:12648: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:12651: $? = 0 -configure:12653: ./conftest -configure:12656: $? = 0 -configure:12669: result: yes -configure:12682: checking if snprintf needs a prototype -configure:12709: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:12700: conflicting types for `snprintf' -/usr/include/stdio.h:261: previous declaration of `snprintf' -configure:12700: warning: extern declaration of `snprintf' doesn't match global one -configure:12712: $? = 1 -configure: failed program was: -#line 12688 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int snprintf (struct foo*); -snprintf(&xx); - - ; - return 0; -} -configure:12728: result: no -configure:12742: checking for working vsnprintf -configure:12776: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:12779: $? = 0 -configure:12781: ./conftest -configure:12784: $? 
= 0 -configure:12797: result: yes -configure:12810: checking if vsnprintf needs a prototype -configure:12837: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:12828: conflicting types for `vsnprintf' -/usr/include/stdio.h:263: previous declaration of `vsnprintf' -configure:12828: warning: extern declaration of `vsnprintf' doesn't match global one -configure:12840: $? = 1 -configure: failed program was: -#line 12816 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int vsnprintf (struct foo*); -vsnprintf(&xx); - - ; - return 0; -} -configure:12856: result: no -configure:12871: checking for working glob -configure:12907: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:12910: $? = 0 -configure:12913: test -s conftest -configure:12916: $? = 0 -configure:12926: result: yes -configure:12939: checking if glob needs a prototype -configure:12967: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:12958: conflicting types for `glob' -/usr/include/glob.h:99: previous declaration of `glob' -configure:12958: warning: extern declaration of `glob' doesn't match global one -configure:12970: $? = 1 -configure: failed program was: -#line 12945 "configure" -#include "confdefs.h" -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int glob (struct foo*); -glob(&xx); - - ; - return 0; -} -configure:12986: result: no -configure:13070: checking for asnprintf -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cc2TZ5om.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:13104: undefined reference to `asnprintf' -configure:13116: $? 
= 1 -configure: failed program was: -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char asnprintf (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char asnprintf (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_asnprintf) || defined (__stub___asnprintf) -choke me -#else -f = asnprintf; -#endif - - ; - return 0; -} -configure:13132: result: no -configure:13070: checking for asprintf -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for atexit -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for cgetent -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for getconfattr -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccN38noV.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:13104: undefined reference to `getconfattr' -configure:13116: $? 
= 1 -configure: failed program was: -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getconfattr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getconfattr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getconfattr) || defined (__stub___getconfattr) -choke me -#else -f = getconfattr; -#endif - - ; - return 0; -} -configure:13132: result: no -configure:13070: checking for getprogname -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for getrlimit -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for getspnam -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccuTNlTk.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:13104: undefined reference to `getspnam' -configure:13116: $? = 1 -configure: failed program was: -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getspnam (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getspnam (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getspnam) || defined (__stub___getspnam) -choke me -#else -f = getspnam; -#endif - - ; - return 0; -} -configure:13132: result: no -configure:13070: checking for initstate -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for issetugid -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for on_exit -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccDJIDL2.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:13104: undefined reference to `on_exit' -configure:13116: $? = 1 -configure: failed program was: -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char on_exit (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char on_exit (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_on_exit) || defined (__stub___on_exit) -choke me -#else -f = on_exit; -#endif - - ; - return 0; -} -configure:13132: result: no -configure:13070: checking for random -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for setprogname -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for setstate -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for strsvis -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cc79BzAP.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:13104: undefined reference to `strsvis' -configure:13116: $? = 1 -configure: failed program was: -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strsvis (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char strsvis (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strsvis) || defined (__stub___strsvis) -choke me -#else -f = strsvis; -#endif - - ; - return 0; -} -configure:13132: result: no -configure:13070: checking for strunvis -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for strvis -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for strvisx -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for svis -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cc44iOXX.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:13104: undefined reference to `svis' -configure:13116: $? = 1 -configure: failed program was: -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char svis (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char svis (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_svis) || defined (__stub___svis) -choke me -#else -f = svis; -#endif - - ; - return 0; -} -configure:13132: result: no -configure:13070: checking for sysconf -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for sysctl -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for uname -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for unvis -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for vasnprintf -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccwNpsOz.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:13104: undefined reference to `vasnprintf' -configure:13116: $? = 1 -configure: failed program was: -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char vasnprintf (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char vasnprintf (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_vasnprintf) || defined (__stub___vasnprintf) -choke me -#else -f = vasnprintf; -#endif - - ; - return 0; -} -configure:13132: result: no -configure:13070: checking for vasprintf -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13070: checking for vis -configure:13113: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13116: $? = 0 -configure:13119: test -s conftest -configure:13122: $? = 0 -configure:13132: result: yes -configure:13152: checking for getsockopt -configure:13193: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13196: $? = 0 -configure:13199: test -s conftest -configure:13202: $? = 0 -configure:13311: result: yes -configure:13340: checking for setsockopt -configure:13381: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13384: $? = 0 -configure:13387: test -s conftest -configure:13390: $? = 0 -configure:13499: result: yes -configure:13530: checking for hstrerror -configure:13568: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:13571: $? = 0 -configure:13574: test -s conftest -configure:13577: $? 
= 0 -configure:13686: result: yes -configure:13722: checking if hstrerror needs a prototype -configure:13752: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:13743: conflicting types for `hstrerror' -/usr/include/netdb.h:229: previous declaration of `hstrerror' -configure:13743: warning: extern declaration of `hstrerror' doesn't match global one -configure:13755: $? = 1 -configure: failed program was: -#line 13728 "configure" -#include "confdefs.h" - -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int hstrerror (struct foo*); -hstrerror(&xx); - - ; - return 0; -} -configure:13771: result: no -configure:13785: checking if asprintf needs a prototype -configure:13814: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:13805: conflicting types for `asprintf' -/usr/include/stdio.h:318: previous declaration of `asprintf' -configure:13805: warning: extern declaration of `asprintf' doesn't match global one -configure:13817: $? = 1 -configure: failed program was: -#line 13791 "configure" -#include "confdefs.h" - - #include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int asprintf (struct foo*); -asprintf(&xx); - - ; - return 0; -} -configure:13833: result: no -configure:13845: checking if vasprintf needs a prototype -configure:13874: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:13865: conflicting types for `vasprintf' -/usr/include/stdio.h:331: previous declaration of `vasprintf' -configure:13865: warning: extern declaration of `vasprintf' doesn't match global one -configure:13877: $? 
= 1 -configure: failed program was: -#line 13851 "configure" -#include "confdefs.h" - - #include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int vasprintf (struct foo*); -vasprintf(&xx); - - ; - return 0; -} -configure:13893: result: no -configure:13905: checking if asnprintf needs a prototype -configure:13934: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:13937: $? = 0 -configure:13940: test -s conftest.o -configure:13943: $? = 0 -configure:13953: result: yes -configure:13965: checking if vasnprintf needs a prototype -configure:13994: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:13997: $? = 0 -configure:14000: test -s conftest.o -configure:14003: $? = 0 -configure:14013: result: yes -configure:14028: checking for bswap16 -configure:14066: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccFKdMFM.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:14059: undefined reference to `bswap16' -configure:14069: $? = 1 -configure: failed program was: -#line 14046 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_BSWAP_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -bswap16(0) - ; - return 0; -} -configure:14190: result: no -configure:14214: checking for bswap32 -configure:14252: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccoPpl5z.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:14245: undefined reference to `bswap32' -configure:14255: $? 
= 1 -configure: failed program was: -#line 14232 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_BSWAP_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -bswap32(0) - ; - return 0; -} -configure:14376: result: no -configure:14400: checking for pidfile -configure:14438: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccyQOns0.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:14431: undefined reference to `pidfile' -configure:14441: $? = 1 -configure: failed program was: -#line 14418 "configure" -#include "confdefs.h" -#ifdef HAVE_UTIL_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -pidfile(0) - ; - return 0; -} -configure:14438: gcc -o conftest -DINET6 -g -O2 conftest.c -lutil >&5 -/var/tmp//ccs6tJX7.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:14431: undefined reference to `pidfile' -configure:14441: $? = 1 -configure: failed program was: -#line 14418 "configure" -#include "confdefs.h" -#ifdef HAVE_UTIL_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -pidfile(0) - ; - return 0; -} -configure:14562: result: no -configure:14587: checking for getaddrinfo -configure:14625: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:14628: $? = 0 -configure:14631: test -s conftest -configure:14634: $? = 0 -configure:14743: result: yes -configure:14782: checking for getnameinfo -configure:14820: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:14823: $? = 0 -configure:14826: test -s conftest -configure:14829: $? = 0 -configure:14938: result: yes -configure:14977: checking for freeaddrinfo -configure:15015: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:15018: $? 
= 0 -configure:15021: test -s conftest -configure:15024: $? = 0 -configure:15133: result: yes -configure:15172: checking for gai_strerror -configure:15210: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:15213: $? = 0 -configure:15216: test -s conftest -configure:15219: $? = 0 -configure:15328: result: yes -configure:15363: checking for chown -configure:15406: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:15409: $? = 0 -configure:15412: test -s conftest -configure:15415: $? = 0 -configure:15425: result: yes -configure:15436: checking for copyhostent -configure:15479: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccL6rDNd.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:15470: undefined reference to `copyhostent' -configure:15482: $? = 1 -configure: failed program was: -#line 15442 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char copyhostent (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char copyhostent (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_copyhostent) || defined (__stub___copyhostent) -choke me -#else -f = copyhostent; -#endif - - ; - return 0; -} -configure:15498: result: no -configure:15509: checking for daemon -configure:15552: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:15555: $? = 0 -configure:15558: test -s conftest -configure:15561: $? 
= 0 -configure:15571: result: yes -configure:15582: checking for ecalloc -configure:15625: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccbL9aKG.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:15616: undefined reference to `ecalloc' -configure:15628: $? = 1 -configure: failed program was: -#line 15588 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char ecalloc (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char ecalloc (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_ecalloc) || defined (__stub___ecalloc) -choke me -#else -f = ecalloc; -#endif - - ; - return 0; -} -configure:15644: result: no -configure:15655: checking for emalloc -configure:15698: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccuYlSdk.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:15689: undefined reference to `emalloc' -configure:15701: $? = 1 -configure: failed program was: -#line 15661 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char emalloc (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char emalloc (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_emalloc) || defined (__stub___emalloc) -choke me -#else -f = emalloc; -#endif - - ; - return 0; -} -configure:15717: result: no -configure:15728: checking for erealloc -configure:15771: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cchEY2y8.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:15762: undefined reference to `erealloc' -configure:15774: $? = 1 -configure: failed program was: -#line 15734 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char erealloc (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char erealloc (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_erealloc) || defined (__stub___erealloc) -choke me -#else -f = erealloc; -#endif - - ; - return 0; -} -configure:15790: result: no -configure:15801: checking for estrdup -configure:15844: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccKg2EqN.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:15835: undefined reference to `estrdup' -configure:15847: $? 
= 1 -configure: failed program was: -#line 15807 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char estrdup (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char estrdup (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_estrdup) || defined (__stub___estrdup) -choke me -#else -f = estrdup; -#endif - - ; - return 0; -} -configure:15863: result: no -configure:15874: checking for err -configure:15917: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:15920: $? = 0 -configure:15923: test -s conftest -configure:15926: $? = 0 -configure:15936: result: yes -configure:15947: checking for errx -configure:15990: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:15993: $? = 0 -configure:15996: test -s conftest -configure:15999: $? = 0 -configure:16009: result: yes -configure:16020: checking for fchown -configure:16063: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16066: $? = 0 -configure:16069: test -s conftest -configure:16072: $? = 0 -configure:16082: result: yes -configure:16093: checking for flock -configure:16136: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16139: $? = 0 -configure:16142: test -s conftest -configure:16145: $? = 0 -configure:16155: result: yes -configure:16166: checking for fnmatch -configure:16209: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16212: $? 
= 0 -configure:16215: test -s conftest -configure:16218: $? = 0 -configure:16228: result: yes -configure:16239: checking for freehostent -configure:16282: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16285: $? = 0 -configure:16288: test -s conftest -configure:16291: $? = 0 -configure:16301: result: yes -configure:16312: checking for getcwd -configure:16355: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16358: $? = 0 -configure:16361: test -s conftest -configure:16364: $? = 0 -configure:16374: result: yes -configure:16385: checking for getdtablesize -configure:16428: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16431: $? = 0 -configure:16434: test -s conftest -configure:16437: $? = 0 -configure:16447: result: yes -configure:16458: checking for getegid -configure:16501: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16504: $? = 0 -configure:16507: test -s conftest -configure:16510: $? = 0 -configure:16520: result: yes -configure:16531: checking for geteuid -configure:16574: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16577: $? = 0 -configure:16580: test -s conftest -configure:16583: $? = 0 -configure:16593: result: yes -configure:16604: checking for getgid -configure:16647: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16650: $? = 0 -configure:16653: test -s conftest -configure:16656: $? = 0 -configure:16666: result: yes -configure:16677: checking for gethostname -configure:16720: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16723: $? = 0 -configure:16726: test -s conftest -configure:16729: $? = 0 -configure:16739: result: yes -configure:16750: checking for getifaddrs -configure:16793: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16796: $? = 0 -configure:16799: test -s conftest -configure:16802: $? = 0 -configure:16812: result: yes -configure:16823: checking for getipnodebyaddr -configure:16866: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16869: $? 
= 0 -configure:16872: test -s conftest -configure:16875: $? = 0 -configure:16885: result: yes -configure:16896: checking for getipnodebyname -configure:16939: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:16942: $? = 0 -configure:16945: test -s conftest -configure:16948: $? = 0 -configure:16958: result: yes -configure:16969: checking for getopt -configure:17012: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17015: $? = 0 -configure:17018: test -s conftest -configure:17021: $? = 0 -configure:17031: result: yes -configure:17042: checking for gettimeofday -configure:17085: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17088: $? = 0 -configure:17091: test -s conftest -configure:17094: $? = 0 -configure:17104: result: yes -configure:17115: checking for getuid -configure:17158: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17161: $? = 0 -configure:17164: test -s conftest -configure:17167: $? = 0 -configure:17177: result: yes -configure:17188: checking for getusershell -configure:17231: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17234: $? = 0 -configure:17237: test -s conftest -configure:17240: $? = 0 -configure:17250: result: yes -configure:17261: checking for initgroups -configure:17304: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17307: $? = 0 -configure:17310: test -s conftest -configure:17313: $? = 0 -configure:17323: result: yes -configure:17334: checking for innetgr -configure:17377: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17380: $? = 0 -configure:17383: test -s conftest -configure:17386: $? = 0 -configure:17396: result: yes -configure:17407: checking for iruserok -configure:17450: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17453: $? = 0 -configure:17456: test -s conftest -configure:17459: $? = 0 -configure:17469: result: yes -configure:17480: checking for localtime_r -configure:17523: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17526: $? 
= 0 -configure:17529: test -s conftest -configure:17532: $? = 0 -configure:17542: result: yes -configure:17553: checking for lstat -configure:17596: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17599: $? = 0 -configure:17602: test -s conftest -configure:17605: $? = 0 -configure:17615: result: yes -configure:17626: checking for memmove -configure:17669: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17672: $? = 0 -configure:17675: test -s conftest -configure:17678: $? = 0 -configure:17688: result: yes -configure:17699: checking for mkstemp -configure:17742: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17745: $? = 0 -configure:17748: test -s conftest -configure:17751: $? = 0 -configure:17761: result: yes -configure:17772: checking for putenv -configure:17815: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17818: $? = 0 -configure:17821: test -s conftest -configure:17824: $? = 0 -configure:17834: result: yes -configure:17845: checking for rcmd -configure:17888: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17891: $? = 0 -configure:17894: test -s conftest -configure:17897: $? = 0 -configure:17907: result: yes -configure:17918: checking for readv -configure:17961: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:17964: $? = 0 -configure:17967: test -s conftest -configure:17970: $? = 0 -configure:17980: result: yes -configure:17991: checking for recvmsg -configure:18034: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18037: $? = 0 -configure:18040: test -s conftest -configure:18043: $? = 0 -configure:18053: result: yes -configure:18064: checking for sendmsg -configure:18107: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18110: $? = 0 -configure:18113: test -s conftest -configure:18116: $? = 0 -configure:18126: result: yes -configure:18137: checking for setegid -configure:18180: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18183: $? 
= 0 -configure:18186: test -s conftest -configure:18189: $? = 0 -configure:18199: result: yes -configure:18210: checking for setenv -configure:18253: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18256: $? = 0 -configure:18259: test -s conftest -configure:18262: $? = 0 -configure:18272: result: yes -configure:18283: checking for seteuid -configure:18326: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18329: $? = 0 -configure:18332: test -s conftest -configure:18335: $? = 0 -configure:18345: result: yes -configure:18356: checking for strcasecmp -configure:18399: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18402: $? = 0 -configure:18405: test -s conftest -configure:18408: $? = 0 -configure:18418: result: yes -configure:18429: checking for strdup -configure:18472: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18475: $? = 0 -configure:18478: test -s conftest -configure:18481: $? = 0 -configure:18491: result: yes -configure:18502: checking for strerror -configure:18545: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18548: $? = 0 -configure:18551: test -s conftest -configure:18554: $? = 0 -configure:18564: result: yes -configure:18575: checking for strftime -configure:18618: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18621: $? = 0 -configure:18624: test -s conftest -configure:18627: $? = 0 -configure:18637: result: yes -configure:18648: checking for strlcat -configure:18691: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18694: $? = 0 -configure:18697: test -s conftest -configure:18700: $? = 0 -configure:18710: result: yes -configure:18721: checking for strlcpy -configure:18764: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18767: $? = 0 -configure:18770: test -s conftest -configure:18773: $? 
= 0 -configure:18783: result: yes -configure:18794: checking for strlwr -configure:18837: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccBM87Cq.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:18828: undefined reference to `strlwr' -configure:18840: $? = 1 -configure: failed program was: -#line 18800 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strlwr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strlwr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strlwr) || defined (__stub___strlwr) -choke me -#else -f = strlwr; -#endif - - ; - return 0; -} -configure:18856: result: no -configure:18867: checking for strncasecmp -configure:18910: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:18913: $? = 0 -configure:18916: test -s conftest -configure:18919: $? = 0 -configure:18929: result: yes -configure:18940: checking for strndup -configure:18983: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccbddYKQ.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:18974: undefined reference to `strndup' -configure:18986: $? = 1 -configure: failed program was: -#line 18946 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strndup (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strndup (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strndup) || defined (__stub___strndup) -choke me -#else -f = strndup; -#endif - - ; - return 0; -} -configure:19002: result: no -configure:19013: checking for strnlen -configure:19056: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccRSFIIo.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:19047: undefined reference to `strnlen' -configure:19059: $? = 1 -configure: failed program was: -#line 19019 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strnlen (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strnlen (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_strnlen) || defined (__stub___strnlen) -choke me -#else -f = strnlen; -#endif - - ; - return 0; -} -configure:19075: result: no -configure:19086: checking for strptime -configure:19129: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19132: $? = 0 -configure:19135: test -s conftest -configure:19138: $? = 0 -configure:19148: result: yes -configure:19159: checking for strsep -configure:19202: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19205: $? = 0 -configure:19208: test -s conftest -configure:19211: $? = 0 -configure:19221: result: yes -configure:19232: checking for strsep_copy -configure:19275: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccoUfjlx.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:19266: undefined reference to `strsep_copy' -configure:19278: $? = 1 -configure: failed program was: -#line 19238 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strsep_copy (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strsep_copy (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strsep_copy) || defined (__stub___strsep_copy) -choke me -#else -f = strsep_copy; -#endif - - ; - return 0; -} -configure:19294: result: no -configure:19305: checking for strtok_r -configure:19348: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19351: $? 
= 0 -configure:19354: test -s conftest -configure:19357: $? = 0 -configure:19367: result: yes -configure:19378: checking for strupr -configure:19421: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccd3Onrk.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:19412: undefined reference to `strupr' -configure:19424: $? = 1 -configure: failed program was: -#line 19384 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strupr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strupr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strupr) || defined (__stub___strupr) -choke me -#else -f = strupr; -#endif - - ; - return 0; -} -configure:19440: result: no -configure:19451: checking for swab -configure:19494: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19497: $? = 0 -configure:19500: test -s conftest -configure:19503: $? = 0 -configure:19513: result: yes -configure:19524: checking for unsetenv -configure:19567: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19570: $? = 0 -configure:19573: test -s conftest -configure:19576: $? = 0 -configure:19586: result: yes -configure:19597: checking for verr -configure:19640: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19643: $? = 0 -configure:19646: test -s conftest -configure:19649: $? 
= 0 -configure:19659: result: yes -configure:19670: checking for verrx -configure:19713: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19716: $? = 0 -configure:19719: test -s conftest -configure:19722: $? = 0 -configure:19732: result: yes -configure:19743: checking for vsyslog -configure:19786: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19789: $? = 0 -configure:19792: test -s conftest -configure:19795: $? = 0 -configure:19805: result: yes -configure:19816: checking for vwarn -configure:19859: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19862: $? = 0 -configure:19865: test -s conftest -configure:19868: $? = 0 -configure:19878: result: yes -configure:19889: checking for vwarnx -configure:19932: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:19935: $? = 0 -configure:19938: test -s conftest -configure:19941: $? = 0 -configure:19951: result: yes -configure:19962: checking for warn -configure:20005: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:20008: $? = 0 -configure:20011: test -s conftest -configure:20014: $? = 0 -configure:20024: result: yes -configure:20035: checking for warnx -configure:20078: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:20081: $? = 0 -configure:20084: test -s conftest -configure:20087: $? = 0 -configure:20097: result: yes -configure:20108: checking for writev -configure:20151: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:20154: $? = 0 -configure:20157: test -s conftest -configure:20160: $? = 0 -configure:20170: result: yes -configure:20185: checking if strndup needs a prototype -configure:20212: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:20215: $? = 0 -configure:20218: test -s conftest.o -configure:20221: $? 
= 0 -configure:20231: result: yes -configure:20243: checking if strsep needs a prototype -configure:20270: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:20261: conflicting types for `strsep' -/usr/include/string.h:100: previous declaration of `strsep' -configure:20261: warning: extern declaration of `strsep' doesn't match global one -configure:20273: $? = 1 -configure: failed program was: -#line 20249 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strsep (struct foo*); -strsep(&xx); - - ; - return 0; -} -configure:20289: result: no -configure:20301: checking if strtok_r needs a prototype -configure:20328: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:20319: conflicting types for `strtok_r' -/usr/include/string.h:87: previous declaration of `strtok_r' -configure:20319: warning: extern declaration of `strtok_r' doesn't match global one -configure:20331: $? = 1 -configure: failed program was: -#line 20307 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strtok_r (struct foo*); -strtok_r(&xx); - - ; - return 0; -} -configure:20347: result: no -configure:20361: checking if strsvis needs a prototype -configure:20390: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:20393: $? = 0 -configure:20396: test -s conftest.o -configure:20399: $? 
= 0 -configure:20409: result: yes -configure:20421: checking if strunvis needs a prototype -configure:20450: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:20441: conflicting types for `strunvis' -/usr/include/vis.h:89: previous declaration of `strunvis' -configure:20441: warning: extern declaration of `strunvis' doesn't match global one -configure:20453: $? = 1 -configure: failed program was: -#line 20427 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strunvis (struct foo*); -strunvis(&xx); - - ; - return 0; -} -configure:20469: result: no -configure:20481: checking if strvis needs a prototype -configure:20510: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:20501: conflicting types for `strvis' -/usr/include/vis.h:87: previous declaration of `strvis' -configure:20501: warning: extern declaration of `strvis' doesn't match global one -configure:20513: $? = 1 -configure: failed program was: -#line 20487 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strvis (struct foo*); -strvis(&xx); - - ; - return 0; -} -configure:20529: result: no -configure:20541: checking if strvisx needs a prototype -configure:20570: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:20561: conflicting types for `strvisx' -/usr/include/vis.h:88: previous declaration of `strvisx' -configure:20561: warning: extern declaration of `strvisx' doesn't match global one -configure:20573: $? 
= 1 -configure: failed program was: -#line 20547 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strvisx (struct foo*); -strvisx(&xx); - - ; - return 0; -} -configure:20589: result: no -configure:20601: checking if svis needs a prototype -configure:20630: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:20633: $? = 0 -configure:20636: test -s conftest.o -configure:20639: $? = 0 -configure:20649: result: yes -configure:20661: checking if unvis needs a prototype -configure:20690: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:20681: conflicting types for `unvis' -/usr/include/vis.h:91: previous declaration of `unvis' -configure:20681: warning: extern declaration of `unvis' doesn't match global one -configure:20693: $? = 1 -configure: failed program was: -#line 20667 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int unvis (struct foo*); -unvis(&xx); - - ; - return 0; -} -configure:20709: result: no -configure:20721: checking if vis needs a prototype -configure:20750: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:20741: conflicting types for `vis' -/usr/include/vis.h:86: previous declaration of `vis' -configure:20741: warning: extern declaration of `vis' doesn't match global one -configure:20753: $? 
= 1 -configure: failed program was: -#line 20727 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int vis (struct foo*); -vis(&xx); - - ; - return 0; -} -configure:20769: result: no -configure:20781: checking for inet_aton -configure:20825: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:20828: $? = 0 -configure:20831: test -s conftest -configure:20834: $? = 0 -configure:20851: result: yes -configure:20859: checking for inet_ntop -configure:20903: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:20906: $? = 0 -configure:20909: test -s conftest -configure:20912: $? = 0 -configure:20929: result: yes -configure:20937: checking for inet_pton -configure:20981: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:20984: $? = 0 -configure:20987: test -s conftest -configure:20990: $? = 0 -configure:21007: result: yes -configure:21017: checking for sa_len in struct sockaddr -configure:21043: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:21046: $? = 0 -configure:21049: test -s conftest.o -configure:21052: $? = 0 -configure:21062: result: yes -configure:21078: checking if getnameinfo is broken -configure:21115: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:21118: $? = 0 -configure:21120: ./conftest -configure:21123: $? = 0 -configure:21136: result: no -configure:21145: checking if getaddrinfo handles numeric services -configure:21178: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:21181: $? = 0 -configure:21183: ./conftest -configure:21186: $? 
= 0 -configure:21199: result: yes -configure:21209: checking if setenv needs a prototype -configure:21236: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:21227: conflicting types for `setenv' -/usr/include/stdlib.h:134: previous declaration of `setenv' -configure:21227: warning: extern declaration of `setenv' doesn't match global one -configure:21239: $? = 1 -configure: failed program was: -#line 21215 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int setenv (struct foo*); -setenv(&xx); - - ; - return 0; -} -configure:21255: result: no -configure:21268: checking if unsetenv needs a prototype -configure:21295: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:21286: conflicting types for `unsetenv' -/usr/include/stdlib.h:211: previous declaration of `unsetenv' -configure:21286: warning: extern declaration of `unsetenv' doesn't match global one -configure:21298: $? = 1 -configure: failed program was: -#line 21274 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int unsetenv (struct foo*); -unsetenv(&xx); - - ; - return 0; -} -configure:21314: result: no -configure:21327: checking if gethostname needs a prototype -configure:21354: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:21345: conflicting types for `gethostname' -/usr/include/unistd.h:167: previous declaration of `gethostname' -configure:21345: warning: extern declaration of `gethostname' doesn't match global one -configure:21357: $? 
= 1 -configure: failed program was: -#line 21333 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int gethostname (struct foo*); -gethostname(&xx); - - ; - return 0; -} -configure:21373: result: no -configure:21386: checking if mkstemp needs a prototype -configure:21413: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:21404: conflicting types for `mkstemp' -/usr/include/unistd.h:257: previous declaration of `mkstemp' -configure:21404: warning: extern declaration of `mkstemp' doesn't match global one -configure:21416: $? = 1 -configure: failed program was: -#line 21392 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int mkstemp (struct foo*); -mkstemp(&xx); - - ; - return 0; -} -configure:21432: result: no -configure:21445: checking if getusershell needs a prototype -configure:21472: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:21463: conflicting types for `getusershell' -/usr/include/unistd.h:250: previous declaration of `getusershell' -configure:21463: warning: extern declaration of `getusershell' doesn't match global one -configure:21475: $? 
= 1 -configure: failed program was: -#line 21451 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int getusershell (struct foo*); -getusershell(&xx); - - ; - return 0; -} -configure:21491: result: no -configure:21505: checking if inet_aton needs a prototype -configure:21544: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:21535: conflicting types for `__inet_aton' -/usr/include/arpa/inet.h:149: previous declaration of `__inet_aton' -configure:21535: warning: extern declaration of `__inet_aton' doesn't match global one -configure:21547: $? = 1 -configure: failed program was: -#line 21511 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int inet_aton (struct foo*); -inet_aton(&xx); - - ; - return 0; -} -configure:21563: result: no -configure:21578: checking for crypt -configure:21614: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccbTCVBM.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:21607: undefined reference to `crypt' -configure:21617: $? = 1 -configure: failed program was: -#line 21596 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -crypt() - ; - return 0; -} -configure:21614: gcc -o conftest -DINET6 -g -O2 conftest.c -lcrypt >&5 -configure:21617: $? = 0 -configure:21620: test -s conftest -configure:21623: $? 
= 0 -configure:21752: result: yes, in -lcrypt -configure:21762: checking if gethostbyname is compatible with system prototype -configure:21802: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:21805: $? = 0 -configure:21808: test -s conftest.o -configure:21811: $? = 0 -configure:21821: result: yes -configure:21835: checking if gethostbyaddr is compatible with system prototype -configure:21875: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:21868: conflicting types for `gethostbyaddr' -/usr/include/netdb.h:212: previous declaration of `gethostbyaddr' -configure:21868: warning: extern declaration of `gethostbyaddr' doesn't match global one -configure:21878: $? = 1 -configure: failed program was: -#line 21841 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct hostent *gethostbyaddr(const void *, size_t, int); - ; - return 0; -} -configure:21894: result: no -configure:21908: checking if getservbyname is compatible with system prototype -configure:21948: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:21951: $? = 0 -configure:21954: test -s conftest.o -configure:21957: $? = 0 -configure:21967: result: yes -configure:21981: checking if getsockname is compatible with system prototype -configure:22012: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22015: $? = 0 -configure:22018: test -s conftest.o -configure:22021: $? = 0 -configure:22031: result: yes -configure:22045: checking if openlog is compatible with system prototype -configure:22073: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22076: $? = 0 -configure:22079: test -s conftest.o -configure:22082: $? 
= 0 -configure:22092: result: yes -configure:22107: checking if crypt needs a prototype -configure:22141: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:22132: conflicting types for `crypt' -/usr/include/unistd.h:198: previous declaration of `crypt' -configure:22132: warning: extern declaration of `crypt' doesn't match global one -configure:22144: $? = 1 -configure: failed program was: -#line 22113 "configure" -#include "confdefs.h" - -#ifdef HAVE_CRYPT_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int crypt (struct foo*); -crypt(&xx); - - ; - return 0; -} -configure:22160: result: no -configure:22174: checking for h_errno -configure:22200: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:22203: $? = 0 -configure:22206: test -s conftest -configure:22209: $? = 0 -configure:22222: result: yes -configure:22231: checking if h_errno is properly declared -configure:22262: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22245: conflicting types for `h_errno' -/usr/include/netdb.h:85: previous declaration of `h_errno' -configure:22265: $? = 1 -configure: failed program was: -#line 22238 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -extern struct { int foo; } h_errno; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -h_errno.foo = 1; - ; - return 0; -} -configure:22286: result: yes -configure:22301: checking for h_errlist -configure:22327: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:22330: $? = 0 -configure:22333: test -s conftest -configure:22336: $? 
= 0 -configure:22349: result: yes -configure:22358: checking if h_errlist is properly declared -configure:22386: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22389: $? = 0 -configure:22392: test -s conftest.o -configure:22395: $? = 0 -configure:22410: result: no -configure:22425: checking for h_nerr -configure:22451: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:22454: $? = 0 -configure:22457: test -s conftest -configure:22460: $? = 0 -configure:22473: result: yes -configure:22482: checking if h_nerr is properly declared -configure:22510: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22513: $? = 0 -configure:22516: test -s conftest.o -configure:22519: $? = 0 -configure:22534: result: no -configure:22549: checking for __progname -configure:22575: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:22578: $? = 0 -configure:22581: test -s conftest -configure:22584: $? = 0 -configure:22597: result: yes -configure:22606: checking if __progname is properly declared -configure:22634: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22637: $? = 0 -configure:22640: test -s conftest.o -configure:22643: $? = 0 -configure:22658: result: no -configure:22673: checking if optarg is properly declared -configure:22702: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22685: conflicting types for `optarg' -/usr/include/unistd.h:142: previous declaration of `optarg' -configure:22705: $? 
= 1 -configure: failed program was: -#line 22680 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } optarg; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -optarg.foo = 1; - ; - return 0; -} -configure:22726: result: yes -configure:22738: checking if optind is properly declared -configure:22767: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22750: conflicting types for `optind' -/usr/include/unistd.h:143: previous declaration of `optind' -configure:22770: $? = 1 -configure: failed program was: -#line 22745 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } optind; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -optind.foo = 1; - ; - return 0; -} -configure:22791: result: yes -configure:22803: checking if opterr is properly declared -configure:22832: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22815: conflicting types for `opterr' -/usr/include/unistd.h:143: previous declaration of `opterr' -configure:22835: $? = 1 -configure: failed program was: -#line 22810 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } opterr; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -opterr.foo = 1; - ; - return 0; -} -configure:22856: result: yes -configure:22868: checking if optopt is properly declared -configure:22897: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22880: conflicting types for `optopt' -/usr/include/unistd.h:143: previous declaration of `optopt' -configure:22900: $? 
= 1 -configure: failed program was: -#line 22875 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } optopt; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -optopt.foo = 1; - ; - return 0; -} -configure:22921: result: yes -configure:22934: checking if environ is properly declared -configure:22960: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:22963: $? = 0 -configure:22966: test -s conftest.o -configure:22969: $? = 0 -configure:22984: result: no -configure:22999: checking for tm_gmtoff in struct tm -configure:23024: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23027: $? = 0 -configure:23030: test -s conftest.o -configure:23033: $? = 0 -configure:23043: result: yes -configure:23058: checking for tm_zone in struct tm -configure:23083: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23086: $? = 0 -configure:23089: test -s conftest.o -configure:23092: $? = 0 -configure:23102: result: yes -configure:23118: checking for timezone -configure:23144: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:23147: $? = 0 -configure:23150: test -s conftest -configure:23153: $? = 0 -configure:23166: result: yes -configure:23175: checking if timezone is properly declared -configure:23201: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23184: `timezone' redeclared as different kind of symbol -/usr/include/time.h:152: previous declaration of `timezone' -configure:23204: $? 
= 1 -configure: failed program was: -#line 23182 "configure" -#include "confdefs.h" -#include -extern struct { int foo; } timezone; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -timezone.foo = 1; - ; - return 0; -} -configure:23225: result: yes -configure:23239: checking for altzone -configure:23265: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cc8HiFRW.o: In function `foo': -/usr/home/nectar/devel/heimdal/configure:23248: undefined reference to `altzone' -configure:23268: $? = 1 -configure: failed program was: -#line 23246 "configure" -#include "confdefs.h" -extern int altzone; -int foo() { return altzone; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -configure:23287: result: no -configure:23363: checking for sa_family_t -configure:23392: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23395: $? = 0 -configure:23398: test -s conftest.o -configure:23401: $? = 0 -configure:23412: result: yes -configure:23485: checking for socklen_t -configure:23514: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23517: $? = 0 -configure:23520: test -s conftest.o -configure:23523: $? = 0 -configure:23534: result: yes -configure:23607: checking for struct sockaddr -configure:23636: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23639: $? = 0 -configure:23642: test -s conftest.o -configure:23645: $? = 0 -configure:23656: result: yes -configure:23729: checking for struct sockaddr_storage -configure:23758: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23761: $? = 0 -configure:23764: test -s conftest.o -configure:23767: $? = 0 -configure:23778: result: yes -configure:23851: checking for struct addrinfo -configure:23880: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:23883: $? = 0 -configure:23886: test -s conftest.o -configure:23889: $? 
= 0 -configure:23900: result: yes -configure:23973: checking for struct ifaddrs -configure:24002: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:24005: $? = 0 -configure:24008: test -s conftest.o -configure:24011: $? = 0 -configure:24022: result: yes -configure:24095: checking for struct iovec -configure:24127: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:24130: $? = 0 -configure:24133: test -s conftest.o -configure:24136: $? = 0 -configure:24147: result: yes -configure:24220: checking for struct msghdr -configure:24252: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:24255: $? = 0 -configure:24258: test -s conftest.o -configure:24261: $? = 0 -configure:24272: result: yes -configure:24345: checking for struct winsize -configure:24375: result: yes -configure:24413: checking for struct spwd -configure:24441: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:24434: storage size of `foo' isn't known -configure:24444: $? = 1 -configure: failed program was: -#line 24420 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_SHADOW_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct spwd foo; - ; - return 0; -} -configure:24462: result: no -configure:24520: checking for openldap -configure:24725: result: no -configure:24777: checking for krb4 -configure:24979: result: no -configure:26329: checking whether to enable OTP library -configure:26331: result: yes -configure:26364: checking for nroff -configure:26382: found /usr/bin/nroff -configure:26394: result: /usr/bin/nroff -configure:26403: checking for groff -configure:26421: found /usr/bin/groff -configure:26433: result: /usr/bin/groff -configure:26440: checking how to format man pages -configure:26477: result: /usr/bin/nroff -mdoc $< > $@ -configure:26493: checking extension of pre-formatted manual pages -configure:26505: result: number -configure:26555: checking for readline 
-configure:26760: result: no -configure:26808: checking for hesiod -configure:27010: result: no -configure:27029: checking whether byte order is known at compile time -configure:27058: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:27061: $? = 0 -configure:27064: test -s conftest.o -configure:27067: $? = 0 -configure:27077: result: yes -configure:27079: checking whether byte ordering is bigendian -configure:27110: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure: In function `main': -configure:27102: syntax error before "big" -configure:27113: $? = 1 -configure: failed program was: -#line 27087 "configure" -#include "confdefs.h" - -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -#if BYTE_ORDER != BIG_ENDIAN - not big endian -#endif - ; - return 0; -} -configure:27172: result: no -configure:27189: checking for inline -configure:27226: result: inline -configure:27246: checking for dlopen -configure:27282: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:27285: $? = 0 -configure:27288: test -s conftest -configure:27291: $? = 0 -configure:27400: result: yes -configure:27746: checking for X -configure:27962: result: libraries /usr/X11R6/lib, headers /usr/X11R6/include -configure:28120: gcc -o conftest -DINET6 -g -O2 conftest.c -L/usr/X11R6/lib -lX11 >&5 -configure:28123: $? = 0 -configure:28126: test -s conftest -configure:28129: $? = 0 -configure:28267: checking for gethostbyname -configure:28329: result: yes -configure:28462: checking for connect -configure:28505: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:28508: $? = 0 -configure:28511: test -s conftest -configure:28514: $? = 0 -configure:28524: result: yes -configure:28590: checking for remove -configure:28633: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:28636: $? = 0 -configure:28639: test -s conftest -configure:28642: $? 
= 0 -configure:28652: result: yes -configure:28718: checking for shmat -configure:28761: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:28764: $? = 0 -configure:28767: test -s conftest -configure:28770: $? = 0 -configure:28780: result: yes -configure:28855: checking for IceConnectionNumber in -lICE -configure:28888: gcc -o conftest -DINET6 -g -O2 -L/usr/X11R6/lib conftest.c -lICE >&5 -configure:28891: $? = 0 -configure:28894: test -s conftest -configure:28897: $? = 0 -configure:28908: result: yes -configure:28922: checking for special X linker flags -configure:28971: gcc -o conftest -DINET6 -g -O2 -I/usr/X11R6/include conftest.c -L/usr/X11R6/lib -lSM -lICE -lX11 >&5 -configure:28974: $? = 0 -configure:28976: ./conftest -configure:28979: $? = 0 -configure:28996: result: -configure:29025: checking for XauWriteAuth -configure:29061: gcc -o conftest -I/usr/X11R6/include -DINET6 -g -O2 -L/usr/X11R6/lib conftest.c -lSM -lICE >&5 -/var/tmp//ccT4SKor.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:29054: undefined reference to `XauWriteAuth' -configure:29064: $? = 1 -configure: failed program was: -#line 29043 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -XauWriteAuth() - ; - return 0; -} -configure:29061: gcc -o conftest -I/usr/X11R6/include -DINET6 -g -O2 -L/usr/X11R6/lib conftest.c -lX11 -lSM -lICE >&5 -/var/tmp//ccPjS8Km.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:29054: undefined reference to `XauWriteAuth' -configure:29064: $? 
= 1 -configure: failed program was: -#line 29043 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -XauWriteAuth() - ; - return 0; -} -configure:29061: gcc -o conftest -I/usr/X11R6/include -DINET6 -g -O2 -L/usr/X11R6/lib conftest.c -lXau -lSM -lICE >&5 -configure:29064: $? = 0 -configure:29067: test -s conftest -configure:29070: $? = 0 -configure:29199: result: yes, in -lXau -configure:29210: checking for XauReadAuth -configure:29246: gcc -o conftest -I/usr/X11R6/include -DINET6 -g -O2 -L/usr/X11R6/lib conftest.c -lXau -lSM -lICE >&5 -configure:29249: $? = 0 -configure:29252: test -s conftest -configure:29255: $? = 0 -configure:29364: result: yes -configure:29394: checking for XauFileName -configure:29430: gcc -o conftest -I/usr/X11R6/include -DINET6 -g -O2 -L/usr/X11R6/lib conftest.c -lXau -lSM -lICE >&5 -configure:29433: $? = 0 -configure:29436: test -s conftest -configure:29439: $? = 0 -configure:29548: result: yes -configure:29623: checking for an ANSI C-conforming const -configure:29712: result: yes -configure:29722: checking for off_t -configure:29749: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:29752: $? = 0 -configure:29755: test -s conftest.o -configure:29758: $? = 0 -configure:29768: result: yes -configure:29780: checking for mode_t -configure:29804: result: yes -configure:29814: checking for sig_atomic_t -configure:29838: result: yes -configure:29851: checking for long long -configure:29900: result: yes -configure:29970: checking whether time.h and sys/time.h may both be included -configure:30017: result: yes -configure:30027: checking whether struct tm is in sys/time.h or time.h -configure:30053: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30056: $? = 0 -configure:30059: test -s conftest.o -configure:30062: $? 
= 0 -configure:30072: result: time.h -configure:30083: checking for ANSI C header files -configure:30212: result: yes -configure:30333: checking arpa/ftp.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking arpa/ftp.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for arpa/ftp.h -configure:30420: result: yes -configure:30333: checking arpa/telnet.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking arpa/telnet.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for arpa/telnet.h -configure:30420: result: yes -configure:30333: checking bind/bitypes.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:26: bind/bitypes.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking bind/bitypes.h presence -configure:30371: gcc -E conftest.c -configure:30368:26: bind/bitypes.h: No such file or directory -configure:30377: $? 
= 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for bind/bitypes.h -configure:30420: result: no -configure:30333: checking bsdsetjmp.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:23: bsdsetjmp.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking bsdsetjmp.h presence -configure:30371: gcc -E conftest.c -configure:30368:23: bsdsetjmp.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for bsdsetjmp.h -configure:30420: result: no -configure:30333: checking curses.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking curses.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for curses.h -configure:30420: result: yes -configure:30324: checking for dlfcn.h -configure:30329: result: yes -configure:30333: checking fnmatch.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? 
= 0 -configure:30360: result: yes -configure:30364: checking fnmatch.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for fnmatch.h -configure:30420: result: yes -configure:30324: checking for inttypes.h -configure:30329: result: yes -configure:30333: checking io.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:16: io.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking io.h presence -configure:30371: gcc -E conftest.c -configure:30368:16: io.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for io.h -configure:30420: result: no -configure:30333: checking libutil.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking libutil.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for libutil.h -configure:30420: result: yes -configure:30333: checking limits.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? 
= 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking limits.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for limits.h -configure:30420: result: yes -configure:30333: checking maillock.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:22: maillock.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking maillock.h presence -configure:30371: gcc -E conftest.c -configure:30368:22: maillock.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for maillock.h -configure:30420: result: no -configure:30333: checking netinet/in6_machtypes.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:35: netinet/in6_machtypes.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking netinet/in6_machtypes.h presence -configure:30371: gcc -E conftest.c -configure:30368:35: netinet/in6_machtypes.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for netinet/in6_machtypes.h -configure:30420: result: no -configure:30333: checking netinfo/ni.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:24: netinfo/ni.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking netinfo/ni.h presence -configure:30371: gcc -E conftest.c -configure:30368:24: netinfo/ni.h: No such file or directory -configure:30377: $? 
= 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for netinfo/ni.h -configure:30420: result: no -configure:30333: checking pthread.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking pthread.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for pthread.h -configure:30420: result: yes -configure:30333: checking pty.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:17: pty.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking pty.h presence -configure:30371: gcc -E conftest.c -configure:30368:17: pty.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for pty.h -configure:30420: result: no -configure:30333: checking sac.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:17: sac.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sac.h presence -configure:30371: gcc -E conftest.c -configure:30368:17: sac.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sac.h -configure:30420: result: no -configure:30333: checking security/pam_modules.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking security/pam_modules.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for security/pam_modules.h -configure:30420: result: yes -configure:30333: checking sgtty.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking sgtty.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sgtty.h -configure:30420: result: yes -configure:30333: checking siad.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:18: siad.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking siad.h presence -configure:30371: gcc -E conftest.c -configure:30368:18: siad.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for siad.h -configure:30420: result: no -configure:30333: checking signal.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking signal.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for signal.h -configure:30420: result: yes -configure:30333: checking stropts.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:21: stropts.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking stropts.h presence -configure:30371: gcc -E conftest.c -configure:30368:21: stropts.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for stropts.h -configure:30420: result: no -configure:30333: checking sys/bitypes.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:25: sys/bitypes.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/bitypes.h presence -configure:30371: gcc -E conftest.c -configure:30368:25: sys/bitypes.h: No such file or directory -configure:30377: $? 
= 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/bitypes.h -configure:30420: result: no -configure:30333: checking sys/category.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:26: sys/category.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/category.h presence -configure:30371: gcc -E conftest.c -configure:30368:26: sys/category.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/category.h -configure:30420: result: no -configure:30333: checking sys/file.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking sys/file.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/file.h -configure:30420: result: yes -configure:30333: checking sys/filio.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? 
= 0 -configure:30360: result: yes -configure:30364: checking sys/filio.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/filio.h -configure:30420: result: yes -configure:30333: checking sys/ioccom.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking sys/ioccom.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/ioccom.h -configure:30420: result: yes -configure:30333: checking sys/pty.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:21: sys/pty.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/pty.h presence -configure:30371: gcc -E conftest.c -configure:30368:21: sys/pty.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/pty.h -configure:30420: result: no -configure:30333: checking sys/ptyio.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:23: sys/ptyio.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/ptyio.h presence -configure:30371: gcc -E conftest.c -configure:30368:23: sys/ptyio.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/ptyio.h -configure:30420: result: no -configure:30333: checking sys/ptyvar.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:24: sys/ptyvar.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/ptyvar.h presence -configure:30371: gcc -E conftest.c -configure:30368:24: sys/ptyvar.h: No such file or directory -configure:30377: $? 
= 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/ptyvar.h -configure:30420: result: no -configure:30333: checking sys/select.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking sys/select.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/select.h -configure:30420: result: yes -configure:30333: checking sys/str_tty.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:25: sys/str_tty.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/str_tty.h presence -configure:30371: gcc -E conftest.c -configure:30368:25: sys/str_tty.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/str_tty.h -configure:30420: result: no -configure:30333: checking sys/stream.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:24: sys/stream.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/stream.h presence -configure:30371: gcc -E conftest.c -configure:30368:24: sys/stream.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/stream.h -configure:30420: result: no -configure:30333: checking sys/stropts.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:25: sys/stropts.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/stropts.h presence -configure:30371: gcc -E conftest.c -configure:30368:25: sys/stropts.h: No such file or directory -configure:30377: $? 
= 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/stropts.h -configure:30420: result: no -configure:30333: checking sys/strtty.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:24: sys/strtty.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/strtty.h presence -configure:30371: gcc -E conftest.c -configure:30368:24: sys/strtty.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/strtty.h -configure:30420: result: no -configure:30333: checking sys/syscall.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking sys/syscall.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/syscall.h -configure:30420: result: yes -configure:30333: checking sys/termio.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:24: sys/termio.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking sys/termio.h presence -configure:30371: gcc -E conftest.c -configure:30368:24: sys/termio.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for sys/termio.h -configure:30420: result: no -configure:30333: checking sys/timeb.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking sys/timeb.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/timeb.h -configure:30420: result: yes -configure:30333: checking sys/times.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking sys/times.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/times.h -configure:30420: result: yes -configure:30333: checking sys/un.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? 
= 0 -configure:30360: result: yes -configure:30364: checking sys/un.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for sys/un.h -configure:30420: result: yes -configure:30333: checking term.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking term.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for term.h -configure:30420: result: yes -configure:30333: checking termcap.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking termcap.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for termcap.h -configure:30420: result: yes -configure:30333: checking termio.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:20: termio.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking termio.h presence -configure:30371: gcc -E conftest.c -configure:30368:20: termio.h: No such file or directory -configure:30377: $? 
= 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for termio.h -configure:30420: result: no -configure:30333: checking time.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking time.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for time.h -configure:30420: result: yes -configure:30333: checking tmpdir.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:20: tmpdir.h: No such file or directory -configure:30345: $? = 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking tmpdir.h presence -configure:30371: gcc -E conftest.c -configure:30368:20: tmpdir.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for tmpdir.h -configure:30420: result: no -configure:30333: checking udb.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:17: udb.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking udb.h presence -configure:30371: gcc -E conftest.c -configure:30368:17: udb.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for udb.h -configure:30420: result: no -configure:30333: checking utmp.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30345: $? = 0 -configure:30348: test -s conftest.o -configure:30351: $? = 0 -configure:30360: result: yes -configure:30364: checking utmp.h presence -configure:30371: gcc -E conftest.c -configure:30377: $? = 0 -configure:30395: result: yes -configure:30413: checking for utmp.h -configure:30420: result: yes -configure:30333: checking utmpx.h usability -configure:30342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:30371:19: utmpx.h: No such file or directory -configure:30345: $? 
= 1 -configure: failed program was: -#line 30336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:30360: result: no -configure:30364: checking utmpx.h presence -configure:30371: gcc -E conftest.c -configure:30368:19: utmpx.h: No such file or directory -configure:30377: $? = 1 -configure: failed program was: -#line 30367 "configure" -#include "confdefs.h" -#include -configure:30395: result: no -configure:30413: checking for utmpx.h -configure:30420: result: no -configure:30452: checking for logwtmp -configure:30488: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cc8xptXg.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:30481: undefined reference to `logwtmp' -configure:30491: $? = 1 -configure: failed program was: -#line 30470 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -logwtmp() - ; - return 0; -} -configure:30488: gcc -o conftest -DINET6 -g -O2 conftest.c -lutil >&5 -configure:30491: $? = 0 -configure:30494: test -s conftest -configure:30497: $? = 0 -configure:30626: result: yes, in -lutil -configure:30635: checking for logout -configure:30671: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cc52FYG1.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:30664: undefined reference to `logout' -configure:30674: $? 
= 1 -configure: failed program was: -#line 30653 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -logout() - ; - return 0; -} -configure:30671: gcc -o conftest -DINET6 -g -O2 conftest.c -lutil >&5 -configure:30674: $? = 0 -configure:30677: test -s conftest -configure:30680: $? = 0 -configure:30809: result: yes, in -lutil -configure:30818: checking for openpty -configure:30854: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccTqE1Vi.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:30847: undefined reference to `openpty' -configure:30857: $? = 1 -configure: failed program was: -#line 30836 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -openpty() - ; - return 0; -} -configure:30854: gcc -o conftest -DINET6 -g -O2 conftest.c -lutil >&5 -configure:30857: $? = 0 -configure:30860: test -s conftest -configure:30863: $? = 0 -configure:30992: result: yes, in -lutil -configure:31001: checking for tgetent -configure:31037: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccgIQ9hT.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31030: undefined reference to `tgetent' -configure:31040: $? = 1 -configure: failed program was: -#line 31019 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -tgetent() - ; - return 0; -} -configure:31037: gcc -o conftest -DINET6 -g -O2 conftest.c -ltermcap >&5 -configure:31040: $? = 0 -configure:31043: test -s conftest -configure:31046: $? 
= 0 -configure:31175: result: yes, in -ltermcap -configure:31243: checking for _getpty -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cclw3hBa.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `_getpty' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char _getpty (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char _getpty (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub__getpty) || defined (__stub____getpty) -choke me -#else -f = _getpty; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for _scrsize -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccjKOSKA.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `_scrsize' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char _scrsize (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char _scrsize (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub__scrsize) || defined (__stub____scrsize) -choke me -#else -f = _scrsize; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for fcntl -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for grantpt -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccGn22zp.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `grantpt' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char grantpt (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char grantpt (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_grantpt) || defined (__stub___grantpt) -choke me -#else -f = grantpt; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for mktime -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for ptsname -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccdMhxaz.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `ptsname' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char ptsname (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char ptsname (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_ptsname) || defined (__stub___ptsname) -choke me -#else -f = ptsname; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for rand -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for revoke -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? 
= 0 -configure:31305: result: yes -configure:31243: checking for select -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setitimer -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setpcred -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cconK9tz.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `setpcred' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char setpcred (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char setpcred (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_setpcred) || defined (__stub___setpcred) -choke me -#else -f = setpcred; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for setpgid -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? 
= 0 -configure:31305: result: yes -configure:31243: checking for setproctitle -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setregid -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setresgid -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setresuid -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setreuid -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setsid -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for setutent -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccpb7Gmc.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `setutent' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char setutent (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char setutent (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_setutent) || defined (__stub___setutent) -choke me -#else -f = setutent; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for sigaction -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for strstr -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31259: warning: conflicting types for built-in function `strstr' -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for timegm -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for ttyname -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for ttyslot -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for umask -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? 
= 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31243: checking for unlockpt -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccOVHBbb.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `unlockpt' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char unlockpt (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char unlockpt (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_unlockpt) || defined (__stub___unlockpt) -choke me -#else -f = unlockpt; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for vhangup -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccf5smP1.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31277: undefined reference to `vhangup' -configure:31289: $? = 1 -configure: failed program was: -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char vhangup (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char vhangup (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_vhangup) || defined (__stub___vhangup) -choke me -#else -f = vhangup; -#endif - - ; - return 0; -} -configure:31305: result: no -configure:31243: checking for yp_get_default_domain -configure:31286: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:31289: $? = 0 -configure:31292: test -s conftest -configure:31295: $? = 0 -configure:31305: result: yes -configure:31333: checking capability.h usability -configure:31342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:31371:24: capability.h: No such file or directory -configure:31345: $? = 1 -configure: failed program was: -#line 31336 "configure" -#include "confdefs.h" -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -configure:31360: result: no -configure:31364: checking capability.h presence -configure:31371: gcc -E conftest.c -configure:31368:24: capability.h: No such file or directory -configure:31377: $? 
= 1 -configure: failed program was: -#line 31367 "configure" -#include "confdefs.h" -#include -configure:31395: result: no -configure:31413: checking for capability.h -configure:31420: result: no -configure:31333: checking sys/capability.h usability -configure:31342: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:31345: $? = 0 -configure:31348: test -s conftest.o -configure:31351: $? = 0 -configure:31360: result: yes -configure:31364: checking sys/capability.h presence -configure:31371: gcc -E conftest.c -configure:31377: $? = 0 -configure:31395: result: yes -configure:31413: checking for sys/capability.h -configure:31420: result: yes -configure:31439: checking for sgi_getcapabilitybyname -configure:31482: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//cckTepo7.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31473: undefined reference to `sgi_getcapabilitybyname' -configure:31485: $? = 1 -configure: failed program was: -#line 31445 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char sgi_getcapabilitybyname (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char sgi_getcapabilitybyname (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_sgi_getcapabilitybyname) || defined (__stub___sgi_getcapabilitybyname) -choke me -#else -f = sgi_getcapabilitybyname; -#endif - - ; - return 0; -} -configure:31501: result: no -configure:31439: checking for cap_set_proc -configure:31482: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccrfpAWB.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31473: undefined reference to `cap_set_proc' -configure:31485: $? = 1 -configure: failed program was: -#line 31445 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char cap_set_proc (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char cap_set_proc (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_cap_set_proc) || defined (__stub___cap_set_proc) -choke me -#else -f = cap_set_proc; -#endif - - ; - return 0; -} -configure:31501: result: no -configure:31517: checking for getpwnam_r -configure:31553: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccSvSC7w.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31546: undefined reference to `getpwnam_r' -configure:31556: $? 
= 1 -configure: failed program was: -#line 31535 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -getpwnam_r() - ; - return 0; -} -configure:31553: gcc -o conftest -DINET6 -g -O2 conftest.c -lc_r >&5 -/var/tmp//ccyJuZdq.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31546: undefined reference to `getpwnam_r' -configure:31556: $? = 1 -configure: failed program was: -#line 31535 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -getpwnam_r() - ; - return 0; -} -configure:31677: result: no -configure:31760: checking for getudbnam -configure:31803: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccb4fP3j.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31794: undefined reference to `getudbnam' -configure:31806: $? = 1 -configure: failed program was: -#line 31766 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getudbnam (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getudbnam (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_getudbnam) || defined (__stub___getudbnam) -choke me -#else -f = getudbnam; -#endif - - ; - return 0; -} -configure:31822: result: no -configure:31760: checking for setlim -configure:31803: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccXMI3QU.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:31794: undefined reference to `setlim' -configure:31806: $? = 1 -configure: failed program was: -#line 31766 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char setlim (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char setlim (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_setlim) || defined (__stub___setlim) -choke me -#else -f = setlim; -#endif - - ; - return 0; -} -configure:31822: result: no -configure:31837: checking for ut_addr in struct utmp -configure:31862: gcc -c -DINET6 -g -O2 conftest.c >&5 -In file included from configure:31845: -/usr/include/utmp.h:54: syntax error before "int32_t" -/usr/include/utmp.h:63: syntax error before "int32_t" -configure: In function `main': -configure:31855: structure has no member named `ut_addr' -configure:31865: $? 
= 1 -configure: failed program was: -#line 31844 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_addr; - ; - return 0; -} -configure:31881: result: no -configure:31896: checking for ut_host in struct utmp -configure:31921: gcc -c -DINET6 -g -O2 conftest.c >&5 -In file included from configure:31904: -/usr/include/utmp.h:54: syntax error before "int32_t" -/usr/include/utmp.h:63: syntax error before "int32_t" -configure:31924: $? = 1 -configure: failed program was: -#line 31903 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_host; - ; - return 0; -} -configure:31940: result: no -configure:31955: checking for ut_id in struct utmp -configure:31980: gcc -c -DINET6 -g -O2 conftest.c >&5 -In file included from configure:31963: -/usr/include/utmp.h:54: syntax error before "int32_t" -/usr/include/utmp.h:63: syntax error before "int32_t" -configure: In function `main': -configure:31973: structure has no member named `ut_id' -configure:31983: $? = 1 -configure: failed program was: -#line 31962 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_id; - ; - return 0; -} -configure:31999: result: no -configure:32014: checking for ut_pid in struct utmp -configure:32039: gcc -c -DINET6 -g -O2 conftest.c >&5 -In file included from configure:32022: -/usr/include/utmp.h:54: syntax error before "int32_t" -/usr/include/utmp.h:63: syntax error before "int32_t" -configure: In function `main': -configure:32032: structure has no member named `ut_pid' -configure:32042: $? 
= 1 -configure: failed program was: -#line 32021 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_pid; - ; - return 0; -} -configure:32058: result: no -configure:32073: checking for ut_type in struct utmp -configure:32098: gcc -c -DINET6 -g -O2 conftest.c >&5 -In file included from configure:32081: -/usr/include/utmp.h:54: syntax error before "int32_t" -/usr/include/utmp.h:63: syntax error before "int32_t" -configure: In function `main': -configure:32091: structure has no member named `ut_type' -configure:32101: $? = 1 -configure: failed program was: -#line 32080 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_type; - ; - return 0; -} -configure:32117: result: no -configure:32132: checking for ut_user in struct utmp -configure:32157: gcc -c -DINET6 -g -O2 conftest.c >&5 -In file included from configure:32140: -/usr/include/utmp.h:54: syntax error before "int32_t" -/usr/include/utmp.h:63: syntax error before "int32_t" -configure: In function `main': -configure:32150: structure has no member named `ut_user' -configure:32160: $? = 1 -configure: failed program was: -#line 32139 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_user; - ; - return 0; -} -configure:32176: result: no -configure:32191: checking for ut_exit in struct utmpx -configure:32216: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32199:19: utmpx.h: No such file or directory -configure: In function `main': -configure:32209: storage size of `x' isn't known -configure:32219: $? 
= 1 -configure: failed program was: -#line 32198 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmpx x; x.ut_exit; - ; - return 0; -} -configure:32235: result: no -configure:32250: checking for ut_syslen in struct utmpx -configure:32275: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32258:19: utmpx.h: No such file or directory -configure: In function `main': -configure:32268: storage size of `x' isn't known -configure:32278: $? = 1 -configure: failed program was: -#line 32257 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmpx x; x.ut_syslen; - ; - return 0; -} -configure:32294: result: no -configure:32308: checking for int8_t -configure:32352: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32355: $? = 0 -configure:32358: test -s conftest.o -configure:32361: $? = 0 -configure:32371: result: yes -configure:32381: checking for int16_t -configure:32425: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32428: $? = 0 -configure:32431: test -s conftest.o -configure:32434: $? = 0 -configure:32444: result: yes -configure:32454: checking for int32_t -configure:32498: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32501: $? = 0 -configure:32504: test -s conftest.o -configure:32507: $? = 0 -configure:32517: result: yes -configure:32527: checking for int64_t -configure:32571: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32574: $? = 0 -configure:32577: test -s conftest.o -configure:32580: $? = 0 -configure:32590: result: yes -configure:32600: checking for u_int8_t -configure:32644: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32647: $? = 0 -configure:32650: test -s conftest.o -configure:32653: $? 
= 0 -configure:32663: result: yes -configure:32673: checking for u_int16_t -configure:32717: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32720: $? = 0 -configure:32723: test -s conftest.o -configure:32726: $? = 0 -configure:32736: result: yes -configure:32746: checking for u_int32_t -configure:32790: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32793: $? = 0 -configure:32796: test -s conftest.o -configure:32799: $? = 0 -configure:32809: result: yes -configure:32819: checking for u_int64_t -configure:32863: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32866: $? = 0 -configure:32869: test -s conftest.o -configure:32872: $? = 0 -configure:32882: result: yes -configure:32892: checking for uint8_t -configure:32936: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:32939: $? = 0 -configure:32942: test -s conftest.o -configure:32945: $? = 0 -configure:32955: result: yes -configure:32965: checking for uint16_t -configure:33009: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:33012: $? = 0 -configure:33015: test -s conftest.o -configure:33018: $? = 0 -configure:33028: result: yes -configure:33038: checking for uint32_t -configure:33082: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:33085: $? = 0 -configure:33088: test -s conftest.o -configure:33091: $? = 0 -configure:33101: result: yes -configure:33111: checking for uint64_t -configure:33155: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:33158: $? = 0 -configure:33161: test -s conftest.o -configure:33164: $? = 0 -configure:33174: result: yes -configure:33238: checking for crypto library -configure:33297: gcc -o conftest -DINET6 -g -O2 conftest.c -lcrypto >&5 -configure:33300: $? = 0 -configure:33303: test -s conftest -configure:33306: $? 
= 0 -configure:33310: result: libcrypto -configure:33618: checking for el_init -configure:33654: gcc -o conftest -DINET6 -g -O2 conftest.c -ltermcap >&5 -/var/tmp//cc0a06cs.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:33647: undefined reference to `el_init' -configure:33657: $? = 1 -configure: failed program was: -#line 33636 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -el_init() - ; - return 0; -} -configure:33654: gcc -o conftest -DINET6 -g -O2 conftest.c -ledit -ltermcap >&5 -configure:33657: $? = 0 -configure:33660: test -s conftest -configure:33663: $? = 0 -configure:33792: result: yes, in -ledit -configure:33799: checking for four argument el_init -configure:33825: gcc -c -DINET6 -g -O2 conftest.c >&5 -configure:33828: $? = 0 -configure:33831: test -s conftest.o -configure:33834: $? = 0 -configure:33844: result: yes -configure:33922: checking for getmsg -configure:33965: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -/var/tmp//ccNHXtL8.o: In function `main': -/usr/home/nectar/devel/heimdal/configure:33956: undefined reference to `getmsg' -configure:33968: $? = 1 -configure: failed program was: -#line 33928 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getmsg (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getmsg (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. 
Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getmsg) || defined (__stub___getmsg) -choke me -#else -f = getmsg; -#endif - - ; - return 0; -} -configure:33984: result: no -configure:34061: checking for compile_et -configure:34077: found /usr/bin/compile_et -configure:34087: result: compile_et -configure:34098: checking whether compile_et has the features we need -configure:34130: gcc -o conftest -DINET6 -g -O2 conftest.c >&5 -configure:34133: $? = 0 -configure:34135: ./conftest -configure:34138: $? = 0 -configure:34151: result: yes -configure:34159: checking for com_err -configure:34183: gcc -o conftest -DINET6 -g -O2 conftest.c -lcom_err >&5 -configure:34186: $? = 0 -configure:34189: test -s conftest -configure:34192: $? = 0 -configure:34201: result: yes -configure:34213: Using the already-installed com_err -configure:34232: checking which authentication modules should be built -configure:34256: result: -configure:34593: creating ./config.status - -## ---------------------- ## -## Running config.status. ## -## ---------------------- ## - -This file was extended by Heimdal config.status 0.4f, which was -generated by GNU Autoconf 2.53. 
Invocation command line was - - CONFIG_FILES = - CONFIG_HEADERS = - CONFIG_LINKS = - CONFIG_COMMANDS = - $ ./config.status - -on shade.nectar.cc - -config.status:35438: creating Makefile -config.status:35438: creating include/Makefile -config.status:35438: creating include/kadm5/Makefile -config.status:35438: creating lib/Makefile -config.status:35438: creating lib/45/Makefile -config.status:35438: creating lib/auth/Makefile -config.status:35438: creating lib/auth/afskauthlib/Makefile -config.status:35438: creating lib/auth/pam/Makefile -config.status:35438: creating lib/auth/sia/Makefile -config.status:35438: creating lib/asn1/Makefile -config.status:35438: creating lib/com_err/Makefile -config.status:35438: creating lib/des/Makefile -config.status:35474: error: cannot find input file: lib/des/Makefile.in - -## ---------------- ## -## Cache variables. ## -## ---------------- ## - -ac_cv_type_u_int8_t=yes -ac_cv_header_sys_pty_h=no -ac_cv_var_optarg_declaration=yes -ac_cv_func_unsetenv_noproto=no -ac_cv_func_strtok_r_noproto=no -ac_cv_func_gethostname=yes -ac_cv_func_strunvis=yes -ac_cv_func_asprintf=yes -ac_cv_func_glob_noproto=no -ac_cv_type_size_t=yes -am_cv_CC_dependencies_compiler_type=none -ac_cv_func_sgi_getcapabilitybyname=no -ac_cv_header_libutil_h=yes -ac_cv_var_optind_declaration=yes -ac_cv_func_warnx=yes -ac_cv_func_seteuid=yes -ac_cv_func_getcwd=yes -ac_cv_func_vasprintf=yes -ac_cv_var__res=yes -ac_cv_header_netinet_in_h=yes -ac_cv_header_crypt_h=no -ac_cv_lib_fl_yywrap=yes -ac_cv_type_struct_utmp_ut_type=no -ac_cv_type_struct_utmp_ut_addr=no -ac_cv_func_getudbnam=no -ac_cv_header_sys_times_h=yes -ac_cv_var_h_errlist=yes -ac_cv_funclib_crypt=-lcrypt -ac_cv_func_vwarnx=yes -ac_cv_func_getconfattr=no -ac_cv_header_util_h=no -ac_cv_header_grp_h=yes -ac_cv_header_err_h=yes -ac_cv_func_select=yes -ac_cv_lib_crypt=yes -ac_cv_func_crypt=yes -ac_cv_func_initgroups=yes -ac_cv_func_getusershell=yes -ac_cv_header_netdb_h=yes -ac_cv_header_netinet_ip_h=yes 
-ac_cv_header_stdlib_h=yes -lt_cv_file_magic_cmd='$MAGIC_CMD' -ac_cv_lib_util=yes -ac_cv_header_stropts_h=no -ac_cv_funclib_XauFileName=yes -ac_cv_funclib_XauWriteAuth=-lXau -ac_cv_funclib_dlopen=yes -ac_cv_var___progname_declaration=no -ac_cv_func_strncasecmp=yes -ac_cv_func_memmove=yes -ac_cv_func_err=yes -ac_cv_funclib_bswap32=no -ac_cv_func_random=yes -ac_cv_func_on_exit=no -ac_cv_header_sys_tty_h=yes -ac_cv_header_sys_time_h=yes -ac_cv_header_pwd_h=yes -ac_cv_want_pam_krb4=no -ac_cv_func_cap_set_proc=no -ac_cv_func_XauFileName=yes -ac_cv_func_XauWriteAuth=yes -ac_cv_func_dlopen=yes -ac_cv_type_struct_sockaddr_sa_len=yes -ac_cv_func_verr=yes -ac_cv_func_recvmsg=yes -ac_cv_func_innetgr=yes -ac_cv_func_getuid=yes -ac_cv_func_getdtablesize=yes -ac_cv_func_bswap32=no -ac_cv_func_strsvis=no -ac_cv___attribute__=yes -ac_cv_prog_cc_g=yes -ac_cv_env_LDFLAGS_set= -ac_cv_type_u_int32_t=yes -ac_cv_func_timegm=yes -ac_cv_func_ptsname=no -ac_cv_header_sys_category_h=no -ac_cv_header_io_h=no -ac_cv_funclib_bswap16=no -ac_cv_func_unvis=yes -ac_cv_func_setstate=yes -ac_cv_func_setprogname=yes -ac_cv_var__res_declaration=yes -ac_cv_header_usersec_h=no -lt_cv_prog_cc_can_build_shared=yes -ac_cv_path_install='/usr/bin/install -c' -ac_cv_c_compiler_gnu=yes -ac_cv_exeext= -ac_cv_env_CFLAGS_set= -ac_cv_header_sys_capability_h=yes -ac_cv_func_vhangup=no -ac_cv_var_h_errlist_declaration=no -ac_cv_func_setenv_noproto=no -ac_cv_func_strftime=yes -ac_cv_func_flock=yes -ac_cv_func_errx=yes -ac_cv_func_erealloc=no -ac_cv_func_bswap16=no -ac_cv_func_strvis=yes -ac_cv_header_shadow_h=no -ac_cv_header_dirent_h=yes -ac_cv_header_db_185_h=no -ac_cv_type_u_int16_t=yes -ac_cv_funclib_tgetent=-ltermcap -ac_cv_func_verrx=yes -ac_cv_func_freehostent=yes -ac_cv_func_fchown=yes -ac_cv_func_ecalloc=no -ac_cv_funclib_getpwnam_r=no -ac_cv_func_unlockpt=no -ac_cv_func_tgetent=yes -ac_cv_path_GROFF=/usr/bin/groff -ac_cv_header_sys_proc_h=yes -ac_cv_header_netinet_in_systm_h=yes -ac_cv_func_getmsg=no 
-ac_cv_func_getpwnam_r=no -ac_cv_func_ttyslot=yes -ac_cv_func_mktime=yes -ac_cv_func__getpty=no -ac_cv_header_utmp_h=yes -ac_cv_header_sgtty_h=yes -ac_cv_header_maillock_h=no -ac_cv_func_strlwr=no -ac_cv_func_readv=yes -ac_cv_func_strvisx=yes -ac_cv_header_sys_wait_h=yes -ac_cv_funclib_db_create=no -ac_cv_env_CPP_value= -ac_cv_env_CPPFLAGS_set= -ac_cv_type_u_int64_t=yes -ac_cv_header_arpa_ftp_h=yes -ac_cv_func_strlcat=yes -ac_cv_func_strcasecmp=yes -ac_cv_func_svis=no -ac_cv_funclib_socket=yes -ac_cv_header_vis_h=yes -ac_cv_func_db_create=no -lt_cv_prog_cc_static_works=yes -lt_cv_prog_cc_no_builtin= -ac_cv_func_sigaction=yes -ac_cv_header_sys_ioccom_h=yes -ac_cv_header_siad_h=no -krb_cv_c_bigendian=no -ac_cv_func_gethostbyaddr_proto_compat=no -ac_cv_func_inet_aton=yes -ac_cv_func_strupr=no -ac_cv_func_socket=yes -ac_cv_header_ndbm_h=yes -lt_cv_prog_cc_shlib= -ac_cv_header_utmpx_h=no -ac_cv_header_bind_bitypes_h=no -ac_cv_var_h_errno=yes -ac_cv_func_strndup_noproto=yes -ac_cv_func_iruserok=yes -ac_cv_func_vis=yes -ac_cv_header_sys_sysctl_h=yes -ac_cv_header_fcntl_h=yes -ac_cv_header_standards_h=no -lt_cv_prog_cc_static=-static -ac_cv_env_host_alias_set= -ac_cv_func_yp_get_default_domain=yes -ac_cv_func_strstr=yes -ac_cv_func_setproctitle=yes -ac_cv_func_grantpt=no -ac_cv_func_getegid=yes -ac_cv_funclib_getaddrinfo=yes -ac_cv_funclib_hstrerror=yes -ac_cv_func_uname=yes -ac_cv_c_const=yes -ac_cv_prog_YACC='bison -y' -ac_cv_func_setsid=yes -ac_cv_func_revoke=yes -ac_cv_func_fcntl=yes -ac_cv_header_sys_str_tty_h=no -krb_cv_sys_x_libs=' -L/usr/X11R6/lib' -ac_cv_var_opterr_declaration=yes -ac_cv_func_mkstemp=yes -ac_cv_func_getaddrinfo=yes -ac_cv_func_asnprintf_noproto=yes -ac_cv_func_hstrerror=yes -ac_cv_header_termios_h=yes -lt_cv_ld_reload_flag=-r -ac_cv_func_ttyname=yes -ac_cv_lib_Xau=yes -ac_cv_path_NROFF=/usr/bin/nroff -ac_cv_func_getnameinfo_broken=no -ac_cv_func_getipnodebyaddr=yes -ac_cv_func_vasnprintf_noproto=yes -ac_cv_header_sys_resource_h=yes 
-ac_cv_header_netinet_in6_h=no -ac_cv_header_ifaddrs_h=yes -lt_cv_sys_path_separator=: -ac_cv_func_setlim=no -ac_cv_header_tmpdir_h=no -ac_cv_header_termio_h=no -ac_cv_header_sys_ptyvar_h=no -ac_cv_type_mode_t=yes -ac_cv_funclib_XauReadAuth=yes -ac_cv_func_remove=yes -ac_cv_func_unsetenv=yes -ac_cv_func_strtok_r=yes -ac_cv_func_strptime=yes -ac_cv_funclib_pidfile=no -lt_cv_archive_cmds_need_lc=yes -ac_cv_header_sys_stat_h=yes -lt_cv_prog_gnu_ld=yes -ac_cv_prog_lex_root=lex.yy -ac_cv_env_build_alias_set= -ac_cv_func_el_init_four=yes -ac_cv_func_rand=yes -ac_cv_header_sys_select_h=yes -ac_cv_func_XauReadAuth=yes -ac_cv_var_h_errno_declaration=yes -ac_cv_func_gethostbyname_proto_compat=yes -ac_cv_func_emalloc=no -ac_cv_func_pidfile=no -ac_cv_func_atexit=yes -ac_cv_func_realloc_broken=no -ac_cv_lib_edit=yes -ac_cv_header_limits_h=yes -ac_cv_struct_spwd=no -ac_cv_type_struct_sockaddr_storage=yes -ac_cv_var_h_nerr=yes -ac_cv_func_getsockname_proto_compat=yes -ac_cv_func_strsep_noproto=no -ac_cv_func_rcmd=yes -ac_cv_func_localtime_r=yes -ac_cv_func_sysconf=yes -ac_cv_func_snprintf_working=yes -ac_cv_header_dbm_h=no -ac_cv_prog_LN_S='ln -s' -ac_cv_env_LDFLAGS_value= -ac_cv_env_target_alias_set= -ac_cv_header_fnmatch_h=yes -ac_cv_func_getservbyname_proto_compat=yes -ac_cv_func_strnlen=no -ac_cv_funclib_getnameinfo=yes -ac_cv_func_vsnprintf_working=yes -ac_cv_func_getlogin_posix=no -ac_cv_header_db3_db_h=no -ac_cv_host_alias=i386-unknown-freebsd5.0 -ac_cv_prog_cc_stdc= -ac_cv_env_CFLAGS_value= -ac_cv_env_CC_set= -ac_cv_func_setutent=no -ac_cv_func_setresgid=yes -ac_cv_header_sys_stropts_h=no -ac_cv_header_sys_ptyio_h=no -ac_cv_header_bsdsetjmp_h=no -ac_cv_header_arpa_telnet_h=yes -ac_cv_func_shmat=yes -ac_cv_have_x='have_x=yes ac_x_includes=/usr/X11R6/include ac_x_libraries=/usr/X11R6/lib' -ac_cv_type_struct_addrinfo=yes -ac_cv_func_gettimeofday=yes -ac_cv_func_estrdup=no -ac_cv_func_getnameinfo=yes -ac_cv_funclib_dbm_firstkey=yes -ac_cv_header_db4_db_h=no 
-lt_cv_prog_cc_wl=-Wl, -ac_cv_header_sys_types_h=yes -ac_cv_header_stdc=yes -krb_cv_com_err=yes -ac_cv_type_uint8_t=yes -ac_cv_type_int8_t=yes -ac_cv_header_pty_h=no -ac_cv_header_curses_h=yes -ac_cv_type_struct_msghdr=yes -ac_cv_var_timezone=yes -ac_cv_func_gethostname_noproto=no -ac_cv_func_strunvis_noproto=no -ac_cv_func_getopt=yes -ac_cv_func_getipnodebyname=yes -ac_cv_func_fnmatch=yes -ac_cv_func_asprintf_noproto=no -ac_cv_header_paths_h=yes -ac_cv_header_time=yes -ac_cv_func_dbm_firstkey=yes -ac_cv_header_strings_h=yes -ac_cv_func_setregid=yes -ac_cv_funclib_logwtmp=-lutil -ac_cv_header_sac_h=no -ac_cv_func_chown=yes -ac_cv_func_vasprintf_noproto=no -ac_cv_func_glob_working=yes -ac_cv_funclib_gethostbyname=yes -ac_cv_header_sys_uio_h=yes -ac_cv_type_signal=void -ac_cv_header_stdint_h=yes -ac_cv_header_inttypes_h=yes -ac_cv_prog_make_make_set=yes -krb_cv_compile_et=yes -ac_cv_funclib_el_init=-ledit -ac_cv_func_logwtmp=yes -ac_cv_header_sys_timeb_h=yes -ac_cv_header_sys_syscall_h=yes -ac_cv_var_h_nerr_declaration=no -ac_cv_func_setenv=yes -ac_cv_funclib_getsockopt=yes -ac_cv_var_in6addr_loopback=yes -ac_cv_func_gethostbyname=yes -ac_cv_header_sys_param_h=yes -ac_cv_c_inline=inline -ac_cv_header_unistd_h=yes -ac_cv_header_string_h=yes -lt_cv_global_symbol_to_cdecl='sed -n -e '\''s/^. 
.* \(.*\)$/extern char \1;/p'\''' -lt_cv_path_LD=/usr/libexec/elf/ld -ac_cv_build_alias=i386-unknown-freebsd5.0 -ac_cv_env_CPPFLAGS_value= -krb_cv_save_LIBS= -ac_cv_func_el_init=yes -ac_cv_type_struct_utmp_ut_pid=no -ac_cv_func_umask=yes -ac_cv_type_struct_sockaddr=yes -ac_cv_var_optopt_declaration=yes -ac_cv_func_crypt_noproto=no -ac_cv_func_getusershell_noproto=no -ac_cv_func_getsockopt=yes -ac_cv_lib_ipv6=yes -ac_cv_func_getlogin=yes -ac_cv_func_setpcred=no -ac_cv_header_time_h=yes -ac_cv_header_sys_filio_h=yes -ac_cv_func_swab=yes -ac_cv_func_setegid=yes -ac_cv_func_getifaddrs=yes -ac_cv_header_sys_utsname_h=yes -ac_cv_header_sys_sockio_h=yes -ac_cv_header_netinet6_in6_var_h=yes -ac_cv_prog_ac_ct_RANLIB=ranlib -ac_cv_header_memory_h=yes -ac_cv_prog_COMPILE_ET=compile_et -ac_cv_header_udb_h=no -ac_cv_header_pthread_h=yes -ac_cv_type_sig_atomic_t=yes -ac_cv_var_timezone_declaration=yes -ac_cv_func_inet_pton=yes -ac_cv_func_inet_ntop=yes -ac_cv_func_strsvis_noproto=yes -ac_cv_funclib_res_search=yes -ac_cv_header_sys_socket_h=yes -ac_cv_header_db_h=yes -ac_cv_prog_ac_ct_STRIP=strip -ac_cv_host=i386-unknown-freebsd5.0 -ac_cv_env_host_alias_value= -ac_cv_type_uint32_t=yes -ac_cv_type_int32_t=yes -ac_cv_funclib_openpty=-lutil -ac_cv_funclib_logout=-lutil -ac_cv_header_sys_file_h=yes -ac_cv_type_off_t=yes -ac_cv_type_struct_iovec=yes -ac_cv_func_unvis_noproto=no -ac_cv_func_strsep_copy=no -ac_cv_func_strerror=yes -ac_cv_func_geteuid=yes -ac_cv_func_issetugid=yes -ac_cv_func_getrlimit=yes -ac_cv_func_res_search=yes -ac_cv_header_resolv_h=yes -ac_cv_header_errno_h=yes -ac_cv_header_capability_h=no -ac_cv_func_openpty=yes -ac_cv_func_logout=yes -ac_cv_header_sys_bitypes_h=no -krb_cv_sys_x_libs_rpath= -ac_cv_var_altzone=no -ac_cv_func_strvis_noproto=no -ac_cv_header_net_if_h=yes -lt_cv_global_symbol_to_c_name_address='sed -n -e '\''s/^: \([^ ]*\) $/ {\"\1\", (lt_ptr) 0},/p'\'' -e '\''s/^[BCDEGRST] \([^ ]*\) \([^ ]*\)$/ {"\2", (lt_ptr) \&\2},/p'\''' -ac_cv_type_uint16_t=yes 
-ac_cv_type_int16_t=yes -ac_cv_type_struct_utmpx_ut_syslen=no -ac_cv_type_struct_utmp_ut_id=no -ac_cv_header_sys_stream_h=no -ac_cv_func_strndup=no -ac_cv_func_getgid=yes -ac_cv_func_daemon=yes -ac_cv_header_config_h=no -ac_cv_type_pid_t=yes -lt_cv_compiler_c_o=yes -lt_cv_prog_cc_pic_works=yes -lt_cv_file_magic_test_file= -ac_cv_header_termcap_h=yes -ac_cv_func_connect=yes -ac_cv_func_strlcpy=yes -ac_cv_func_getspnam=no -ac_cv_func_cgetent=yes -ac_cv_header_netinet6_in6_h=no -ac_cv_build=i386-unknown-freebsd5.0 -ac_cv_prog_AWK=gawk -ac_cv_prog_CPP='gcc -E' -ac_cv_env_build_alias_value= -ac_cv_header_netinet_in6_machtypes_h=no -ac_cv_struct_tm=time.h -ac_cv_type_struct_ifaddrs=yes -ac_cv_type_struct_tm_tm_zone=yes -ac_cv_func_strvisx_noproto=no -ac_cv_func_lstat=yes -ac_cv_func_initstate=yes -ac_cv_func_asnprintf=no -ac_cv_type_long_long=yes -lt_cv_prog_cc_pic=' -fPIC' -lt_cv_sys_global_symbol_pipe='sed -n -e '\''s/^.*[ ]\([ABCDGISTW][ABCDGISTW]*\)[ ][ ]*\(\)\([_A-Za-z][_A-Za-z0-9]*\)$/\1 \2\3 \3/p'\''' -lt_cv_deplibs_check_method=pass_all -ac_cv_prog_lex_yytext_pointer=yes -ac_cv_prog_ac_ct_CC=gcc -ac_cv_type_uint64_t=yes -ac_cv_type_int64_t=yes -ac_cv_func_setitimer=yes -ac_cv_lib_termcap=yes -krb_cv_c_bigendian_compile=yes -ac_cv_func_svis_noproto=yes -ac_cv_func_copyhostent=no -ac_cv_func_vasnprintf=no -ac_cv_func_getprogname=yes -ac_cv_funclib_dbopen=yes -lt_cv_compiler_o_lo=yes -ac_cv_env_target_alias_value= -ac_cv_func__scrsize=no -ac_cv_header_sys_un_h=yes -ac_cv_header_sys_termio_h=no -ac_cv_sys_catman_ext=number -ac_cv_sys_man_format='/usr/bin/nroff -mdoc $< > $@' -ac_cv_func_inet_aton_noproto=no -ac_cv_funclib_freeaddrinfo=yes -ac_cv_funclib_dn_expand=yes -ac_cv_funclib_gethostbyname2=yes -ac_cv_header_syslog_h=yes -ac_cv_header_sys_ioctl_h=yes -ac_cv_func_dbopen=yes -ac_cv_env_CC_value= -ac_cv_func_setresuid=yes -ac_cv_header_term_h=yes -ac_cv_type_socklen_t=yes -ac_cv_func_openlog_proto_compat=yes -ac_cv_func_vis_noproto=no -ac_cv_func_freeaddrinfo=yes 
-ac_cv_func_snprintf_noproto=no -ac_cv_func_dn_expand=yes -ac_cv_func_gethostbyname2=yes -ac_cv_funclib_syslog=yes -ac_cv_header_userconf_h=no -ac_cv_header_arpa_inet_h=yes -ac_cv_header_netinet_tcp_h=yes -ac_cv_type_uid_t=yes -lt_cv_path_NM='/usr/bin/nm -B' -ac_cv_env_CPP_set= -ac_cv_type_struct_utmpx_ut_exit=no -ac_cv_header_security_pam_modules_h=yes -ac_cv_header_netinfo_ni_h=no -ac_cv_type_struct_tm_tm_gmtoff=yes -ac_cv_func_getaddrinfo_numserv=yes -ac_cv_func_writev=yes -ac_cv_func_strsep=yes -ac_cv_funclib_setsockopt=yes -ac_cv_func_vsnprintf_noproto=no -ac_cv_func_syslog=yes -ac_cv_header_sys_bswap_h=no -ac_cv_header_dlfcn_h=yes -ac_cv_type_struct_utmp_ut_host=no -ac_cv_func_setreuid=yes -ac_cv_func_setpgid=yes -ac_cv_header_sys_strtty_h=no -ac_cv_lib_ICE_IceConnectionNumber=yes -ac_cv_func_mkstemp_noproto=no -ac_cv_func_warn=yes -ac_cv_func_vsyslog=yes -ac_cv_func_strdup=yes -ac_cv_func_putenv=yes -ac_cv_funclib_gai_strerror=yes -ac_cv_func_hstrerror_noproto=no -ac_cv_func_setsockopt=yes -ac_cv_func_sysctl=yes -ac_cv_type_ssize_t=yes -ac_cv_func_setlogin=yes -ac_cv_prog_LEX=flex -ac_cv_type_struct_utmp_ut_user=no -ac_cv_header_signal_h=yes -ac_cv_struct_winsize=yes -ac_cv_type_sa_family_t=yes -ac_cv_var_environ_declaration=no -ac_cv_var___progname=yes -ac_cv_func_vwarn=yes -ac_cv_func_sendmsg=yes -ac_cv_func_gai_strerror=yes -ac_cv_header_rpcsvc_ypclnt_h=yes -ac_cv_header_arpa_nameser_h=yes -ac_cv_objext=o - -## ----------- ## -## confdefs.h. 
## -## ----------- ## - -#define PACKAGE_NAME "Heimdal" -#define PACKAGE_TARNAME "heimdal" -#define PACKAGE_VERSION "0.4f" -#define PACKAGE_STRING "Heimdal 0.4f" -#define PACKAGE_BUGREPORT "heimdal-bugs@pdc.kth.se" -#define PACKAGE "heimdal" -#define VERSION "0.4f" -#define _GNU_SOURCE 1 -#define YYTEXT_POINTER 1 -#define HAVE___ATTRIBUTE__ 1 -#define STDC_HEADERS 1 -#define HAVE_SYS_TYPES_H 1 -#define HAVE_SYS_STAT_H 1 -#define HAVE_STDLIB_H 1 -#define HAVE_STRING_H 1 -#define HAVE_MEMORY_H 1 -#define HAVE_STRINGS_H 1 -#define HAVE_INTTYPES_H 1 -#define HAVE_STDINT_H 1 -#define HAVE_UNISTD_H 1 -#define HAVE_DLFCN_H 1 -#define HAVE_DB_H 1 -#define HAVE_DBOPEN 1 -#define HAVE_DB1 1 -#define HAVE_NDBM_H 1 -#define HAVE_DBM_FIRSTKEY 1 -#define HAVE_NDBM 1 -#define HAVE_NEW_DB 1 -#define RETSIGTYPE void -#define VOID_RETSIGTYPE 1 -#define TIME_WITH_SYS_TIME 1 -#define HAVE_NETINET_IP_H 1 -#define HAVE_NETINET_TCP_H 1 -#define HAVE_GETLOGIN 1 -#define HAVE_SETLOGIN 1 -#define HAVE_SSIZE_T 1 -#define HAVE_LONG_LONG 1 -#define HAVE_ARPA_INET_H 1 -#define HAVE_ARPA_NAMESER_H 1 -#define HAVE_DIRENT_H 1 -#define HAVE_ERRNO_H 1 -#define HAVE_ERR_H 1 -#define HAVE_FCNTL_H 1 -#define HAVE_GRP_H 1 -#define HAVE_IFADDRS_H 1 -#define HAVE_NET_IF_H 1 -#define HAVE_NETDB_H 1 -#define HAVE_NETINET_IN_H 1 -#define HAVE_NETINET_IN_SYSTM_H 1 -#define HAVE_NETINET6_IN6_VAR_H 1 -#define HAVE_PATHS_H 1 -#define HAVE_PWD_H 1 -#define HAVE_RESOLV_H 1 -#define HAVE_RPCSVC_YPCLNT_H 1 -#define HAVE_SYS_IOCTL_H 1 -#define HAVE_SYS_PARAM_H 1 -#define HAVE_SYS_PROC_H 1 -#define HAVE_SYS_RESOURCE_H 1 -#define HAVE_SYS_SOCKET_H 1 -#define HAVE_SYS_SOCKIO_H 1 -#define HAVE_SYS_STAT_H 1 -#define HAVE_SYS_SYSCTL_H 1 -#define HAVE_SYS_TIME_H 1 -#define HAVE_SYS_TTY_H 1 -#define HAVE_SYS_TYPES_H 1 -#define HAVE_SYS_UIO_H 1 -#define HAVE_SYS_UTSNAME_H 1 -#define HAVE_SYS_WAIT_H 1 -#define HAVE_SYSLOG_H 1 -#define HAVE_TERMIOS_H 1 -#define HAVE_UNISTD_H 1 -#define HAVE_VIS_H 1 -#define HAVE_SOCKET 1 
-#define HAVE_GETHOSTBYNAME 1 -#define HAVE_SYSLOG 1 -#define HAVE_IPV6 1 -#define HAVE_IN6ADDR_LOOPBACK 1 -#define HAVE_GETHOSTBYNAME2 1 -#define HAVE_RES_SEARCH 1 -#define HAVE_DN_EXPAND 1 -#define HAVE__RES 1 -#define HAVE__RES_DECLARATION 1 -#define HAVE_SNPRINTF 1 -#define HAVE_VSNPRINTF 1 -#define HAVE_GLOB 1 -#define HAVE_ASPRINTF 1 -#define HAVE_ATEXIT 1 -#define HAVE_CGETENT 1 -#define HAVE_GETPROGNAME 1 -#define HAVE_GETRLIMIT 1 -#define HAVE_INITSTATE 1 -#define HAVE_ISSETUGID 1 -#define HAVE_RANDOM 1 -#define HAVE_SETPROGNAME 1 -#define HAVE_SETSTATE 1 -#define HAVE_STRUNVIS 1 -#define HAVE_STRVIS 1 -#define HAVE_STRVISX 1 -#define HAVE_SYSCONF 1 -#define HAVE_SYSCTL 1 -#define HAVE_UNAME 1 -#define HAVE_UNVIS 1 -#define HAVE_VASPRINTF 1 -#define HAVE_VIS 1 -#define HAVE_GETSOCKOPT 1 -#define HAVE_SETSOCKOPT 1 -#define HAVE_HSTRERROR 1 -#define NEED_ASNPRINTF_PROTO 1 -#define NEED_VASNPRINTF_PROTO 1 -#define HAVE_GETADDRINFO 1 -#define HAVE_GETNAMEINFO 1 -#define HAVE_FREEADDRINFO 1 -#define HAVE_GAI_STRERROR 1 -#define HAVE_CHOWN 1 -#define HAVE_DAEMON 1 -#define HAVE_ERR 1 -#define HAVE_ERRX 1 -#define HAVE_FCHOWN 1 -#define HAVE_FLOCK 1 -#define HAVE_FNMATCH 1 -#define HAVE_FREEHOSTENT 1 -#define HAVE_GETCWD 1 -#define HAVE_GETDTABLESIZE 1 -#define HAVE_GETEGID 1 -#define HAVE_GETEUID 1 -#define HAVE_GETGID 1 -#define HAVE_GETHOSTNAME 1 -#define HAVE_GETIFADDRS 1 -#define HAVE_GETIPNODEBYADDR 1 -#define HAVE_GETIPNODEBYNAME 1 -#define HAVE_GETOPT 1 -#define HAVE_GETTIMEOFDAY 1 -#define HAVE_GETUID 1 -#define HAVE_GETUSERSHELL 1 -#define HAVE_INITGROUPS 1 -#define HAVE_INNETGR 1 -#define HAVE_IRUSEROK 1 -#define HAVE_LOCALTIME_R 1 -#define HAVE_LSTAT 1 -#define HAVE_MEMMOVE 1 -#define HAVE_MKSTEMP 1 -#define HAVE_PUTENV 1 -#define HAVE_RCMD 1 -#define HAVE_READV 1 -#define HAVE_RECVMSG 1 -#define HAVE_SENDMSG 1 -#define HAVE_SETEGID 1 -#define HAVE_SETENV 1 -#define HAVE_SETEUID 1 -#define HAVE_STRCASECMP 1 -#define HAVE_STRDUP 1 -#define 
HAVE_STRERROR 1 -#define HAVE_STRFTIME 1 -#define HAVE_STRLCAT 1 -#define HAVE_STRLCPY 1 -#define HAVE_STRNCASECMP 1 -#define HAVE_STRPTIME 1 -#define HAVE_STRSEP 1 -#define HAVE_STRTOK_R 1 -#define HAVE_SWAB 1 -#define HAVE_UNSETENV 1 -#define HAVE_VERR 1 -#define HAVE_VERRX 1 -#define HAVE_VSYSLOG 1 -#define HAVE_VWARN 1 -#define HAVE_VWARNX 1 -#define HAVE_WARN 1 -#define HAVE_WARNX 1 -#define HAVE_WRITEV 1 -#define NEED_STRNDUP_PROTO 1 -#define NEED_STRSVIS_PROTO 1 -#define NEED_SVIS_PROTO 1 -#define HAVE_INET_ATON 1 -#define HAVE_INET_NTOP 1 -#define HAVE_INET_PTON 1 -#define HAVE_STRUCT_SOCKADDR_SA_LEN 1 -#define HAVE_CRYPT 1 -#define HAVE_LIBCRYPT 1 -#define GETHOSTBYNAME_PROTO_COMPATIBLE 1 -#define GETSERVBYNAME_PROTO_COMPATIBLE 1 -#define GETSOCKNAME_PROTO_COMPATIBLE 1 -#define OPENLOG_PROTO_COMPATIBLE 1 -#define HAVE_H_ERRNO 1 -#define HAVE_H_ERRNO_DECLARATION 1 -#define HAVE_H_ERRLIST 1 -#define HAVE_H_NERR 1 -#define HAVE___PROGNAME 1 -#define HAVE_OPTARG_DECLARATION 1 -#define HAVE_OPTIND_DECLARATION 1 -#define HAVE_OPTERR_DECLARATION 1 -#define HAVE_OPTOPT_DECLARATION 1 -#define HAVE_STRUCT_TM_TM_GMTOFF 1 -#define HAVE_STRUCT_TM_TM_ZONE 1 -#define HAVE_TIMEZONE 1 -#define HAVE_TIMEZONE_DECLARATION 1 -#define HAVE_SA_FAMILY_T 1 -#define HAVE_SOCKLEN_T 1 -#define HAVE_STRUCT_SOCKADDR 1 -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 -#define HAVE_STRUCT_ADDRINFO 1 -#define HAVE_STRUCT_IFADDRS 1 -#define HAVE_STRUCT_IOVEC 1 -#define HAVE_STRUCT_MSGHDR 1 -#define HAVE_STRUCT_WINSIZE 1 -#define HAVE_WS_XPIXEL 1 -#define HAVE_WS_YPIXEL 1 -#define KRB5 1 -#define OTP 1 -#define ENDIANESS_IN_SYS_PARAM_H 1 -#define HAVE_DLOPEN 1 -#define HAVE_XAUWRITEAUTH 1 -#define HAVE_LIBXAU 1 -#define HAVE_XAUREADAUTH 1 -#define HAVE_XAUFILENAME 1 -#define HAVE_LONG_LONG 1 -#define TIME_WITH_SYS_TIME 1 -#define STDC_HEADERS 1 -#define HAVE_ARPA_FTP_H 1 -#define HAVE_ARPA_TELNET_H 1 -#define HAVE_CURSES_H 1 -#define HAVE_DLFCN_H 1 -#define HAVE_FNMATCH_H 1 -#define HAVE_INTTYPES_H 
1 -#define HAVE_LIBUTIL_H 1 -#define HAVE_LIMITS_H 1 -#define HAVE_PTHREAD_H 1 -#define HAVE_SECURITY_PAM_MODULES_H 1 -#define HAVE_SGTTY_H 1 -#define HAVE_SIGNAL_H 1 -#define HAVE_SYS_FILE_H 1 -#define HAVE_SYS_FILIO_H 1 -#define HAVE_SYS_IOCCOM_H 1 -#define HAVE_SYS_SELECT_H 1 -#define HAVE_SYS_SYSCALL_H 1 -#define HAVE_SYS_TIMEB_H 1 -#define HAVE_SYS_TIMES_H 1 -#define HAVE_SYS_UN_H 1 -#define HAVE_TERM_H 1 -#define HAVE_TERMCAP_H 1 -#define HAVE_TIME_H 1 -#define HAVE_UTMP_H 1 -#define HAVE_LOGWTMP 1 -#define HAVE_LIBUTIL 1 -#define HAVE_LOGOUT 1 -#define HAVE_LIBUTIL 1 -#define HAVE_OPENPTY 1 -#define HAVE_LIBUTIL 1 -#define HAVE_TGETENT 1 -#define HAVE_LIBTERMCAP 1 -#define HAVE_FCNTL 1 -#define HAVE_MKTIME 1 -#define HAVE_RAND 1 -#define HAVE_REVOKE 1 -#define HAVE_SELECT 1 -#define HAVE_SETITIMER 1 -#define HAVE_SETPGID 1 -#define HAVE_SETPROCTITLE 1 -#define HAVE_SETREGID 1 -#define HAVE_SETRESGID 1 -#define HAVE_SETRESUID 1 -#define HAVE_SETREUID 1 -#define HAVE_SETSID 1 -#define HAVE_SIGACTION 1 -#define HAVE_STRSTR 1 -#define HAVE_TIMEGM 1 -#define HAVE_TTYNAME 1 -#define HAVE_TTYSLOT 1 -#define HAVE_UMASK 1 -#define HAVE_YP_GET_DEFAULT_DOMAIN 1 -#define HAVE_SYS_CAPABILITY_H 1 -#define HAVE_INT8_T 1 -#define HAVE_INT16_T 1 -#define HAVE_INT32_T 1 -#define HAVE_INT64_T 1 -#define HAVE_U_INT8_T 1 -#define HAVE_U_INT16_T 1 -#define HAVE_U_INT32_T 1 -#define HAVE_U_INT64_T 1 -#define HAVE_UINT8_T 1 -#define HAVE_UINT16_T 1 -#define HAVE_UINT32_T 1 -#define HAVE_UINT64_T 1 -#define HAVE_OPENSSL 1 -#define HAVE_EL_INIT 1 -#define HAVE_LIBEDIT 1 -#define HAVE_FOUR_VALUED_EL_INIT 1 -#define HAVE_READLINE 1 -#define AUTHENTICATION 1 -#define ENCRYPTION 1 -#define DES_ENCRYPTION 1 -#define DIAGNOSTICS 1 -#define OLD_ENVIRON 1 -#define BINDIR "/usr/heimdal/bin" -#define LIBDIR "/usr/heimdal/lib" -#define LIBEXECDIR "/usr/heimdal/libexec" -#define LOCALSTATEDIR "/var/heimdal" -#define SBINDIR "/usr/heimdal/sbin" -#define SYSCONFDIR "/etc" - -configure: exit 1 - 
-## ---------------------- ## -## Running config.status. ## -## ---------------------- ## - -This file was extended by Heimdal config.status 0.4f, which was -generated by GNU Autoconf 2.53. Invocation command line was - - CONFIG_FILES = - CONFIG_HEADERS = - CONFIG_LINKS = - CONFIG_COMMANDS = - $ ./config.status - -on shade.nectar.cc - -config.status:35438: creating Makefile -config.status:35438: creating include/Makefile -config.status:35438: creating include/kadm5/Makefile -config.status:35438: creating lib/Makefile -config.status:35438: creating lib/45/Makefile -config.status:35438: creating lib/auth/Makefile -config.status:35438: creating lib/auth/afskauthlib/Makefile -config.status:35438: creating lib/auth/pam/Makefile -config.status:35438: creating lib/auth/sia/Makefile -config.status:35438: creating lib/asn1/Makefile -config.status:35438: creating lib/com_err/Makefile -config.status:35438: creating lib/editline/Makefile -config.status:35438: creating lib/gssapi/Makefile -config.status:35438: creating lib/hdb/Makefile -config.status:35438: creating lib/kadm5/Makefile -config.status:35438: creating lib/kafs/Makefile -config.status:35438: creating lib/kdfs/Makefile -config.status:35474: error: cannot find input file: lib/kdfs/Makefile.in - -## ---------------------- ## -## Running config.status. ## -## ---------------------- ## - -This file was extended by Heimdal config.status 0.4f, which was -generated by GNU Autoconf 2.53. 
Invocation command line was - - CONFIG_FILES = - CONFIG_HEADERS = - CONFIG_LINKS = - CONFIG_COMMANDS = - $ ./config.status - -on shade.nectar.cc - -config.status:35438: creating Makefile -config.status:35438: creating include/Makefile -config.status:35438: creating include/kadm5/Makefile -config.status:35438: creating lib/Makefile -config.status:35438: creating lib/45/Makefile -config.status:35438: creating lib/auth/Makefile -config.status:35438: creating lib/auth/afskauthlib/Makefile -config.status:35438: creating lib/auth/pam/Makefile -config.status:35438: creating lib/auth/sia/Makefile -config.status:35438: creating lib/asn1/Makefile -config.status:35438: creating lib/com_err/Makefile -config.status:35438: creating lib/editline/Makefile -config.status:35438: creating lib/gssapi/Makefile -config.status:35438: creating lib/hdb/Makefile -config.status:35438: creating lib/kadm5/Makefile -config.status:35438: creating lib/kafs/Makefile -config.status:35438: creating lib/krb5/Makefile -config.status:35438: creating lib/otp/Makefile -config.status:35438: creating lib/roken/Makefile -config.status:35438: creating lib/sl/Makefile -config.status:35438: creating lib/vers/Makefile -config.status:35438: creating kuser/Makefile -config.status:35438: creating kpasswd/Makefile -config.status:35438: creating kadmin/Makefile -config.status:35438: creating admin/Makefile -config.status:35438: creating kdc/Makefile -config.status:35438: creating appl/Makefile -config.status:35438: creating appl/afsutil/Makefile -config.status:35438: creating appl/ftp/Makefile -config.status:35438: creating appl/ftp/common/Makefile -config.status:35438: creating appl/ftp/ftp/Makefile -config.status:35438: creating appl/ftp/ftpd/Makefile -config.status:35438: creating appl/kx/Makefile -config.status:35438: creating appl/login/Makefile -config.status:35438: creating appl/otp/Makefile -config.status:35438: creating appl/popper/Makefile -config.status:35438: creating appl/push/Makefile 
-config.status:35438: creating appl/rsh/Makefile -config.status:35438: creating appl/rcp/Makefile -config.status:35438: creating appl/su/Makefile -config.status:35438: creating appl/xnlock/Makefile -config.status:35438: creating appl/telnet/Makefile -config.status:35438: creating appl/telnet/libtelnet/Makefile -config.status:35438: creating appl/telnet/telnet/Makefile -config.status:35438: creating appl/telnet/telnetd/Makefile -config.status:35438: creating appl/test/Makefile -config.status:35438: creating appl/kf/Makefile -config.status:35438: creating appl/dceutils/Makefile -config.status:35438: creating doc/Makefile -config.status:35438: creating tools/Makefile -config.status:35541: creating include/config.h -config.status:35785: executing depfiles commands diff --git a/crypto/heimdal/config.status b/crypto/heimdal/config.status deleted file mode 100755 index feb84b6d5608..000000000000 --- a/crypto/heimdal/config.status +++ /dev/null 
@@ -1,1885 +0,0 @@ -#! /bin/sh -# Generated by configure. -# Run this file to recreate the current configuration. -# Compiler output produced by configure, useful for debugging -# configure, is in config.log if it exists. - -debug=false -SHELL=${CONFIG_SHELL-/bin/sh} - -## --------------------- ## -## M4sh Initialization. ## -## --------------------- ## - -# Be Bourne compatible -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: -elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then - set -o posix -fi - -# NLS nuisances. -# Support unset when possible. -if (FOO=FOO; unset FOO) >/dev/null 2>&1; then - as_unset=unset -else - as_unset=false -fi - -(set +x; test -n "`(LANG=C; export LANG) 2>&1`") && - { $as_unset LANG || test "${LANG+set}" != set; } || - { LANG=C; export LANG; } -(set +x; test -n "`(LC_ALL=C; export LC_ALL) 2>&1`") && - { $as_unset LC_ALL || test "${LC_ALL+set}" != set; } || - { LC_ALL=C; export LC_ALL; } -(set +x; test -n "`(LC_TIME=C; export LC_TIME) 2>&1`") && - { $as_unset LC_TIME || test "${LC_TIME+set}" != set; } || - { LC_TIME=C; export LC_TIME; } -(set +x; test -n "`(LC_CTYPE=C; export LC_CTYPE) 2>&1`") && - { $as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set; } || - { LC_CTYPE=C; export LC_CTYPE; } -(set +x; test -n "`(LANGUAGE=C; export LANGUAGE) 2>&1`") && - { $as_unset LANGUAGE || test "${LANGUAGE+set}" != set; } || - { LANGUAGE=C; export LANGUAGE; } -(set +x; test -n "`(LC_COLLATE=C; export LC_COLLATE) 2>&1`") && - { $as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set; } || - { LC_COLLATE=C; export LC_COLLATE; } -(set +x; test -n "`(LC_NUMERIC=C; export LC_NUMERIC) 2>&1`") && - { $as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set; } || - { LC_NUMERIC=C; export LC_NUMERIC; } -(set +x; test -n "`(LC_MESSAGES=C; export LC_MESSAGES) 2>&1`") && - { $as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set; } || - { LC_MESSAGES=C; export LC_MESSAGES; } - - -# Name of 
the executable. -as_me=`(basename "$0") 2>/dev/null || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)$' \| \ - . : '\(.\)' 2>/dev/null || -echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; } - /^X\/\(\/\/\)$/{ s//\1/; q; } - /^X\/\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - -# PATH needs CR, and LINENO needs CR and PATH. -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - echo "#! /bin/sh" >conftest.sh - echo "exit 0" >>conftest.sh - chmod +x conftest.sh - if (PATH=".;."; conftest.sh) >/dev/null 2>&1; then - PATH_SEPARATOR=';' - else - PATH_SEPARATOR=: - fi - rm -f conftest.sh -fi - - - as_lineno_1=34688 - as_lineno_2=34689 - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" || { - # Find who we are. Look in the path if we contain no path at all - # relative or not. - case $0 in - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done - - ;; - esac - # We did not find ourselves, most probably we were run as `sh COMMAND' - # in which case we are not to be found in the path. - if test "x$as_myself" = x; then - as_myself=$0 - fi - if test ! 
-f "$as_myself"; then - { { echo "$as_me:34713: error: cannot find myself; rerun with an absolute path" >&5 -echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;} - { (exit 1); exit 1; }; } - fi - case $CONFIG_SHELL in - '') - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for as_base in sh bash ksh sh5; do - case $as_dir in - /*) - if ("$as_dir/$as_base" -c ' - as_lineno_1=34728 - as_lineno_2=34729 - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then - CONFIG_SHELL=$as_dir/$as_base - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$0" ${1+"$@"} - fi;; - esac - done -done -;; - esac - - # Create $as_me.lineno as a copy of $as_myself, but with 34743 - # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line before each line; the second 'sed' does the real - # work. The second script uses 'N' to pair each line-number line - # with the numbered line, and appends trailing '-' during - # substitution so that 34748 is not a special case at line end. - # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-) - sed '=' <$as_myself | - sed ' - N - s,$,-, - : loop - s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3, - t loop - s,-$,, - s,^['$as_cr_digits']*\n,, - ' >$as_me.lineno && - chmod +x $as_me.lineno || - { { echo "$as_me:34762: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5 -echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;} - { (exit 1); exit 1; }; } - - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensible to this). - . 
./$as_me.lineno - # Exit status is that of the last command. - exit -} - - -case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in - *c*,-n*) ECHO_N= ECHO_C=' -' ECHO_T=' ' ;; - *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; - *) ECHO_N= ECHO_C='\c' ECHO_T= ;; -esac - -if expr a : '\(a\)' >/dev/null 2>&1; then - as_expr=expr -else - as_expr=false -fi - -rm -f conf$$ conf$$.exe conf$$.file -echo >conf$$.file -if ln -s conf$$.file conf$$ 2>/dev/null; then - # We could just check for DJGPP; but this test a) works b) is more generic - # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04). - if test -f conf$$.exe; then - # Don't use ln at all; we don't have any links - as_ln_s='cp -p' - else - as_ln_s='ln -s' - fi -elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln -else - as_ln_s='cp -p' -fi -rm -f conf$$ conf$$.exe conf$$.file - -as_executable_p="test -f" - -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" - -# Sed expression to map a string onto a valid variable name. -as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g" - - -# IFS -# We need space, tab and new line, in precisely that order. -as_nl=' -' -IFS=" $as_nl" - -# CDPATH. -$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=$PATH_SEPARATOR; export CDPATH; } - -exec 6>&1 - -# Open the log real soon, to keep \$[0] and so on meaningful, and to -# report actual input values of CONFIG_FILES etc. instead of their -# values after options handling. Logging --version etc. is OK. -exec 5>>config.log -{ - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX -## Running $as_me. ## -_ASBOX -} >&5 -cat >&5 <<_CSEOF - -This file was extended by Heimdal $as_me 0.4f, which was -generated by GNU Autoconf 2.53. 
Invocation command line was - - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS - CONFIG_LINKS = $CONFIG_LINKS - CONFIG_COMMANDS = $CONFIG_COMMANDS - $ $0 $@ - -_CSEOF -echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5 -echo >&5 -config_files=" Makefile include/Makefile include/kadm5/Makefile lib/Makefile lib/45/Makefile lib/auth/Makefile lib/auth/afskauthlib/Makefile lib/auth/pam/Makefile lib/auth/sia/Makefile lib/asn1/Makefile lib/com_err/Makefile lib/editline/Makefile lib/gssapi/Makefile lib/hdb/Makefile lib/kadm5/Makefile lib/kafs/Makefile lib/krb5/Makefile lib/otp/Makefile lib/roken/Makefile lib/sl/Makefile lib/vers/Makefile kuser/Makefile kpasswd/Makefile kadmin/Makefile admin/Makefile kdc/Makefile appl/Makefile appl/afsutil/Makefile appl/ftp/Makefile appl/ftp/common/Makefile appl/ftp/ftp/Makefile appl/ftp/ftpd/Makefile appl/kx/Makefile appl/login/Makefile appl/otp/Makefile appl/popper/Makefile appl/push/Makefile appl/rsh/Makefile appl/rcp/Makefile appl/su/Makefile appl/xnlock/Makefile appl/telnet/Makefile appl/telnet/libtelnet/Makefile appl/telnet/telnet/Makefile appl/telnet/telnetd/Makefile appl/test/Makefile appl/kf/Makefile appl/dceutils/Makefile doc/Makefile tools/Makefile" -config_headers=" include/config.h" -config_commands=" depfiles" - -ac_cs_usage="\ -\`$as_me' instantiates files from templates according to the -current configuration. - -Usage: $0 [OPTIONS] [FILE]... - - -h, --help print this help, then exit - -V, --version print version number, then exit - -d, --debug don't remove temporary files - --recheck update $as_me by reconfiguring in the same conditions - --file=FILE[:TEMPLATE] - instantiate the configuration file FILE - --header=FILE[:TEMPLATE] - instantiate the configuration header FILE - -Configuration files: -$config_files - -Configuration headers: -$config_headers - -Configuration commands: -$config_commands - -Report bugs to ." 
-ac_cs_version="\ -Heimdal config.status 0.4f -configured by ./configure, generated by GNU Autoconf 2.53, - with options \"'--enable-shared'\" - -Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001 -Free Software Foundation, Inc. -This config.status script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it." -srcdir=. -INSTALL="/usr/bin/install -c" -# If no file are specified by the user, then we need to provide default -# value. By we need to know if files were specified by the user. -ac_need_defaults=: -while test $# != 0 -do - case $1 in - --*=*) - ac_option=`expr "x$1" : 'x\([^=]*\)='` - ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'` - shift - set dummy "$ac_option" "$ac_optarg" ${1+"$@"} - shift - ;; - -*);; - *) # This is not an option, so the user has probably given explicit - # arguments. - ac_need_defaults=false;; - esac - - case $1 in - # Handling of the options. - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - echo "running /bin/sh ./configure " '--enable-shared' " --no-create --no-recursion" - exec /bin/sh ./configure '--enable-shared' --no-create --no-recursion ;; - --version | --vers* | -V ) - echo "$ac_cs_version"; exit 0 ;; - --he | --h) - # Conflict between --help and --header - { { echo "$as_me:34945: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&5 -echo "$as_me: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&2;} - { (exit 1); exit 1; }; };; - --help | --hel | -h ) - echo "$ac_cs_usage"; exit 0 ;; - --debug | --d* | -d ) - debug=: ;; - --file | --fil | --fi | --f ) - shift - CONFIG_FILES="$CONFIG_FILES $1" - ac_need_defaults=false;; - --header | --heade | --head | --hea ) - shift - CONFIG_HEADERS="$CONFIG_HEADERS $1" - ac_need_defaults=false;; - - # This is an error. - -*) { { echo "$as_me:34964: error: unrecognized option: $1 -Try \`$0 --help' for more information." 
>&5 -echo "$as_me: error: unrecognized option: $1 -Try \`$0 --help' for more information." >&2;} - { (exit 1); exit 1; }; } ;; - - *) ac_config_targets="$ac_config_targets $1" ;; - - esac - shift -done - -# -# INIT-COMMANDS section. -# - -AMDEP_TRUE="" ac_aux_dir="." - -for ac_config_target in $ac_config_targets -do - case "$ac_config_target" in - # Handling of arguments. - "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "include/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;; - "include/kadm5/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/kadm5/Makefile" ;; - "lib/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;; - "lib/45/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/45/Makefile" ;; - "lib/auth/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/Makefile" ;; - "lib/auth/afskauthlib/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/afskauthlib/Makefile" ;; - "lib/auth/pam/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/pam/Makefile" ;; - "lib/auth/sia/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/sia/Makefile" ;; - "lib/asn1/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/asn1/Makefile" ;; - "lib/com_err/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/com_err/Makefile" ;; - "lib/editline/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/editline/Makefile" ;; - "lib/gssapi/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/gssapi/Makefile" ;; - "lib/hdb/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/hdb/Makefile" ;; - "lib/kadm5/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kadm5/Makefile" ;; - "lib/kafs/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kafs/Makefile" ;; - "lib/krb5/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/krb5/Makefile" ;; - "lib/otp/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/otp/Makefile" ;; - "lib/roken/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/roken/Makefile" ;; - "lib/sl/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/sl/Makefile" ;; - "lib/vers/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/vers/Makefile" ;; - "kuser/Makefile" ) 
CONFIG_FILES="$CONFIG_FILES kuser/Makefile" ;; - "kpasswd/Makefile" ) CONFIG_FILES="$CONFIG_FILES kpasswd/Makefile" ;; - "kadmin/Makefile" ) CONFIG_FILES="$CONFIG_FILES kadmin/Makefile" ;; - "admin/Makefile" ) CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;; - "kdc/Makefile" ) CONFIG_FILES="$CONFIG_FILES kdc/Makefile" ;; - "appl/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/Makefile" ;; - "appl/afsutil/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/afsutil/Makefile" ;; - "appl/ftp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/Makefile" ;; - "appl/ftp/common/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/common/Makefile" ;; - "appl/ftp/ftp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftp/Makefile" ;; - "appl/ftp/ftpd/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftpd/Makefile" ;; - "appl/kx/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/kx/Makefile" ;; - "appl/login/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/login/Makefile" ;; - "appl/otp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/otp/Makefile" ;; - "appl/popper/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/popper/Makefile" ;; - "appl/push/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/push/Makefile" ;; - "appl/rsh/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/rsh/Makefile" ;; - "appl/rcp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/rcp/Makefile" ;; - "appl/su/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/su/Makefile" ;; - "appl/xnlock/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/xnlock/Makefile" ;; - "appl/telnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/Makefile" ;; - "appl/telnet/libtelnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/libtelnet/Makefile" ;; - "appl/telnet/telnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnet/Makefile" ;; - "appl/telnet/telnetd/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnetd/Makefile" ;; - "appl/test/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/test/Makefile" ;; - "appl/kf/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/kf/Makefile" ;; - 
"appl/dceutils/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/dceutils/Makefile" ;; - "doc/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; - "tools/Makefile" ) CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; - "depfiles" ) CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; - "include/config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS include/config.h" ;; - *) { { echo "$as_me:35048: error: invalid argument: $ac_config_target" >&5 -echo "$as_me: error: invalid argument: $ac_config_target" >&2;} - { (exit 1); exit 1; }; };; - esac -done - -# If the user did not use the arguments to specify the items to instantiate, -# then the envvar interface is used. Set only those that are not. -# We use the long form for the default assignment because of an extremely -# bizarre bug on SunOS 4.1.3. -if $ac_need_defaults; then - test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files - test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers - test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands -fi - -# Create a temporary directory, and hook for its removal unless debugging. -$debug || -{ - trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0 - trap '{ (exit 1); exit 1; }' 1 2 13 15 -} - -# Create a (secure) tmp directory for tmp files. -: ${TMPDIR=/tmp} -{ - tmp=`(umask 077 && mktemp -d -q "$TMPDIR/csXXXXXX") 2>/dev/null` && - test -n "$tmp" && test -d "$tmp" -} || -{ - tmp=$TMPDIR/cs$$-$RANDOM - (umask 077 && mkdir $tmp) -} || -{ - echo "$me: cannot create a temporary directory in $TMPDIR" >&2 - { (exit 1); exit 1; } -} - - -# -# CONFIG_FILES section. -# - -# No need to generate the scripts if there are no CONFIG_FILES. -# This happens for instance when ./config.status config.h -if test -n "$CONFIG_FILES"; then - # Protect against being on the right side of a sed subst in config.status. 
- sed 's/,@/@@/; s/@,/@@/; s/,;t t$/@;t t/; /@;t t$/s/[\\&,]/\\&/g; - s/@@/,@/; s/@@/@,/; s/@;t t$/,;t t/' >$tmp/subs.sed <<\CEOF -s,@SHELL@,/bin/sh,;t t -s,@PATH_SEPARATOR@,:,;t t -s,@PACKAGE_NAME@,Heimdal,;t t -s,@PACKAGE_TARNAME@,heimdal,;t t -s,@PACKAGE_VERSION@,0.4f,;t t -s,@PACKAGE_STRING@,Heimdal 0.4f,;t t -s,@PACKAGE_BUGREPORT@,heimdal-bugs@pdc.kth.se,;t t -s,@exec_prefix@,${prefix},;t t -s,@prefix@,/usr/heimdal,;t t -s,@program_transform_name@,s,x,x,,;t t -s,@bindir@,${exec_prefix}/bin,;t t -s,@sbindir@,${exec_prefix}/sbin,;t t -s,@libexecdir@,${exec_prefix}/libexec,;t t -s,@datadir@,${prefix}/share,;t t -s,@sysconfdir@,/etc,;t t -s,@sharedstatedir@,${prefix}/com,;t t -s,@localstatedir@,/var/heimdal,;t t -s,@libdir@,${exec_prefix}/lib,;t t -s,@includedir@,${prefix}/include,;t t -s,@oldincludedir@,/usr/include,;t t -s,@infodir@,${prefix}/info,;t t -s,@mandir@,${prefix}/man,;t t -s,@build_alias@,,;t t -s,@host_alias@,,;t t -s,@target_alias@,,;t t -s,@DEFS@,-DHAVE_CONFIG_H,;t t -s,@ECHO_C@,,;t t -s,@ECHO_N@,-n,;t t -s,@ECHO_T@,,;t t -s,@LIBS@,,;t t -s,@CC@,gcc ,;t t -s,@CFLAGS@,-DINET6 -g -O2,;t t -s,@LDFLAGS@,,;t t -s,@CPPFLAGS@,,;t t -s,@ac_ct_CC@,gcc,;t t -s,@EXEEXT@,,;t t -s,@OBJEXT@,o,;t t -s,@CPP@,gcc -E,;t t -s,@INSTALL_PROGRAM@,${INSTALL},;t t -s,@INSTALL_SCRIPT@,${INSTALL},;t t -s,@INSTALL_DATA@,${INSTALL} -m 644,;t t -s,@PACKAGE@,heimdal,;t t -s,@VERSION@,0.4f,;t t -s,@ACLOCAL@,${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6,;t t -s,@AUTOCONF@,${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf,;t t -s,@AUTOMAKE@,${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6,;t t -s,@AUTOHEADER@,${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader,;t t -s,@MAKEINFO@,${SHELL} /usr/home/nectar/devel/heimdal/missing --run makeinfo,;t t -s,@AMTAR@,${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar,;t t -s,@install_sh@,/usr/home/nectar/devel/heimdal/install-sh,;t t -s,@STRIP@,strip,;t t 
-s,@ac_ct_STRIP@,strip,;t t -s,@INSTALL_STRIP_PROGRAM@,${SHELL} $(install_sh) -c -s,;t t -s,@AWK@,gawk,;t t -s,@SET_MAKE@,,;t t -s,@DEPDIR@,.deps,;t t -s,@am__include@,include,;t t -s,@am__quote@,,;t t -s,@AMDEP_TRUE@,,;t t -s,@AMDEP_FALSE@,#,;t t -s,@AMDEPBACKSLASH@,\,;t t -s,@CCDEPMODE@,depmode=none,;t t -s,@build@,i386-unknown-freebsd5.0,;t t -s,@build_cpu@,i386,;t t -s,@build_vendor@,unknown,;t t -s,@build_os@,freebsd5.0,;t t -s,@host@,i386-unknown-freebsd5.0,;t t -s,@host_cpu@,i386,;t t -s,@host_vendor@,unknown,;t t -s,@host_os@,freebsd5.0,;t t -s,@CANONICAL_HOST@,i386-unknown-freebsd5.0,;t t -s,@YACC@,bison -y,;t t -s,@LEX@,flex,;t t -s,@LEXLIB@,-lfl,;t t -s,@LEX_OUTPUT_ROOT@,lex.yy,;t t -s,@LN_S@,ln -s,;t t -s,@ECHO@,echo,;t t -s,@RANLIB@,ranlib,;t t -s,@ac_ct_RANLIB@,ranlib,;t t -s,@LIBTOOL@,$(SHELL) $(top_builddir)/libtool,;t t -s,@WFLAGS@,-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs,;t t -s,@WFLAGS_NOUNUSED@,,;t t -s,@WFLAGS_NOIMPLICITINT@,,;t t -s,@LIB_db_create@,,;t t -s,@LIB_dbopen@,,;t t -s,@LIB_dbm_firstkey@,,;t t -s,@HAVE_DB1_TRUE@,,;t t -s,@HAVE_DB1_FALSE@,#,;t t -s,@HAVE_DB3_TRUE@,#,;t t -s,@HAVE_DB3_FALSE@,,;t t -s,@HAVE_NDBM_TRUE@,#,;t t -s,@HAVE_NDBM_FALSE@,,;t t -s,@DBLIB@, ,;t t -s,@LIB_NDBM@,,;t t -s,@VOID_RETSIGTYPE@,,;t t -s,@have_err_h_TRUE@,,;t t -s,@have_err_h_FALSE@,#,;t t -s,@have_fnmatch_h_TRUE@,#,;t t -s,@have_fnmatch_h_FALSE@,,;t t -s,@have_ifaddrs_h_TRUE@,,;t t -s,@have_ifaddrs_h_FALSE@,#,;t t -s,@have_vis_h_TRUE@,,;t t -s,@have_vis_h_FALSE@,#,;t t -s,@LIB_socket@,,;t t -s,@LIB_gethostbyname@,,;t t -s,@LIB_syslog@,,;t t -s,@LIB_gethostbyname2@,,;t t -s,@LIB_res_search@,,;t t -s,@LIB_dn_expand@,,;t t -s,@LIBOBJS@, copyhostent.o ecalloc.o emalloc.o erealloc.o estrdup.o strlwr.o strndup.o strnlen.o strsep_copy.o strupr.o,;t t -s,@have_glob_h_TRUE@,,;t t -s,@have_glob_h_FALSE@,#,;t t -s,@LIB_getsockopt@,,;t t -s,@LIB_setsockopt@,,;t t -s,@LIB_hstrerror@,,;t t 
-s,@LIB_bswap16@,,;t t -s,@LIB_bswap32@,,;t t -s,@LIB_pidfile@,,;t t -s,@LIB_getaddrinfo@,,;t t -s,@LIB_getnameinfo@,,;t t -s,@LIB_freeaddrinfo@,,;t t -s,@LIB_gai_strerror@,,;t t -s,@LIB_crypt@,-lcrypt,;t t -s,@DIR_roken@,roken,;t t -s,@LIB_roken@,$(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen),;t t -s,@INCLUDES_roken@,-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken,;t t -s,@INCLUDE_openldap@,,;t t -s,@LIB_openldap@,,;t t -s,@INCLUDE_krb4@,,;t t -s,@LIB_krb4@,,;t t -s,@EXTRA_LIB45@,,;t t -s,@LIB_krb_enable_debug@,,;t t -s,@LIB_krb_disable_debug@,,;t t -s,@LIB_krb_get_our_ip_for_realm@,,;t t -s,@LIB_krb_kdctimeofday@,,;t t -s,@LIB_krb_get_kdc_time_diff@,,;t t -s,@KRB4_TRUE@,#,;t t -s,@KRB4_FALSE@,,;t t -s,@KRB5_TRUE@,,;t t -s,@KRB5_FALSE@,#,;t t -s,@do_roken_rename_TRUE@,,;t t -s,@do_roken_rename_FALSE@,#,;t t -s,@LIB_kdb@,,;t t -s,@DCE_TRUE@,#,;t t -s,@DCE_FALSE@,,;t t -s,@dpagaix_cflags@,-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce,;t t -s,@dpagaix_ldadd@,-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r,;t t -s,@dpagaix_ldflags@,-Wl,-bI:dfspag.exp,;t t -s,@LIB_otp@,$(top_builddir)/lib/otp/libotp.la,;t t -s,@OTP_TRUE@,,;t t -s,@OTP_FALSE@,#,;t t -s,@LIB_security@,,;t t -s,@NROFF@,/usr/bin/nroff,;t t -s,@GROFF@,/usr/bin/groff,;t t -s,@CATMAN@,/usr/bin/nroff -mdoc $< > $@,;t t -s,@CATMAN_TRUE@,,;t t -s,@CATMAN_FALSE@,#,;t t -s,@CATMANEXT@,$$section,;t t -s,@INCLUDE_readline@,,;t t -s,@LIB_readline@,$(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent),;t t -s,@INCLUDE_hesiod@,,;t t -s,@LIB_hesiod@,,;t t -s,@AIX_TRUE@,#,;t t -s,@AIX_FALSE@,,;t t -s,@AIX4_TRUE@,#,;t t -s,@AIX4_FALSE@,,;t t -s,@LIB_dlopen@,,;t t -s,@HAVE_DLOPEN_TRUE@,,;t t -s,@HAVE_DLOPEN_FALSE@,#,;t t -s,@LIB_loadquery@,,;t t -s,@AIX_DYNAMIC_AFS_TRUE@,,;t t -s,@AIX_DYNAMIC_AFS_FALSE@,#,;t t -s,@AIX_EXTRA_KAFS@,,;t t -s,@IRIX_TRUE@,#,;t t 
-s,@IRIX_FALSE@,,;t t -s,@X_CFLAGS@, -I/usr/X11R6/include,;t t -s,@X_PRE_LIBS@, -lSM -lICE,;t t -s,@X_LIBS@, -L/usr/X11R6/lib,;t t -s,@X_EXTRA_LIBS@,,;t t -s,@HAVE_X_TRUE@,,;t t -s,@HAVE_X_FALSE@,#,;t t -s,@LIB_XauWriteAuth@,-lXau,;t t -s,@LIB_XauReadAuth@,-lXau,;t t -s,@LIB_XauFileName@,,;t t -s,@NEED_WRITEAUTH_TRUE@,#,;t t -s,@NEED_WRITEAUTH_FALSE@,,;t t -s,@LIB_logwtmp@,-lutil,;t t -s,@LIB_logout@,-lutil,;t t -s,@LIB_openpty@,-lutil,;t t -s,@LIB_tgetent@,-ltermcap,;t t -s,@LIB_getpwnam_r@,,;t t -s,@HAVE_OPENSSL_TRUE@,,;t t -s,@HAVE_OPENSSL_FALSE@,#,;t t -s,@DIR_des@,,;t t -s,@INCLUDE_des@,,;t t -s,@LIB_des@, -lcrypto,;t t -s,@LIB_des_a@, -lcrypto,;t t -s,@LIB_des_so@, -lcrypto,;t t -s,@LIB_des_appl@, -lcrypto,;t t -s,@LIB_el_init@,-ledit,;t t -s,@el_compat_TRUE@,,;t t -s,@el_compat_FALSE@,#,;t t -s,@COMPILE_ET@,compile_et,;t t -s,@DIR_com_err@,,;t t -s,@LIB_com_err@,-lcom_err,;t t -s,@LIB_com_err_a@,,;t t -s,@LIB_com_err_so@,,;t t -s,@LIB_AUTH_SUBDIRS@,,;t t -s,@LTLIBOBJS@, copyhostent.lo ecalloc.lo emalloc.lo erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo,;t t -CEOF - - # Split the substitutions into bite-sized pieces for seds with - # small command number limits, like on Digital OSF/1 and HP-UX. - ac_max_sed_lines=48 - ac_sed_frag=1 # Number of current file. - ac_beg=1 # First line for current file. - ac_end=$ac_max_sed_lines # Line after last line for current file. - ac_more_lines=: - ac_sed_cmds= - while $ac_more_lines; do - if test $ac_beg -gt 1; then - sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag - else - sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag - fi - if test ! -s $tmp/subs.frag; then - ac_more_lines=false - else - # The purpose of the label and of the branching condition is to - # speed up the sed processing (if there are no `@' at all, there - # is no need to browse any of the substitutions). - # These are the two extra sed commands mentioned above. 
- (echo ':t - /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed - if test -z "$ac_sed_cmds"; then - ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed" - else - ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed" - fi - ac_sed_frag=`expr $ac_sed_frag + 1` - ac_beg=$ac_end - ac_end=`expr $ac_end + $ac_max_sed_lines` - fi - done - if test -z "$ac_sed_cmds"; then - ac_sed_cmds=cat - fi -fi # test -n "$CONFIG_FILES" - -for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". - case $ac_file in - - | *:- | *:-:* ) # input from stdin - cat >$tmp/stdin - ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - * ) ac_file_in=$ac_file.in ;; - esac - - # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories. - ac_dir=`(dirname "$ac_file") 2>/dev/null || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { case "$ac_dir" in - [\\/]* | ?:[\\/]* ) as_incr_dir=;; - *) as_incr_dir=.;; -esac -as_dummy="$ac_dir" -for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do - case $as_mkdir_dir in - # Skip DOS drivespec - ?:) as_incr_dir=$as_mkdir_dir ;; - *) - as_incr_dir=$as_incr_dir/$as_mkdir_dir - test -d "$as_incr_dir" || - mkdir "$as_incr_dir" || - { { echo "$as_me:35392: error: cannot create \"$ac_dir\"" >&5 -echo "$as_me: error: cannot create \"$ac_dir\"" >&2;} - { (exit 1); exit 1; }; } - ;; - esac -done; } - - ac_builddir=. 
- -if test "$ac_dir" != .; then - ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A "../" for each directory in $ac_dir_suffix. - ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` -else - ac_dir_suffix= ac_top_builddir= -fi - -case $srcdir in - .) # No --srcdir option. We are building in place. - ac_srcdir=. - if test -z "$ac_top_builddir"; then - ac_top_srcdir=. - else - ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` - fi ;; - [\\/]* | ?:[\\/]* ) # Absolute path. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir ;; - *) # Relative path. - ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_builddir$srcdir ;; -esac -# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be -# absolute. -ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd` -ac_abs_top_builddir=`cd "$ac_dir" && cd $ac_top_builddir && pwd` -ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd` -ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd` - - - case $INSTALL in - [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; - *) ac_INSTALL=$ac_top_builddir$INSTALL ;; - esac - - if test x"$ac_file" != x-; then - { echo "$as_me:35438: creating $ac_file" >&5 -echo "$as_me: creating $ac_file" >&6;} - rm -f "$ac_file" - fi - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - if test x"$ac_file" = x-; then - configure_input= - else - configure_input="$ac_file. " - fi - configure_input=$configure_input"Generated from `echo $ac_file_in | - sed 's,.*/,,'` by configure." - - # First look for the input files in the build tree, otherwise in the - # src tree. 
- ac_file_inputs=`IFS=: - for f in $ac_file_in; do - case $f in - -) echo $tmp/stdin ;; - [\\/$]*) - # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:35461: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - echo $f;; - *) # Relative - if test -f "$f"; then - # Build tree - echo $f - elif test -f "$srcdir/$f"; then - # Source tree - echo $srcdir/$f - else - # /dev/null tree - { { echo "$as_me:35474: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - fi;; - esac - done` || { (exit 1); exit 1; } - sed "/^[ ]*VPATH[ ]*=/{ -s/:*\$(srcdir):*/:/; -s/:*\${srcdir}:*/:/; -s/:*@srcdir@:*/:/; -s/^\([^=]*=[ ]*\):*/\1/; -s/:*$//; -s/^[^=]*=[ ]*$//; -} - -:t -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b -s,@configure_input@,$configure_input,;t t -s,@srcdir@,$ac_srcdir,;t t -s,@abs_srcdir@,$ac_abs_srcdir,;t t -s,@top_srcdir@,$ac_top_srcdir,;t t -s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t -s,@builddir@,$ac_builddir,;t t -s,@abs_builddir@,$ac_abs_builddir,;t t -s,@top_builddir@,$ac_top_builddir,;t t -s,@abs_top_builddir@,$ac_abs_top_builddir,;t t -s,@INSTALL@,$ac_INSTALL,;t t -" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out - rm -f $tmp/stdin - if test x"$ac_file" != x-; then - mv $tmp/out $ac_file - else - cat $tmp/out - rm -f $tmp/out - fi - -done - -# -# CONFIG_HEADER section. -# - -# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where -# NAME is the cpp macro being defined and VALUE is the value it is being given. -# -# ac_d sets the value in "#define NAME VALUE" lines. -ac_dA='s,^\([ ]*\)#\([ ]*define[ ][ ]*\)' -ac_dB='[ ].*$,\1#\2' -ac_dC=' ' -ac_dD=',;t' -# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE". 
-ac_uA='s,^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' -ac_uB='$,\1#\2define\3' -ac_uC=' ' -ac_uD=',;t' - -for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". - case $ac_file in - - | *:- | *:-:* ) # input from stdin - cat >$tmp/stdin - ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - * ) ac_file_in=$ac_file.in ;; - esac - - test x"$ac_file" != x- && { echo "$as_me:35541: creating $ac_file" >&5 -echo "$as_me: creating $ac_file" >&6;} - - # First look for the input files in the build tree, otherwise in the - # src tree. - ac_file_inputs=`IFS=: - for f in $ac_file_in; do - case $f in - -) echo $tmp/stdin ;; - [\\/$]*) - # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:35552: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - echo $f;; - *) # Relative - if test -f "$f"; then - # Build tree - echo $f - elif test -f "$srcdir/$f"; then - # Source tree - echo $srcdir/$f - else - # /dev/null tree - { { echo "$as_me:35565: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - fi;; - esac - done` || { (exit 1); exit 1; } - # Remove the trailing spaces. - sed 's/[ ]*$//' $ac_file_inputs >$tmp/in - - # Handle all the #define templates only if necessary. 
- if egrep "^[ ]*#[ ]*define" $tmp/in >/dev/null; then - # If there are no defines, we may have an empty if/fi - : - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/defines.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - fi # egrep - - # Handle all the #undef templates - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - cat >$tmp/undefs.sed <$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in - - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - if test x"$ac_file" = x-; then - echo "/* Generated by configure. */" >$tmp/config.h - else - echo "/* $ac_file. Generated by configure. 
*/" >$tmp/config.h - fi - cat $tmp/in >>$tmp/config.h - rm -f $tmp/in - if test x"$ac_file" != x-; then - if cmp -s $ac_file $tmp/config.h 2>/dev/null; then - { echo "$as_me:35682: $ac_file is unchanged" >&5 -echo "$as_me: $ac_file is unchanged" >&6;} - else - ac_dir=`(dirname "$ac_file") 2>/dev/null || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { case "$ac_dir" in - [\\/]* | ?:[\\/]* ) as_incr_dir=;; - *) as_incr_dir=.;; -esac -as_dummy="$ac_dir" -for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do - case $as_mkdir_dir in - # Skip DOS drivespec - ?:) as_incr_dir=$as_mkdir_dir ;; - *) - as_incr_dir=$as_incr_dir/$as_mkdir_dir - test -d "$as_incr_dir" || - mkdir "$as_incr_dir" || - { { echo "$as_me:35710: error: cannot create \"$ac_dir\"" >&5 -echo "$as_me: error: cannot create \"$ac_dir\"" >&2;} - { (exit 1); exit 1; }; } - ;; - esac -done; } - - rm -f $ac_file - mv $tmp/config.h $ac_file - fi - else - cat $tmp/config.h - rm -f $tmp/config.h - fi - # Run the commands associated with the file. - case $ac_file in - include/config.h ) # update the timestamp -echo 'timestamp for include/config.h' >"include/stamp-h1" - ;; - esac -done - -# -# CONFIG_COMMANDS section. -# -for ac_file in : $CONFIG_COMMANDS; do test "x$ac_file" = x: && continue - ac_dest=`echo "$ac_file" | sed 's,:.*,,'` - ac_source=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_dir=`(dirname "$ac_dest") 2>/dev/null || -$as_expr X"$ac_dest" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_dest" : 'X\(//\)[^/]' \| \ - X"$ac_dest" : 'X\(//\)$' \| \ - X"$ac_dest" : 'X\(/\)' \| \ - . 
: '\(.\)' 2>/dev/null || -echo X"$ac_dest" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - ac_builddir=. - -if test "$ac_dir" != .; then - ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A "../" for each directory in $ac_dir_suffix. - ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` -else - ac_dir_suffix= ac_top_builddir= -fi - -case $srcdir in - .) # No --srcdir option. We are building in place. - ac_srcdir=. - if test -z "$ac_top_builddir"; then - ac_top_srcdir=. - else - ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` - fi ;; - [\\/]* | ?:[\\/]* ) # Absolute path. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir ;; - *) # Relative path. - ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_builddir$srcdir ;; -esac -# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be -# absolute. -ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd` -ac_abs_top_builddir=`cd "$ac_dir" && cd $ac_top_builddir && pwd` -ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd` -ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd` - - - { echo "$as_me:35785: executing $ac_dest commands" >&5 -echo "$as_me: executing $ac_dest commands" >&6;} - case $ac_dest in - depfiles ) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do - # Strip MF so we end up with the name of the file. - mf=`echo "$mf" | sed -e 's/:.*$//'` - # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but - # some people rename them; so instead we look at the file content. - # Grep'ing the first line is not enough: some people post-process - # each Makefile.in and add a new line on top of each file to say so. - # So let's grep whole file. 
- if grep '^#.*generated by automake' $mf > /dev/null 2>&1; then - dirpart=`(dirname "$mf") 2>/dev/null || -$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$mf" : 'X\(//\)[^/]' \| \ - X"$mf" : 'X\(//\)$' \| \ - X"$mf" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$mf" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - else - continue - fi - grep '^DEP_FILES *= *[^ #]' < "$mf" > /dev/null || continue - # Extract the definition of DEP_FILES from the Makefile without - # running `make'. - DEPDIR=`sed -n -e '/^DEPDIR = / s///p' < "$mf"` - test -z "$DEPDIR" && continue - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n -e '/^U = / s///p' < "$mf"` - test -d "$dirpart/$DEPDIR" || mkdir "$dirpart/$DEPDIR" - # We invoke sed twice because it is the simplest approach to - # changing $(DEPDIR) to its actual value in the expansion. - for file in `sed -n -e ' - /^DEP_FILES = .*\\\\$/ { - s/^DEP_FILES = // - :loop - s/\\\\$// - p - n - /\\\\$/ b loop - p - } - /^DEP_FILES = / s/^DEP_FILES = //p' < "$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do - # Make sure the directory exists. - test -f "$dirpart/$file" && continue - fdir=`(dirname "$file") 2>/dev/null || -$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$file" : 'X\(//\)[^/]' \| \ - X"$file" : 'X\(//\)$' \| \ - X"$file" : 'X\(/\)' \| \ - . 
: '\(.\)' 2>/dev/null || -echo X"$file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { case $dirpart/$fdir in - [\\/]* | ?:[\\/]* ) as_incr_dir=;; - *) as_incr_dir=.;; -esac -as_dummy=$dirpart/$fdir -for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do - case $as_mkdir_dir in - # Skip DOS drivespec - ?:) as_incr_dir=$as_mkdir_dir ;; - *) - as_incr_dir=$as_incr_dir/$as_mkdir_dir - test -d "$as_incr_dir" || - mkdir "$as_incr_dir" || - { { echo "$as_me:35862: error: cannot create $dirpart/$fdir" >&5 -echo "$as_me: error: cannot create $dirpart/$fdir" >&2;} - { (exit 1); exit 1; }; } - ;; - esac -done; } - - # echo "creating $dirpart/$file" - echo '# dummy' > "$dirpart/$file" - done -done - ;; - esac -done - -{ (exit 0); exit 0; } diff --git a/crypto/heimdal/configure.lineno b/crypto/heimdal/configure.lineno deleted file mode 100755 index 107d11a87b50..000000000000 --- a/crypto/heimdal/configure.lineno +++ /dev/null 
@@ -1,35921 +0,0 @@ -#! /bin/sh -# From configure.in Revision: 1.320 . -# Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.53 for Heimdal 0.4f. -# -# Report bugs to . -# -# Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This configure script is free software; the Free Software Foundation -# gives unlimited permission to copy, distribute and modify it. - -# Find the correct PATH separator. Usually this is `:', but -# DJGPP uses `;' like DOS. -if test "X${PATH_SEPARATOR+set}" != Xset; then - UNAME=${UNAME-`uname 2>/dev/null`} - case X$UNAME in - *-DOS) lt_cv_sys_path_separator=';' ;; - *) lt_cv_sys_path_separator=':' ;; - esac - PATH_SEPARATOR=$lt_cv_sys_path_separator -fi - - -# Check that we are running under the correct shell. -SHELL=${CONFIG_SHELL-/bin/sh} - -case X$ECHO in -X*--fallback-echo) - # Remove one level of quotation (which was required for Make). - ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','` - ;; -esac - -echo=${ECHO-echo} -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then - # Yippee, $echo works! - : -else - # Restart under the correct shell. - exec $SHELL "$0" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat </dev/null && - echo_test_string="`eval $cmd`" && - (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null - then - break - fi - done -fi - -if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - : -else - # The Solaris, AIX, and Digital Unix default echo programs unquote - # backslashes. 
This makes it impossible to quote backslashes using - # echo "$something" | sed 's/\\/\\\\/g' - # - # So, first we look for a working echo in the user's PATH. - - IFS="${IFS= }"; save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for dir in $PATH /usr/ucb; do - if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && - test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$dir/echo" - break - fi - done - IFS="$save_ifs" - - if test "X$echo" = Xecho; then - # We didn't find a better echo, so look for alternatives. - if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # This shell has a builtin print -r that does the trick. - echo='print -r' - elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) && - test "X$CONFIG_SHELL" != X/bin/ksh; then - # If we have ksh, try running configure again with it. - ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh} - export ORIGINAL_CONFIG_SHELL - CONFIG_SHELL=/bin/ksh - export CONFIG_SHELL - exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"} - else - # Try using printf. 
- echo='printf %s\n' - if test "X`($echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # Cool, printf works - : - elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL - export CONFIG_SHELL - SHELL="$CONFIG_SHELL" - export SHELL - echo="$CONFIG_SHELL $0 --fallback-echo" - elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - echo="$CONFIG_SHELL $0 --fallback-echo" - else - # maybe with a smaller string... - prev=: - - for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do - if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null - then - break - fi - prev="$cmd" - done - - if test "$prev" != 'sed 50q "$0"'; then - echo_test_string=`eval $prev` - export echo_test_string - exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"} - else - # Oops. We lost completely, so just stick with echo. - echo=echo - fi - fi - fi - fi -fi -fi - -# Copy echo and quote the copy suitably for passing to libtool from -# the Makefile, instead of quoting the original, which is used later. -ECHO=$echo -if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then - ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo" -fi - - - -if expr a : '\(a\)' >/dev/null 2>&1; then - as_expr=expr -else - as_expr=false -fi - - -## --------------------- ## -## M4sh Initialization. 
## -## --------------------- ## - -# Be Bourne compatible -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: -elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then - set -o posix -fi - -# NLS nuisances. -# Support unset when possible. -if (FOO=FOO; unset FOO) >/dev/null 2>&1; then - as_unset=unset -else - as_unset=false -fi - -(set +x; test -n "`(LANG=C; export LANG) 2>&1`") && - { $as_unset LANG || test "${LANG+set}" != set; } || - { LANG=C; export LANG; } -(set +x; test -n "`(LC_ALL=C; export LC_ALL) 2>&1`") && - { $as_unset LC_ALL || test "${LC_ALL+set}" != set; } || - { LC_ALL=C; export LC_ALL; } -(set +x; test -n "`(LC_TIME=C; export LC_TIME) 2>&1`") && - { $as_unset LC_TIME || test "${LC_TIME+set}" != set; } || - { LC_TIME=C; export LC_TIME; } -(set +x; test -n "`(LC_CTYPE=C; export LC_CTYPE) 2>&1`") && - { $as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set; } || - { LC_CTYPE=C; export LC_CTYPE; } -(set +x; test -n "`(LANGUAGE=C; export LANGUAGE) 2>&1`") && - { $as_unset LANGUAGE || test "${LANGUAGE+set}" != set; } || - { LANGUAGE=C; export LANGUAGE; } -(set +x; test -n "`(LC_COLLATE=C; export LC_COLLATE) 2>&1`") && - { $as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set; } || - { LC_COLLATE=C; export LC_COLLATE; } -(set +x; test -n "`(LC_NUMERIC=C; export LC_NUMERIC) 2>&1`") && - { $as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set; } || - { LC_NUMERIC=C; export LC_NUMERIC; } -(set +x; test -n "`(LC_MESSAGES=C; export LC_MESSAGES) 2>&1`") && - { $as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set; } || - { LC_MESSAGES=C; export LC_MESSAGES; } - - -# Name of the executable. -as_me=`(basename "$0") 2>/dev/null || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)$' \| \ - . 
: '\(.\)' 2>/dev/null || -echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; } - /^X\/\(\/\/\)$/{ s//\1/; q; } - /^X\/\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - -# PATH needs CR, and LINENO needs CR and PATH. -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - echo "#! /bin/sh" >conftest.sh - echo "exit 0" >>conftest.sh - chmod +x conftest.sh - if (PATH=".;."; conftest.sh) >/dev/null 2>&1; then - PATH_SEPARATOR=';' - else - PATH_SEPARATOR=: - fi - rm -f conftest.sh -fi - - - as_lineno_1=259 - as_lineno_2=260 - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" || { - # Find who we are. Look in the path if we contain no path at all - # relative or not. - case $0 in - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done - - ;; - esac - # We did not find ourselves, most probably we were run as `sh COMMAND' - # in which case we are not to be found in the path. - if test "x$as_myself" = x; then - as_myself=$0 - fi - if test ! -f "$as_myself"; then - { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2 - { (exit 1); exit 1; }; } - fi - case $CONFIG_SHELL in - '') - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for as_base in sh bash ksh sh5; do - case $as_dir in - /*) - if ("$as_dir/$as_base" -c ' - as_lineno_1=298 - as_lineno_2=299 - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then - CONFIG_SHELL=$as_dir/$as_base - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$0" ${1+"$@"} - fi;; - esac - done -done -;; - esac - - # Create $as_me.lineno as a copy of $as_myself, but with 313 - # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line before each line; the second 'sed' does the real - # work. The second script uses 'N' to pair each line-number line - # with the numbered line, and appends trailing '-' during - # substitution so that 318 is not a special case at line end. - # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-) - sed '=' <$as_myself | - sed ' - N - s,$,-, - : loop - s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3, - t loop - s,-$,, - s,^['$as_cr_digits']*\n,, - ' >$as_me.lineno && - chmod +x $as_me.lineno || - { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 - { (exit 1); exit 1; }; } - - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensible to this). - . ./$as_me.lineno - # Exit status is that of the last command. 
- exit -} - - -case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in - *c*,-n*) ECHO_N= ECHO_C=' -' ECHO_T=' ' ;; - *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; - *) ECHO_N= ECHO_C='\c' ECHO_T= ;; -esac - -if expr a : '\(a\)' >/dev/null 2>&1; then - as_expr=expr -else - as_expr=false -fi - -rm -f conf$$ conf$$.exe conf$$.file -echo >conf$$.file -if ln -s conf$$.file conf$$ 2>/dev/null; then - # We could just check for DJGPP; but this test a) works b) is more generic - # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04). - if test -f conf$$.exe; then - # Don't use ln at all; we don't have any links - as_ln_s='cp -p' - else - as_ln_s='ln -s' - fi -elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln -else - as_ln_s='cp -p' -fi -rm -f conf$$ conf$$.exe conf$$.file - -as_executable_p="test -f" - -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" - -# Sed expression to map a string onto a valid variable name. -as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g" - - -# IFS -# We need space, tab and new line, in precisely that order. -as_nl=' -' -IFS=" $as_nl" - -# CDPATH. -$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=$PATH_SEPARATOR; export CDPATH; } - - -# Name of the host. -# hostname on some systems (SVR3.2, Linux) returns a bogus exit status, -# so uname gets run too. -ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` - -exec 6>&1 - -# -# Initializations. -# -ac_default_prefix=/usr/local -cross_compiling=no -subdirs= -MFLAGS= -MAKEFLAGS= -SHELL=${CONFIG_SHELL-/bin/sh} - -# Maximum number of lines to put in a shell here document. -# This variable seems obsolete. It should probably be removed, and -# only ac_max_sed_lines should be used. -: ${ac_max_here_lines=38} - -# Identity of this package. 
-PACKAGE_NAME='Heimdal' -PACKAGE_TARNAME='heimdal' -PACKAGE_VERSION='0.4f' -PACKAGE_STRING='Heimdal 0.4f' -PACKAGE_BUGREPORT='heimdal-bugs@pdc.kth.se' - -ac_default_prefix=/usr/heimdal -# Factoring default headers for most tests. -ac_includes_default="\ -#include -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_SYS_STAT_H -# include -#endif -#if STDC_HEADERS -# include -# include -#else -# if HAVE_STDLIB_H -# include -# endif -#endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H -# include -# endif -# include -#endif -#if HAVE_STRINGS_H -# include -#endif -#if HAVE_INTTYPES_H -# include -#else -# if HAVE_STDINT_H -# include -# endif -#endif -#if HAVE_UNISTD_H -# include -#endif" - - -# Initialize some variables set by options. -ac_init_help= -ac_init_version=false -# The variables have the same names as the options, with -# dashes changed to underlines. -cache_file=/dev/null -exec_prefix=NONE -no_create= -no_recursion= -prefix=NONE -program_prefix=NONE -program_suffix=NONE -program_transform_name=s,x,x, -silent= -site= -srcdir= -verbose= -x_includes=NONE -x_libraries=NONE - -# Installation directory options. -# These are left unexpanded so users can "make install exec_prefix=/foo" -# and all the variables that are supposed to be based on exec_prefix -# by default will actually change. -# Use braces instead of parens because sh, perl, etc. also accept them. -bindir='${exec_prefix}/bin' -sbindir='${exec_prefix}/sbin' -libexecdir='${exec_prefix}/libexec' -datadir='${prefix}/share' -sysconfdir='${prefix}/etc' -sharedstatedir='${prefix}/com' -localstatedir='${prefix}/var' -libdir='${exec_prefix}/lib' -includedir='${prefix}/include' -oldincludedir='/usr/include' -infodir='${prefix}/info' -mandir='${prefix}/man' - -ac_prev= -for ac_option -do - # If the previous option needs an argument, assign it. 
- if test -n "$ac_prev"; then - eval "$ac_prev=\$ac_option" - ac_prev= - continue - fi - - ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'` - - # Accept the important Cygnus configure options, so we can diagnose typos. - - case $ac_option in - - -bindir | --bindir | --bindi | --bind | --bin | --bi) - ac_prev=bindir ;; - -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) - bindir=$ac_optarg ;; - - -build | --build | --buil | --bui | --bu) - ac_prev=build_alias ;; - -build=* | --build=* | --buil=* | --bui=* | --bu=*) - build_alias=$ac_optarg ;; - - -cache-file | --cache-file | --cache-fil | --cache-fi \ - | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) - ac_prev=cache_file ;; - -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ - | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) - cache_file=$ac_optarg ;; - - --config-cache | -C) - cache_file=config.cache ;; - - -datadir | --datadir | --datadi | --datad | --data | --dat | --da) - ac_prev=datadir ;; - -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ - | --da=*) - datadir=$ac_optarg ;; - - -disable-* | --disable-*) - ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid feature name: $ac_feature" >&2 - { (exit 1); exit 1; }; } - ac_feature=`echo $ac_feature | sed 's/-/_/g'` - eval "enable_$ac_feature=no" ;; - - -enable-* | --enable-*) - ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` - # Reject names that are not valid shell variable names. 
- expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid feature name: $ac_feature" >&2 - { (exit 1); exit 1; }; } - ac_feature=`echo $ac_feature | sed 's/-/_/g'` - case $ac_option in - *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;; - *) ac_optarg=yes ;; - esac - eval "enable_$ac_feature='$ac_optarg'" ;; - - -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ - | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ - | --exec | --exe | --ex) - ac_prev=exec_prefix ;; - -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ - | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ - | --exec=* | --exe=* | --ex=*) - exec_prefix=$ac_optarg ;; - - -gas | --gas | --ga | --g) - # Obsolete; use --with-gas. - with_gas=yes ;; - - -help | --help | --hel | --he | -h) - ac_init_help=long ;; - -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) - ac_init_help=recursive ;; - -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) - ac_init_help=short ;; - - -host | --host | --hos | --ho) - ac_prev=host_alias ;; - -host=* | --host=* | --hos=* | --ho=*) - host_alias=$ac_optarg ;; - - -includedir | --includedir | --includedi | --included | --include \ - | --includ | --inclu | --incl | --inc) - ac_prev=includedir ;; - -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ - | --includ=* | --inclu=* | --incl=* | --inc=*) - includedir=$ac_optarg ;; - - -infodir | --infodir | --infodi | --infod | --info | --inf) - ac_prev=infodir ;; - -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) - infodir=$ac_optarg ;; - - -libdir | --libdir | --libdi | --libd) - ac_prev=libdir ;; - -libdir=* | --libdir=* | --libdi=* | --libd=*) - libdir=$ac_optarg ;; - - -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ - | --libexe | --libex | --libe) - ac_prev=libexecdir ;; - -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ - | 
--libexe=* | --libex=* | --libe=*) - libexecdir=$ac_optarg ;; - - -localstatedir | --localstatedir | --localstatedi | --localstated \ - | --localstate | --localstat | --localsta | --localst \ - | --locals | --local | --loca | --loc | --lo) - ac_prev=localstatedir ;; - -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ - | --localstate=* | --localstat=* | --localsta=* | --localst=* \ - | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) - localstatedir=$ac_optarg ;; - - -mandir | --mandir | --mandi | --mand | --man | --ma | --m) - ac_prev=mandir ;; - -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) - mandir=$ac_optarg ;; - - -nfp | --nfp | --nf) - # Obsolete; use --without-fp. - with_fp=no ;; - - -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c | -n) - no_create=yes ;; - - -no-recursion | --no-recursion | --no-recursio | --no-recursi \ - | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) - no_recursion=yes ;; - - -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ - | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ - | --oldin | --oldi | --old | --ol | --o) - ac_prev=oldincludedir ;; - -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ - | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ - | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) - oldincludedir=$ac_optarg ;; - - -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) - ac_prev=prefix ;; - -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) - prefix=$ac_optarg ;; - - -program-prefix | --program-prefix | --program-prefi | --program-pref \ - | --program-pre | --program-pr | --program-p) - ac_prev=program_prefix ;; - -program-prefix=* | --program-prefix=* | --program-prefi=* \ - | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) - program_prefix=$ac_optarg ;; - - 
-program-suffix | --program-suffix | --program-suffi | --program-suff \ - | --program-suf | --program-su | --program-s) - ac_prev=program_suffix ;; - -program-suffix=* | --program-suffix=* | --program-suffi=* \ - | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) - program_suffix=$ac_optarg ;; - - -program-transform-name | --program-transform-name \ - | --program-transform-nam | --program-transform-na \ - | --program-transform-n | --program-transform- \ - | --program-transform | --program-transfor \ - | --program-transfo | --program-transf \ - | --program-trans | --program-tran \ - | --progr-tra | --program-tr | --program-t) - ac_prev=program_transform_name ;; - -program-transform-name=* | --program-transform-name=* \ - | --program-transform-nam=* | --program-transform-na=* \ - | --program-transform-n=* | --program-transform-=* \ - | --program-transform=* | --program-transfor=* \ - | --program-transfo=* | --program-transf=* \ - | --program-trans=* | --program-tran=* \ - | --progr-tra=* | --program-tr=* | --program-t=*) - program_transform_name=$ac_optarg ;; - - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil) - silent=yes ;; - - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) - ac_prev=sbindir ;; - -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ - | --sbi=* | --sb=*) - sbindir=$ac_optarg ;; - - -sharedstatedir | --sharedstatedir | --sharedstatedi \ - | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ - | --sharedst | --shareds | --shared | --share | --shar \ - | --sha | --sh) - ac_prev=sharedstatedir ;; - -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ - | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ - | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ - | --sha=* | --sh=*) - sharedstatedir=$ac_optarg ;; - - -site | --site | --sit) - ac_prev=site ;; - -site=* | --site=* | --sit=*) - 
site=$ac_optarg ;; - - -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) - ac_prev=srcdir ;; - -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) - srcdir=$ac_optarg ;; - - -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ - | --syscon | --sysco | --sysc | --sys | --sy) - ac_prev=sysconfdir ;; - -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ - | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) - sysconfdir=$ac_optarg ;; - - -target | --target | --targe | --targ | --tar | --ta | --t) - ac_prev=target_alias ;; - -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) - target_alias=$ac_optarg ;; - - -v | -verbose | --verbose | --verbos | --verbo | --verb) - verbose=yes ;; - - -version | --version | --versio | --versi | --vers | -V) - ac_init_version=: ;; - - -with-* | --with-*) - ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid package name: $ac_package" >&2 - { (exit 1); exit 1; }; } - ac_package=`echo $ac_package| sed 's/-/_/g'` - case $ac_option in - *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;; - *) ac_optarg=yes ;; - esac - eval "with_$ac_package='$ac_optarg'" ;; - - -without-* | --without-*) - ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid package name: $ac_package" >&2 - { (exit 1); exit 1; }; } - ac_package=`echo $ac_package | sed 's/-/_/g'` - eval "with_$ac_package=no" ;; - - --x) - # Obsolete; use --with-x. 
- with_x=yes ;; - - -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ - | --x-incl | --x-inc | --x-in | --x-i) - ac_prev=x_includes ;; - -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ - | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) - x_includes=$ac_optarg ;; - - -x-libraries | --x-libraries | --x-librarie | --x-librari \ - | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) - ac_prev=x_libraries ;; - -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ - | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) - x_libraries=$ac_optarg ;; - - -*) { echo "$as_me: error: unrecognized option: $ac_option -Try \`$0 --help' for more information." >&2 - { (exit 1); exit 1; }; } - ;; - - *=*) - ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` - # Reject names that are not valid shell variable names. - expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && - { echo "$as_me: error: invalid variable name: $ac_envvar" >&2 - { (exit 1); exit 1; }; } - ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` - eval "$ac_envvar='$ac_optarg'" - export $ac_envvar ;; - - *) - # FIXME: should be removed in autoconf 3.0. - echo "$as_me: WARNING: you should use --build, --host, --target" >&2 - expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && - echo "$as_me: WARNING: invalid host type: $ac_option" >&2 - : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option} - ;; - - esac -done - -if test -n "$ac_prev"; then - ac_option=--`echo $ac_prev | sed 's/_/-/g'` - { echo "$as_me: error: missing argument to $ac_option" >&2 - { (exit 1); exit 1; }; } -fi - -# Be sure to have absolute paths. 
-for ac_var in exec_prefix prefix -do - eval ac_val=$`echo $ac_var` - case $ac_val in - [\\/$]* | ?:[\\/]* | NONE | '' ) ;; - *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 - { (exit 1); exit 1; }; };; - esac -done - -# Be sure to have absolute paths. -for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \ - localstatedir libdir includedir oldincludedir infodir mandir -do - eval ac_val=$`echo $ac_var` - case $ac_val in - [\\/$]* | ?:[\\/]* ) ;; - *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 - { (exit 1); exit 1; }; };; - esac -done - -# There might be people who depend on the old broken behavior: `$host' -# used to hold the argument of --host etc. -# FIXME: To remove some day. -build=$build_alias -host=$host_alias -target=$target_alias - -# FIXME: To remove some day. -if test "x$host_alias" != x; then - if test "x$build_alias" = x; then - cross_compiling=maybe - echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. - If a cross compiler is detected then cross compile mode will be used." >&2 - elif test "x$build_alias" != "x$host_alias"; then - cross_compiling=yes - fi -fi - -ac_tool_prefix= -test -n "$host_alias" && ac_tool_prefix=$host_alias- - -test "$silent" = yes && exec 6>/dev/null - - -# Find the source files, if location was not specified. -if test -z "$srcdir"; then - ac_srcdir_defaulted=yes - # Try the directory containing this script, then its parent. - ac_confdir=`(dirname "$0") 2>/dev/null || -$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$0" : 'X\(//\)[^/]' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$0" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - srcdir=$ac_confdir - if test ! -r $srcdir/$ac_unique_file; then - srcdir=.. 
- fi -else - ac_srcdir_defaulted=no -fi -if test ! -r $srcdir/$ac_unique_file; then - if test "$ac_srcdir_defaulted" = yes; then - { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2 - { (exit 1); exit 1; }; } - else - { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 - { (exit 1); exit 1; }; } - fi -fi -srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'` -ac_env_build_alias_set=${build_alias+set} -ac_env_build_alias_value=$build_alias -ac_cv_env_build_alias_set=${build_alias+set} -ac_cv_env_build_alias_value=$build_alias -ac_env_host_alias_set=${host_alias+set} -ac_env_host_alias_value=$host_alias -ac_cv_env_host_alias_set=${host_alias+set} -ac_cv_env_host_alias_value=$host_alias -ac_env_target_alias_set=${target_alias+set} -ac_env_target_alias_value=$target_alias -ac_cv_env_target_alias_set=${target_alias+set} -ac_cv_env_target_alias_value=$target_alias -ac_env_CC_set=${CC+set} -ac_env_CC_value=$CC -ac_cv_env_CC_set=${CC+set} -ac_cv_env_CC_value=$CC -ac_env_CFLAGS_set=${CFLAGS+set} -ac_env_CFLAGS_value=$CFLAGS -ac_cv_env_CFLAGS_set=${CFLAGS+set} -ac_cv_env_CFLAGS_value=$CFLAGS -ac_env_LDFLAGS_set=${LDFLAGS+set} -ac_env_LDFLAGS_value=$LDFLAGS -ac_cv_env_LDFLAGS_set=${LDFLAGS+set} -ac_cv_env_LDFLAGS_value=$LDFLAGS -ac_env_CPPFLAGS_set=${CPPFLAGS+set} -ac_env_CPPFLAGS_value=$CPPFLAGS -ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set} -ac_cv_env_CPPFLAGS_value=$CPPFLAGS -ac_env_CPP_set=${CPP+set} -ac_env_CPP_value=$CPP -ac_cv_env_CPP_set=${CPP+set} -ac_cv_env_CPP_value=$CPP - -# -# Report the --help message. -# -if test "$ac_init_help" = "long"; then - # Omit some internal or obsolete options to make the list less imposing. - # This message is too long to be a string in the A/UX 3.1 sh. - cat <<_ACEOF -\`configure' configures Heimdal 0.4f to adapt to many kinds of systems. - -Usage: $0 [OPTION]... [VAR=VALUE]... - -To assign environment variables (e.g., CC, CFLAGS...), specify them as -VAR=VALUE. 
See below for descriptions of some of the useful variables. - -Defaults for the options are specified in brackets. - -Configuration: - -h, --help display this help and exit - --help=short display options specific to this package - --help=recursive display the short help of all the included packages - -V, --version display version information and exit - -q, --quiet, --silent do not print \`checking...' messages - --cache-file=FILE cache test results in FILE [disabled] - -C, --config-cache alias for \`--cache-file=config.cache' - -n, --no-create do not create output files - --srcdir=DIR find the sources in DIR [configure dir or \`..'] - -_ACEOF - - cat <<_ACEOF -Installation directories: - --prefix=PREFIX install architecture-independent files in PREFIX - [$ac_default_prefix] - --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX - [PREFIX] - -By default, \`make install' will install all the files in -\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify -an installation prefix other than \`$ac_default_prefix' using \`--prefix', -for instance \`--prefix=\$HOME'. - -For better control, use the options below. 
- -Fine tuning of the installation directories: - --bindir=DIR user executables [EPREFIX/bin] - --sbindir=DIR system admin executables [EPREFIX/sbin] - --libexecdir=DIR program executables [EPREFIX/libexec] - --datadir=DIR read-only architecture-independent data [PREFIX/share] - --sysconfdir=DIR read-only single-machine data [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] - --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --libdir=DIR object code libraries [EPREFIX/lib] - --includedir=DIR C header files [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc [/usr/include] - --infodir=DIR info documentation [PREFIX/info] - --mandir=DIR man documentation [PREFIX/man] -_ACEOF - - cat <<\_ACEOF - -Program names: - --program-prefix=PREFIX prepend PREFIX to installed program names - --program-suffix=SUFFIX append SUFFIX to installed program names - --program-transform-name=PROGRAM run sed PROGRAM on installed program names - -X features: - --x-includes=DIR X include files are in DIR - --x-libraries=DIR X library files are in DIR - -System types: - --build=BUILD configure for building on BUILD [guessed] - --host=HOST cross-compile to build programs to run on HOST [BUILD] -_ACEOF -fi - -if test -n "$ac_init_help"; then - case $ac_init_help in - short | recursive ) echo "Configuration of Heimdal 0.4f:";; - esac - cat <<\_ACEOF - -Optional Features: - --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) - --enable-FEATURE[=ARG] include FEATURE [ARG=yes] - --disable-dependency-tracking Speeds up one-time builds - --enable-dependency-tracking Do not reject slow dependency extractors - --enable-shared=PKGS build shared libraries default=no - --enable-static=PKGS build static libraries default=yes - --enable-fast-install=PKGS optimize for fast installation default=yes - --disable-libtool-lock avoid locking (might break parallel builds) - --disable-berkeley-db if you don't want berkeley db - 
--enable-dce if you want support for DCE/DFS PAG's - --disable-otp if you don't want OTP support - --enable-osfc2 enable some OSF C2 support - --enable-bigendian the target is big endian - --enable-littleendian the target is little endian - --disable-dynamic-afs do not use loaded AFS library with AIX - --enable-netinfo enable netinfo for configuration lookup - -Optional Packages: - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] - --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --with-mips-abi=abi ABI to use for IRIX (32, n32, or 64) - --with-gnu-ld assume the C compiler uses GNU ld default=no - --with-pic try to use only PIC/non-PIC objects default=use both - --without-ipv6 do not enable IPv6 support - --with-openldap=dir use openldap in dir - --with-openldap-lib=dir use openldap libraries in dir - --with-openldap-include=dir - use openldap headers in dir - --with-openldap-config=path - config program for openldap - --with-krb4=dir use krb4 in dir - --with-krb4-lib=dir use krb4 libraries in dir - --with-krb4-include=dir use krb4 headers in dir - --with-krb4-config=path config program for krb4 - --with-readline=dir use readline in dir - --with-readline-lib=dir use readline libraries in dir - --with-readline-include=dir - use readline headers in dir - --with-readline-config=path - config program for readline - --with-hesiod=dir use hesiod in dir - --with-hesiod-lib=dir use hesiod libraries in dir - --with-hesiod-include=dir - use hesiod headers in dir - --with-hesiod-config=path - config program for hesiod - --with-x use the X Window System - --with-openssl=dir use openssl in dir - --with-openssl-lib=dir use openssl libraries in dir - --with-openssl-include=dir - use openssl headers in dir - -Some influential environment variables: - CC C compiler command - CFLAGS C compiler flags - LDFLAGS linker flags, e.g. -L if you have libraries in a - nonstandard directory - CPPFLAGS C/C++ preprocessor flags, e.g. 
-I if you have - headers in a nonstandard directory - CPP C preprocessor - -Use these variables to override the choices made by `configure' or to help -it to find libraries and programs with nonstandard names/locations. - -Report bugs to . -_ACEOF -fi - -if test "$ac_init_help" = "recursive"; then - # If there are subdirs, report their specific --help. - ac_popdir=`pwd` - for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue - test -d $ac_dir || continue - ac_builddir=. - -if test "$ac_dir" != .; then - ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A "../" for each directory in $ac_dir_suffix. - ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` -else - ac_dir_suffix= ac_top_builddir= -fi - -case $srcdir in - .) # No --srcdir option. We are building in place. - ac_srcdir=. - if test -z "$ac_top_builddir"; then - ac_top_srcdir=. - else - ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` - fi ;; - [\\/]* | ?:[\\/]* ) # Absolute path. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir ;; - *) # Relative path. - ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_builddir$srcdir ;; -esac -# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be -# absolute. -ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd` -ac_abs_top_builddir=`cd "$ac_dir" && cd $ac_top_builddir && pwd` -ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd` -ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd` - - cd $ac_dir - # Check for guested configure; otherwise get Cygnus style configure. 
- if test -f $ac_srcdir/configure.gnu; then - echo - $SHELL $ac_srcdir/configure.gnu --help=recursive - elif test -f $ac_srcdir/configure; then - echo - $SHELL $ac_srcdir/configure --help=recursive - elif test -f $ac_srcdir/configure.ac || - test -f $ac_srcdir/configure.in; then - echo - $ac_configure --help - else - echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 - fi - cd $ac_popdir - done -fi - -test -n "$ac_init_help" && exit 0 -if $ac_init_version; then - cat <<\_ACEOF -Heimdal configure 0.4f -generated by GNU Autoconf 2.53 - -Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002 -Free Software Foundation, Inc. -This configure script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it. -_ACEOF - exit 0 -fi -exec 5>config.log -cat >&5 <<_ACEOF -This file contains any messages produced by compilers while -running configure, to aid debugging if configure makes a mistake. - -It was created by Heimdal $as_me 0.4f, which was -generated by GNU Autoconf 2.53. Invocation command line was - - $ $0 $@ - -_ACEOF -{ -cat <<_ASUNAME -## --------- ## -## Platform. 
## -## --------- ## - -hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` -uname -m = `(uname -m) 2>/dev/null || echo unknown` -uname -r = `(uname -r) 2>/dev/null || echo unknown` -uname -s = `(uname -s) 2>/dev/null || echo unknown` -uname -v = `(uname -v) 2>/dev/null || echo unknown` - -/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` -/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` - -/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` -/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` -/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` -hostinfo = `(hostinfo) 2>/dev/null || echo unknown` -/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` -/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` -/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` - -_ASUNAME - -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - echo "PATH: $as_dir" -done - -} >&5 - -cat >&5 <<_ACEOF - - -## ----------- ## -## Core tests. ## -## ----------- ## - -_ACEOF - - -# Keep a trace of the command line. -# Strip out --no-create and --no-recursion so they do not pile up. -# Also quote any args containing shell meta-characters. -ac_configure_args= -ac_sep= -for ac_arg -do - case $ac_arg in - -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c | -n ) continue ;; - -no-recursion | --no-recursion | --no-recursio | --no-recursi \ - | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) - continue ;; - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*) - ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. - *) ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'" - ac_sep=" " ;; - esac - # Get rid of the leading space. 
-done - -# When interrupted or exit'd, cleanup temporary files, and complete -# config.log. We remove comments because anyway the quotes in there -# would cause problems or look ugly. -# WARNING: Be sure not to use single quotes in there, as some shells, -# such as our DU 5.0 friend, will then `close' the trap. -trap 'exit_status=$? - # Save into config.log some information that might help in debugging. - { - echo - cat <<\_ASBOX -## ---------------- ## -## Cache variables. ## -## ---------------- ## -_ASBOX - echo - # The following way of writing the cache mishandles newlines in values, -{ - (set) 2>&1 | - case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in - *ac_space=\ *) - sed -n \ - "s/'"'"'/'"'"'\\\\'"'"''"'"'/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p" - ;; - *) - sed -n \ - "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p" - ;; - esac; -} - echo - if test -s confdefs.h; then - cat <<\_ASBOX -## ----------- ## -## confdefs.h. ## -## ----------- ## -_ASBOX - echo - sed "/^$/d" confdefs.h - echo - fi - test "$ac_signal" != 0 && - echo "$as_me: caught signal $ac_signal" - echo "$as_me: exit $exit_status" - } >&5 - rm -f core core.* *.core && - rm -rf conftest* confdefs* conf$$* $ac_clean_files && - exit $exit_status - ' 0 -for ac_signal in 1 2 13 15; do - trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal -done -ac_signal=0 - -# confdefs.h avoids OS command line length limits that DEFS can exceed. -rm -rf conftest* confdefs.h -# AIX cpp loses on an empty file, so make sure it contains at least a newline. -echo >confdefs.h - -# Predefined preprocessor variables. 
- -cat >>confdefs.h <<_ACEOF -#define PACKAGE_NAME "$PACKAGE_NAME" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_TARNAME "$PACKAGE_TARNAME" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_VERSION "$PACKAGE_VERSION" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_STRING "$PACKAGE_STRING" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" -_ACEOF - - -# Let the site file select an alternate cache file if it wants to. -# Prefer explicitly selected file to automatically selected ones. -if test -z "$CONFIG_SITE"; then - if test "x$prefix" != xNONE; then - CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" - else - CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" - fi -fi -for ac_site_file in $CONFIG_SITE; do - if test -r "$ac_site_file"; then - { echo "$as_me:1314: loading site script $ac_site_file" >&5 -echo "$as_me: loading site script $ac_site_file" >&6;} - sed 's/^/| /' "$ac_site_file" >&5 - . "$ac_site_file" - fi -done - -if test -r "$cache_file"; then - # Some versions of bash will fail to source /dev/null (special - # files actually), so we avoid doing that. - if test -f "$cache_file"; then - { echo "$as_me:1325: loading cache $cache_file" >&5 -echo "$as_me: loading cache $cache_file" >&6;} - case $cache_file in - [\\/]* | ?:[\\/]* ) . $cache_file;; - *) . ./$cache_file;; - esac - fi -else - { echo "$as_me:1333: creating cache $cache_file" >&5 -echo "$as_me: creating cache $cache_file" >&6;} - >$cache_file -fi - -# Check that the precious variables saved in the cache have kept the same -# value. 
-ac_cache_corrupted=false -for ac_var in `(set) 2>&1 | - sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do - eval ac_old_set=\$ac_cv_env_${ac_var}_set - eval ac_new_set=\$ac_env_${ac_var}_set - eval ac_old_val="\$ac_cv_env_${ac_var}_value" - eval ac_new_val="\$ac_env_${ac_var}_value" - case $ac_old_set,$ac_new_set in - set,) - { echo "$as_me:1349: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,set) - { echo "$as_me:1353: error: \`$ac_var' was not set in the previous run" >&5 -echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,);; - *) - if test "x$ac_old_val" != "x$ac_new_val"; then - { echo "$as_me:1359: error: \`$ac_var' has changed since the previous run:" >&5 -echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} - { echo "$as_me:1361: former value: $ac_old_val" >&5 -echo "$as_me: former value: $ac_old_val" >&2;} - { echo "$as_me:1363: current value: $ac_new_val" >&5 -echo "$as_me: current value: $ac_new_val" >&2;} - ac_cache_corrupted=: - fi;; - esac - # Pass precious variables to config.status. - if test "$ac_new_set" = set; then - case $ac_new_val in - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*) - ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; - *) ac_arg=$ac_var=$ac_new_val ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. 
- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;; - esac - fi -done -if $ac_cache_corrupted; then - { echo "$as_me:1382: error: changes in the environment can compromise the build" >&5 -echo "$as_me: error: changes in the environment can compromise the build" >&2;} - { { echo "$as_me:1384: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 -echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} - { (exit 1); exit 1; }; } -fi - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - - - - - - - - - - - - - - - - - - - - - - - - - -# Add the stamp file to the list of files AC keeps track of, -# along with our hook. -ac_config_headers="$ac_config_headers include/config.h" - - - - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. -set dummy ${ac_tool_prefix}gcc; ac_word=$2 -echo "$as_me:1435: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}gcc" - echo "$as_me:1451: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - echo "$as_me:1461: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 -else - echo "$as_me:1464: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -fi -if test -z "$ac_cv_prog_CC"; then - ac_ct_CC=$CC - # Extract the first word of "gcc", so it can be a program name with args. -set dummy gcc; ac_word=$2 -echo "$as_me:1473: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="gcc" - echo "$as_me:1489: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - echo "$as_me:1499: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6 -else - echo "$as_me:1502: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - CC=$ac_ct_CC -else - CC="$ac_cv_prog_CC" -fi - -if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. -set dummy ${ac_tool_prefix}cc; ac_word=$2 -echo "$as_me:1515: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. 
-else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}cc" - echo "$as_me:1531: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - echo "$as_me:1541: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 -else - echo "$as_me:1544: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -fi -if test -z "$ac_cv_prog_CC"; then - ac_ct_CC=$CC - # Extract the first word of "cc", so it can be a program name with args. -set dummy cc; ac_word=$2 -echo "$as_me:1553: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="cc" - echo "$as_me:1569: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - echo "$as_me:1579: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6 -else - echo "$as_me:1582: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - CC=$ac_ct_CC -else - CC="$ac_cv_prog_CC" -fi - -fi -if test -z "$CC"; then - # Extract the first word of "cc", so it can be a program name with args. -set dummy cc; ac_word=$2 -echo "$as_me:1595: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6 -if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else - ac_prog_rejected=no -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue - fi - ac_cv_prog_CC="cc" - echo "$as_me:1616: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -if test $ac_prog_rejected = yes; then - # We found a bogon in the path, so make sure we never use it. - set dummy $ac_cv_prog_CC - shift - if test $# != 0; then - # We chose a different compiler from the bogus one. - # However, it has the same basename, so the bogon will be chosen - # first if we set CC to just the basename; use the full file name. - shift - set dummy "$as_dir/$ac_word" ${1+"$@"} - shift - ac_cv_prog_CC="$@" - fi -fi -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - echo "$as_me:1640: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 -else - echo "$as_me:1643: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -fi -if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - for ac_prog in cl - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. -set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -echo "$as_me:1654: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - echo "$as_me:1670: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - echo "$as_me:1680: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 -else - echo "$as_me:1683: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - test -n "$CC" && break - done -fi -if test -z "$CC"; then - ac_ct_CC=$CC - for ac_prog in cl -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -echo "$as_me:1696: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="$ac_prog" - echo "$as_me:1712: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - echo "$as_me:1722: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6 -else - echo "$as_me:1725: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - test -n "$ac_ct_CC" && break -done - - CC=$ac_ct_CC -fi - -fi - - -test -z "$CC" && { { echo "$as_me:1738: error: no acceptable C compiler found in \$PATH" >&5 -echo "$as_me: error: no acceptable C compiler found in \$PATH" >&2;} - { (exit 1); exit 1; }; } - -# Provide some information about the compiler. 
-echo "$as_me:1743:" \ - "checking for C compiler version" >&5 -ac_compiler=`set X $ac_compile; echo $2` -{ (eval echo "$as_me:1746: \"$ac_compiler --version &5\"") >&5 - (eval $ac_compiler --version &5) 2>&5 - ac_status=$? - echo "$as_me:1749: \$? = $ac_status" >&5 - (exit $ac_status); } -{ (eval echo "$as_me:1751: \"$ac_compiler -v &5\"") >&5 - (eval $ac_compiler -v &5) 2>&5 - ac_status=$? - echo "$as_me:1754: \$? = $ac_status" >&5 - (exit $ac_status); } -{ (eval echo "$as_me:1756: \"$ac_compiler -V &5\"") >&5 - (eval $ac_compiler -V &5) 2>&5 - ac_status=$? - echo "$as_me:1759: \$? = $ac_status" >&5 - (exit $ac_status); } - -cat >conftest.$ac_ext <<_ACEOF -#line 1763 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files a.out a.exe" -# Try to create an executable without -o first, disregard a.out. -# It will help us diagnose broken compilers, and finding out an intuition -# of exeext. -echo "$as_me:1785: checking for C compiler default output" >&5 -echo $ECHO_N "checking for C compiler default output... $ECHO_C" >&6 -ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` -if { (eval echo "$as_me:1788: \"$ac_link_default\"") >&5 - (eval $ac_link_default) 2>&5 - ac_status=$? - echo "$as_me:1791: \$? = $ac_status" >&5 - (exit $ac_status); }; then - # Find the output, starting from the most likely. This scheme is -# not robust to junk in `.', hence go to wildcards (a.*) only as a last -# resort. - -# Be careful to initialize this variable, since it used to be cached. -# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile. 
-ac_cv_exeext= -for ac_file in `ls a_out.exe a.exe conftest.exe 2>/dev/null; - ls a.out conftest 2>/dev/null; - ls a.* conftest.* 2>/dev/null`; do - case $ac_file in - *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb | *.xSYM ) ;; - a.out ) # We found the default executable, but exeext='' is most - # certainly right. - break;; - *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - # FIXME: I believe we export ac_cv_exeext for Libtool --akim. - export ac_cv_exeext - break;; - * ) break;; - esac -done -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -{ { echo "$as_me:1818: error: C compiler cannot create executables" >&5 -echo "$as_me: error: C compiler cannot create executables" >&2;} - { (exit 77); exit 77; }; } -fi - -ac_exeext=$ac_cv_exeext -echo "$as_me:1824: result: $ac_file" >&5 -echo "${ECHO_T}$ac_file" >&6 - -# Check the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -echo "$as_me:1829: checking whether the C compiler works" >&5 -echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6 -# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 -# If not cross compiling, check that we can run a simple program. -if test "$cross_compiling" != yes; then - if { ac_try='./$ac_file' - { (eval echo "$as_me:1835: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:1838: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else - { { echo "$as_me:1845: error: cannot run C compiled programs. -If you meant to cross compile, use \`--host'." >&5 -echo "$as_me: error: cannot run C compiled programs. -If you meant to cross compile, use \`--host'." 
>&2;} - { (exit 1); exit 1; }; } - fi - fi -fi -echo "$as_me:1853: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - -rm -f a.out a.exe conftest$ac_cv_exeext -ac_clean_files=$ac_clean_files_save -# Check the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -echo "$as_me:1860: checking whether we are cross compiling" >&5 -echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6 -echo "$as_me:1862: result: $cross_compiling" >&5 -echo "${ECHO_T}$cross_compiling" >&6 - -echo "$as_me:1865: checking for suffix of executables" >&5 -echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6 -if { (eval echo "$as_me:1867: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:1870: \$? = $ac_status" >&5 - (exit $ac_status); }; then - # If both `conftest.exe' and `conftest' are `present' (well, observable) -# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will -# work properly (i.e., refer to `conftest.exe'), while it won't with -# `rm'. -for ac_file in `(ls conftest.exe; ls conftest; ls conftest.*) 2>/dev/null`; do - case $ac_file in - *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb ) ;; - *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - export ac_cv_exeext - break;; - * ) break;; - esac -done -else - { { echo "$as_me:1886: error: cannot compute suffix of executables: cannot compile and link" >&5 -echo "$as_me: error: cannot compute suffix of executables: cannot compile and link" >&2;} - { (exit 1); exit 1; }; } -fi - -rm -f conftest$ac_cv_exeext -echo "$as_me:1892: result: $ac_cv_exeext" >&5 -echo "${ECHO_T}$ac_cv_exeext" >&6 - -rm -f conftest.$ac_ext -EXEEXT=$ac_cv_exeext -ac_exeext=$EXEEXT -echo "$as_me:1898: checking for suffix of object files" >&5 -echo $ECHO_N "checking for suffix of object files... 
$ECHO_C" >&6 -if test "${ac_cv_objext+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 1904 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.o conftest.obj -if { (eval echo "$as_me:1922: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:1925: \$? = $ac_status" >&5 - (exit $ac_status); }; then - for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb ) ;; - *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` - break;; - esac -done -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -{ { echo "$as_me:1937: error: cannot compute suffix of object files: cannot compile" >&5 -echo "$as_me: error: cannot compute suffix of object files: cannot compile" >&2;} - { (exit 1); exit 1; }; } -fi - -rm -f conftest.$ac_cv_objext conftest.$ac_ext -fi -echo "$as_me:1944: result: $ac_cv_objext" >&5 -echo "${ECHO_T}$ac_cv_objext" >&6 -OBJEXT=$ac_cv_objext -ac_objext=$OBJEXT -echo "$as_me:1948: checking whether we are using the GNU C compiler" >&5 -echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6 -if test "${ac_cv_c_compiler_gnu+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 1954 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -#ifndef __GNUC__ - choke me -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:1975: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:1978: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1981: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:1984: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_compiler_gnu=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_compiler_gnu=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -ac_cv_c_compiler_gnu=$ac_compiler_gnu - -fi -echo "$as_me:1996: result: $ac_cv_c_compiler_gnu" >&5 -echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6 -GCC=`test $ac_compiler_gnu = yes && echo yes` -ac_test_CFLAGS=${CFLAGS+set} -ac_save_CFLAGS=$CFLAGS -CFLAGS="-g" -echo "$as_me:2002: checking whether $CC accepts -g" >&5 -echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6 -if test "${ac_cv_prog_cc_g+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 2008 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:2026: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:2029: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2032: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:2035: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_prog_cc_g=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_prog_cc_g=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:2045: result: $ac_cv_prog_cc_g" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_g" >&6 -if test "$ac_test_CFLAGS" = set; then - CFLAGS=$ac_save_CFLAGS -elif test $ac_cv_prog_cc_g = yes; then - if test "$GCC" = yes; then - CFLAGS="-g -O2" - else - CFLAGS="-g" - fi -else - if test "$GCC" = yes; then - CFLAGS="-O2" - else - CFLAGS= - fi -fi -# Some people use a C++ compiler to compile C. Since we use `exit', -# in C++ we need to declare it. In case someone uses the same compiler -# for both compiling C and C++ we need to have the C++ compiler decide -# the declaration of exit, since it's the most demanding environment. -cat >conftest.$ac_ext <<_ACEOF -#ifndef __cplusplus - choke me -#endif -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:2072: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:2075: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2078: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:2081: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - for ac_declaration in \ - ''\ - '#include ' \ - 'extern "C" void std::exit (int) throw (); using std::exit;' \ - 'extern "C" void std::exit (int); using std::exit;' \ - 'extern "C" void exit (int) throw ();' \ - 'extern "C" void exit (int);' \ - 'void exit (int);' -do - cat >conftest.$ac_ext <<_ACEOF -#line 2093 "configure" -#include "confdefs.h" -#include -$ac_declaration -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -exit (42); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:2112: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? 
- echo "$as_me:2115: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2118: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:2121: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -continue -fi -rm -f conftest.$ac_objext conftest.$ac_ext - cat >conftest.$ac_ext <<_ACEOF -#line 2131 "configure" -#include "confdefs.h" -$ac_declaration -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -exit (42); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:2149: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:2152: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2155: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:2158: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext -done -rm -f conftest* -if test -n "$ac_declaration"; then - echo '#ifdef __cplusplus' >>confdefs.h - echo $ac_declaration >>confdefs.h - echo '#endif' >>confdefs.h -fi - -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -echo "$as_me:2190: checking how to run the C preprocessor" >&5 -echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6 -# On Suns, sometimes $CPP names a directory. -if test -n "$CPP" && test -d "$CPP"; then - CPP= -fi -if test -z "$CPP"; then - if test "${ac_cv_prog_CPP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # Double quotes because CPP needs to be expanded - for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" - do - ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat >conftest.$ac_ext <<_ACEOF -#line 2211 "configure" -#include "confdefs.h" -#include - Syntax error -_ACEOF -if { (eval echo "$as_me:2216: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? 
- egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:2222: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - : -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.$ac_ext - - # OK, works on sane cases. Now check whether non-existent headers - # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -#line 2245 "configure" -#include "confdefs.h" -#include -_ACEOF -if { (eval echo "$as_me:2249: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:2255: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - # Broken: success on invalid input. -continue -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.$ac_ext - -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then - break -fi - - done - ac_cv_prog_CPP=$CPP - -fi - CPP=$ac_cv_prog_CPP -else - ac_cv_prog_CPP=$CPP -fi -echo "$as_me:2292: result: $CPP" >&5 -echo "${ECHO_T}$CPP" >&6 -ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. 
- cat >conftest.$ac_ext <<_ACEOF -#line 2302 "configure" -#include "confdefs.h" -#include - Syntax error -_ACEOF -if { (eval echo "$as_me:2307: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:2313: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - : -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.$ac_ext - - # OK, works on sane cases. Now check whether non-existent headers - # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -#line 2336 "configure" -#include "confdefs.h" -#include -_ACEOF -if { (eval echo "$as_me:2340: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:2346: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - # Broken: success on invalid input. -continue -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.$ac_ext - -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. 
-rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then - : -else - { { echo "$as_me:2374: error: C preprocessor \"$CPP\" fails sanity check" >&5 -echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check" >&2;} - { (exit 1); exit 1; }; } -fi - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - -echo "$as_me:2386: checking for $CC option to accept ANSI C" >&5 -echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6 -if test "${ac_cv_prog_cc_stdc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_prog_cc_stdc=no -ac_save_CC=$CC -cat >conftest.$ac_ext <<_ACEOF -#line 2394 "configure" -#include "confdefs.h" -#include -#include -#include -#include -/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ -struct buf { int x; }; -FILE * (*rcsopen) (struct buf *, struct stat *, int); -static char *e (p, i) - char **p; - int i; -{ - return p[i]; -} -static char *f (char * (*g) (char **, int), char **p, ...) -{ - char *s; - va_list v; - va_start (v,p); - s = g (p, va_arg (v,int)); - va_end (v); - return s; -} -int test (int i, double x); -struct s1 {int (*f) (int a);}; -struct s2 {int (*f) (double a);}; -int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); -int argc; -char **argv; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; - ; - return 0; -} -_ACEOF -# Don't try gcc -ansi; that turns off useful extensions and -# breaks some systems' header files. 
-# AIX -qlanglvl=ansi -# Ultrix and OSF/1 -std1 -# HP-UX 10.20 and later -Ae -# HP-UX older versions -Aa -D_HPUX_SOURCE -# SVR4 -Xc -D__EXTENSIONS__ -for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" -do - CC="$ac_save_CC $ac_arg" - rm -f conftest.$ac_objext -if { (eval echo "$as_me:2449: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:2452: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2455: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:2458: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_prog_cc_stdc=$ac_arg -break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext -done -rm -f conftest.$ac_ext conftest.$ac_objext -CC=$ac_save_CC - -fi - -case "x$ac_cv_prog_cc_stdc" in - x|xno) - echo "$as_me:2475: result: none needed" >&5 -echo "${ECHO_T}none needed" >&6 ;; - *) - echo "$as_me:2478: result: $ac_cv_prog_cc_stdc" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6 - CC="$CC $ac_cv_prog_cc_stdc" ;; -esac - - -am__api_version="1.6" -ac_aux_dir= -for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do - if test -f $ac_dir/install-sh; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install-sh -c" - break - elif test -f $ac_dir/install.sh; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install.sh -c" - break - elif test -f $ac_dir/shtool; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/shtool install -c" - break - fi -done -if test -z "$ac_aux_dir"; then - { { echo "$as_me:2502: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5 -echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 
>&2;} - { (exit 1); exit 1; }; } -fi -ac_config_guess="$SHELL $ac_aux_dir/config.guess" -ac_config_sub="$SHELL $ac_aux_dir/config.sub" -ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure. - -# Find a good install program. We prefer a C program (faster), -# so one script is as good as another. But avoid the broken or -# incompatible versions: -# SysV /etc/install, /usr/sbin/install -# SunOS /usr/etc/install -# IRIX /sbin/install -# AIX /bin/install -# AmigaOS /C/install, which installs bootblocks on floppy discs -# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag -# AFS /usr/afsws/bin/install, which mishandles nonexistent args -# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" -# ./install, which can be erroneously created by make from ./install.sh. -echo "$as_me:2522: checking for a BSD-compatible install" >&5 -echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6 -if test -z "$INSTALL"; then -if test "${ac_cv_path_install+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - # Account for people who put trailing slashes in PATH elements. -case $as_dir/ in - ./ | .// | /cC/* | \ - /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ - /usr/ucb/* ) ;; - *) - # OSF1 and SCO ODT 3.0 have their own names for install. - # Don't use installbsd from OSF since it installs stuff as root - # by default. - for ac_prog in ginstall scoinst install; do - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then - if test $ac_prog = install && - grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # AIX install. It has an incompatible calling convention. 
- : - elif test $ac_prog = install && - grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # program-specific install script used by HP pwplus--don't use. - : - else - ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" - break 3 - fi - fi - done - done - ;; -esac -done - - -fi - if test "${ac_cv_path_install+set}" = set; then - INSTALL=$ac_cv_path_install - else - # As a last resort, use the slow shell script. We don't cache a - # path for INSTALL within a source directory, because that will - # break other packages using the cache if that directory is - # removed, or if the path is relative. - INSTALL=$ac_install_sh - fi -fi -echo "$as_me:2576: result: $INSTALL" >&5 -echo "${ECHO_T}$INSTALL" >&6 - -# Use test -z because SunOS4 sh mishandles braces in ${var-val}. -# It thinks the first close brace ends the variable substitution. -test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' - -test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' - -test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' - -echo "$as_me:2587: checking whether build environment is sane" >&5 -echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6 -# Just in case -sleep 1 -echo timestamp > conftest.file -# Do `set' in a subshell so we don't clobber the current shell's -# arguments. Must try -L first in case configure is actually a -# symlink; some systems play weird games with the mod time of symlinks -# (eg FreeBSD returns the mod time of the symlink's containing -# directory). -if ( - set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` - if test "$*" = "X"; then - # -L didn't work. - set X `ls -t $srcdir/configure conftest.file` - fi - rm -f conftest.file - if test "$*" != "X $srcdir/configure conftest.file" \ - && test "$*" != "X conftest.file $srcdir/configure"; then - - # If neither matched, then we have a broken ls. 
This can happen - # if, for instance, CONFIG_SHELL is bash and it inherits a - # broken ls alias from the environment. This has actually - # happened. Such a system could not be considered "sane". - { { echo "$as_me:2611: error: ls -t appears to fail. Make sure there is not a broken -alias in your environment" >&5 -echo "$as_me: error: ls -t appears to fail. Make sure there is not a broken -alias in your environment" >&2;} - { (exit 1); exit 1; }; } - fi - - test "$2" = conftest.file - ) -then - # Ok. - : -else - { { echo "$as_me:2624: error: newly created file is older than distributed files! -Check your system clock" >&5 -echo "$as_me: error: newly created file is older than distributed files! -Check your system clock" >&2;} - { (exit 1); exit 1; }; } -fi -echo "$as_me:2630: result: yes" >&5 -echo "${ECHO_T}yes" >&6 -test "$program_prefix" != NONE && - program_transform_name="s,^,$program_prefix,;$program_transform_name" -# Use a double $ so make ignores it. -test "$program_suffix" != NONE && - program_transform_name="s,\$,$program_suffix,;$program_transform_name" -# Double any \ or $. echo might interpret backslashes. -# By default was `s,x,x', remove it if useless. -cat <<\_ACEOF >conftest.sed -s/[\\$]/&&/g;s/;s,x,x,$// -_ACEOF -program_transform_name=`echo $program_transform_name | sed -f conftest.sed` -rm conftest.sed - - -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` - -test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" -# Use eval to expand $SHELL -if eval "$MISSING --run true"; then - am_missing_run="$MISSING --run " -else - am_missing_run= - { echo "$as_me:2655: WARNING: \`missing' script is too old or missing" >&5 -echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;} -fi - -for ac_prog in gawk mawk nawk awk -do - # Extract the first word of "$ac_prog", so it can be a program name with args. 
-set dummy $ac_prog; ac_word=$2 -echo "$as_me:2663: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_AWK+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$AWK"; then - ac_cv_prog_AWK="$AWK" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_AWK="$ac_prog" - echo "$as_me:2679: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -AWK=$ac_cv_prog_AWK -if test -n "$AWK"; then - echo "$as_me:2689: result: $AWK" >&5 -echo "${ECHO_T}$AWK" >&6 -else - echo "$as_me:2692: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - test -n "$AWK" && break -done - -echo "$as_me:2699: checking whether ${MAKE-make} sets \${MAKE}" >&5 -echo $ECHO_N "checking whether ${MAKE-make} sets \${MAKE}... $ECHO_C" >&6 -set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y,./+-,__p_,'` -if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.make <<\_ACEOF -all: - @echo 'ac_maketemp="${MAKE}"' -_ACEOF -# GNU make sometimes prints "make[1]: Entering...", which would confuse us. -eval `${MAKE-make} -f conftest.make 2>/dev/null | grep temp=` -if test -n "$ac_maketemp"; then - eval ac_cv_prog_make_${ac_make}_set=yes -else - eval ac_cv_prog_make_${ac_make}_set=no -fi -rm -f conftest.make -fi -if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then - echo "$as_me:2719: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - SET_MAKE= -else - echo "$as_me:2723: result: no" >&5 -echo "${ECHO_T}no" >&6 - SET_MAKE="MAKE=${MAKE-make}" -fi - -rm -f .deps 2>/dev/null -mkdir .deps 2>/dev/null -if test -d .deps; then - DEPDIR=.deps -else - # MS-DOS does not allow filenames that begin with a dot. 
- DEPDIR=_deps -fi -rmdir .deps 2>/dev/null - - -ac_config_commands="$ac_config_commands depfiles" - - -am_make=${MAKE-make} -cat > confinc << 'END' -doit: - @echo done -END -# If we don't find an include directive, just comment out the code. -echo "$as_me:2748: checking for style of include used by $am_make" >&5 -echo $ECHO_N "checking for style of include used by $am_make... $ECHO_C" >&6 -am__include="#" -am__quote= -_am_result=none -# First try GNU make style include. -echo "include confinc" > confmf -# We grep out `Entering directory' and `Leaving directory' -# messages which can occur if `w' ends up in MAKEFLAGS. -# In particular we don't look at `^make:' because GNU make might -# be invoked under some other name (usually "gmake"), in which -# case it prints its new name instead of `make'. -if test "`$am_make -s -f confmf 2> /dev/null | fgrep -v 'ing directory'`" = "done"; then - am__include=include - am__quote= - _am_result=GNU -fi -# Now try BSD make style include. -if test "$am__include" = "#"; then - echo '.include "confinc"' > confmf - if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then - am__include=.include - am__quote="\"" - _am_result=BSD - fi -fi - - -echo "$as_me:2776: result: $_am_result" >&5 -echo "${ECHO_T}$_am_result" >&6 -rm -f confinc confmf - -# Check whether --enable-dependency-tracking or --disable-dependency-tracking was given. 
-if test "${enable_dependency_tracking+set}" = set; then - enableval="$enable_dependency_tracking" - -fi; -if test "x$enable_dependency_tracking" != xno; then - am_depcomp="$ac_aux_dir/depcomp" - AMDEPBACKSLASH='\' -fi - - -if test "x$enable_dependency_tracking" != xno; then - AMDEP_TRUE= - AMDEP_FALSE='#' -else - AMDEP_TRUE='#' - AMDEP_FALSE= -fi - - - - # test to see if srcdir already configured -if test "`cd $srcdir && pwd`" != "`pwd`" && - test -f $srcdir/config.status; then - { { echo "$as_me:2804: error: source directory already configured; run \"make distclean\" there first" >&5 -echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;} - { (exit 1); exit 1; }; } -fi - -# Define the identity of the package. - PACKAGE=heimdal - VERSION=0.4f - - -cat >>confdefs.h <<_ACEOF -#define PACKAGE "$PACKAGE" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define VERSION "$VERSION" -_ACEOF - -# Some tools Automake needs. - -ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} - - -AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} - - -AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} - - -AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} - - -MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} - - -AMTAR=${AMTAR-"${am_missing_run}tar"} - -install_sh=${install_sh-"$am_aux_dir/install-sh"} - -# Installed binaries are usually stripped using `strip' when the user -# run `make install-strip'. However `strip' might not be the right -# tool to use in cross-compilation environments, therefore Automake -# will honor the `STRIP' environment variable to overrule this program. -if test "$cross_compiling" != no; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. -set dummy ${ac_tool_prefix}strip; ac_word=$2 -echo "$as_me:2852: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6 -if test "${ac_cv_prog_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$STRIP"; then - ac_cv_prog_STRIP="$STRIP" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_STRIP="${ac_tool_prefix}strip" - echo "$as_me:2868: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -STRIP=$ac_cv_prog_STRIP -if test -n "$STRIP"; then - echo "$as_me:2878: result: $STRIP" >&5 -echo "${ECHO_T}$STRIP" >&6 -else - echo "$as_me:2881: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -fi -if test -z "$ac_cv_prog_STRIP"; then - ac_ct_STRIP=$STRIP - # Extract the first word of "strip", so it can be a program name with args. -set dummy strip; ac_word=$2 -echo "$as_me:2890: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_STRIP"; then - ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_STRIP="strip" - echo "$as_me:2906: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - - test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":" -fi -fi -ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP -if test -n "$ac_ct_STRIP"; then - echo "$as_me:2917: result: $ac_ct_STRIP" >&5 -echo "${ECHO_T}$ac_ct_STRIP" >&6 -else - echo "$as_me:2920: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - STRIP=$ac_ct_STRIP -else - STRIP="$ac_cv_prog_STRIP" -fi - -fi -INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s" - -# We need awk for the "check" target. The system "awk" is bad on -# some platforms. - - -depcc="$CC" am_compiler_list= - -echo "$as_me:2938: checking dependency style of $depcc" >&5 -echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6 -if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then - # We make a subdir and do the tests there. Otherwise we can end up - # making bogus files that we don't know about and never remove. For - # instance it was reported that on HP-UX the gcc test will end up - # making a dummy file named `D' -- because `-MD' means `put the output - # in D'. - mkdir conftest.dir - # Copy depcomp to subdir because otherwise we won't find it if we're - # using a relative directory. - cp "$am_depcomp" conftest.dir - cd conftest.dir - - am_cv_CC_dependencies_compiler_type=none - if test "$am_compiler_list" = ""; then - am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` - fi - for depmode in $am_compiler_list; do - # We need to recreate these files for each test, as the compiler may - # overwrite some of them when testing with obscure command lines. - # This happens at least with the AIX C compiler. 
- echo '#include "conftest.h"' > conftest.c - echo 'int i;' > conftest.h - echo "${am__include} ${am__quote}conftest.Po${am__quote}" > confmf - - case $depmode in - nosideeffect) - # after this tag, mechanisms are not by side-effect, so they'll - # only be used when explicitly requested - if test "x$enable_dependency_tracking" = xyes; then - continue - else - break - fi - ;; - none) break ;; - esac - # We check with `-c' and `-o' for the sake of the "dashmstdout" - # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. - if depmode=$depmode \ - source=conftest.c object=conftest.o \ - depfile=conftest.Po tmpdepfile=conftest.TPo \ - $SHELL ./depcomp $depcc -c conftest.c -o conftest.o >/dev/null 2>&1 && - grep conftest.h conftest.Po > /dev/null 2>&1 && - ${MAKE-make} -s -f confmf > /dev/null 2>&1; then - am_cv_CC_dependencies_compiler_type=$depmode - break - fi - done - - cd .. - rm -rf conftest.dir -else - am_cv_CC_dependencies_compiler_type=none -fi - -fi -echo "$as_me:3000: result: $am_cv_CC_dependencies_compiler_type" >&5 -echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6 -CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type - - - - - - -test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' -test "$localstatedir" = '${prefix}/var' && localstatedir='/var/heimdal' - -# Make sure we can run config.sub. -$ac_config_sub sun4 >/dev/null 2>&1 || - { { echo "$as_me:3014: error: cannot run $ac_config_sub" >&5 -echo "$as_me: error: cannot run $ac_config_sub" >&2;} - { (exit 1); exit 1; }; } - -echo "$as_me:3018: checking build system type" >&5 -echo $ECHO_N "checking build system type... 
$ECHO_C" >&6 -if test "${ac_cv_build+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_build_alias=$build_alias -test -z "$ac_cv_build_alias" && - ac_cv_build_alias=`$ac_config_guess` -test -z "$ac_cv_build_alias" && - { { echo "$as_me:3027: error: cannot guess build type; you must specify one" >&5 -echo "$as_me: error: cannot guess build type; you must specify one" >&2;} - { (exit 1); exit 1; }; } -ac_cv_build=`$ac_config_sub $ac_cv_build_alias` || - { { echo "$as_me:3031: error: $ac_config_sub $ac_cv_build_alias failed" >&5 -echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;} - { (exit 1); exit 1; }; } - -fi -echo "$as_me:3036: result: $ac_cv_build" >&5 -echo "${ECHO_T}$ac_cv_build" >&6 -build=$ac_cv_build -build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` -build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` -build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` - - -echo "$as_me:3044: checking host system type" >&5 -echo $ECHO_N "checking host system type... 
$ECHO_C" >&6 -if test "${ac_cv_host+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_host_alias=$host_alias -test -z "$ac_cv_host_alias" && - ac_cv_host_alias=$ac_cv_build_alias -ac_cv_host=`$ac_config_sub $ac_cv_host_alias` || - { { echo "$as_me:3053: error: $ac_config_sub $ac_cv_host_alias failed" >&5 -echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;} - { (exit 1); exit 1; }; } - -fi -echo "$as_me:3058: result: $ac_cv_host" >&5 -echo "${ECHO_T}$ac_cv_host" >&6 -host=$ac_cv_host -host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` -host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` -host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` - - -CANONICAL_HOST=$host - - - -cat >>confdefs.h <<\_ACEOF -#define _GNU_SOURCE 1 -_ACEOF - - - - - -for ac_prog in 'bison -y' byacc -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -echo "$as_me:3082: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_YACC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$YACC"; then - ac_cv_prog_YACC="$YACC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_YACC="$ac_prog" - echo "$as_me:3098: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -YACC=$ac_cv_prog_YACC -if test -n "$YACC"; then - echo "$as_me:3108: result: $YACC" >&5 -echo "${ECHO_T}$YACC" >&6 -else - echo "$as_me:3111: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - test -n "$YACC" && break -done -test -n "$YACC" || YACC="yacc" - -for ac_prog in flex lex -do - # Extract the first word of "$ac_prog", so it can be a program name with args. 
-set dummy $ac_prog; ac_word=$2 -echo "$as_me:3123: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_LEX+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$LEX"; then - ac_cv_prog_LEX="$LEX" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_LEX="$ac_prog" - echo "$as_me:3139: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -LEX=$ac_cv_prog_LEX -if test -n "$LEX"; then - echo "$as_me:3149: result: $LEX" >&5 -echo "${ECHO_T}$LEX" >&6 -else - echo "$as_me:3152: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - test -n "$LEX" && break -done -test -n "$LEX" || LEX=":" - -if test -z "$LEXLIB" -then - echo "$as_me:3162: checking for yywrap in -lfl" >&5 -echo $ECHO_N "checking for yywrap in -lfl... $ECHO_C" >&6 -if test "${ac_cv_lib_fl_yywrap+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lfl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 3170 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char yywrap (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -yywrap (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3195: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:3198: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3201: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:3204: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_fl_yywrap=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_fl_yywrap=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:3215: result: $ac_cv_lib_fl_yywrap" >&5 -echo "${ECHO_T}$ac_cv_lib_fl_yywrap" >&6 -if test $ac_cv_lib_fl_yywrap = yes; then - LEXLIB="-lfl" -else - echo "$as_me:3220: checking for yywrap in -ll" >&5 -echo $ECHO_N "checking for yywrap in -ll... $ECHO_C" >&6 -if test "${ac_cv_lib_l_yywrap+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ll $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 3228 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char yywrap (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -yywrap (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3253: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:3256: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3259: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:3262: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_l_yywrap=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_l_yywrap=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:3273: result: $ac_cv_lib_l_yywrap" >&5 -echo "${ECHO_T}$ac_cv_lib_l_yywrap" >&6 -if test $ac_cv_lib_l_yywrap = yes; then - LEXLIB="-ll" -fi - -fi - -fi - -if test "x$LEX" != "x:"; then - echo "$as_me:3284: checking lex output file root" >&5 -echo $ECHO_N "checking lex output file root... $ECHO_C" >&6 -if test "${ac_cv_prog_lex_root+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # The minimal lex program is just a single line: %%. But some broken lexes -# (Solaris, I think it was) want two %% lines, so accommodate them. -cat >conftest.l <<_ACEOF -%% -%% -_ACEOF -{ (eval echo "$as_me:3295: \"$LEX conftest.l\"") >&5 - (eval $LEX conftest.l) 2>&5 - ac_status=$? - echo "$as_me:3298: \$? = $ac_status" >&5 - (exit $ac_status); } -if test -f lex.yy.c; then - ac_cv_prog_lex_root=lex.yy -elif test -f lexyy.c; then - ac_cv_prog_lex_root=lexyy -else - { { echo "$as_me:3305: error: cannot find output from $LEX; giving up" >&5 -echo "$as_me: error: cannot find output from $LEX; giving up" >&2;} - { (exit 1); exit 1; }; } -fi -fi -echo "$as_me:3310: result: $ac_cv_prog_lex_root" >&5 -echo "${ECHO_T}$ac_cv_prog_lex_root" >&6 -rm -f conftest.l -LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root - -echo "$as_me:3315: checking whether yytext is a pointer" >&5 -echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6 -if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # POSIX says lex can declare yytext either as a pointer or an array; the -# default is implementation-dependent. Figure out which it is, since -# not all implementations provide the %pointer and %array declarations. 
-ac_cv_prog_lex_yytext_pointer=no -echo 'extern char *yytext;' >>$LEX_OUTPUT_ROOT.c -ac_save_LIBS=$LIBS -LIBS="$LIBS $LEXLIB" -cat >conftest.$ac_ext <<_ACEOF -`cat $LEX_OUTPUT_ROOT.c` -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3331: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:3334: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3337: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:3340: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_prog_lex_yytext_pointer=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_save_LIBS -rm -f "${LEX_OUTPUT_ROOT}.c" - -fi -echo "$as_me:3352: result: $ac_cv_prog_lex_yytext_pointer" >&5 -echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6 -if test $ac_cv_prog_lex_yytext_pointer = yes; then - -cat >>confdefs.h <<\_ACEOF -#define YYTEXT_POINTER 1 -_ACEOF - -fi - -fi -if test "$LEX" = :; then - LEX=${am_missing_run}flex -fi -for ac_prog in gawk mawk nawk awk -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -echo "$as_me:3370: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_AWK+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$AWK"; then - ac_cv_prog_AWK="$AWK" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_AWK="$ac_prog" - echo "$as_me:3386: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -AWK=$ac_cv_prog_AWK -if test -n "$AWK"; then - echo "$as_me:3396: result: $AWK" >&5 -echo "${ECHO_T}$AWK" >&6 -else - echo "$as_me:3399: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - test -n "$AWK" && break -done - -echo "$as_me:3406: checking for ln -s or something else" >&5 -echo $ECHO_N "checking for ln -s or something else... $ECHO_C" >&6 -if test "${ac_cv_prog_LN_S+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - rm -f conftestdata -if ln -s X conftestdata 2>/dev/null -then - rm -f conftestdata - ac_cv_prog_LN_S="ln -s" -else - touch conftestdata1 - if ln conftestdata1 conftestdata2; then - rm -f conftestdata* - ac_cv_prog_LN_S=ln - else - ac_cv_prog_LN_S=cp - fi -fi -fi -LN_S="$ac_cv_prog_LN_S" -echo "$as_me:3427: result: $ac_cv_prog_LN_S" >&5 -echo "${ECHO_T}$ac_cv_prog_LN_S" >&6 - - - - -# Check whether --with-mips_abi or --without-mips_abi was given. -if test "${with_mips_abi+set}" = set; then - withval="$with_mips_abi" - -fi; - -case "$host_os" in -irix*) -with_mips_abi="${with_mips_abi:-yes}" -if test -n "$GCC"; then - -# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select -# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs. -# -# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old -# GCC and revert back to O32. The same goes if O32 is asked for - old -# GCCs doesn't like the -mabi option, and new GCCs can't output O32. -# -# Don't you just love *all* the different SGI ABIs? 
- -case "${with_mips_abi}" in - 32|o32) abi='-mabi=32'; abilibdirext='' ;; - n32|yes) abi='-mabi=n32'; abilibdirext='32' ;; - 64) abi='-mabi=64'; abilibdirext='64' ;; - no) abi=''; abilibdirext='';; - *) { { echo "$as_me:3458: error: \"Invalid ABI specified\"" >&5 -echo "$as_me: error: \"Invalid ABI specified\"" >&2;} - { (exit 1); exit 1; }; } ;; -esac -if test -n "$abi" ; then -ac_foo=krb_cv_gcc_`echo $abi | tr =- __` -echo "$as_me:3464: checking if $CC supports the $abi option" >&5 -echo $ECHO_N "checking if $CC supports the $abi option... $ECHO_C" >&6 -if eval "test \"\${$ac_foo+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -save_CFLAGS="$CFLAGS" -CFLAGS="$CFLAGS $abi" -cat >conftest.$ac_ext <<_ACEOF -#line 3473 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -int x; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:3491: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:3494: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:3497: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:3500: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval $ac_foo=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval $ac_foo=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -CFLAGS="$save_CFLAGS" - -fi - -ac_res=`eval echo \\\$$ac_foo` -echo "$as_me:3514: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6 -if test $ac_res = no; then -# Try to figure out why that failed... 
-case $abi in - -mabi=32) - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -mabi=n32" - cat >conftest.$ac_ext <<_ACEOF -#line 3523 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -int x; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:3541: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:3544: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:3547: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:3550: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_res=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_res=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - CLAGS="$save_CFLAGS" - if test $ac_res = yes; then - # New GCC - { { echo "$as_me:3562: error: $CC does not support the $with_mips_abi ABI" >&5 -echo "$as_me: error: $CC does not support the $with_mips_abi ABI" >&2;} - { (exit 1); exit 1; }; } - fi - # Old GCC - abi='' - abilibdirext='' - ;; - -mabi=n32|-mabi=64) - if test $with_mips_abi = yes; then - # Old GCC, default to O32 - abi='' - abilibdirext='' - else - # Some broken GCC - { { echo "$as_me:3577: error: $CC does not support the $with_mips_abi ABI" >&5 -echo "$as_me: error: $CC does not support the $with_mips_abi ABI" >&2;} - { (exit 1); exit 1; }; } - fi - ;; -esac -fi #if test $ac_res = no; then -fi #if test -n "$abi" ; then -else -case "${with_mips_abi}" in - 32|o32) abi='-32'; abilibdirext='' ;; - n32|yes) abi='-n32'; abilibdirext='32' ;; - 64) abi='-64'; abilibdirext='64' ;; - no) abi=''; abilibdirext='';; - *) { { echo "$as_me:3591: error: \"Invalid ABI specified\"" >&5 -echo "$as_me: error: \"Invalid ABI specified\"" >&2;} - { (exit 1); exit 1; }; } ;; -esac -fi #if test -n "$GCC"; then -;; -esac - -CC="$CC $abi" -libdir="$libdir$abilibdirext" - - -echo 
"$as_me:3603: checking for __attribute__" >&5 -echo $ECHO_N "checking for __attribute__... $ECHO_C" >&6 -if test "${ac_cv___attribute__+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 3610 "configure" -#include "confdefs.h" - -#include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -static void foo(void) __attribute__ ((noreturn)); - -static void -foo(void) -{ - exit(1); -} - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:3638: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:3641: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:3644: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:3647: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv___attribute__=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv___attribute__=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi - -if test "$ac_cv___attribute__" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE___ATTRIBUTE__ 1 -_ACEOF - -fi -echo "$as_me:3665: result: $ac_cv___attribute__" >&5 -echo "${ECHO_T}$ac_cv___attribute__" >&6 - - -# Check whether --enable-shared or --disable-shared was given. -if test "${enable_shared+set}" = set; then - enableval="$enable_shared" - p=${PACKAGE-default} -case $enableval in -yes) enable_shared=yes ;; -no) enable_shared=no ;; -*) - enable_shared=no - # Look at the argument we got. We use all the common list separators. - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:," - for pkg in $enableval; do - if test "X$pkg" = "X$p"; then - enable_shared=yes - fi - done - IFS="$ac_save_ifs" - ;; -esac -else - enable_shared=no -fi; -# Check whether --enable-static or --disable-static was given. 
-if test "${enable_static+set}" = set; then - enableval="$enable_static" - p=${PACKAGE-default} -case $enableval in -yes) enable_static=yes ;; -no) enable_static=no ;; -*) - enable_static=no - # Look at the argument we got. We use all the common list separators. - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:," - for pkg in $enableval; do - if test "X$pkg" = "X$p"; then - enable_static=yes - fi - done - IFS="$ac_save_ifs" - ;; -esac -else - enable_static=yes -fi; -# Check whether --enable-fast-install or --disable-fast-install was given. -if test "${enable_fast_install+set}" = set; then - enableval="$enable_fast_install" - p=${PACKAGE-default} -case $enableval in -yes) enable_fast_install=yes ;; -no) enable_fast_install=no ;; -*) - enable_fast_install=no - # Look at the argument we got. We use all the common list separators. - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:," - for pkg in $enableval; do - if test "X$pkg" = "X$p"; then - enable_fast_install=yes - fi - done - IFS="$ac_save_ifs" - ;; -esac -else - enable_fast_install=yes -fi; -# Find the correct PATH separator. Usually this is `:', but -# DJGPP uses `;' like DOS. -if test "X${PATH_SEPARATOR+set}" != Xset; then - UNAME=${UNAME-`uname 2>/dev/null`} - case X$UNAME in - *-DOS) lt_cv_sys_path_separator=';' ;; - *) lt_cv_sys_path_separator=':' ;; - esac - PATH_SEPARATOR=$lt_cv_sys_path_separator -fi - - -# Check whether --with-gnu-ld or --without-gnu-ld was given. -if test "${with_gnu_ld+set}" = set; then - withval="$with_gnu_ld" - test "$withval" = no || with_gnu_ld=yes -else - with_gnu_ld=no -fi; -ac_prog=ld -if test "$GCC" = yes; then - # Check if gcc -print-prog-name=ld gives a path. - echo "$as_me:3757: checking for ld used by GCC" >&5 -echo $ECHO_N "checking for ld used by GCC... 
$ECHO_C" >&6 - case $host in - *-*-mingw*) - # gcc leaves a trailing carriage return which upsets mingw - ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; - *) - ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; - esac - case $ac_prog in - # Accept absolute paths. - [\\/]* | [A-Za-z]:[\\/]*) - re_direlt='/[^/][^/]*/\.\./' - # Canonicalize the path of ld - ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'` - while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do - ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"` - done - test -z "$LD" && LD="$ac_prog" - ;; - "") - # If it fails, then pretend we aren't using GCC. - ac_prog=ld - ;; - *) - # If it is relative, then search for the first ld in PATH. - with_gnu_ld=unknown - ;; - esac -elif test "$with_gnu_ld" = yes; then - echo "$as_me:3787: checking for GNU ld" >&5 -echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6 -else - echo "$as_me:3790: checking for non-GNU ld" >&5 -echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6 -fi -if test "${lt_cv_path_LD+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -z "$LD"; then - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for ac_dir in $PATH; do - test -z "$ac_dir" && ac_dir=. - if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then - lt_cv_path_LD="$ac_dir/$ac_prog" - # Check to see if the program is GNU ld. I'd rather use --version, - # but apparently some GNU ld's only accept -v. - # Break only if it was the GNU/non-GNU ld that we prefer. - if "$lt_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then - test "$with_gnu_ld" != no && break - else - test "$with_gnu_ld" != yes && break - fi - fi - done - IFS="$ac_save_ifs" -else - lt_cv_path_LD="$LD" # Let the user override the test with a path. 
-fi -fi - -LD="$lt_cv_path_LD" -if test -n "$LD"; then - echo "$as_me:3820: result: $LD" >&5 -echo "${ECHO_T}$LD" >&6 -else - echo "$as_me:3823: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi -test -z "$LD" && { { echo "$as_me:3826: error: no acceptable ld found in \$PATH" >&5 -echo "$as_me: error: no acceptable ld found in \$PATH" >&2;} - { (exit 1); exit 1; }; } -echo "$as_me:3829: checking if the linker ($LD) is GNU ld" >&5 -echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6 -if test "${lt_cv_prog_gnu_ld+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # I'd rather use --version here, but apparently some GNU ld's only accept -v. -if $LD -v 2>&1 &5; then - lt_cv_prog_gnu_ld=yes -else - lt_cv_prog_gnu_ld=no -fi -fi -echo "$as_me:3841: result: $lt_cv_prog_gnu_ld" >&5 -echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6 -with_gnu_ld=$lt_cv_prog_gnu_ld - - -echo "$as_me:3846: checking for $LD option to reload object files" >&5 -echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6 -if test "${lt_cv_ld_reload_flag+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_ld_reload_flag='-r' -fi -echo "$as_me:3853: result: $lt_cv_ld_reload_flag" >&5 -echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6 -reload_flag=$lt_cv_ld_reload_flag -test -n "$reload_flag" && reload_flag=" $reload_flag" - -echo "$as_me:3858: checking for BSD-compatible nm" >&5 -echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6 -if test "${lt_cv_path_NM+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$NM"; then - # Let the user override the test. - lt_cv_path_NM="$NM" -else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do - test -z "$ac_dir" && ac_dir=. - tmp_nm=$ac_dir/${ac_tool_prefix}nm - if test -f $tmp_nm || test -f $tmp_nm$ac_exeext ; then - # Check to see if the nm accepts a BSD-compat flag. 
- # Adding the `sed 1q' prevents false positives on HP-UX, which says: - # nm: unknown option "B" ignored - # Tru64's nm complains that /dev/null is an invalid object file - if ($tmp_nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep '(/dev/null|Invalid file or object type)' >/dev/null; then - lt_cv_path_NM="$tmp_nm -B" - break - elif ($tmp_nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then - lt_cv_path_NM="$tmp_nm -p" - break - else - lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but - continue # so that we can try to find one that supports BSD flags - fi - fi - done - IFS="$ac_save_ifs" - test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm -fi -fi - -NM="$lt_cv_path_NM" -echo "$as_me:3894: result: $NM" >&5 -echo "${ECHO_T}$NM" >&6 - -echo "$as_me:3897: checking whether ln -s works" >&5 -echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6 -LN_S=$as_ln_s -if test "$LN_S" = "ln -s"; then - echo "$as_me:3901: result: yes" >&5 -echo "${ECHO_T}yes" >&6 -else - echo "$as_me:3904: result: no, using $LN_S" >&5 -echo "${ECHO_T}no, using $LN_S" >&6 -fi - -echo "$as_me:3908: checking how to recognise dependant libraries" >&5 -echo $ECHO_N "checking how to recognise dependant libraries... $ECHO_C" >&6 -if test "${lt_cv_deplibs_check_method+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_file_magic_cmd='$MAGIC_CMD' -lt_cv_file_magic_test_file= -lt_cv_deplibs_check_method='unknown' -# Need to set the preceding variable on all platforms that support -# interlibrary dependencies. -# 'none' -- dependencies not supported. -# `unknown' -- same as none, but documents that we really don't know. -# 'pass_all' -- all dependencies passed with no checks. -# 'test_compile' -- check by making test program. -# 'file_magic [[regex]]' -- check by looking for files in library path -# which responds to the $file_magic_cmd with a given egrep regex. 
-# If you have `file' or equivalent on your system and you're not sure -# whether `pass_all' will *always* work, you probably want this one. - -case $host_os in -aix4* | aix5*) - lt_cv_deplibs_check_method=pass_all - ;; - -beos*) - lt_cv_deplibs_check_method=pass_all - ;; - -bsdi4*) - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)' - lt_cv_file_magic_cmd='/usr/bin/file -L' - lt_cv_file_magic_test_file=/shlib/libc.so - ;; - -cygwin* | mingw* | pw32*) - lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' - lt_cv_file_magic_cmd='$OBJDUMP -f' - ;; - -darwin* | rhapsody*) - lt_cv_deplibs_check_method='file_magic Mach-O dynamically linked shared library' - lt_cv_file_magic_cmd='/usr/bin/file -L' - case "$host_os" in - rhapsody* | darwin1.[012]) - lt_cv_file_magic_test_file=`echo /System/Library/Frameworks/System.framework/Versions/*/System | head -1` - ;; - *) # Darwin 1.3 on - lt_cv_file_magic_test_file='/usr/lib/libSystem.dylib' - ;; - esac - ;; - -freebsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then - case $host_cpu in - i*86 ) - # Not sure whether the presence of OpenBSD here was a mistake. - # Let's accept both of them until this is cleared up. 
- lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[3-9]86 (compact )?demand paged shared library' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` - ;; - esac - else - lt_cv_deplibs_check_method=pass_all - fi - ;; - -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - -hpux10.20*|hpux11*) - lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=/usr/lib/libc.sl - ;; - -irix5* | irix6*) - case $host_os in - irix5*) - # this will be overridden with pass_all, but let us keep it just in case - lt_cv_deplibs_check_method="file_magic ELF 32-bit MSB dynamic lib MIPS - version 1" - ;; - *) - case $LD in - *-32|*"-32 ") libmagic=32-bit;; - *-n32|*"-n32 ") libmagic=N32;; - *-64|*"-64 ") libmagic=64-bit;; - *) libmagic=never-match;; - esac - # this will be overridden with pass_all, but let us keep it just in case - lt_cv_deplibs_check_method="file_magic ELF ${libmagic} MSB mips-[1234] dynamic lib MIPS - version 1" - ;; - esac - lt_cv_file_magic_test_file=`echo /lib${libsuff}/libc.so*` - lt_cv_deplibs_check_method=pass_all - ;; - -# This must be Linux ELF. 
-linux-gnu*) - case $host_cpu in - alpha* | hppa* | i*86 | powerpc* | sparc* | ia64* ) - lt_cv_deplibs_check_method=pass_all ;; - *) - # glibc up to 2.1.1 does not perform some relocations on ARM - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;; - esac - lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so` - ;; - -netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then - lt_cv_deplibs_check_method='match_pattern /lib[^/\.]+\.so\.[0-9]+\.[0-9]+$' - else - lt_cv_deplibs_check_method='match_pattern /lib[^/\.]+\.so$' - fi - ;; - -newos6*) - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)' - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=/usr/lib/libnls.so - ;; - -openbsd*) - lt_cv_file_magic_cmd=/usr/bin/file - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object' - else - lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library' - fi - ;; - -osf3* | osf4* | osf5*) - # this will be overridden with pass_all, but let us keep it just in case - lt_cv_deplibs_check_method='file_magic COFF format alpha shared library' - lt_cv_file_magic_test_file=/shlib/libc.so - lt_cv_deplibs_check_method=pass_all - ;; - -sco3.2v5*) - lt_cv_deplibs_check_method=pass_all - ;; - -solaris*) - lt_cv_deplibs_check_method=pass_all - lt_cv_file_magic_test_file=/lib/libc.so - ;; - -sysv5uw[78]* | sysv4*uw2*) - lt_cv_deplibs_check_method=pass_all - ;; - -sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - case $host_vendor in - motorola) - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]' - lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` - ;; - ncr) - lt_cv_deplibs_check_method=pass_all - ;; - 
sequent) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' - ;; - sni) - lt_cv_file_magic_cmd='/bin/file' - lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib" - lt_cv_file_magic_test_file=/lib/libc.so - ;; - esac - ;; -esac - -fi -echo "$as_me:4086: result: $lt_cv_deplibs_check_method" >&5 -echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6 -file_magic_cmd=$lt_cv_file_magic_cmd -deplibs_check_method=$lt_cv_deplibs_check_method - - - - - -# Check for command to grab the raw symbol name followed by C symbol from nm. -echo "$as_me:4096: checking command to parse $NM output" >&5 -echo $ECHO_N "checking command to parse $NM output... $ECHO_C" >&6 -if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -# These are sane defaults that work on at least a few old systems. -# [They come from Ultrix. What could be older than Ultrix?!! ;)] - -# Character class describing NM global symbol codes. -symcode='[BCDEGRST]' - -# Regexp to match symbols that can be accessed directly from C. -sympat='\([_A-Za-z][_A-Za-z0-9]*\)' - -# Transform the above into a raw symbol and a C symbol. -symxfrm='\1 \2\3 \3' - -# Transform an extracted symbol line into a proper C declaration -lt_cv_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern char \1;/p'" - -# Transform an extracted symbol line into symbol name and symbol address -lt_cv_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - -# Define system-specific variables. 
-case $host_os in -aix*) - symcode='[BCDT]' - ;; -cygwin* | mingw* | pw32*) - symcode='[ABCDGISTW]' - ;; -hpux*) # Its linker distinguishes data from code symbols - lt_cv_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern char \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" - lt_cv_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'" - ;; -irix*) - symcode='[BCDEGRST]' - ;; -solaris* | sysv5*) - symcode='[BDT]' - ;; -sysv4) - symcode='[DFNSTU]' - ;; -esac - -# Handle CRLF in mingw tool chain -opt_cr= -case $host_os in -mingw*) - opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp - ;; -esac - -# If we're using GNU nm, then use its standard symbol codes. -if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then - symcode='[ABCDGISTW]' -fi - -# Try without a prefix undercore, then with it. -for ac_symprfx in "" "_"; do - - # Write the raw and C identifiers. -lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'" - - # Check to see that the pipe works correctly. - pipe_works=no - rm -f conftest* - cat > conftest.$ac_ext <&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:4180: \$? = $ac_status" >&5 - (exit $ac_status); }; then - # Now try to grab the symbols. - nlist=conftest.nm - if { (eval echo "$as_me:4184: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5 - (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5 - ac_status=$? - echo "$as_me:4187: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s "$nlist"; then - # Try sorting and uniquifying the output. - if sort "$nlist" | uniq > "$nlist"T; then - mv -f "$nlist"T "$nlist" - else - rm -f "$nlist"T - fi - - # Make sure that we snagged all the symbols we need. 
- if egrep ' nm_test_var$' "$nlist" >/dev/null; then - if egrep ' nm_test_func$' "$nlist" >/dev/null; then - cat < conftest.$ac_ext -#ifdef __cplusplus -extern "C" { -#endif - -EOF - # Now generate the symbol file. - eval "$lt_cv_global_symbol_to_cdecl"' < "$nlist" >> conftest.$ac_ext' - - cat <> conftest.$ac_ext -#if defined (__STDC__) && __STDC__ -# define lt_ptr void * -#else -# define lt_ptr char * -# define const -#endif - -/* The mapping between symbol names and symbols. */ -const struct { - const char *name; - lt_ptr address; -} -lt_preloaded_symbols[] = -{ -EOF - sed "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr) \&\2},/" < "$nlist" >> conftest.$ac_ext - cat <<\EOF >> conftest.$ac_ext - {0, (lt_ptr) 0} -}; - -#ifdef __cplusplus -} -#endif -EOF - # Now try linking the two files. - mv conftest.$ac_objext conftstm.$ac_objext - save_LIBS="$LIBS" - save_CFLAGS="$CFLAGS" - LIBS="conftstm.$ac_objext" - CFLAGS="$CFLAGS$no_builtin_flag" - if { (eval echo "$as_me:4239: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:4242: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest; then - pipe_works=yes - fi - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - else - echo "cannot find nm_test_func in $nlist" >&5 - fi - else - echo "cannot find nm_test_var in $nlist" >&5 - fi - else - echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5 - fi - else - echo "$progname: failed program was:" >&5 - cat conftest.$ac_ext >&5 - fi - rm -f conftest* conftst* - - # Do not use the global_symbol_pipe unless it works. 
- if test "$pipe_works" = yes; then - break - else - lt_cv_sys_global_symbol_pipe= - fi -done - -fi - -global_symbol_pipe="$lt_cv_sys_global_symbol_pipe" -if test -z "$lt_cv_sys_global_symbol_pipe"; then - global_symbol_to_cdecl= - global_symbol_to_c_name_address= -else - global_symbol_to_cdecl="$lt_cv_global_symbol_to_cdecl" - global_symbol_to_c_name_address="$lt_cv_global_symbol_to_c_name_address" -fi -if test -z "$global_symbol_pipe$global_symbol_to_cdec$global_symbol_to_c_name_address"; -then - echo "$as_me:4283: result: failed" >&5 -echo "${ECHO_T}failed" >&6 -else - echo "$as_me:4286: result: ok" >&5 -echo "${ECHO_T}ok" >&6 -fi - - -echo "$as_me:4291: checking for ANSI C header files" >&5 -echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6 -if test "${ac_cv_header_stdc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 4297 "configure" -#include "confdefs.h" -#include -#include -#include -#include - -_ACEOF -if { (eval echo "$as_me:4305: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:4311: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_cv_header_stdc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_cv_header_stdc=no -fi -rm -f conftest.err conftest.$ac_ext - -if test $ac_cv_header_stdc = yes; then - # SunOS 4.x string.h does not declare mem*, contrary to ANSI. 
- cat >conftest.$ac_ext <<_ACEOF -#line 4333 "configure" -#include "confdefs.h" -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "memchr" >/dev/null 2>&1; then - : -else - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. - cat >conftest.$ac_ext <<_ACEOF -#line 4351 "configure" -#include "confdefs.h" -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "free" >/dev/null 2>&1; then - : -else - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. - if test "$cross_compiling" = yes; then - : -else - cat >conftest.$ac_ext <<_ACEOF -#line 4372 "configure" -#include "confdefs.h" -#include -#if ((' ' & 0x0FF) == 0x020) -# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) -#else -# define ISLOWER(c) (('a' <= (c) && (c) <= 'i') \ - || ('j' <= (c) && (c) <= 'r') \ - || ('s' <= (c) && (c) <= 'z')) -# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) -#endif - -#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) -int -main () -{ - int i; - for (i = 0; i < 256; i++) - if (XOR (islower (i), ISLOWER (i)) - || toupper (i) != TOUPPER (i)) - exit(2); - exit (0); -} -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:4398: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:4401: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:4403: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:4406: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_header_stdc=no -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -fi -echo "$as_me:4420: result: $ac_cv_header_stdc" >&5 -echo "${ECHO_T}$ac_cv_header_stdc" >&6 -if test $ac_cv_header_stdc = yes; then - -cat >>confdefs.h <<\_ACEOF -#define STDC_HEADERS 1 -_ACEOF - -fi - -# On IRIX 5.3, sys/types and inttypes.h are conflicting. - - - - - - - - - -for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ - inttypes.h stdint.h unistd.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:4444: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 4450 "configure" -#include "confdefs.h" -$ac_includes_default - -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:4457: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:4460: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:4463: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:4466: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_Header=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_Header=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:4476: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - -for ac_header in dlfcn.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:4493: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:4498: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:4502: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 4505 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:4511: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:4514: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:4517: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:4520: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:4529: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? 
-echo "$as_me:4533: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 4536 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:4540: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:4546: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:4564: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:4570: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:4572: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:4575: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:4577: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} - { echo "$as_me:4579: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:4582: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:4589: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - - - -# Only perform the check for file, if the check method requires it -case $deplibs_check_method in -file_magic*) - if test "$file_magic_cmd" = '$MAGIC_CMD'; then - echo "$as_me:4610: checking for ${ac_tool_prefix}file" >&5 -echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6 -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - case $MAGIC_CMD in - /*) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. - ;; - ?:/*) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a dos path. - ;; - *) - ac_save_MAGIC_CMD="$MAGIC_CMD" - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="/usr/bin:$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. 
- if test -f $ac_dir/${ac_tool_prefix}file; then - lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file" - if test -n "$file_magic_test_file"; then - case $deplibs_check_method in - "file_magic "*) - file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`" - MAGIC_CMD="$lt_cv_path_MAGIC_CMD" - if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | - egrep "$file_magic_regex" > /dev/null; then - : - else - cat <&2 - -*** Warning: the command libtool uses to detect shared libraries, -*** $file_magic_cmd, produces output that libtool cannot recognize. -*** The result is that libtool may fail to recognize shared libraries -*** as such. This will affect the creation of libtool libraries that -*** depend on shared libraries, but programs linked with such libtool -*** libraries will work regardless of this problem. Nevertheless, you -*** may want to report the problem to your system manager and/or to -*** bug-libtool@gnu.org - -EOF - fi ;; - esac - fi - break - fi - done - IFS="$ac_save_ifs" - MAGIC_CMD="$ac_save_MAGIC_CMD" - ;; -esac -fi - -MAGIC_CMD="$lt_cv_path_MAGIC_CMD" -if test -n "$MAGIC_CMD"; then - echo "$as_me:4665: result: $MAGIC_CMD" >&5 -echo "${ECHO_T}$MAGIC_CMD" >&6 -else - echo "$as_me:4668: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -if test -z "$lt_cv_path_MAGIC_CMD"; then - if test -n "$ac_tool_prefix"; then - echo "$as_me:4674: checking for file" >&5 -echo $ECHO_N "checking for file... $ECHO_C" >&6 -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - case $MAGIC_CMD in - /*) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. - ;; - ?:/*) - lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a dos path. - ;; - *) - ac_save_MAGIC_CMD="$MAGIC_CMD" - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="/usr/bin:$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. 
- if test -f $ac_dir/file; then - lt_cv_path_MAGIC_CMD="$ac_dir/file" - if test -n "$file_magic_test_file"; then - case $deplibs_check_method in - "file_magic "*) - file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`" - MAGIC_CMD="$lt_cv_path_MAGIC_CMD" - if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | - egrep "$file_magic_regex" > /dev/null; then - : - else - cat <&2 - -*** Warning: the command libtool uses to detect shared libraries, -*** $file_magic_cmd, produces output that libtool cannot recognize. -*** The result is that libtool may fail to recognize shared libraries -*** as such. This will affect the creation of libtool libraries that -*** depend on shared libraries, but programs linked with such libtool -*** libraries will work regardless of this problem. Nevertheless, you -*** may want to report the problem to your system manager and/or to -*** bug-libtool@gnu.org - -EOF - fi ;; - esac - fi - break - fi - done - IFS="$ac_save_ifs" - MAGIC_CMD="$ac_save_MAGIC_CMD" - ;; -esac -fi - -MAGIC_CMD="$lt_cv_path_MAGIC_CMD" -if test -n "$MAGIC_CMD"; then - echo "$as_me:4729: result: $MAGIC_CMD" >&5 -echo "${ECHO_T}$MAGIC_CMD" >&6 -else - echo "$as_me:4732: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - else - MAGIC_CMD=: - fi -fi - - fi - ;; -esac - -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. -set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -echo "$as_me:4748: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_RANLIB+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$RANLIB"; then - ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - echo "$as_me:4764: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -RANLIB=$ac_cv_prog_RANLIB -if test -n "$RANLIB"; then - echo "$as_me:4774: result: $RANLIB" >&5 -echo "${ECHO_T}$RANLIB" >&6 -else - echo "$as_me:4777: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -fi -if test -z "$ac_cv_prog_RANLIB"; then - ac_ct_RANLIB=$RANLIB - # Extract the first word of "ranlib", so it can be a program name with args. -set dummy ranlib; ac_word=$2 -echo "$as_me:4786: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_RANLIB"; then - ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_RANLIB="ranlib" - echo "$as_me:4802: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - - test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":" -fi -fi -ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB -if test -n "$ac_ct_RANLIB"; then - echo "$as_me:4813: result: $ac_ct_RANLIB" >&5 -echo "${ECHO_T}$ac_ct_RANLIB" >&6 -else - echo "$as_me:4816: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - RANLIB=$ac_ct_RANLIB -else - RANLIB="$ac_cv_prog_RANLIB" -fi - -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. -set dummy ${ac_tool_prefix}strip; ac_word=$2 -echo "$as_me:4828: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6 -if test "${ac_cv_prog_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$STRIP"; then - ac_cv_prog_STRIP="$STRIP" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_STRIP="${ac_tool_prefix}strip" - echo "$as_me:4844: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -STRIP=$ac_cv_prog_STRIP -if test -n "$STRIP"; then - echo "$as_me:4854: result: $STRIP" >&5 -echo "${ECHO_T}$STRIP" >&6 -else - echo "$as_me:4857: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -fi -if test -z "$ac_cv_prog_STRIP"; then - ac_ct_STRIP=$STRIP - # Extract the first word of "strip", so it can be a program name with args. -set dummy strip; ac_word=$2 -echo "$as_me:4866: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_STRIP"; then - ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_STRIP="strip" - echo "$as_me:4882: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - - test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":" -fi -fi -ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP -if test -n "$ac_ct_STRIP"; then - echo "$as_me:4893: result: $ac_ct_STRIP" >&5 -echo "${ECHO_T}$ac_ct_STRIP" >&6 -else - echo "$as_me:4896: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - STRIP=$ac_ct_STRIP -else - STRIP="$ac_cv_prog_STRIP" -fi - - -enable_dlopen=no -enable_win32_dll=no - -# Check whether --enable-libtool-lock or --disable-libtool-lock was given. -if test "${enable_libtool_lock+set}" = set; then - enableval="$enable_libtool_lock" - -fi; -test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes - -# Some flags need to be propagated to the compiler or linker for good -# libtool support. -case $host in -*-*-irix6*) - # Find out which ABI we are using. - echo '#line 4921 "configure"' > conftest.$ac_ext - if { (eval echo "$as_me:4922: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:4925: \$? = $ac_status" >&5 - (exit $ac_status); }; then - case `/usr/bin/file conftest.$ac_objext` in - *32-bit*) - LD="${LD-ld} -32" - ;; - *N32*) - LD="${LD-ld} -n32" - ;; - *64-bit*) - LD="${LD-ld} -64" - ;; - esac - fi - rm -rf conftest* - ;; - -*-*-sco3.2v5*) - # On SCO OpenServer 5, we need -belf to get full-featured binaries. - SAVE_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -belf" - echo "$as_me:4946: checking whether the C compiler needs -belf" >&5 -echo $ECHO_N "checking whether the C compiler needs -belf... 
$ECHO_C" >&6 -if test "${lt_cv_cc_needs_belf+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - - - ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - cat >conftest.$ac_ext <<_ACEOF -#line 4960 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:4978: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:4981: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:4984: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:4987: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - lt_cv_cc_needs_belf=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -lt_cv_cc_needs_belf=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -fi -echo "$as_me:5003: result: $lt_cv_cc_needs_belf" >&5 -echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6 - if test x"$lt_cv_cc_needs_belf" != x"yes"; then - # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf - CFLAGS="$SAVE_CFLAGS" - fi - ;; - - -esac - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='sed -e s/^X//' -sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g' - -# Same as above, but do not quote variable references. 
-double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g' - -# Sed substitution to delay expansion of an escaped shell variable in a -# double_quote_subst'ed string. -delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' - -# Constants: -rm="rm -f" - -# Global variables: -default_ofile=libtool -can_build_shared=yes - -# All known linkers require a `.a' archive for static linking (except M$VC, -# which needs '.lib'). -libext=a -ltmain="$ac_aux_dir/ltmain.sh" -ofile="$default_ofile" -with_gnu_ld="$lt_cv_prog_gnu_ld" -need_locks="$enable_libtool_lock" - -old_CC="$CC" -old_CFLAGS="$CFLAGS" - -# Set sane defaults for various variables -test -z "$AR" && AR=ar -test -z "$AR_FLAGS" && AR_FLAGS=cru -test -z "$AS" && AS=as -test -z "$CC" && CC=cc -test -z "$DLLTOOL" && DLLTOOL=dlltool -test -z "$LD" && LD=ld -test -z "$LN_S" && LN_S="ln -s" -test -z "$MAGIC_CMD" && MAGIC_CMD=file -test -z "$NM" && NM=nm -test -z "$OBJDUMP" && OBJDUMP=objdump -test -z "$RANLIB" && RANLIB=: -test -z "$STRIP" && STRIP=: -test -z "$ac_objext" && ac_objext=o - -if test x"$host" != x"$build"; then - ac_tool_prefix=${host_alias}- -else - ac_tool_prefix= -fi - -# Transform linux* to *-*-linux-gnu*, to support old configure scripts. -case $host_os in -linux-gnu*) ;; -linux*) host=`echo $host | sed 's/^\(.*-.*-linux\)\(.*\)$/\1-gnu\2/'` -esac - -case $host_os in -aix3*) - # AIX sometimes has problems with the GCC collect2 program. For some - # reason, if we set the COLLECT_NAMES environment variable, the problems - # vanish in a puff of smoke. - if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES - fi - ;; -esac - -# Determine commands to create old-style static archives. 
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' -old_postinstall_cmds='chmod 644 $oldlib' -old_postuninstall_cmds= - -if test -n "$RANLIB"; then - case $host_os in - openbsd*) - old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds" - ;; - *) - old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds" - ;; - esac - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" -fi - -# Allow CC to be a program name with arguments. -set dummy $CC -compiler="$2" - -echo "$as_me:5104: checking for objdir" >&5 -echo $ECHO_N "checking for objdir... $ECHO_C" >&6 -rm -f .libs 2>/dev/null -mkdir .libs 2>/dev/null -if test -d .libs; then - objdir=.libs -else - # MS-DOS does not allow filenames that begin with a dot. - objdir=_libs -fi -rmdir .libs 2>/dev/null -echo "$as_me:5115: result: $objdir" >&5 -echo "${ECHO_T}$objdir" >&6 - - - -# Check whether --with-pic or --without-pic was given. -if test "${with_pic+set}" = set; then - withval="$with_pic" - pic_mode="$withval" -else - pic_mode=default -fi; -test -z "$pic_mode" && pic_mode=default - -# We assume here that the value for lt_cv_prog_cc_pic will not be cached -# in isolation, and that seeing it set (from the cache) indicates that -# the associated values are set (in the cache) correctly too. -echo "$as_me:5132: checking for $compiler option to produce PIC" >&5 -echo $ECHO_N "checking for $compiler option to produce PIC... 
$ECHO_C" >&6 -if test "${lt_cv_prog_cc_pic+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_prog_cc_pic= - lt_cv_prog_cc_shlib= - lt_cv_prog_cc_wl= - lt_cv_prog_cc_static= - lt_cv_prog_cc_no_builtin= - lt_cv_prog_cc_can_build_shared=$can_build_shared - - if test "$GCC" = yes; then - lt_cv_prog_cc_wl='-Wl,' - lt_cv_prog_cc_static='-static' - - case $host_os in - aix*) - # Below there is a dirty hack to force normal static linking with -ldl - # The problem is because libdl dynamically linked with both libc and - # libC (AIX C++ library), which obviously doesn't included in libraries - # list by gcc. This cause undefined symbols with -static flags. - # This hack allows C programs to be linked with "-static -ldl", but - # not sure about C++ programs. - lt_cv_prog_cc_static="$lt_cv_prog_cc_static ${lt_cv_prog_cc_wl}-lC" - ;; - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - lt_cv_prog_cc_pic='-m68020 -resident32 -malways-restore-a4' - ;; - beos* | irix5* | irix6* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. - ;; - darwin* | rhapsody*) - # PIC is the default on this platform - # Common symbols not allowed in MH_DYLIB files - lt_cv_prog_cc_pic='-fno-common' - ;; - cygwin* | mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - lt_cv_prog_cc_pic='-DDLL_EXPORT' - ;; - sysv4*MP*) - if test -d /usr/nec; then - lt_cv_prog_cc_pic=-Kconform_pic - fi - ;; - *) - lt_cv_prog_cc_pic='-fPIC' - ;; - esac - else - # PORTME Check for PIC flags for the system compiler. - case $host_os in - aix3* | aix4* | aix5*) - lt_cv_prog_cc_wl='-Wl,' - # All AIX code is PIC. 
- if test "$host_cpu" = ia64; then - # AIX 5 now supports IA64 processor - lt_cv_prog_cc_static='-Bstatic' - else - lt_cv_prog_cc_static='-bnso -bI:/lib/syscalls.exp' - fi - ;; - - hpux9* | hpux10* | hpux11*) - # Is there a better lt_cv_prog_cc_static that works with the bundled CC? - lt_cv_prog_cc_wl='-Wl,' - lt_cv_prog_cc_static="${lt_cv_prog_cc_wl}-a ${lt_cv_prog_cc_wl}archive" - lt_cv_prog_cc_pic='+Z' - ;; - - irix5* | irix6*) - lt_cv_prog_cc_wl='-Wl,' - lt_cv_prog_cc_static='-non_shared' - # PIC (with -KPIC) is the default. - ;; - - cygwin* | mingw* | pw32* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - lt_cv_prog_cc_pic='-DDLL_EXPORT' - ;; - - newsos6) - lt_cv_prog_cc_pic='-KPIC' - lt_cv_prog_cc_static='-Bstatic' - ;; - - osf3* | osf4* | osf5*) - # All OSF/1 code is PIC. - lt_cv_prog_cc_wl='-Wl,' - lt_cv_prog_cc_static='-non_shared' - ;; - - sco3.2v5*) - lt_cv_prog_cc_pic='-Kpic' - lt_cv_prog_cc_static='-dn' - lt_cv_prog_cc_shlib='-belf' - ;; - - solaris*) - lt_cv_prog_cc_pic='-KPIC' - lt_cv_prog_cc_static='-Bstatic' - lt_cv_prog_cc_wl='-Wl,' - ;; - - sunos4*) - lt_cv_prog_cc_pic='-PIC' - lt_cv_prog_cc_static='-Bstatic' - lt_cv_prog_cc_wl='-Qoption ld ' - ;; - - sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - lt_cv_prog_cc_pic='-KPIC' - lt_cv_prog_cc_static='-Bstatic' - if test "x$host_vendor" = xsni; then - lt_cv_prog_cc_wl='-LD' - else - lt_cv_prog_cc_wl='-Wl,' - fi - ;; - - uts4*) - lt_cv_prog_cc_pic='-pic' - lt_cv_prog_cc_static='-Bstatic' - ;; - - sysv4*MP*) - if test -d /usr/nec ;then - lt_cv_prog_cc_pic='-Kconform_pic' - lt_cv_prog_cc_static='-Bstatic' - fi - ;; - - *) - lt_cv_prog_cc_can_build_shared=no - ;; - esac - fi - -fi - -if test -z "$lt_cv_prog_cc_pic"; then - echo "$as_me:5279: result: none" >&5 -echo "${ECHO_T}none" >&6 -else - echo "$as_me:5282: result: $lt_cv_prog_cc_pic" >&5 -echo "${ECHO_T}$lt_cv_prog_cc_pic" >&6 - - # Check to make sure 
the pic_flag actually works. - echo "$as_me:5286: checking if $compiler PIC flag $lt_cv_prog_cc_pic works" >&5 -echo $ECHO_N "checking if $compiler PIC flag $lt_cv_prog_cc_pic works... $ECHO_C" >&6 - if test "${lt_cv_prog_cc_pic_works+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $lt_cv_prog_cc_pic -DPIC" - cat >conftest.$ac_ext <<_ACEOF -#line 5294 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:5312: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:5315: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:5318: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:5321: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - case $host_os in - hpux9* | hpux10* | hpux11*) - # On HP-UX, both CC and GCC only warn that PIC is supported... then - # they create non-PIC objects. So, if there were any warnings, we - # assume that PIC is not supported. - if test -s conftest.err; then - lt_cv_prog_cc_pic_works=no - else - lt_cv_prog_cc_pic_works=yes - fi - ;; - *) - lt_cv_prog_cc_pic_works=yes - ;; - esac - -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 - lt_cv_prog_cc_pic_works=no - -fi -rm -f conftest.$ac_objext conftest.$ac_ext - CFLAGS="$save_CFLAGS" - -fi - - - if test "X$lt_cv_prog_cc_pic_works" = Xno; then - lt_cv_prog_cc_pic= - lt_cv_prog_cc_can_build_shared=no - else - lt_cv_prog_cc_pic=" $lt_cv_prog_cc_pic" - fi - - echo "$as_me:5358: result: $lt_cv_prog_cc_pic_works" >&5 -echo "${ECHO_T}$lt_cv_prog_cc_pic_works" >&6 -fi - -# Check for any special shared library compilation flags. 
-if test -n "$lt_cv_prog_cc_shlib"; then - { echo "$as_me:5364: WARNING: \`$CC' requires \`$lt_cv_prog_cc_shlib' to build shared libraries" >&5 -echo "$as_me: WARNING: \`$CC' requires \`$lt_cv_prog_cc_shlib' to build shared libraries" >&2;} - if echo "$old_CC $old_CFLAGS " | egrep -e "[ ]$lt_cv_prog_cc_shlib[ ]" >/dev/null; then : - else - { echo "$as_me:5368: WARNING: add \`$lt_cv_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&5 -echo "$as_me: WARNING: add \`$lt_cv_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&2;} - lt_cv_prog_cc_can_build_shared=no - fi -fi - -echo "$as_me:5374: checking if $compiler static flag $lt_cv_prog_cc_static works" >&5 -echo $ECHO_N "checking if $compiler static flag $lt_cv_prog_cc_static works... $ECHO_C" >&6 -if test "${lt_cv_prog_cc_static_works+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - lt_cv_prog_cc_static_works=no - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $lt_cv_prog_cc_static" - cat >conftest.$ac_ext <<_ACEOF -#line 5383 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5401: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:5404: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5407: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:5410: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - lt_cv_prog_cc_static_works=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - LDFLAGS="$save_LDFLAGS" - -fi - - -# Belt *and* braces to stop my trousers falling down: -test "X$lt_cv_prog_cc_static_works" = Xno && lt_cv_prog_cc_static= -echo "$as_me:5425: result: $lt_cv_prog_cc_static_works" >&5 -echo "${ECHO_T}$lt_cv_prog_cc_static_works" >&6 - -pic_flag="$lt_cv_prog_cc_pic" -special_shlib_compile_flags="$lt_cv_prog_cc_shlib" -wl="$lt_cv_prog_cc_wl" -link_static_flag="$lt_cv_prog_cc_static" -no_builtin_flag="$lt_cv_prog_cc_no_builtin" -can_build_shared="$lt_cv_prog_cc_can_build_shared" - - -# Check to see if options -o and -c are simultaneously supported by compiler -echo "$as_me:5437: checking if $compiler supports -c -o file.$ac_objext" >&5 -echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6 -if test "${lt_cv_compiler_c_o+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -$rm -r conftest 2>/dev/null -mkdir conftest -cd conftest -echo "int some_variable = 0;" > conftest.$ac_ext -mkdir out -# According to Tom Tromey, Ian Lance Taylor reported there are C compilers -# that will create temporary files in the current directory regardless of -# the output directory. Thus, making CWD read-only will cause this test -# to fail, enabling locking or at least warning the user not to do parallel -# builds. -chmod -w . -save_CFLAGS="$CFLAGS" -CFLAGS="$CFLAGS -o out/conftest2.$ac_objext" -compiler_c_o=no -if { (eval echo configure:5457: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$ac_objext; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s out/conftest.err; then - lt_cv_compiler_c_o=no - else - lt_cv_compiler_c_o=yes - fi -else - # Append any errors to the config.log. 
- cat out/conftest.err 1>&5 - lt_cv_compiler_c_o=no -fi -CFLAGS="$save_CFLAGS" -chmod u+w . -$rm conftest* out/* -rmdir out -cd .. -rmdir conftest -$rm -r conftest 2>/dev/null - -fi - -compiler_c_o=$lt_cv_compiler_c_o -echo "$as_me:5481: result: $compiler_c_o" >&5 -echo "${ECHO_T}$compiler_c_o" >&6 - -if test x"$compiler_c_o" = x"yes"; then - # Check to see if we can write to a .lo - echo "$as_me:5486: checking if $compiler supports -c -o file.lo" >&5 -echo $ECHO_N "checking if $compiler supports -c -o file.lo... $ECHO_C" >&6 - if test "${lt_cv_compiler_o_lo+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - - lt_cv_compiler_o_lo=no - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -c -o conftest.lo" - save_objext="$ac_objext" - ac_objext=lo - cat >conftest.$ac_ext <<_ACEOF -#line 5498 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -int some_variable = 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:5516: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:5519: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:5522: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:5525: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - lt_cv_compiler_o_lo=no - else - lt_cv_compiler_o_lo=yes - fi - -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - ac_objext="$save_objext" - CFLAGS="$save_CFLAGS" - -fi - - compiler_o_lo=$lt_cv_compiler_o_lo - echo "$as_me:5546: result: $compiler_o_lo" >&5 -echo "${ECHO_T}$compiler_o_lo" >&6 -else - compiler_o_lo=no -fi - -# Check to see if we can do hard links to lock some files if needed -hard_links="nottested" -if test "$compiler_c_o" = no && test "$need_locks" != no; then - # do not overwrite the value of need_locks provided by the user - echo "$as_me:5556: checking if we can lock with hard links" >&5 -echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6 - hard_links=yes - $rm conftest* - ln conftest.a conftest.b 2>/dev/null && hard_links=no - touch conftest.a - ln conftest.a conftest.b 2>&5 || hard_links=no - ln conftest.a conftest.b 2>/dev/null && hard_links=no - echo "$as_me:5564: result: $hard_links" >&5 -echo "${ECHO_T}$hard_links" >&6 - if test "$hard_links" = no; then - { echo "$as_me:5567: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 -echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} - need_locks=warn - fi -else - need_locks=no -fi - -if test "$GCC" = yes; then - # Check to see if options -fno-rtti -fno-exceptions are supported by compiler - echo "$as_me:5577: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 -echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... 
$ECHO_C" >&6 - echo "int some_variable = 0;" > conftest.$ac_ext - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.$ac_ext" - compiler_rtti_exceptions=no - cat >conftest.$ac_ext <<_ACEOF -#line 5584 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -int some_variable = 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:5602: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:5605: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:5608: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:5611: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - # The compiler can only warn and ignore the option if not recognized - # So say no if there are warnings - if test -s conftest.err; then - compiler_rtti_exceptions=no - else - compiler_rtti_exceptions=yes - fi - -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - CFLAGS="$save_CFLAGS" - echo "$as_me:5627: result: $compiler_rtti_exceptions" >&5 -echo "${ECHO_T}$compiler_rtti_exceptions" >&6 - - if test "$compiler_rtti_exceptions" = "yes"; then - no_builtin_flag=' -fno-builtin -fno-rtti -fno-exceptions' - else - no_builtin_flag=' -fno-builtin' - fi -fi - -# See if the linker supports building shared libraries. -echo "$as_me:5638: checking whether the linker ($LD) supports shared libraries" >&5 -echo $ECHO_N "checking whether the linker ($LD) supports shared libraries... 
$ECHO_C" >&6 - -allow_undefined_flag= -no_undefined_flag= -need_lib_prefix=unknown -need_version=unknown -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -archive_cmds= -archive_expsym_cmds= -old_archive_from_new_cmds= -old_archive_from_expsyms_cmds= -export_dynamic_flag_spec= -whole_archive_flag_spec= -thread_safe_flag_spec= -hardcode_into_libs=no -hardcode_libdir_flag_spec= -hardcode_libdir_separator= -hardcode_direct=no -hardcode_minus_L=no -hardcode_shlibpath_var=unsupported -runpath_var= -link_all_deplibs=unknown -always_export_symbols=no -export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | sed '\''s/.* //'\'' | sort | uniq > $export_symbols' -# include_expsyms should be a list of space-separated symbols to be *always* -# included in the symbol list -include_expsyms= -# exclude_expsyms can be an egrep regular expression of symbols to exclude -# it will be wrapped by ` (' and `)$', so one must not match beginning or -# end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', -# as well as any symbol that contains `d'. -exclude_expsyms="_GLOBAL_OFFSET_TABLE_" -# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out -# platforms (ab)use it in PIC code, but their linkers get confused if -# the symbol is explicitly referenced. Since portable code cannot -# rely on this symbol name, it's probably fine to never include it in -# preloaded symbol tables. -extract_expsyms_cmds= - -case $host_os in -cygwin* | mingw* | pw32*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - if test "$GCC" != yes; then - with_gnu_ld=no - fi - ;; -openbsd*) - with_gnu_ld=no - ;; -esac - -ld_shlibs=yes -if test "$with_gnu_ld" = yes; then - # If archive_cmds runs LD, not CC, wlarc should be empty - wlarc='${wl}' - - # See if GNU ld supports shared libraries. 
- case $host_os in - aix3* | aix4* | aix5*) - # On AIX, the GNU linker is very broken - # Note:Check GNU linker on AIX 5-IA64 when/if it becomes available. - ld_shlibs=no - cat <&2 - -*** Warning: the GNU linker, at least up to release 2.9.1, is reported -*** to be unable to reliably create shared libraries on AIX. -*** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. - -EOF - ;; - - amigaos*) - archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - - # Samuel A. Falvo II reports - # that the semantics of dynamic libraries on AmigaOS, at least up - # to version 4, is to share data among multiple programs linked - # with the same dynamic library. Since this doesn't match the - # behavior of shared libraries on other platforms, we can use - # them. - ld_shlibs=no - ;; - - beos*) - if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then - allow_undefined_flag=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - else - ld_shlibs=no - fi - ;; - - cygwin* | mingw* | pw32*) - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. 
- hardcode_libdir_flag_spec='-L$libdir' - allow_undefined_flag=unsupported - always_export_symbols=yes - - extract_expsyms_cmds='test -f $output_objdir/impgen.c || \ - sed -e "/^# \/\* impgen\.c starts here \*\//,/^# \/\* impgen.c ends here \*\// { s/^# //;s/^# *$//; p; }" -e d < $''0 > $output_objdir/impgen.c~ - test -f $output_objdir/impgen.exe || (cd $output_objdir && \ - if test "x$HOST_CC" != "x" ; then $HOST_CC -o impgen impgen.c ; \ - else $CC -o impgen impgen.c ; fi)~ - $output_objdir/impgen $dir/$soroot > $output_objdir/$soname-def' - - old_archive_from_expsyms_cmds='$DLLTOOL --as=$AS --dllname $soname --def $output_objdir/$soname-def --output-lib $output_objdir/$newlib' - - # cygwin and mingw dlls have different entry points and sets of symbols - # to exclude. - # FIXME: what about values for MSVC? - dll_entry=__cygwin_dll_entry@12 - dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12~ - case $host_os in - mingw*) - # mingw values - dll_entry=_DllMainCRTStartup@12 - dll_exclude_symbols=DllMain@12,DllMainCRTStartup@12,DllEntryPoint@12~ - ;; - esac - - # mingw and cygwin differ, and it's simplest to just exclude the union - # of the two symbol sets. 
- dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12,DllMainCRTStartup@12,DllEntryPoint@12 - - # recent cygwin and mingw systems supply a stub DllMain which the user - # can override, but on older systems we have to supply one (in ltdll.c) - if test "x$lt_cv_need_dllmain" = "xyes"; then - ltdll_obj='$output_objdir/$soname-ltdll.'"$ac_objext " - ltdll_cmds='test -f $output_objdir/$soname-ltdll.c || sed -e "/^# \/\* ltdll\.c starts here \*\//,/^# \/\* ltdll.c ends here \*\// { s/^# //; p; }" -e d < $''0 > $output_objdir/$soname-ltdll.c~ - test -f $output_objdir/$soname-ltdll.$ac_objext || (cd $output_objdir && $CC -c $soname-ltdll.c)~' - else - ltdll_obj= - ltdll_cmds= - fi - - # Extract the symbol export list from an `--export-all' def file, - # then regenerate the def file from the symbol export list, so that - # the compiled dll only exports the symbol export list. - # Be careful not to strip the DATA tag left be newer dlltools. - export_symbols_cmds="$ltdll_cmds"' - $DLLTOOL --export-all --exclude-symbols '$dll_exclude_symbols' --output-def $output_objdir/$soname-def '$ltdll_obj'$libobjs $convenience~ - sed -e "1,/EXPORTS/d" -e "s/ @ [0-9]*//" -e "s/ *;.*$//" < $output_objdir/$soname-def > $export_symbols' - - # If the export-symbols file already is a .def file (1st line - # is EXPORTS), use it as is. - # If DATA tags from a recent dlltool are present, honour them! 
- archive_expsym_cmds='if test "x`head -1 $export_symbols`" = xEXPORTS; then - cp $export_symbols $output_objdir/$soname-def; - else - echo EXPORTS > $output_objdir/$soname-def; - _lt_hint=1; - cat $export_symbols | while read symbol; do - set dummy \$symbol; - case \$# in - 2) echo " \$2 @ \$_lt_hint ; " >> $output_objdir/$soname-def;; - *) echo " \$2 @ \$_lt_hint \$3 ; " >> $output_objdir/$soname-def;; - esac; - _lt_hint=`expr 1 + \$_lt_hint`; - done; - fi~ - '"$ltdll_cmds"' - $CC -Wl,--base-file,$output_objdir/$soname-base '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $output_objdir/$soname '$ltdll_obj'$libobjs $deplibs $compiler_flags~ - $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp~ - $CC -Wl,--base-file,$output_objdir/$soname-base $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $output_objdir/$soname '$ltdll_obj'$libobjs $deplibs $compiler_flags~ - $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp --output-lib $output_objdir/$libname.dll.a~ - $CC $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $output_objdir/$soname '$ltdll_obj'$libobjs $deplibs $compiler_flags' - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= - else - archive_cmds='$CC -shared -nodefaultlibs $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared -nodefaultlibs $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - fi - ;; - - solaris* | sysv5*) - if $LD -v 2>&1 | egrep 'BFD 2\.8' > /dev/null; then - ld_shlibs=no - cat <&2 - -*** Warning: The releases 
2.8.* of the GNU linker cannot reliably -*** create shared libraries on Solaris systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.9.1 or newer. Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. - -EOF - elif $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs=no - fi - ;; - - sunos4*) - archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' - wlarc= - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - *) - if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs=no - fi - ;; - esac - - if test "$ld_shlibs" = yes; then - runpath_var=LD_RUN_PATH - hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir' - export_dynamic_flag_spec='${wl}--export-dynamic' - case $host_os in - cygwin* | mingw* | pw32*) - # dlltool doesn't understand --whole-archive et. al. - whole_archive_flag_spec= - ;; - *) - # ancient GNU ld didn't support --whole-archive et. al. 
- if $LD --help 2>&1 | egrep 'no-whole-archive' > /dev/null; then - whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - whole_archive_flag_spec= - fi - ;; - esac - fi -else - # PORTME fill in a description of your system's linker (not GNU ld) - case $host_os in - aix3*) - allow_undefined_flag=unsupported - always_export_symbols=yes - archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. - hardcode_minus_L=yes - if test "$GCC" = yes && test -z "$link_static_flag"; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. - hardcode_direct=unsupported - fi - ;; - - aix4* | aix5*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - exp_sym_flag='-Bexport' - no_entry_flag="" - else - aix_use_runtimelinking=no - - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix5*) - for ld_flag in $LDFLAGS; do - if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then - aix_use_runtimelinking=yes - break - fi - done - esac - - exp_sym_flag='-bexport' - no_entry_flag='-bnoentry' - fi - - # When large executables or shared objects are built, AIX ld can - # have problems creating the table of contents. If linking a library - # or program results in "error TOC overflow" add -mminimal-toc to - # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not - # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. 
- - hardcode_direct=yes - archive_cmds='' - hardcode_libdir_separator=':' - if test "$GCC" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - hardcode_direct=yes - else - # We have old collect2 - hardcode_direct=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. Setting hardcode_minus_L - # to unsupported forces relinking - hardcode_minus_L=yes - hardcode_libdir_flag_spec='-L$libdir' - hardcode_libdir_separator= - fi - esac - - shared_flag='-shared' - else - # not using gcc - if test "$host_cpu" = ia64; then - shared_flag='${wl}-G' - else - if test "$aix_use_runtimelinking" = yes; then - shared_flag='${wl}-G' - else - shared_flag='${wl}-bM:SRE' - fi - fi - fi - - # It seems that -bexpall can do strange things, so it is better to - # generate a list of symbols to export. - always_export_symbols=yes - if test "$aix_use_runtimelinking" = yes; then - # Warning - without using the other runtime loading flags (-brtl), - # -berok will link without error, but may produce a broken library. 
- allow_undefined_flag='-berok' - hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:/usr/lib:/lib' - archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag" - else - if test "$host_cpu" = ia64; then - hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib' - allow_undefined_flag="-z nodefs" - archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname ${wl}-h$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols" - else - hardcode_libdir_flag_spec='${wl}-bnolibpath ${wl}-blibpath:$libdir:/usr/lib:/lib' - # Warning - without using the other run time loading flags, - # -berok will link without error, but may produce a broken library. - allow_undefined_flag='${wl}-berok' - # This is a bit strange, but is similar to how AIX traditionally builds - # it's shared libraries. 
- archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"' ~$AR -crlo $objdir/$libname$release.a $objdir/$soname' - fi - fi - ;; - - amigaos*) - archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - # see comment about different semantics on the GNU ld section - ld_shlibs=no - ;; - - cygwin* | mingw* | pw32*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - hardcode_libdir_flag_spec=' ' - allow_undefined_flag=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # FIXME: Setting linknames here is a bad hack. - archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - old_archive_from_new_cmds='true' - # FIXME: Should let the user specify the lib program. - old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs' - fix_srcfile_path='`cygpath -w "$srcfile"`' - ;; - - darwin* | rhapsody*) - case "$host_os" in - rhapsody* | darwin1.[012]) - allow_undefined_flag='-undefined suppress' - ;; - *) # Darwin 1.3 on - allow_undefined_flag='-flat_namespace -undefined suppress' - ;; - esac - # FIXME: Relying on posixy $() will cause problems for - # cross-compilation, but unfortunately the echo tests do not - # yet detect zsh echo's removal of \ escapes. 
- archive_cmds='$nonopt $(test "x$module" = xyes && echo -bundle || echo -dynamiclib) $allow_undefined_flag -o $lib $libobjs $deplibs$linker_flags -install_name $rpath/$soname $verstring' - # We need to add '_' to the symbols in $export_symbols first - #archive_expsym_cmds="$archive_cmds"' && strip -s $export_symbols' - hardcode_direct=yes - hardcode_shlibpath_var=no - whole_archive_flag_spec='-all_load $convenience' - ;; - - freebsd1*) - ld_shlibs=no - ;; - - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor - # support. Future versions do this automatically, but an explicit c++rt0.o - # does not break anything, and helps significantly (at the cost of a little - # extra space). - freebsd2.2*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes - hardcode_minus_L=yes - hardcode_shlibpath_var=no - ;; - - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. - freebsd*) - archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - hpux9* | hpux10* | hpux11*) - case $host_os in - hpux9*) archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' ;; - *) archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' ;; - esac - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_direct=yes - hardcode_minus_L=yes # Not in the search PATH, but as the default - # location of the library. 
- export_dynamic_flag_spec='${wl}-E' - ;; - - irix5* | irix6*) - if test "$GCC" = yes; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - link_all_deplibs=yes - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else - archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF - fi - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - newsos6) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_shlibpath_var=no - ;; - - openbsd*) - hardcode_direct=yes - hardcode_shlibpath_var=no - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - export_dynamic_flag_spec='${wl}-E' - else - case "$host_os" in - openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='-R$libdir' - ;; - *) - archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - ;; - esac - fi - ;; - - os2*) - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - allow_undefined_flag=unsupported - 
archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' - old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' - ;; - - osf3*) - if test "$GCC" = yes; then - allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - ;; - - osf4* | osf5*) # as osf3* with the addition of -msym flag - if test "$GCC" = yes; then - allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - else - allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - archive_expsym_cmds='for i in `cat 
$export_symbols`; do printf "-exported_symbol " >> $lib.exp; echo "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~ - $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp' - - #Both c and cxx compiler support -rpath directly - hardcode_libdir_flag_spec='-rpath $libdir' - fi - hardcode_libdir_separator=: - ;; - - sco3.2v5*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - export_dynamic_flag_spec='${wl}-Bexport' - ;; - - solaris*) - # gcc --version < 3.0 without binutils cannot create self contained - # shared libraries reliably, requiring libgcc.a to resolve some of - # the object symbols generated in some cases. Libraries that use - # assert need libgcc.a to resolve __eprintf, for example. Linking - # a copy of libgcc.a into every shared library to guarantee resolving - # such symbols causes other problems: According to Tim Van Holder - # , C++ libraries end up with a separate - # (to the application) exception stack for one thing. - no_undefined_flag=' -z defs' - if test "$GCC" = yes; then - case `$CC --version 2>/dev/null` in - [12].*) - cat <&2 - -*** Warning: Releases of GCC earlier than version 3.0 cannot reliably -*** create self contained shared libraries on Solaris systems, without -*** introducing a dependency on libgcc.a. Therefore, libtool is disabling -*** -no-undefined support, which will at least allow you to build shared -*** libraries. However, you may find that when you link such libraries -*** into an application without using GCC, you have to manually add -*** \`gcc --print-libgcc-file-name\` to the link command. We urge you to -*** upgrade to a newer version of GCC. Another option is to rebuild your -*** current GCC to use the GNU linker from GNU binutils 2.9.1 or newer. 
- -EOF - no_undefined_flag= - ;; - esac - fi - # $CC -shared without GNU ld will not create a library from C++ - # object files and a static libstdc++, better avoid it by now - archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_shlibpath_var=no - case $host_os in - solaris2.[0-5] | solaris2.[0-5].*) ;; - *) # Supported since Solaris 2.6 (maybe 2.5.1?) - whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;; - esac - link_all_deplibs=yes - ;; - - sunos4*) - if test "x$host_vendor" = xsequent; then - # Use $CC to link under sequent, because it throws in some extra .o - # files that make .init and .fini sections work. - archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' - fi - hardcode_libdir_flag_spec='-L$libdir' - hardcode_direct=yes - hardcode_minus_L=yes - hardcode_shlibpath_var=no - ;; - - sysv4) - if test "x$host_vendor" = xsno; then - archive_cmds='$LD -G -Bsymbolic -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes # is this really true??? 
- else - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=no #Motorola manual says yes, but my tests say they lie - fi - runpath_var='LD_RUN_PATH' - hardcode_shlibpath_var=no - ;; - - sysv4.3*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var=no - export_dynamic_flag_spec='-Bexport' - ;; - - sysv5*) - no_undefined_flag=' -z text' - # $CC -shared without GNU ld will not create a library from C++ - # object files and a static libstdc++, better avoid it by now - archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - hardcode_libdir_flag_spec= - hardcode_shlibpath_var=no - runpath_var='LD_RUN_PATH' - ;; - - uts4*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_shlibpath_var=no - ;; - - dgux*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_shlibpath_var=no - ;; - - sysv4*MP*) - if test -d /usr/nec; then - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - ld_shlibs=yes - fi - ;; - - sysv4.2uw2*) - archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes - hardcode_minus_L=no - hardcode_shlibpath_var=no - hardcode_runpath_var=yes - runpath_var=LD_RUN_PATH - ;; - - sysv5uw7* | unixware7*) - no_undefined_flag='${wl}-z ${wl}text' - if test "$GCC" = yes; then - archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' - else - archive_cmds='$CC -G ${wl}-h ${wl}$soname -o $lib 
$libobjs $deplibs $compiler_flags' - fi - runpath_var='LD_RUN_PATH' - hardcode_shlibpath_var=no - ;; - - *) - ld_shlibs=no - ;; - esac -fi -echo "$as_me:6318: result: $ld_shlibs" >&5 -echo "${ECHO_T}$ld_shlibs" >&6 -test "$ld_shlibs" = no && can_build_shared=no - -# Check hardcoding attributes. -echo "$as_me:6323: checking how to hardcode library paths into programs" >&5 -echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6 -hardcode_action= -if test -n "$hardcode_libdir_flag_spec" || \ - test -n "$runpath_var"; then - - # We can hardcode non-existant directories. - if test "$hardcode_direct" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$hardcode_shlibpath_var" != no && - test "$hardcode_minus_L" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. - hardcode_action=immediate - fi -else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - hardcode_action=unsupported -fi -echo "$as_me:6347: result: $hardcode_action" >&5 -echo "${ECHO_T}$hardcode_action" >&6 - -striplib= -old_striplib= -echo "$as_me:6352: checking whether stripping libraries is possible" >&5 -echo $ECHO_N "checking whether stripping libraries is possible... 
$ECHO_C" >&6 -if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then - test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" - test -z "$striplib" && striplib="$STRIP --strip-unneeded" - echo "$as_me:6357: result: yes" >&5 -echo "${ECHO_T}yes" >&6 -else - echo "$as_me:6360: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -reload_cmds='$LD$reload_flag -o $output$reload_objs' -test -z "$deplibs_check_method" && deplibs_check_method=unknown - -# PORTME Fill in your ld.so characteristics -echo "$as_me:6368: checking dynamic linker characteristics" >&5 -echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6 -library_names_spec= -libname_spec='lib$name' -soname_spec= -postinstall_cmds= -postuninstall_cmds= -finish_cmds= -finish_eval= -shlibpath_var= -shlibpath_overrides_runpath=unknown -version_type=none -dynamic_linker="$host_os ld.so" -sys_lib_dlsearch_path_spec="/lib /usr/lib" -sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" - -case $host_os in -aix3*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix $libname.a' - shlibpath_var=LIBPATH - - # AIX has no versioning support, so we append a major version to the name. - soname_spec='${libname}${release}.so$major' - ;; - -aix4* | aix5*) - version_type=linux - if test "$host_cpu" = ia64; then - # AIX 5 supports IA64 - library_names_spec='${libname}${release}.so$major ${libname}${release}.so$versuffix $libname.so' - shlibpath_var=LD_LIBRARY_PATH - else - # With GCC up to 2.95.x, collect2 would create an import file - # for dependence libraries. The import file would start with - # the line `#! .'. This would cause the generated library to - # depend on `.', always an invalid library. This was fixed in - # development snapshots of GCC prior to 3.0. 
- case $host_os in - aix4 | aix4.[01] | aix4.[01].*) - if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' - echo ' yes ' - echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then - : - else - can_build_shared=no - fi - ;; - esac - # AIX (on Power*) has no versioning support, so currently we can - # not hardcode correct soname into executable. Probably we can - # add versioning support to collect2, so additional links can - # be useful in future. - if test "$aix_use_runtimelinking" = yes; then - # If using run time linking (on AIX 4.2 or later) use lib.so - # instead of lib.a to let people know that these are not - # typical AIX shared libraries. - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - else - # We preserve .a as extension for shared libraries through AIX4.2 - # and later when we are not doing run time linking. - library_names_spec='${libname}${release}.a $libname.a' - soname_spec='${libname}${release}.so$major' - fi - shlibpath_var=LIBPATH - fi - ;; - -amigaos*) - library_names_spec='$libname.ixlibrary $libname.a' - # Create ${libname}_ixlibrary.a entries in /sys/libs. 
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "(cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a)"; (cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a) || exit 1; done' - ;; - -beos*) - library_names_spec='${libname}.so' - dynamic_linker="$host_os ld.so" - shlibpath_var=LIBRARY_PATH - ;; - -bsdi4*) - version_type=linux - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" - sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" - export_dynamic_flag_spec=-rdynamic - # the default ld.so.conf also contains /usr/contrib/lib and - # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow - # libtool to hard-code these into programs - ;; - -cygwin* | mingw* | pw32*) - version_type=windows - need_version=no - need_lib_prefix=no - case $GCC,$host_os in - yes,cygwin*) - library_names_spec='$libname.dll.a' - soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll' - postinstall_cmds='dlpath=`bash 2>&1 -c '\''. $dir/${file}i;echo \$dlname'\''`~ - dldir=$destdir/`dirname \$dlpath`~ - test -d \$dldir || mkdir -p \$dldir~ - $install_prog .libs/$dlname \$dldir/$dlname' - postuninstall_cmds='dldll=`bash 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ - dlpath=$dir/\$dldll~ - $rm \$dlpath' - ;; - yes,mingw*) - library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll' - sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | sed -e "s/^libraries://" -e "s/;/ /g"` - ;; - yes,pw32*) - library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | sed -e 's/./-/g'`${versuffix}.dll' - ;; - *) - library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.lib' - ;; - esac - dynamic_linker='Win32 ld.exe' - # FIXME: first we should search . and the directory the executable is in - shlibpath_var=PATH - ;; - -darwin* | rhapsody*) - dynamic_linker="$host_os dyld" - version_type=darwin - need_lib_prefix=no - need_version=no - # FIXME: Relying on posixy $() will cause problems for - # cross-compilation, but unfortunately the echo tests do not - # yet detect zsh echo's removal of \ escapes. - library_names_spec='${libname}${release}${versuffix}.$(test .$module = .yes && echo so || echo dylib) ${libname}${release}${major}.$(test .$module = .yes && echo so || echo dylib) ${libname}.$(test .$module = .yes && echo so || echo dylib)' - soname_spec='${libname}${release}${major}.$(test .$module = .yes && echo so || echo dylib)' - shlibpath_overrides_runpath=yes - shlibpath_var=DYLD_LIBRARY_PATH - ;; - -freebsd1*) - dynamic_linker=no - ;; - -freebsd*) - objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout` - version_type=freebsd-$objformat - case $version_type in - freebsd-elf*) - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so' - need_version=no - need_lib_prefix=no - ;; - freebsd-*) - library_names_spec='${libname}${release}.so$versuffix $libname.so$versuffix' - need_version=yes - ;; - esac - shlibpath_var=LD_LIBRARY_PATH - case $host_os in - freebsd2*) - shlibpath_overrides_runpath=yes - ;; - *) - shlibpath_overrides_runpath=no - hardcode_into_libs=yes 
- ;; - esac - ;; - -gnu*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so${major} ${libname}.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - hardcode_into_libs=yes - ;; - -hpux9* | hpux10* | hpux11*) - # Give a soname corresponding to the major version so that dld.sl refuses to - # link against other versions. - dynamic_linker="$host_os dld.sl" - version_type=sunos - need_lib_prefix=no - need_version=no - shlibpath_var=SHLIB_PATH - shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH - library_names_spec='${libname}${release}.sl$versuffix ${libname}${release}.sl$major $libname.sl' - soname_spec='${libname}${release}.sl$major' - # HP-UX runs *really* slowly unless shared libraries are mode 555. - postinstall_cmds='chmod 555 $lib' - ;; - -irix5* | irix6*) - version_type=irix - need_lib_prefix=no - need_version=no - soname_spec='${libname}${release}.so$major' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so $libname.so' - case $host_os in - irix5*) - libsuff= shlibsuff= - ;; - *) - case $LD in # libtool.m4 will add one of these switches to LD - *-32|*"-32 ") libsuff= shlibsuff= libmagic=32-bit;; - *-n32|*"-n32 ") libsuff=32 shlibsuff=N32 libmagic=N32;; - *-64|*"-64 ") libsuff=64 shlibsuff=64 libmagic=64-bit;; - *) libsuff= shlibsuff= libmagic=never-match;; - esac - ;; - esac - shlibpath_var=LD_LIBRARY${shlibsuff}_PATH - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" - sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" - ;; - -# No shared lib support for Linux oldld, aout, or coff. -linux-gnuoldld* | linux-gnuaout* | linux-gnucoff*) - dynamic_linker=no - ;; - -# This must be Linux ELF. 
-linux-gnu*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. - hardcode_into_libs=yes - - # We used to test for /lib/ld.so.1 and disable shared libraries on - # powerpc, because MkLinux only supported shared libraries with the - # GNU dynamic linker. Since this was broken with cross compilers, - # most powerpc-linux boxes support dynamic linking these days and - # people can always --disable-shared, the test was removed, and we - # assume the GNU/Linux dynamic linker is in use. - dynamic_linker='GNU/Linux ld.so' - ;; - -netbsd*) - version_type=sunos - need_lib_prefix=no - need_version=no - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - dynamic_linker='NetBSD (a.out) ld.so' - else - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so ${libname}.so' - soname_spec='${libname}${release}.so$major' - dynamic_linker='NetBSD ld.elf_so' - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - -newsos6) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - ;; - -openbsd*) - version_type=sunos - need_lib_prefix=no - need_version=no - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - case "$host_os" in - openbsd2.[89] 
| openbsd2.[89].*) - shlibpath_overrides_runpath=no - ;; - *) - shlibpath_overrides_runpath=yes - ;; - esac - else - shlibpath_overrides_runpath=yes - fi - library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - ;; - -os2*) - libname_spec='$name' - need_lib_prefix=no - library_names_spec='$libname.dll $libname.a' - dynamic_linker='OS/2 ld.exe' - shlibpath_var=LIBPATH - ;; - -osf3* | osf4* | osf5*) - version_type=osf - need_version=no - soname_spec='${libname}${release}.so' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so' - shlibpath_var=LD_LIBRARY_PATH - sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" - sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" - ;; - -sco3.2v5*) - version_type=osf - soname_spec='${libname}${release}.so$major' - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - shlibpath_var=LD_LIBRARY_PATH - ;; - -solaris*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; - -sunos4*) - version_type=sunos - library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' - finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes - if test "$with_gnu_ld" = yes; then - need_lib_prefix=no - fi - need_version=yes - ;; - -sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - 
soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - case $host_vendor in - sni) - shlibpath_overrides_runpath=no - ;; - motorola) - need_lib_prefix=no - need_version=no - shlibpath_overrides_runpath=no - sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' - ;; - esac - ;; - -uts4*) - version_type=linux - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -dgux*) - version_type=linux - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' - soname_spec='${libname}${release}.so$major' - shlibpath_var=LD_LIBRARY_PATH - ;; - -sysv4*MP*) - if test -d /usr/nec ;then - version_type=linux - library_names_spec='$libname.so.$versuffix $libname.so.$major $libname.so' - soname_spec='$libname.so.$major' - shlibpath_var=LD_LIBRARY_PATH - fi - ;; - -*) - dynamic_linker=no - ;; -esac -echo "$as_me:6761: result: $dynamic_linker" >&5 -echo "${ECHO_T}$dynamic_linker" >&6 -test "$dynamic_linker" = no && can_build_shared=no - -# Report the final consequences. -echo "$as_me:6766: checking if libtool supports shared libraries" >&5 -echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6 -echo "$as_me:6768: result: $can_build_shared" >&5 -echo "${ECHO_T}$can_build_shared" >&6 - -echo "$as_me:6771: checking whether to build shared libraries" >&5 -echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6 -test "$can_build_shared" = "no" && enable_shared=no - -# On AIX, shared libraries and static libraries use the same namespace, and -# are all built from PIC. 
-case "$host_os" in -aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi - ;; - -aix4*) - if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then - test "$enable_shared" = yes && enable_static=no - fi - ;; -esac -echo "$as_me:6792: result: $enable_shared" >&5 -echo "${ECHO_T}$enable_shared" >&6 - -echo "$as_me:6795: checking whether to build static libraries" >&5 -echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6 -# Make sure either enable_shared or enable_static is yes. -test "$enable_shared" = yes || enable_static=yes -echo "$as_me:6799: result: $enable_static" >&5 -echo "${ECHO_T}$enable_static" >&6 - -if test "$hardcode_action" = relink; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless -fi - -variables_saved_for_relink="PATH $shlibpath_var $runpath_var" -if test "$GCC" = yes; then - variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" -fi - -if test "x$enable_dlopen" != xyes; then - enable_dlopen=unknown - enable_dlopen_self=unknown - enable_dlopen_self_static=unknown -else - lt_cv_dlopen=no - lt_cv_dlopen_libs= - - case $host_os in - beos*) - lt_cv_dlopen="load_add_on" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ;; - - cygwin* | mingw* | pw32*) - lt_cv_dlopen="LoadLibrary" - lt_cv_dlopen_libs= - ;; - - *) - echo "$as_me:6837: checking for shl_load" >&5 -echo $ECHO_N "checking for shl_load... 
$ECHO_C" >&6 -if test "${ac_cv_func_shl_load+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 6843 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char shl_load (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char shl_load (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_shl_load) || defined (__stub___shl_load) -choke me -#else -f = shl_load; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6880: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:6883: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6886: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:6889: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_shl_load=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_shl_load=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:6899: result: $ac_cv_func_shl_load" >&5 -echo "${ECHO_T}$ac_cv_func_shl_load" >&6 -if test $ac_cv_func_shl_load = yes; then - lt_cv_dlopen="shl_load" -else - echo "$as_me:6904: checking for shl_load in -ldld" >&5 -echo $ECHO_N "checking for shl_load in -ldld... 
$ECHO_C" >&6 -if test "${ac_cv_lib_dld_shl_load+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 6912 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char shl_load (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -shl_load (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6937: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:6940: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6943: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:6946: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_dld_shl_load=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_dld_shl_load=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:6957: result: $ac_cv_lib_dld_shl_load" >&5 -echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6 -if test $ac_cv_lib_dld_shl_load = yes; then - lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld" -else - echo "$as_me:6962: checking for dlopen" >&5 -echo $ECHO_N "checking for dlopen... $ECHO_C" >&6 -if test "${ac_cv_func_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 6968 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char dlopen (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char dlopen (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_dlopen) || defined (__stub___dlopen) -choke me -#else -f = dlopen; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7005: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:7008: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7011: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:7014: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_dlopen=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_dlopen=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:7024: result: $ac_cv_func_dlopen" >&5 -echo "${ECHO_T}$ac_cv_func_dlopen" >&6 -if test $ac_cv_func_dlopen = yes; then - lt_cv_dlopen="dlopen" -else - echo "$as_me:7029: checking for dlopen in -ldl" >&5 -echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6 -if test "${ac_cv_lib_dl_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 7037 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char dlopen (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dlopen (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7062: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:7065: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7068: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:7071: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_dl_dlopen=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_dl_dlopen=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:7082: result: $ac_cv_lib_dl_dlopen" >&5 -echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6 -if test $ac_cv_lib_dl_dlopen = yes; then - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" -else - echo "$as_me:7087: checking for dlopen in -lsvld" >&5 -echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6 -if test "${ac_cv_lib_svld_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsvld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 7095 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char dlopen (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dlopen (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7120: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:7123: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7126: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:7129: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_svld_dlopen=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_svld_dlopen=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:7140: result: $ac_cv_lib_svld_dlopen" >&5 -echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6 -if test $ac_cv_lib_svld_dlopen = yes; then - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" -else - echo "$as_me:7145: checking for dld_link in -ldld" >&5 -echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6 -if test "${ac_cv_lib_dld_dld_link+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 7153 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char dld_link (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dld_link (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7178: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:7181: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7184: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:7187: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_dld_dld_link=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_dld_dld_link=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:7198: result: $ac_cv_lib_dld_dld_link" >&5 -echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6 -if test $ac_cv_lib_dld_dld_link = yes; then - lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld" -fi - - -fi - - -fi - - -fi - - -fi - - -fi - - ;; - esac - - if test "x$lt_cv_dlopen" != xno; then - enable_dlopen=yes - else - enable_dlopen=no - fi - - case $lt_cv_dlopen in - dlopen) - save_CPPFLAGS="$CPPFLAGS" - test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" - - save_LDFLAGS="$LDFLAGS" - eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" - - save_LIBS="$LIBS" - LIBS="$lt_cv_dlopen_libs $LIBS" - - echo "$as_me:7239: checking whether a program can dlopen itself" >&5 -echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6 -if test "${lt_cv_dlopen_self+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then : - lt_cv_dlopen_self=cross -else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext < -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif - -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -#ifdef __cplusplus -extern "C" void exit (int); -#endif - -void fnord() { int i=42;} -int main () -{ - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; - - if (self) - { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ - } - - exit (status); -} -EOF - if { (eval echo "$as_me:7311: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:7314: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) 2>/dev/null - lt_status=$? - case x$lt_status in - x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;; - x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;; - x$lt_unknown|x*) lt_cv_dlopen_self=no ;; - esac - else : - # compilation failed - lt_cv_dlopen_self=no - fi -fi -rm -fr conftest* - - -fi -echo "$as_me:7332: result: $lt_cv_dlopen_self" >&5 -echo "${ECHO_T}$lt_cv_dlopen_self" >&6 - - if test "x$lt_cv_dlopen_self" = xyes; then - LDFLAGS="$LDFLAGS $link_static_flag" - echo "$as_me:7337: checking whether a statically linked program can dlopen itself" >&5 -echo $ECHO_N "checking whether a statically linked program can dlopen itself... 
$ECHO_C" >&6 -if test "${lt_cv_dlopen_self_static+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then : - lt_cv_dlopen_self_static=cross -else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext < -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif - -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. */ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -#ifdef __cplusplus -extern "C" void exit (int); -#endif - -void fnord() { int i=42;} -int main () -{ - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; - - if (self) - { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ - } - - exit (status); -} -EOF - if { (eval echo "$as_me:7409: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:7412: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) 2>/dev/null - lt_status=$? 
- case x$lt_status in - x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;; - x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;; - x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;; - esac - else : - # compilation failed - lt_cv_dlopen_self_static=no - fi -fi -rm -fr conftest* - - -fi -echo "$as_me:7430: result: $lt_cv_dlopen_self_static" >&5 -echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6 - fi - - CPPFLAGS="$save_CPPFLAGS" - LDFLAGS="$save_LDFLAGS" - LIBS="$save_LIBS" - ;; - esac - - case $lt_cv_dlopen_self in - yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; - *) enable_dlopen_self=unknown ;; - esac - - case $lt_cv_dlopen_self_static in - yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; - *) enable_dlopen_self_static=unknown ;; - esac -fi - - -if test "$enable_shared" = yes && test "$GCC" = yes; then - case $archive_cmds in - *'~'*) - # FIXME: we may have to deal with multi-command sequences. - ;; - '$CC '*) - # Test whether the compiler implicitly links with -lc since on some - # systems, -lgcc has to come before -lc. If gcc already passes -lc - # to ld, don't add -lc before -lgcc. - echo "$as_me:7461: checking whether -lc should be explicitly linked in" >&5 -echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6 - if test "${lt_cv_archive_cmds_need_lc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - $rm conftest* - echo 'static int dummy;' > conftest.$ac_ext - - if { (eval echo "$as_me:7469: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:7472: \$? = $ac_status" >&5 - (exit $ac_status); }; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$lt_cv_prog_cc_wl - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. 
- libname=conftest - save_allow_undefined_flag=$allow_undefined_flag - allow_undefined_flag= - if { (eval echo "$as_me:7486: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5 - (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5 - ac_status=$? - echo "$as_me:7489: \$? = $ac_status" >&5 - (exit $ac_status); } - then - lt_cv_archive_cmds_need_lc=no - else - lt_cv_archive_cmds_need_lc=yes - fi - allow_undefined_flag=$save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi -fi - - echo "$as_me:7502: result: $lt_cv_archive_cmds_need_lc" >&5 -echo "${ECHO_T}$lt_cv_archive_cmds_need_lc" >&6 - ;; - esac -fi -need_lc=${lt_cv_archive_cmds_need_lc-yes} - -# The second clause should only fire when bootstrapping the -# libtool distribution, otherwise you forgot to ship ltmain.sh -# with your package, and you will get complaints that there are -# no rules to generate ltmain.sh. -if test -f "$ltmain"; then - : -else - # If there is no Makefile yet, we rely on a make rule to execute - # `config.status --recheck' to rerun these tests and create the - # libtool script then. - test -f Makefile && make "$ltmain" -fi - -if test -f "$ltmain"; then - trap "$rm \"${ofile}T\"; exit 1" 1 2 15 - $rm -f "${ofile}T" - - echo creating $ofile - - # Now quote all the things that may contain metacharacters while being - # careful not to overquote the AC_SUBSTed values. We take copies of the - # variables and quote the copies for generation of the libtool script. 
- for var in echo old_CC old_CFLAGS \ - AR AR_FLAGS CC LD LN_S NM SHELL \ - reload_flag reload_cmds wl \ - pic_flag link_static_flag no_builtin_flag export_dynamic_flag_spec \ - thread_safe_flag_spec whole_archive_flag_spec libname_spec \ - library_names_spec soname_spec \ - RANLIB old_archive_cmds old_archive_from_new_cmds old_postinstall_cmds \ - old_postuninstall_cmds archive_cmds archive_expsym_cmds postinstall_cmds \ - postuninstall_cmds extract_expsyms_cmds old_archive_from_expsyms_cmds \ - old_striplib striplib file_magic_cmd export_symbols_cmds \ - deplibs_check_method allow_undefined_flag no_undefined_flag \ - finish_cmds finish_eval global_symbol_pipe global_symbol_to_cdecl \ - global_symbol_to_c_name_address \ - hardcode_libdir_flag_spec hardcode_libdir_separator \ - sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - compiler_c_o compiler_o_lo need_locks exclude_expsyms include_expsyms; do - - case $var in - reload_cmds | old_archive_cmds | old_archive_from_new_cmds | \ - old_postinstall_cmds | old_postuninstall_cmds | \ - export_symbols_cmds | archive_cmds | archive_expsym_cmds | \ - extract_expsyms_cmds | old_archive_from_expsyms_cmds | \ - postinstall_cmds | postuninstall_cmds | \ - finish_cmds | sys_lib_search_path_spec | sys_lib_dlsearch_path_spec) - # Double-quote double-evaled strings. - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" - ;; - *) - eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" - ;; - esac - done - - cat <<__EOF__ > "${ofile}T" -#! $SHELL - -# `$echo "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. -# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) -# NOTE: Changes made to this file will be lost: look at ltmain.sh. -# -# Copyright (C) 1996-2000 Free Software Foundation, Inc. 
-# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# Sed that helps us avoid accidentally triggering echo(1) options like -n. -Xsed="sed -e s/^X//" - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi - -# ### BEGIN LIBTOOL CONFIG - -# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: - -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL - -# Whether or not to build shared libraries. -build_libtool_libs=$enable_shared - -# Whether or not to build static libraries. -build_old_libs=$enable_static - -# Whether or not to add -lc for building shared libraries. -build_libtool_need_lc=$need_lc - -# Whether or not to optimize for fast installation. -fast_install=$enable_fast_install - -# The host system. -host_alias=$host_alias -host=$host - -# An echo program that does not interpret backslashes. -echo=$lt_echo - -# The archiver. 
-AR=$lt_AR -AR_FLAGS=$lt_AR_FLAGS - -# The default C compiler. -CC=$lt_CC - -# Is the compiler the GNU C compiler? -with_gcc=$GCC - -# The linker used to build libraries. -LD=$lt_LD - -# Whether we need hard or soft links. -LN_S=$lt_LN_S - -# A BSD-compatible nm program. -NM=$lt_NM - -# A symbol stripping program -STRIP=$STRIP - -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=$MAGIC_CMD - -# Used on cygwin: DLL creation program. -DLLTOOL="$DLLTOOL" - -# Used on cygwin: object dumper. -OBJDUMP="$OBJDUMP" - -# Used on cygwin: assembler. -AS="$AS" - -# The name of the directory that contains temporary libtool files. -objdir=$objdir - -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds - -# How to pass a linker flag through the compiler. -wl=$lt_wl - -# Object file suffix (normally "o"). -objext="$ac_objext" - -# Old archive suffix (normally "a"). -libext="$libext" - -# Executable file suffix (normally ""). -exeext="$exeext" - -# Additional compiler flags for building library objects. -pic_flag=$lt_pic_flag -pic_mode=$pic_mode - -# Does compiler simultaneously support -c and -o options? -compiler_c_o=$lt_compiler_c_o - -# Can we write directly to a .lo ? -compiler_o_lo=$lt_compiler_o_lo - -# Must we lock files when doing compilation ? -need_locks=$lt_need_locks - -# Do we need the lib prefix for modules? -need_lib_prefix=$need_lib_prefix - -# Do we need a version for libraries? -need_version=$need_version - -# Whether dlopen is supported. -dlopen_support=$enable_dlopen - -# Whether dlopen of programs is supported. -dlopen_self=$enable_dlopen_self - -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=$enable_dlopen_self_static - -# Compiler flag to prevent dynamic linking. -link_static_flag=$lt_link_static_flag - -# Compiler flag to turn off builtin functions. -no_builtin_flag=$lt_no_builtin_flag - -# Compiler flag to allow reflexive dlopens. 
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec - -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec=$lt_whole_archive_flag_spec - -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec=$lt_thread_safe_flag_spec - -# Library versioning type. -version_type=$version_type - -# Format of library name prefix. -libname_spec=$lt_libname_spec - -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec=$lt_library_names_spec - -# The coded name of the library, if different from the real name. -soname_spec=$lt_soname_spec - -# Commands used to build and install an old-style archive. -RANLIB=$lt_RANLIB -old_archive_cmds=$lt_old_archive_cmds -old_postinstall_cmds=$lt_old_postinstall_cmds -old_postuninstall_cmds=$lt_old_postuninstall_cmds - -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds=$lt_old_archive_from_new_cmds - -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds - -# Commands used to build and install a shared archive. -archive_cmds=$lt_archive_cmds -archive_expsym_cmds=$lt_archive_expsym_cmds -postinstall_cmds=$lt_postinstall_cmds -postuninstall_cmds=$lt_postuninstall_cmds - -# Commands to strip libraries. -old_striplib=$lt_old_striplib -striplib=$lt_striplib - -# Method to check whether dependent libraries are shared objects. -deplibs_check_method=$lt_deplibs_check_method - -# Command to use when deplibs_check_method == file_magic. -file_magic_cmd=$lt_file_magic_cmd - -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag=$lt_allow_undefined_flag - -# Flag that forces no undefined symbols. -no_undefined_flag=$lt_no_undefined_flag - -# Commands used to finish a libtool library installation in a directory. 
-finish_cmds=$lt_finish_cmds - -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval=$lt_finish_eval - -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe=$lt_global_symbol_pipe - -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl=$lt_global_symbol_to_cdecl - -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address=$lt_global_symbol_to_c_name_address - -# This is the shared library runtime path variable. -runpath_var=$runpath_var - -# This is the shared library path variable. -shlibpath_var=$shlibpath_var - -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=$shlibpath_overrides_runpath - -# How to hardcode a shared library path into an executable. -hardcode_action=$hardcode_action - -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=$hardcode_into_libs - -# Flag to hardcode \$libdir into a binary during linking. -# This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator=$lt_hardcode_libdir_separator - -# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=$hardcode_direct - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=$hardcode_minus_L - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. -hardcode_shlibpath_var=$hardcode_shlibpath_var - -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="$variables_saved_for_relink" - -# Whether libtool must link a program against all its dependency libraries. 
-link_all_deplibs=$link_all_deplibs - -# Compile-time system search path for libraries -sys_lib_search_path_spec=$lt_sys_lib_search_path_spec - -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec - -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path="$fix_srcfile_path" - -# Set to yes if exported symbols are required. -always_export_symbols=$always_export_symbols - -# The commands to list exported symbols. -export_symbols_cmds=$lt_export_symbols_cmds - -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds=$lt_extract_expsyms_cmds - -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms=$lt_exclude_expsyms - -# Symbols that must always be exported. -include_expsyms=$lt_include_expsyms - -# ### END LIBTOOL CONFIG - -__EOF__ - - case $host_os in - aix3*) - cat <<\EOF >> "${ofile}T" - -# AIX sometimes has problems with the GCC collect2 program. For some -# reason, if we set the COLLECT_NAMES environment variable, the problems -# vanish in a puff of smoke. 
-if test "X${COLLECT_NAMES+set}" != Xset; then - COLLECT_NAMES= - export COLLECT_NAMES -fi -EOF - ;; - esac - - case $host_os in - cygwin* | mingw* | pw32* | os2*) - cat <<'EOF' >> "${ofile}T" - # This is a source program that is used to create dlls on Windows - # Don't remove nor modify the starting and closing comments -# /* ltdll.c starts here */ -# #define WIN32_LEAN_AND_MEAN -# #include -# #undef WIN32_LEAN_AND_MEAN -# #include -# -# #ifndef __CYGWIN__ -# # ifdef __CYGWIN32__ -# # define __CYGWIN__ __CYGWIN32__ -# # endif -# #endif -# -# #ifdef __cplusplus -# extern "C" { -# #endif -# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved); -# #ifdef __cplusplus -# } -# #endif -# -# #ifdef __CYGWIN__ -# #include -# DECLARE_CYGWIN_DLL( DllMain ); -# #endif -# HINSTANCE __hDllInstance_base; -# -# BOOL APIENTRY -# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved) -# { -# __hDllInstance_base = hInst; -# return TRUE; -# } -# /* ltdll.c ends here */ - # This is a source program that is used to create import libraries - # on Windows for dlls which lack them. Don't remove nor modify the - # starting and closing comments -# /* impgen.c starts here */ -# /* Copyright (C) 1999-2000 Free Software Foundation, Inc. -# -# This file is part of GNU libtool. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. 
-# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# */ -# -# #include /* for printf() */ -# #include /* for open(), lseek(), read() */ -# #include /* for O_RDONLY, O_BINARY */ -# #include /* for strdup() */ -# -# /* O_BINARY isn't required (or even defined sometimes) under Unix */ -# #ifndef O_BINARY -# #define O_BINARY 0 -# #endif -# -# static unsigned int -# pe_get16 (fd, offset) -# int fd; -# int offset; -# { -# unsigned char b[2]; -# lseek (fd, offset, SEEK_SET); -# read (fd, b, 2); -# return b[0] + (b[1]<<8); -# } -# -# static unsigned int -# pe_get32 (fd, offset) -# int fd; -# int offset; -# { -# unsigned char b[4]; -# lseek (fd, offset, SEEK_SET); -# read (fd, b, 4); -# return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24); -# } -# -# static unsigned int -# pe_as32 (ptr) -# void *ptr; -# { -# unsigned char *b = ptr; -# return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24); -# } -# -# int -# main (argc, argv) -# int argc; -# char *argv[]; -# { -# int dll; -# unsigned long pe_header_offset, opthdr_ofs, num_entries, i; -# unsigned long export_rva, export_size, nsections, secptr, expptr; -# unsigned long name_rvas, nexp; -# unsigned char *expdata, *erva; -# char *filename, *dll_name; -# -# filename = argv[1]; -# -# dll = open(filename, O_RDONLY|O_BINARY); -# if (dll < 1) -# return 1; -# -# dll_name = filename; -# -# for (i=0; filename[i]; i++) -# if (filename[i] == '/' || filename[i] == '\\' || filename[i] == ':') -# dll_name = filename + i +1; -# -# pe_header_offset = pe_get32 (dll, 0x3c); -# opthdr_ofs = pe_header_offset + 4 + 20; -# num_entries = pe_get32 (dll, opthdr_ofs + 92); -# -# if (num_entries < 1) /* no exports */ -# return 1; -# -# export_rva = pe_get32 (dll, opthdr_ofs + 96); -# export_size = pe_get32 (dll, opthdr_ofs + 100); -# nsections = pe_get16 (dll, pe_header_offset + 4 +2); -# secptr = 
(pe_header_offset + 4 + 20 + -# pe_get16 (dll, pe_header_offset + 4 + 16)); -# -# expptr = 0; -# for (i = 0; i < nsections; i++) -# { -# char sname[8]; -# unsigned long secptr1 = secptr + 40 * i; -# unsigned long vaddr = pe_get32 (dll, secptr1 + 12); -# unsigned long vsize = pe_get32 (dll, secptr1 + 16); -# unsigned long fptr = pe_get32 (dll, secptr1 + 20); -# lseek(dll, secptr1, SEEK_SET); -# read(dll, sname, 8); -# if (vaddr <= export_rva && vaddr+vsize > export_rva) -# { -# expptr = fptr + (export_rva - vaddr); -# if (export_rva + export_size > vaddr + vsize) -# export_size = vsize - (export_rva - vaddr); -# break; -# } -# } -# -# expdata = (unsigned char*)malloc(export_size); -# lseek (dll, expptr, SEEK_SET); -# read (dll, expdata, export_size); -# erva = expdata - export_rva; -# -# nexp = pe_as32 (expdata+24); -# name_rvas = pe_as32 (expdata+32); -# -# printf ("EXPORTS\n"); -# for (i = 0; i> "${ofile}T" || (rm -f "${ofile}T"; exit 1) - - mv -f "${ofile}T" "$ofile" || \ - (rm -f "$ofile" && cp "${ofile}T" "$ofile" && rm -f "${ofile}T") - chmod +x "$ofile" -fi - - - - - -# This can be used to rebuild libtool when needed -LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh" - -# Always use our own libtool. -LIBTOOL='$(SHELL) $(top_builddir)/libtool' - -# Prevent multiple expansion - - - - -WFLAGS_NOUNUSED="" -WFLAGS_NOIMPLICITINT="" -if test -z "$WFLAGS" -a "$GCC" = "yes"; then - # -Wno-implicit-int for broken X11 headers - # leave these out for now: - # -Wcast-align doesn't work well on alpha osf/1 - # -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast - # -Wmissing-declarations -Wnested-externs - WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs" - WFLAGS_NOUNUSED="-Wno-unused" - WFLAGS_NOIMPLICITINT="-Wno-implicit-int" -fi - - - -# Check whether --enable-berkeley-db or --disable-berkeley-db was given. 
-if test "${enable_berkeley_db+set}" = set; then - enableval="$enable_berkeley_db" - - -fi; - -have_ndbm=no -db_type=unknown - -if test "$enable_berkeley_db" != no; then - - - - - -for ac_header in \ - db4/db.h \ - db3/db.h \ - db.h \ - db_185.h \ - -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:8114: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:8119: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:8123: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 8126 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:8132: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:8135: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:8138: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8141: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:8150: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:8154: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... 
$ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 8157 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:8161: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:8167: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:8185: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:8191: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:8193: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:8196: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:8198: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:8200: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:8203: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:8210: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - - - - -echo "$as_me:8228: checking for db_create" >&5 -echo $ECHO_N "checking for db_create... $ECHO_C" >&6 -if test "${ac_cv_funclib_db_create+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_db_create\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" db4 db3 db; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 8246 "configure" -#include "confdefs.h" - - #include - #ifdef HAVE_DB4_DB_H - #include - #elif defined(HAVE_DB3_DB_H) - #include - #else - #include - #endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -db_create(NULL, NULL, 0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8273: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:8276: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8279: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8282: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_db_create=$ac_lib; else ac_cv_funclib_db_create=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_db_create=\${ac_cv_funclib_db_create-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_db_create" - -if false; then - -for ac_func in db_create -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:8305: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 8311 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8348: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:8351: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8354: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8357: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:8367: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# db_create -eval "ac_tr_func=HAVE_`echo db_create | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_db_create=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_db_create=yes" - eval "LIB_db_create=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:8391: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_db_create=no" - eval "LIB_db_create=" - echo "$as_me:8397: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_db_create=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:8411: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - if test "$ac_cv_func_db_create" = "yes"; then - db_type=db3 - if test "$ac_cv_funclib_db_create" != "yes"; then - DBLIB="$ac_cv_funclib_db_create" - else - DBLIB="" - fi - -cat >>confdefs.h <<\_ACEOF -#define HAVE_DB3 1 -_ACEOF - - else - - - - - -echo "$as_me:8436: checking for dbopen" >&5 -echo $ECHO_N "checking for dbopen... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_dbopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_dbopen\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" db2 db; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 8454 "configure" -#include "confdefs.h" - - #include - #if defined(HAVE_DB2_DB_H) - #include - #elif defined(HAVE_DB_185_H) - #include - #elif defined(HAVE_DB_H) - #include - #else - #error no db.h - #endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dbopen(NULL, 0, 0, 0, NULL) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8483: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:8486: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8489: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8492: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbopen=$ac_lib; else ac_cv_funclib_dbopen=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_dbopen=\${ac_cv_funclib_dbopen-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_dbopen" - -if false; then - -for ac_func in dbopen -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:8515: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 8521 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8558: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:8561: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8564: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8567: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:8577: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# dbopen -eval "ac_tr_func=HAVE_`echo dbopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_dbopen=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_dbopen=yes" - eval "LIB_dbopen=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:8601: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_dbopen=no" - eval "LIB_dbopen=" - echo "$as_me:8607: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_dbopen=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:8621: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - if test "$ac_cv_func_dbopen" = "yes"; then - db_type=db1 - if test "$ac_cv_funclib_dbopen" != "yes"; then - DBLIB="$ac_cv_funclib_dbopen" - else - DBLIB="" - fi - -cat >>confdefs.h <<\_ACEOF -#define HAVE_DB1 1 -_ACEOF - - fi - fi - - - if test "$ac_cv_func_dbm_firstkey" != yes; then - - -echo "$as_me:8647: checking for dbm_firstkey" >&5 -echo $ECHO_N "checking for dbm_firstkey... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_dbm_firstkey\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in $ac_cv_funclib_dbopen $ac_cv_funclib_db_create; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 8665 "configure" -#include "confdefs.h" - - #include - #define DB_DBM_HSEARCH 1 - #include - DBM *dbm; - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dbm_firstkey(NULL) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8688: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:8691: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8694: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8697: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_dbm_firstkey" - -if false; then - -for ac_func in dbm_firstkey -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:8720: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 8726 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8763: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:8766: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8769: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8772: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:8782: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# dbm_firstkey -eval "ac_tr_func=HAVE_`echo dbm_firstkey | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_dbm_firstkey=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_dbm_firstkey=yes" - eval "LIB_dbm_firstkey=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:8806: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_dbm_firstkey=no" - eval "LIB_dbm_firstkey=" - echo "$as_me:8812: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_dbm_firstkey=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:8826: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - if test "$ac_cv_func_dbm_firstkey" = "yes"; then - if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then - LIB_NDBM="$ac_cv_funclib_dbm_firstkey" - else - LIB_NDBM="" - fi - -cat >>confdefs.h <<\_ACEOF -#define HAVE_DB_NDBM 1 -_ACEOF - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_NEW_DB 1 -_ACEOF - - else - $as_unset ac_cv_func_dbm_firstkey - $as_unset ac_cv_funclib_dbm_firstkey - fi - fi - -fi # berkeley db - -if test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then - - - -for ac_header in \ - dbm.h \ - ndbm.h \ - -do 
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:8868: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:8873: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:8877: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 8880 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:8886: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:8889: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:8892: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:8895: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:8904: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:8908: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 8911 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:8915: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:8921: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:8939: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:8945: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:8947: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:8950: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:8952: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:8954: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:8957: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:8964: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - - - -echo "$as_me:8981: checking for dbm_firstkey" >&5 -echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6 -if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_dbm_firstkey\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ndbm; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 8999 "configure" -#include "confdefs.h" - - #include - #if defined(HAVE_NDBM_H) - #include - #elif defined(HAVE_DBM_H) - #include - #endif - DBM *dbm; - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dbm_firstkey(NULL) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9025: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:9028: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9031: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9034: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_dbm_firstkey" - -if false; then - -for ac_func in dbm_firstkey -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:9057: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9063 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9100: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:9103: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9106: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9109: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:9119: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# dbm_firstkey -eval "ac_tr_func=HAVE_`echo dbm_firstkey | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_dbm_firstkey=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_dbm_firstkey=yes" - eval "LIB_dbm_firstkey=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:9143: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_dbm_firstkey=no" - eval "LIB_dbm_firstkey=" - echo "$as_me:9149: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_dbm_firstkey=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:9163: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - if test "$ac_cv_func_dbm_firstkey" = "yes"; then - if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then - LIB_NDBM="$ac_cv_funclib_dbm_firstkey" - else - LIB_NDBM="" - fi - -cat >>confdefs.h <<\_ACEOF -#define HAVE_NDBM 1 -_ACEOF - have_ndbm=yes - if test "$db_type" = "unknown"; then - db_type=ndbm - DBLIB="$LIB_NDBM" - fi - else - - $as_unset 
ac_cv_func_dbm_firstkey - $as_unset ac_cv_funclib_dbm_firstkey - - -for ac_header in \ - gdbm/ndbm.h \ - -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:9197: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:9202: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:9206: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 9209 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:9215: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:9218: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:9221: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9224: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:9233: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:9237: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 9240 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:9244: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:9250: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:9268: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:9274: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:9276: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:9279: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:9281: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:9283: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:9286: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:9293: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - - - -echo "$as_me:9310: checking for dbm_firstkey" >&5 -echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6 -if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_dbm_firstkey\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" gdbm; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 9328 "configure" -#include "confdefs.h" - - #include - #include - DBM *dbm; - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dbm_firstkey(NULL) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9350: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:9353: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9356: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9359: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_dbm_firstkey" - -if false; then - -for ac_func in dbm_firstkey -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:9382: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9388 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9425: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:9428: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9431: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9434: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:9444: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# dbm_firstkey -eval "ac_tr_func=HAVE_`echo dbm_firstkey | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_dbm_firstkey=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_dbm_firstkey=yes" - eval "LIB_dbm_firstkey=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:9468: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_dbm_firstkey=no" - eval "LIB_dbm_firstkey=" - echo "$as_me:9474: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_dbm_firstkey=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:9488: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - if test "$ac_cv_func_dbm_firstkey" = "yes"; then - if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then - LIB_NDBM="$ac_cv_funclib_dbm_firstkey" - else - LIB_NDBM="" - fi - -cat >>confdefs.h <<\_ACEOF -#define HAVE_NDBM 1 -_ACEOF - have_ndbm=yes - if test "$db_type" = "unknown"; then - db_type=ndbm - DBLIB="$LIB_NDBM" - fi - fi - fi - -fi # unknown 
- -if test "$have_ndbm" = "yes"; then - echo "$as_me:9516: checking if ndbm is implemented with db" >&5 -echo $ECHO_N "checking if ndbm is implemented with db... $ECHO_C" >&6 - if test "$cross_compiling" = yes; then - { { echo "$as_me:9519: error: cannot run test program while cross compiling" >&5 -echo "$as_me: error: cannot run test program while cross compiling" >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -#line 9524 "configure" -#include "confdefs.h" - -#include -#include -#if defined(HAVE_GDBM_NDBM_H) -#include -#elif defined(HAVE_NDBM_H) -#include -#elif defined(HAVE_DBM_H) -#include -#endif -int main() -{ - DBM *d; - - d = dbm_open("conftest", O_RDWR | O_CREAT, 0666); - if (d == NULL) - return 1; - dbm_close(d); - return 0; -} -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:9548: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:9551: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:9553: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9556: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - - if test -f conftest.db; then - echo "$as_me:9560: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF -#define HAVE_NEW_DB 1 -_ACEOF - - else - echo "$as_me:9568: result: no" >&5 -echo "${ECHO_T}no" >&6 - fi -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -echo "$as_me:9576: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi - - - -if test "$db_type" = db1; then - HAVE_DB1_TRUE= - HAVE_DB1_FALSE='#' -else - HAVE_DB1_TRUE='#' - HAVE_DB1_FALSE= -fi - - -if test "$db_type" = db3; then - HAVE_DB3_TRUE= - HAVE_DB3_FALSE='#' -else - HAVE_DB3_TRUE='#' - HAVE_DB3_FALSE= -fi - - -if test "$db_type" = ndbm; then - HAVE_NDBM_TRUE= - HAVE_NDBM_FALSE='#' -else - HAVE_NDBM_TRUE='#' - HAVE_NDBM_FALSE= -fi - -DBLIB="$LDFLAGS $DBLIB" - - - - - -echo "$as_me:9617: checking for inline" >&5 -echo $ECHO_N "checking for inline... $ECHO_C" >&6 -if test "${ac_cv_c_inline+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_c_inline=no -for ac_kw in inline __inline__ __inline; do - cat >conftest.$ac_ext <<_ACEOF -#line 9625 "configure" -#include "confdefs.h" -#ifndef __cplusplus -static $ac_kw int static_foo () {return 0; } -$ac_kw int foo () {return 0; } -#endif - -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:9634: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:9637: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:9640: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9643: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_c_inline=$ac_kw; break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext -done - -fi -echo "$as_me:9654: result: $ac_cv_c_inline" >&5 -echo "${ECHO_T}$ac_cv_c_inline" >&6 -case $ac_cv_c_inline in - inline | yes) ;; - no) -cat >>confdefs.h <<\_ACEOF -#define inline -_ACEOF - ;; - *) cat >>confdefs.h <<_ACEOF -#define inline $ac_cv_c_inline -_ACEOF - ;; -esac - -echo "$as_me:9669: checking for an ANSI C-conforming const" >&5 -echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6 -if test "${ac_cv_c_const+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9675 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* FIXME: Include the comments suggested by Paul. */ -#ifndef __cplusplus - /* Ultrix mips cc rejects this. */ - typedef int charset[2]; - const charset x; - /* SunOS 4.1.1 cc rejects this. */ - char const *const *ccp; - char **p; - /* NEC SVR4.0.2 mips cc rejects this. */ - struct point {int x, y;}; - static struct point const zero = {0,0}; - /* AIX XL C 1.02.0.0 rejects this. - It does not let you subtract one const X* pointer from another in - an arm of an if-expression whose if-part is not a constant - expression */ - const char *g = "string"; - ccp = &g + (g ? g-g : 0); - /* HPUX 7.0 cc rejects these. */ - ++ccp; - p = (char**) ccp; - ccp = (char const *const *) p; - { /* SCO 3.2v4 cc rejects this. */ - char *t; - char const *s = 0 ? (char *) 0 : (char const *) 0; - - *t++ = 0; - } - { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ - int x[] = {25, 17}; - const int *foo = &x[0]; - ++foo; - } - { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. 
*/ - typedef const int *iptr; - iptr p = 0; - ++p; - } - { /* AIX XL C 1.02.0.0 rejects this saying - "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; }; - struct s *b; b->j = 5; - } - { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ - const int foo = 10; - } -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:9739: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:9742: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:9745: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9748: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_c_const=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_c_const=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:9758: result: $ac_cv_c_const" >&5 -echo "${ECHO_T}$ac_cv_c_const" >&6 -if test $ac_cv_c_const = no; then - -cat >>confdefs.h <<\_ACEOF -#define const -_ACEOF - -fi - -echo "$as_me:9768: checking for size_t" >&5 -echo $ECHO_N "checking for size_t... $ECHO_C" >&6 -if test "${ac_cv_type_size_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9774 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((size_t *) 0) - return 0; -if (sizeof (size_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:9795: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:9798: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:9801: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9804: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_size_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_size_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:9814: result: $ac_cv_type_size_t" >&5 -echo "${ECHO_T}$ac_cv_type_size_t" >&6 -if test $ac_cv_type_size_t = yes; then - : -else - -cat >>confdefs.h <<_ACEOF -#define size_t unsigned -_ACEOF - -fi - -echo "$as_me:9826: checking for pid_t" >&5 -echo $ECHO_N "checking for pid_t... $ECHO_C" >&6 -if test "${ac_cv_type_pid_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9832 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((pid_t *) 0) - return 0; -if (sizeof (pid_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:9853: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:9856: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:9859: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9862: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_pid_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_pid_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:9872: result: $ac_cv_type_pid_t" >&5 -echo "${ECHO_T}$ac_cv_type_pid_t" >&6 -if test $ac_cv_type_pid_t = yes; then - : -else - -cat >>confdefs.h <<_ACEOF -#define pid_t int -_ACEOF - -fi - -echo "$as_me:9884: checking for uid_t in sys/types.h" >&5 -echo $ECHO_N "checking for uid_t in sys/types.h... 
$ECHO_C" >&6 -if test "${ac_cv_type_uid_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9890 "configure" -#include "confdefs.h" -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "uid_t" >/dev/null 2>&1; then - ac_cv_type_uid_t=yes -else - ac_cv_type_uid_t=no -fi -rm -f conftest* - -fi -echo "$as_me:9904: result: $ac_cv_type_uid_t" >&5 -echo "${ECHO_T}$ac_cv_type_uid_t" >&6 -if test $ac_cv_type_uid_t = no; then - -cat >>confdefs.h <<\_ACEOF -#define uid_t int -_ACEOF - - -cat >>confdefs.h <<\_ACEOF -#define gid_t int -_ACEOF - -fi - - -echo "$as_me:9920: checking return type of signal handlers" >&5 -echo $ECHO_N "checking return type of signal handlers... $ECHO_C" >&6 -if test "${ac_cv_type_signal+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9926 "configure" -#include "confdefs.h" -#include -#include -#ifdef signal -# undef signal -#endif -#ifdef __cplusplus -extern "C" void (*signal (int, void (*)(int)))(int); -#else -void (*signal ()) (); -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -int i; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:9954: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:9957: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:9960: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:9963: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_signal=void -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_signal=int -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:9973: result: $ac_cv_type_signal" >&5 -echo "${ECHO_T}$ac_cv_type_signal" >&6 - -cat >>confdefs.h <<_ACEOF -#define RETSIGTYPE $ac_cv_type_signal -_ACEOF - - -if test "$ac_cv_type_signal" = "void" ; then - -cat >>confdefs.h <<\_ACEOF -#define VOID_RETSIGTYPE 1 -_ACEOF - -fi - - - - -echo "$as_me:9992: checking whether time.h and sys/time.h may both be included" >&5 -echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6 -if test "${ac_cv_header_time+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 9998 "configure" -#include "confdefs.h" -#include -#include -#include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct tm *) 0) -return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10020: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10023: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10026: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10029: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_header_time=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_header_time=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:10039: result: $ac_cv_header_time" >&5 -echo "${ECHO_T}$ac_cv_header_time" >&6 -if test $ac_cv_header_time = yes; then - -cat >>confdefs.h <<\_ACEOF -#define TIME_WITH_SYS_TIME 1 -_ACEOF - -fi - - - -for ac_header in standards.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:10055: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:10060: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:10064: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 10067 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10073: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10076: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10079: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10082: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:10091: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:10095: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... 
$ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 10098 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:10102: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:10108: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:10126: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:10132: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:10134: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:10137: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:10139: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:10141: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:10144: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:10151: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - -for i in netinet/ip.h netinet/tcp.h; do - -cv=`echo "$i" | sed 'y%./+-%__p_%'` - -echo "$as_me:10168: checking for $i" >&5 -echo $ECHO_N "checking for $i... $ECHO_C" >&6 -if eval "test \"\${ac_cv_header_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 10174 "configure" -#include "confdefs.h" -\ -#ifdef HAVE_STANDARDS_H -#include -#endif -#include <$i> - -_ACEOF -if { (eval echo "$as_me:10183: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:10189: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - eval "ac_cv_header_$cv=yes" -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - eval "ac_cv_header_$cv=no" -fi -rm -f conftest.err conftest.$ac_ext -fi -echo "$as_me:10208: result: `eval echo '${'ac_cv_header_$cv'}'`" >&5 -echo "${ECHO_T}`eval echo '${'ac_cv_header_$cv'}'`" >&6 -ac_res=`eval echo \\$ac_cv_header_$cv` -if test "$ac_res" = yes; then - ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` - cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi -done -if false;then - - -for ac_header in netinet/ip.h netinet/tcp.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:10226: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:10231: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:10235: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 10238 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10244: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10247: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10250: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10253: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:10262: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:10266: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 10269 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:10273: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:10279: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:10297: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:10303: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} - { echo "$as_me:10305: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:10308: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:10310: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:10312: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:10315: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:10322: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - -fi - - - - -for ac_func in getlogin setlogin -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:10343: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 10349 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:10386: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:10389: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:10392: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10395: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:10405: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -if test "$ac_cv_func_getlogin" = yes; then -echo "$as_me:10416: checking if getlogin is posix" >&5 -echo $ECHO_N "checking if getlogin is posix... 
$ECHO_C" >&6 -if test "${ac_cv_func_getlogin_posix+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then - ac_cv_func_getlogin_posix=no -else - ac_cv_func_getlogin_posix=yes -fi - -fi -echo "$as_me:10429: result: $ac_cv_func_getlogin_posix" >&5 -echo "${ECHO_T}$ac_cv_func_getlogin_posix" >&6 -if test "$ac_cv_func_getlogin_posix" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define POSIX_GETLOGIN 1 -_ACEOF - -fi -fi - - -echo "$as_me:10441: checking if realloc if broken" >&5 -echo $ECHO_N "checking if realloc if broken... $ECHO_C" >&6 -if test "${ac_cv_func_realloc_broken+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -ac_cv_func_realloc_broken=no -if test "$cross_compiling" = yes; then - : -else - cat >conftest.$ac_ext <<_ACEOF -#line 10452 "configure" -#include "confdefs.h" - -#include -#include - -int main() -{ - return realloc(NULL, 17) == NULL; -} - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:10465: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:10468: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:10470: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10473: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_func_realloc_broken=yes -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - -fi -echo "$as_me:10487: result: $ac_cv_func_realloc_broken" >&5 -echo "${ECHO_T}$ac_cv_func_realloc_broken" >&6 -if test "$ac_cv_func_realloc_broken" = yes ; then - -cat >>confdefs.h <<\_ACEOF -#define BROKEN_REALLOC 1 -_ACEOF - -fi - - - - - - - -DIR_roken=roken -LIB_roken='$(top_builddir)/lib/roken/libroken.la' -INCLUDES_roken='-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken' - - - - - - - - - - - - - - -WFLAGS_NOUNUSED="" -WFLAGS_NOIMPLICITINT="" -if test -z "$WFLAGS" -a "$GCC" = "yes"; then - # -Wno-implicit-int for broken X11 headers - # leave these out for now: - # -Wcast-align doesn't work well on alpha osf/1 - # -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast - # -Wmissing-declarations -Wnested-externs - WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs" - WFLAGS_NOUNUSED="-Wno-unused" - WFLAGS_NOIMPLICITINT="-Wno-implicit-int" -fi - - - - - - - - -cv=`echo "ssize_t" | sed 'y%./+- %__p__%'` -echo "$as_me:10541: checking for ssize_t" >&5 -echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 10547 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -ssize_t foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10570: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10573: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10576: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10579: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:10590: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo ssize_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:10595: checking for ssize_t" >&5 -echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6 -if test "${ac_cv_type_ssize_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 10601 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((ssize_t *) 0) - return 0; -if (sizeof (ssize_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10622: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10625: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10628: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10631: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_ssize_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_ssize_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:10641: result: $ac_cv_type_ssize_t" >&5 -echo "${ECHO_T}$ac_cv_type_ssize_t" >&6 -if test $ac_cv_type_ssize_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SSIZE_T 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - - - -cv=`echo "long long" | sed 'y%./+- %__p__%'` -echo "$as_me:10665: checking for long long" >&5 -echo $ECHO_N "checking for long long... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 10671 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -long long foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10694: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10697: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10700: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10703: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:10714: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:10719: checking for long long" >&5 -echo $ECHO_N "checking for long long... 
$ECHO_C" >&6 -if test "${ac_cv_type_long_long+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 10725 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((long long *) 0) - return 0; -if (sizeof (long long)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10746: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10749: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10752: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10755: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_long_long=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_long_long=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:10765: result: $ac_cv_type_long_long" >&5 -echo "${ECHO_T}$ac_cv_type_long_long" >&6 -if test $ac_cv_type_long_long = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_LONG_LONG 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -for ac_header in \ - arpa/inet.h \ - arpa/nameser.h \ - config.h \ - crypt.h \ - dirent.h \ - errno.h \ - err.h \ - fcntl.h \ - grp.h \ - ifaddrs.h \ - net/if.h \ - netdb.h \ - netinet/in.h \ - netinet/in6.h \ - netinet/in_systm.h \ - netinet6/in6.h \ - netinet6/in6_var.h \ - paths.h \ - pwd.h \ - resolv.h \ - rpcsvc/ypclnt.h \ - shadow.h \ - sys/bswap.h \ - sys/ioctl.h \ - sys/param.h \ - sys/proc.h \ - sys/resource.h \ - sys/socket.h \ - sys/sockio.h \ - sys/stat.h \ - sys/sysctl.h \ - sys/time.h \ - sys/tty.h \ - sys/types.h \ - sys/uio.h \ - sys/utsname.h \ - sys/wait.h \ - syslog.h \ - 
termios.h \ - unistd.h \ - userconf.h \ - usersec.h \ - util.h \ - vis.h \ - -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:10883: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:10888: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:10892: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 10895 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:10901: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:10904: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10907: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:10910: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:10919: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:10923: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 10926 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:10930: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:10936: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:10954: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:10960: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:10962: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:10965: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:10967: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:10969: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:10972: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:10979: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - - - - -if test "$ac_cv_header_err_h" = yes; then - have_err_h_TRUE= - have_err_h_FALSE='#' -else - have_err_h_TRUE='#' - have_err_h_FALSE= -fi - - - -if test "$ac_cv_header_fnmatch_h" = yes; then - have_fnmatch_h_TRUE= - have_fnmatch_h_FALSE='#' -else - have_fnmatch_h_TRUE='#' - have_fnmatch_h_FALSE= -fi - - - -if test "$ac_cv_header_ifaddrs_h" = yes; then - have_ifaddrs_h_TRUE= - have_ifaddrs_h_FALSE='#' -else - have_ifaddrs_h_TRUE='#' - have_ifaddrs_h_FALSE= -fi - - - -if test "$ac_cv_header_vis_h" = yes; then - have_vis_h_TRUE= - have_vis_h_FALSE='#' -else - have_vis_h_TRUE='#' - have_vis_h_FALSE= -fi - - - - - - - -echo "$as_me:11041: checking for socket" >&5 -echo $ECHO_N "checking for socket... $ECHO_C" >&6 -if test "${ac_cv_funclib_socket+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_socket\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" socket; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 11059 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -socket() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11077: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11080: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11083: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11086: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_socket" - -if false; then - -for ac_func in socket -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:11109: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 11115 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11152: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11155: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11158: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11161: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:11171: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# socket -eval "ac_tr_func=HAVE_`echo socket | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_socket=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_socket=yes" - eval "LIB_socket=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:11195: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_socket=no" - eval "LIB_socket=" - echo "$as_me:11201: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_socket=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:11215: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_socket"; then - LIBS="$LIB_socket $LIBS" -fi - - - - - -echo "$as_me:11229: 
checking for gethostbyname" >&5 -echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6 -if test "${ac_cv_funclib_gethostbyname+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_gethostbyname\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" nsl; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 11247 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -gethostbyname() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11265: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11268: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11271: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11274: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_gethostbyname" - -if false; then - -for ac_func in gethostbyname -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:11297: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 11303 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11340: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11343: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11346: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11349: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:11359: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# gethostbyname -eval "ac_tr_func=HAVE_`echo gethostbyname | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_gethostbyname=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_gethostbyname=yes" - eval "LIB_gethostbyname=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:11383: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_gethostbyname=no" - eval "LIB_gethostbyname=" - echo "$as_me:11389: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_gethostbyname=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:11403: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_gethostbyname"; then - LIBS="$LIB_gethostbyname $LIBS" -fi - - - - - -echo "$as_me:11417: checking for syslog" >&5 -echo $ECHO_N "checking for syslog... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_syslog+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_syslog\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" syslog; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 11435 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -syslog() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11453: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11456: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11459: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11462: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_syslog" - -if false; then - -for ac_func in syslog -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:11485: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 11491 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11528: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11531: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11534: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11537: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:11547: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# syslog -eval "ac_tr_func=HAVE_`echo syslog | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_syslog=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_syslog=yes" - eval "LIB_syslog=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:11571: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_syslog=no" - eval "LIB_syslog=" - echo "$as_me:11577: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_syslog=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:11591: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_syslog"; then - LIBS="$LIB_syslog $LIBS" -fi - - - - -# Check whether --with-ipv6 or --without-ipv6 was given. -if test "${with_ipv6+set}" = set; then - withval="$with_ipv6" - -if test "$withval" = "no"; then - ac_cv_lib_ipv6=no -fi -fi; -save_CFLAGS="${CFLAGS}" -echo "$as_me:11613: checking for IPv6 stack type" >&5 -echo $ECHO_N "checking for IPv6 stack type... 
$ECHO_C" >&6 -if test "${v6type+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - v6type=unknown -v6lib=none - -for i in v6d toshiba kame inria zeta linux; do - case $i in - v6d) - cat >conftest.$ac_ext <<_ACEOF -#line 11625 "configure" -#include "confdefs.h" - -#include -#ifdef __V6D__ -yes -#endif -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - v6type=$i; v6lib=v6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-I/usr/local/v6/include $CFLAGS" -fi -rm -f conftest* - - ;; - toshiba) - cat >conftest.$ac_ext <<_ACEOF -#line 11644 "configure" -#include "confdefs.h" - -#include -#ifdef _TOSHIBA_INET6 -yes -#endif -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - v6type=$i; v6lib=inet6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-DINET6 $CFLAGS" -fi -rm -f conftest* - - ;; - kame) - cat >conftest.$ac_ext <<_ACEOF -#line 11663 "configure" -#include "confdefs.h" - -#include -#ifdef __KAME__ -yes -#endif -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - v6type=$i; v6lib=inet6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-DINET6 $CFLAGS" -fi -rm -f conftest* - - ;; - inria) - cat >conftest.$ac_ext <<_ACEOF -#line 11682 "configure" -#include "confdefs.h" - -#include -#ifdef IPV6_INRIA_VERSION -yes -#endif -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - v6type=$i; CFLAGS="-DINET6 $CFLAGS" -fi -rm -f conftest* - - ;; - zeta) - cat >conftest.$ac_ext <<_ACEOF -#line 11699 "configure" -#include "confdefs.h" - -#include -#ifdef _ZETA_MINAMI_INET6 -yes -#endif -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - v6type=$i; v6lib=inet6; - v6libdir=/usr/local/v6/lib; - CFLAGS="-DINET6 $CFLAGS" -fi -rm -f conftest* - - ;; - linux) - if test -d /usr/inet6; then - v6type=$i - v6lib=inet6 - v6libdir=/usr/inet6 - CFLAGS="-DINET6 $CFLAGS" - fi - ;; - esac - if test "$v6type" != 
"unknown"; then - break - fi -done - -if test "$v6lib" != "none"; then - for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do - if test -d $dir -a -f $dir/lib$v6lib.a; then - LIBS="-L$dir -l$v6lib $LIBS" - break - fi - done -fi - -fi -echo "$as_me:11740: result: $v6type" >&5 -echo "${ECHO_T}$v6type" >&6 - -echo "$as_me:11743: checking for IPv6" >&5 -echo $ECHO_N "checking for IPv6... $ECHO_C" >&6 -if test "${ac_cv_lib_ipv6+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 11750 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - struct sockaddr_in6 sin6; - int s; - - s = socket(AF_INET6, SOCK_DGRAM, 0); - - sin6.sin6_family = AF_INET6; - sin6.sin6_port = htons(17); - sin6.sin6_addr = in6addr_any; - bind(s, (struct sockaddr *)&sin6, sizeof(sin6)); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11791: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11794: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11797: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11800: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_ipv6=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_ipv6=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:11810: result: $ac_cv_lib_ipv6" >&5 -echo "${ECHO_T}$ac_cv_lib_ipv6" >&6 -if test "$ac_cv_lib_ipv6" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_IPV6 1 -_ACEOF - -else - CFLAGS="${save_CFLAGS}" -fi - -if test "$ac_cv_lib_ipv6" = yes; then - echo "$as_me:11823: checking for in6addr_loopback" >&5 -echo $ECHO_N "checking for in6addr_loopback... $ECHO_C" >&6 -if test "${ac_cv_var_in6addr_loopback+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - - cat >conftest.$ac_ext <<_ACEOF -#line 11830 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_NETINET_IN6_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -struct sockaddr_in6 sin6; -sin6.sin6_addr = in6addr_loopback; - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11863: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11866: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11869: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11872: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var_in6addr_loopback=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var_in6addr_loopback=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:11882: result: $ac_cv_var_in6addr_loopback" >&5 -echo "${ECHO_T}$ac_cv_var_in6addr_loopback" >&6 - if test "$ac_cv_var_in6addr_loopback" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_IN6ADDR_LOOPBACK 1 -_ACEOF - - fi -fi - - - - - - -echo "$as_me:11898: checking for gethostbyname2" >&5 -echo $ECHO_N "checking for gethostbyname2... $ECHO_C" >&6 -if test "${ac_cv_funclib_gethostbyname2+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_gethostbyname2\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" inet6 ip6; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 11916 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -gethostbyname2() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:11934: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:11937: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:11940: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:11943: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname2=$ac_lib; else ac_cv_funclib_gethostbyname2=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_gethostbyname2=\${ac_cv_funclib_gethostbyname2-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_gethostbyname2" - -if false; then - -for ac_func in gethostbyname2 -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:11966: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 11972 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:12009: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12012: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:12015: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12018: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:12028: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# gethostbyname2 -eval "ac_tr_func=HAVE_`echo gethostbyname2 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_gethostbyname2=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_gethostbyname2=yes" - eval "LIB_gethostbyname2=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:12052: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_gethostbyname2=no" - eval "LIB_gethostbyname2=" - echo "$as_me:12058: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_gethostbyname2=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:12072: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_gethostbyname2"; then - LIBS="$LIB_gethostbyname2 $LIBS" -fi - - - - - - -echo "$as_me:12087: checking for res_search" >&5 -echo $ECHO_N "checking for res_search... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_res_search+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_res_search\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" resolv; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 12105 "configure" -#include "confdefs.h" - -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -res_search(0,0,0,0,0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:12137: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12140: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:12143: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12146: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_res_search" - -if false; then - -for ac_func in res_search -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:12169: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 12175 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:12212: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12215: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:12218: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12221: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:12231: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# res_search -eval "ac_tr_func=HAVE_`echo res_search | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_res_search=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_res_search=yes" - eval "LIB_res_search=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:12255: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_res_search=no" - eval "LIB_res_search=" - echo "$as_me:12261: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_res_search=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:12275: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_res_search"; then - LIBS="$LIB_res_search $LIBS" -fi - - - - - - -echo "$as_me:12290: checking for dn_expand" >&5 -echo $ECHO_N "checking for dn_expand... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_dn_expand+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" resolv; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 12308 "configure" -#include "confdefs.h" - -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dn_expand(0,0,0,0,0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:12340: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12343: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:12346: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12349: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_dn_expand" - -if false; then - -for ac_func in dn_expand -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:12372: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 12378 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:12415: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12418: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:12421: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12424: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:12434: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# dn_expand -eval "ac_tr_func=HAVE_`echo dn_expand | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_dn_expand=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_dn_expand=yes" - eval "LIB_dn_expand=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:12458: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_dn_expand=no" - eval "LIB_dn_expand=" - echo "$as_me:12464: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_dn_expand=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:12478: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_dn_expand"; then - LIBS="$LIB_dn_expand $LIBS" -fi - - - -echo "$as_me:12490: checking for _res" >&5 -echo $ECHO_N "checking for _res... 
$ECHO_C" >&6 -if test "${ac_cv_var__res+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 12497 "configure" -#include "confdefs.h" -extern int _res; -int foo() { return _res; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:12516: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12519: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:12522: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12525: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var__res=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var__res=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - -fi - -ac_foo=`eval echo \\$ac_cv_var__res` -echo "$as_me:12538: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE__RES 1 -_ACEOF - - -echo "$as_me:12547: checking if _res is properly declared" >&5 -echo $ECHO_N "checking if _res is properly declared... 
$ECHO_C" >&6 -if test "${ac_cv_var__res_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 12554 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_NAMESER_H -#include -#endif -#ifdef HAVE_RESOLV_H -#include -#endif -extern struct { int foo; } _res; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -_res.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:12585: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:12588: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12591: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12594: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var__res_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var__res_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:12609: result: $ac_cv_var__res_declaration" >&5 -echo "${ECHO_T}$ac_cv_var__res_declaration" >&6 -if eval "test \"\$ac_cv_var__res_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE__RES_DECLARATION 1 -_ACEOF - -fi - - -fi - - - - -echo "$as_me:12625: checking for working snprintf" >&5 -echo $ECHO_N "checking for working snprintf... 
$ECHO_C" >&6 -if test "${ac_cv_func_snprintf_working+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_func_snprintf_working=yes -if test "$cross_compiling" = yes; then - : -else - cat >conftest.$ac_ext <<_ACEOF -#line 12635 "configure" -#include "confdefs.h" - -#include -#include -int main() -{ - char foo[3]; - snprintf(foo, 2, "12"); - return strcmp(foo, "1"); -} -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:12648: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12651: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:12653: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12656: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_func_snprintf_working=no -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -echo "$as_me:12669: result: $ac_cv_func_snprintf_working" >&5 -echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6 - -if test "$ac_cv_func_snprintf_working" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SNPRINTF 1 -_ACEOF - -fi -if test "$ac_cv_func_snprintf_working" = yes; then - -if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then -echo "$as_me:12682: checking if snprintf needs a prototype" >&5 -echo $ECHO_N "checking if snprintf needs a prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_snprintf_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 12688 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int snprintf (struct foo*); -snprintf(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:12709: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:12712: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12715: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12718: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_snprintf_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_snprintf_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:12728: result: $ac_cv_func_snprintf_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6 -if test "$ac_cv_func_snprintf_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_SNPRINTF_PROTO 1 -_ACEOF - -fi -fi - -fi - - -echo "$as_me:12742: checking for working vsnprintf" >&5 -echo $ECHO_N "checking for working vsnprintf... $ECHO_C" >&6 -if test "${ac_cv_func_vsnprintf_working+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_func_vsnprintf_working=yes -if test "$cross_compiling" = yes; then - : -else - cat >conftest.$ac_ext <<_ACEOF -#line 12752 "configure" -#include "confdefs.h" - -#include -#include -#include - -int foo(int num, ...) 
-{ - char bar[3]; - va_list arg; - va_start(arg, num); - vsnprintf(bar, 2, "%s", arg); - va_end(arg); - return strcmp(bar, "1"); -} - - -int main() -{ - return foo(0, "12"); -} -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:12776: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12779: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:12781: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12784: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_func_vsnprintf_working=no -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -echo "$as_me:12797: result: $ac_cv_func_vsnprintf_working" >&5 -echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6 - -if test "$ac_cv_func_vsnprintf_working" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_VSNPRINTF 1 -_ACEOF - -fi -if test "$ac_cv_func_vsnprintf_working" = yes; then - -if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then -echo "$as_me:12810: checking if vsnprintf needs a prototype" >&5 -echo $ECHO_N "checking if vsnprintf needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_vsnprintf_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 12816 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int vsnprintf (struct foo*); -vsnprintf(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:12837: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:12840: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12843: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12846: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_vsnprintf_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_vsnprintf_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:12856: result: $ac_cv_func_vsnprintf_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6 -if test "$ac_cv_func_vsnprintf_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_VSNPRINTF_PROTO 1 -_ACEOF - -fi -fi - -fi - - - -echo "$as_me:12871: checking for working glob" >&5 -echo $ECHO_N "checking for working glob... $ECHO_C" >&6 -if test "${ac_cv_func_glob_working+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_func_glob_working=yes -cat >conftest.$ac_ext <<_ACEOF -#line 12878 "configure" -#include "confdefs.h" - -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE| -#ifdef GLOB_MAXPATH -GLOB_MAXPATH -#else -GLOB_LIMIT -#endif -, -NULL, NULL); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:12907: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:12910: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:12913: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12916: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_glob_working=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:12926: result: $ac_cv_func_glob_working" >&5 -echo "${ECHO_T}$ac_cv_func_glob_working" >&6 - -if test "$ac_cv_func_glob_working" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_GLOB 1 -_ACEOF - -fi -if test "$ac_cv_func_glob_working" = yes; then - -if test "$ac_cv_func_glob+set" != set -o "$ac_cv_func_glob" = yes; then -echo "$as_me:12939: checking if glob needs a prototype" >&5 -echo $ECHO_N "checking if glob needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_glob_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 12945 "configure" -#include "confdefs.h" -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int glob (struct foo*); -glob(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:12967: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:12970: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12973: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:12976: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_glob_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_glob_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:12986: result: $ac_cv_func_glob_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_glob_noproto" >&6 -if test "$ac_cv_func_glob_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_GLOB_PROTO 1 -_ACEOF - -fi -fi - -fi - -if test "$ac_cv_func_glob_working" != yes; then - LIBOBJS="$LIBOBJS glob.$ac_objext" -fi - - -if test "$ac_cv_func_glob_working" = yes; then - have_glob_h_TRUE= - have_glob_h_FALSE='#' -else - have_glob_h_TRUE='#' - have_glob_h_FALSE= -fi - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -for ac_func in \ - asnprintf \ - asprintf \ - atexit \ - cgetent \ - getconfattr \ - getprogname \ - getrlimit \ - getspnam \ - initstate \ - issetugid \ - on_exit \ - random \ - setprogname \ - setstate \ - strsvis \ - strunvis \ - strvis \ - strvisx \ - svis \ - sysconf \ - sysctl \ - uname \ - unvis \ - vasnprintf \ - vasprintf \ - vis \ - -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:13070: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13076 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:13113: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:13116: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:13119: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13122: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:13132: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - -if test "$ac_cv_func_cgetent" = no; then - LIBOBJS="$LIBOBJS getcap.$ac_objext" -fi - - - - - - -echo "$as_me:13152: checking for getsockopt" >&5 -echo $ECHO_N "checking for getsockopt... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_getsockopt+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 13170 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -getsockopt(0,0,0,0,0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:13193: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:13196: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:13199: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13202: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_getsockopt" - -if false; then - -for ac_func in getsockopt -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:13225: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13231 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:13268: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:13271: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:13274: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13277: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:13287: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# getsockopt -eval "ac_tr_func=HAVE_`echo getsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_getsockopt=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_getsockopt=yes" - eval "LIB_getsockopt=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:13311: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_getsockopt=no" - eval "LIB_getsockopt=" - echo "$as_me:13317: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_getsockopt=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:13331: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - -echo "$as_me:13340: checking for setsockopt" >&5 -echo $ECHO_N "checking for setsockopt... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_setsockopt+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 13358 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -setsockopt(0,0,0,0,0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:13381: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:13384: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:13387: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13390: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_setsockopt" - -if false; then - -for ac_func in setsockopt -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:13413: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13419 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:13456: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:13459: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:13462: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13465: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:13475: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# setsockopt -eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_setsockopt=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_setsockopt=yes" - eval "LIB_setsockopt=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:13499: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_setsockopt=no" - eval "LIB_setsockopt=" - echo "$as_me:13505: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_setsockopt=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:13519: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - - - -echo "$as_me:13530: checking for hstrerror" >&5 -echo $ECHO_N "checking for hstrerror... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_hstrerror+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_hstrerror\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" resolv; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 13548 "configure" -#include "confdefs.h" -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -hstrerror(17) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:13568: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:13571: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:13574: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13577: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_hstrerror=$ac_lib; else ac_cv_funclib_hstrerror=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_hstrerror=\${ac_cv_funclib_hstrerror-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_hstrerror" - -if false; then - -for ac_func in hstrerror -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:13600: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13606 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:13643: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:13646: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:13649: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13652: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:13662: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# hstrerror -eval "ac_tr_func=HAVE_`echo hstrerror | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_hstrerror=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_hstrerror=yes" - eval "LIB_hstrerror=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:13686: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_hstrerror=no" - eval "LIB_hstrerror=" - echo "$as_me:13692: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_hstrerror=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:13706: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_hstrerror"; then - LIBS="$LIB_hstrerror $LIBS" -fi - -if eval "test \"$ac_cv_func_hstrerror\" != yes"; then - LIBOBJS="$LIBOBJS hstrerror.$ac_objext" -fi - - -if test "$ac_cv_func_hstrerror+set" != set -o "$ac_cv_func_hstrerror" = yes; then -echo "$as_me:13722: checking if hstrerror needs a prototype" >&5 -echo $ECHO_N "checking if hstrerror needs a prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_hstrerror_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13728 "configure" -#include "confdefs.h" - -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int hstrerror (struct foo*); -hstrerror(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:13752: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:13755: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13758: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13761: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_hstrerror_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_hstrerror_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:13771: result: $ac_cv_func_hstrerror_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_hstrerror_noproto" >&6 -if test "$ac_cv_func_hstrerror_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_HSTRERROR_PROTO 1 -_ACEOF - -fi -fi - - - -if test "$ac_cv_func_asprintf+set" != set -o "$ac_cv_func_asprintf" = yes; then -echo "$as_me:13785: checking if asprintf needs a prototype" >&5 -echo $ECHO_N "checking if asprintf needs a prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_asprintf_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13791 "configure" -#include "confdefs.h" - - #include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int asprintf (struct foo*); -asprintf(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:13814: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:13817: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13820: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13823: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_asprintf_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_asprintf_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:13833: result: $ac_cv_func_asprintf_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_asprintf_noproto" >&6 -if test "$ac_cv_func_asprintf_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_ASPRINTF_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then -echo "$as_me:13845: checking if vasprintf needs a prototype" >&5 -echo $ECHO_N "checking if vasprintf needs a prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_vasprintf_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13851 "configure" -#include "confdefs.h" - - #include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int vasprintf (struct foo*); -vasprintf(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:13874: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:13877: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13880: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13883: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_vasprintf_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_vasprintf_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:13893: result: $ac_cv_func_vasprintf_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_vasprintf_noproto" >&6 -if test "$ac_cv_func_vasprintf_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_VASPRINTF_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then -echo "$as_me:13905: checking if asnprintf needs a prototype" >&5 -echo $ECHO_N "checking if asnprintf needs a prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_asnprintf_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13911 "configure" -#include "confdefs.h" - - #include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int asnprintf (struct foo*); -asnprintf(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:13934: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:13937: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13940: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:13943: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_asnprintf_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_asnprintf_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:13953: result: $ac_cv_func_asnprintf_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_asnprintf_noproto" >&6 -if test "$ac_cv_func_asnprintf_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_ASNPRINTF_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then -echo "$as_me:13965: checking if vasnprintf needs a prototype" >&5 -echo $ECHO_N "checking if vasnprintf needs a prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_vasnprintf_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 13971 "configure" -#include "confdefs.h" - - #include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int vasnprintf (struct foo*); -vasnprintf(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:13994: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:13997: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:14000: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14003: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_vasnprintf_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_vasnprintf_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:14013: result: $ac_cv_func_vasnprintf_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_vasnprintf_noproto" >&6 -if test "$ac_cv_func_vasnprintf_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_VASNPRINTF_PROTO 1 -_ACEOF - -fi -fi - - - - - -echo "$as_me:14028: checking for bswap16" >&5 -echo $ECHO_N "checking for bswap16... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_bswap16+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_bswap16\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 14046 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_BSWAP_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -bswap16(0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14066: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14069: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14072: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14075: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_bswap16=$ac_lib; else ac_cv_funclib_bswap16=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_bswap16=\${ac_cv_funclib_bswap16-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_bswap16" - -if false; then - -for ac_func in bswap16 -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:14098: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 14104 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14141: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14144: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14147: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14150: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:14160: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# bswap16 -eval "ac_tr_func=HAVE_`echo bswap16 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_bswap16=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_bswap16=yes" - eval "LIB_bswap16=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:14184: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_bswap16=no" - eval "LIB_bswap16=" - echo "$as_me:14190: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_bswap16=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:14204: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - - -echo "$as_me:14214: checking for bswap32" >&5 -echo $ECHO_N "checking for bswap32... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_bswap32+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_bswap32\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 14232 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_BSWAP_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -bswap32(0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14252: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14255: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14258: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14261: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_bswap32=$ac_lib; else ac_cv_funclib_bswap32=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_bswap32=\${ac_cv_funclib_bswap32-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_bswap32" - -if false; then - -for ac_func in bswap32 -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:14284: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 14290 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14327: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14330: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14333: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14336: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:14346: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# bswap32 -eval "ac_tr_func=HAVE_`echo bswap32 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_bswap32=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_bswap32=yes" - eval "LIB_bswap32=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:14370: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_bswap32=no" - eval "LIB_bswap32=" - echo "$as_me:14376: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_bswap32=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:14390: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - - -echo "$as_me:14400: checking for pidfile" >&5 -echo $ECHO_N "checking for pidfile... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_pidfile+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_pidfile\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" util; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 14418 "configure" -#include "confdefs.h" -#ifdef HAVE_UTIL_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -pidfile(0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14438: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14441: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14444: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14447: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_pidfile=$ac_lib; else ac_cv_funclib_pidfile=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_pidfile=\${ac_cv_funclib_pidfile-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_pidfile" - -if false; then - -for ac_func in pidfile -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:14470: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 14476 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14513: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14516: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14519: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14522: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:14532: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# pidfile -eval "ac_tr_func=HAVE_`echo pidfile | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_pidfile=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_pidfile=yes" - eval "LIB_pidfile=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:14556: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_pidfile=no" - eval "LIB_pidfile=" - echo "$as_me:14562: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_pidfile=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:14576: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - - - -echo "$as_me:14587: checking for getaddrinfo" >&5 -echo $ECHO_N "checking for getaddrinfo... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_getaddrinfo+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_getaddrinfo\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 14605 "configure" -#include "confdefs.h" -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -getaddrinfo(0,0,0,0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14625: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14628: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14631: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14634: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_getaddrinfo=$ac_lib; else ac_cv_funclib_getaddrinfo=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_getaddrinfo=\${ac_cv_funclib_getaddrinfo-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_getaddrinfo" - -if false; then - -for ac_func in getaddrinfo -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:14657: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 14663 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14700: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14703: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14706: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14709: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:14719: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# getaddrinfo -eval "ac_tr_func=HAVE_`echo getaddrinfo | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_getaddrinfo=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_getaddrinfo=yes" - eval "LIB_getaddrinfo=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:14743: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_getaddrinfo=no" - eval "LIB_getaddrinfo=" - echo "$as_me:14749: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_getaddrinfo=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:14763: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_getaddrinfo"; then - LIBS="$LIB_getaddrinfo $LIBS" -fi - -if eval "test \"$ac_cv_func_getaddrinfo\" != yes"; then - LIBOBJS="$LIBOBJS getaddrinfo.$ac_objext" -fi - - - - - - -echo "$as_me:14782: checking for getnameinfo" >&5 -echo $ECHO_N "checking for getnameinfo... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_getnameinfo+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_getnameinfo\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 14800 "configure" -#include "confdefs.h" -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -getnameinfo(0,0,0,0,0,0,0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14820: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14823: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14826: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14829: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_getnameinfo=$ac_lib; else ac_cv_funclib_getnameinfo=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_getnameinfo=\${ac_cv_funclib_getnameinfo-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_getnameinfo" - -if false; then - -for ac_func in getnameinfo -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:14852: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 14858 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14895: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:14898: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14901: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:14904: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:14914: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# getnameinfo -eval "ac_tr_func=HAVE_`echo getnameinfo | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_getnameinfo=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_getnameinfo=yes" - eval "LIB_getnameinfo=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:14938: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_getnameinfo=no" - eval "LIB_getnameinfo=" - echo "$as_me:14944: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_getnameinfo=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:14958: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_getnameinfo"; then - LIBS="$LIB_getnameinfo $LIBS" -fi - -if eval "test \"$ac_cv_func_getnameinfo\" != yes"; then - LIBOBJS="$LIBOBJS getnameinfo.$ac_objext" -fi - - - - - - -echo "$as_me:14977: checking for freeaddrinfo" >&5 -echo $ECHO_N "checking for freeaddrinfo... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_freeaddrinfo+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_freeaddrinfo\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 14995 "configure" -#include "confdefs.h" -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -freeaddrinfo(0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15015: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15018: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15021: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15024: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_freeaddrinfo=$ac_lib; else ac_cv_funclib_freeaddrinfo=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_freeaddrinfo=\${ac_cv_funclib_freeaddrinfo-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_freeaddrinfo" - -if false; then - -for ac_func in freeaddrinfo -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:15047: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15053 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15090: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15093: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15096: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15099: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15109: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# freeaddrinfo -eval "ac_tr_func=HAVE_`echo freeaddrinfo | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_freeaddrinfo=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_freeaddrinfo=yes" - eval "LIB_freeaddrinfo=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:15133: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_freeaddrinfo=no" - eval "LIB_freeaddrinfo=" - echo "$as_me:15139: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_freeaddrinfo=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:15153: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_freeaddrinfo"; then - LIBS="$LIB_freeaddrinfo $LIBS" -fi - -if eval "test \"$ac_cv_func_freeaddrinfo\" != yes"; then - LIBOBJS="$LIBOBJS freeaddrinfo.$ac_objext" -fi - - - - - - -echo "$as_me:15172: checking for gai_strerror" >&5 -echo $ECHO_N "checking for gai_strerror... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_gai_strerror+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_gai_strerror\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 15190 "configure" -#include "confdefs.h" -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -gai_strerror(0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15210: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15213: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15216: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15219: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_gai_strerror=$ac_lib; else ac_cv_funclib_gai_strerror=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_gai_strerror=\${ac_cv_funclib_gai_strerror-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_gai_strerror" - -if false; then - -for ac_func in gai_strerror -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:15242: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15248 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15285: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15288: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15291: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15294: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15304: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# gai_strerror -eval "ac_tr_func=HAVE_`echo gai_strerror | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_gai_strerror=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_gai_strerror=yes" - eval "LIB_gai_strerror=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:15328: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_gai_strerror=no" - eval "LIB_gai_strerror=" - echo "$as_me:15334: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_gai_strerror=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:15348: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_gai_strerror"; then - LIBS="$LIB_gai_strerror $LIBS" -fi - -if eval "test \"$ac_cv_func_gai_strerror\" != yes"; then - LIBOBJS="$LIBOBJS gai_strerror.$ac_objext" -fi - - -echo "$as_me:15363: checking for chown" >&5 -echo $ECHO_N "checking for chown... 
$ECHO_C" >&6 -if test "${ac_cv_func_chown+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15369 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char chown (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char chown (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_chown) || defined (__stub___chown) -choke me -#else -f = chown; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15406: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15409: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15412: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15415: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_chown=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_chown=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15425: result: $ac_cv_func_chown" >&5 -echo "${ECHO_T}$ac_cv_func_chown" >&6 -if test $ac_cv_func_chown = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_CHOWN 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS chown.$ac_objext" -fi -echo "$as_me:15436: checking for copyhostent" >&5 -echo $ECHO_N "checking for copyhostent... 
$ECHO_C" >&6 -if test "${ac_cv_func_copyhostent+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15442 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char copyhostent (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char copyhostent (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_copyhostent) || defined (__stub___copyhostent) -choke me -#else -f = copyhostent; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15479: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15482: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15485: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15488: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_copyhostent=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_copyhostent=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15498: result: $ac_cv_func_copyhostent" >&5 -echo "${ECHO_T}$ac_cv_func_copyhostent" >&6 -if test $ac_cv_func_copyhostent = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_COPYHOSTENT 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS copyhostent.$ac_objext" -fi -echo "$as_me:15509: checking for daemon" >&5 -echo $ECHO_N "checking for daemon... $ECHO_C" >&6 -if test "${ac_cv_func_daemon+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15515 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char daemon (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char daemon (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_daemon) || defined (__stub___daemon) -choke me -#else -f = daemon; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15552: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15555: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15558: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15561: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_daemon=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_daemon=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15571: result: $ac_cv_func_daemon" >&5 -echo "${ECHO_T}$ac_cv_func_daemon" >&6 -if test $ac_cv_func_daemon = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_DAEMON 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS daemon.$ac_objext" -fi -echo "$as_me:15582: checking for ecalloc" >&5 -echo $ECHO_N "checking for ecalloc... $ECHO_C" >&6 -if test "${ac_cv_func_ecalloc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15588 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char ecalloc (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char ecalloc (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_ecalloc) || defined (__stub___ecalloc) -choke me -#else -f = ecalloc; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15625: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15628: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15631: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15634: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_ecalloc=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_ecalloc=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15644: result: $ac_cv_func_ecalloc" >&5 -echo "${ECHO_T}$ac_cv_func_ecalloc" >&6 -if test $ac_cv_func_ecalloc = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_ECALLOC 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS ecalloc.$ac_objext" -fi -echo "$as_me:15655: checking for emalloc" >&5 -echo $ECHO_N "checking for emalloc... $ECHO_C" >&6 -if test "${ac_cv_func_emalloc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15661 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char emalloc (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char emalloc (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_emalloc) || defined (__stub___emalloc) -choke me -#else -f = emalloc; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15698: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15701: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15704: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15707: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_emalloc=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_emalloc=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15717: result: $ac_cv_func_emalloc" >&5 -echo "${ECHO_T}$ac_cv_func_emalloc" >&6 -if test $ac_cv_func_emalloc = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_EMALLOC 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS emalloc.$ac_objext" -fi -echo "$as_me:15728: checking for erealloc" >&5 -echo $ECHO_N "checking for erealloc... $ECHO_C" >&6 -if test "${ac_cv_func_erealloc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15734 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char erealloc (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char erealloc (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_erealloc) || defined (__stub___erealloc) -choke me -#else -f = erealloc; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15771: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15774: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15777: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15780: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_erealloc=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_erealloc=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15790: result: $ac_cv_func_erealloc" >&5 -echo "${ECHO_T}$ac_cv_func_erealloc" >&6 -if test $ac_cv_func_erealloc = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_EREALLOC 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS erealloc.$ac_objext" -fi -echo "$as_me:15801: checking for estrdup" >&5 -echo $ECHO_N "checking for estrdup... $ECHO_C" >&6 -if test "${ac_cv_func_estrdup+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15807 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char estrdup (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char estrdup (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_estrdup) || defined (__stub___estrdup) -choke me -#else -f = estrdup; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15844: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15847: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15850: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15853: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_estrdup=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_estrdup=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15863: result: $ac_cv_func_estrdup" >&5 -echo "${ECHO_T}$ac_cv_func_estrdup" >&6 -if test $ac_cv_func_estrdup = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_ESTRDUP 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS estrdup.$ac_objext" -fi -echo "$as_me:15874: checking for err" >&5 -echo $ECHO_N "checking for err... $ECHO_C" >&6 -if test "${ac_cv_func_err+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15880 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char err (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char err (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_err) || defined (__stub___err) -choke me -#else -f = err; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15917: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15920: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15923: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15926: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_err=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_err=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:15936: result: $ac_cv_func_err" >&5 -echo "${ECHO_T}$ac_cv_func_err" >&6 -if test $ac_cv_func_err = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_ERR 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS err.$ac_objext" -fi -echo "$as_me:15947: checking for errx" >&5 -echo $ECHO_N "checking for errx... $ECHO_C" >&6 -if test "${ac_cv_func_errx+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 15953 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char errx (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char errx (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_errx) || defined (__stub___errx) -choke me -#else -f = errx; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15990: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:15993: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15996: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:15999: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_errx=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_errx=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16009: result: $ac_cv_func_errx" >&5 -echo "${ECHO_T}$ac_cv_func_errx" >&6 -if test $ac_cv_func_errx = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_ERRX 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS errx.$ac_objext" -fi -echo "$as_me:16020: checking for fchown" >&5 -echo $ECHO_N "checking for fchown... $ECHO_C" >&6 -if test "${ac_cv_func_fchown+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16026 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char fchown (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char fchown (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_fchown) || defined (__stub___fchown) -choke me -#else -f = fchown; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16063: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16066: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16069: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16072: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_fchown=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_fchown=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16082: result: $ac_cv_func_fchown" >&5 -echo "${ECHO_T}$ac_cv_func_fchown" >&6 -if test $ac_cv_func_fchown = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_FCHOWN 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS fchown.$ac_objext" -fi -echo "$as_me:16093: checking for flock" >&5 -echo $ECHO_N "checking for flock... $ECHO_C" >&6 -if test "${ac_cv_func_flock+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16099 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char flock (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char flock (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_flock) || defined (__stub___flock) -choke me -#else -f = flock; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16136: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16139: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16142: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16145: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_flock=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_flock=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16155: result: $ac_cv_func_flock" >&5 -echo "${ECHO_T}$ac_cv_func_flock" >&6 -if test $ac_cv_func_flock = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_FLOCK 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS flock.$ac_objext" -fi -echo "$as_me:16166: checking for fnmatch" >&5 -echo $ECHO_N "checking for fnmatch... $ECHO_C" >&6 -if test "${ac_cv_func_fnmatch+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16172 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char fnmatch (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char fnmatch (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_fnmatch) || defined (__stub___fnmatch) -choke me -#else -f = fnmatch; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16209: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16212: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16215: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16218: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_fnmatch=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_fnmatch=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16228: result: $ac_cv_func_fnmatch" >&5 -echo "${ECHO_T}$ac_cv_func_fnmatch" >&6 -if test $ac_cv_func_fnmatch = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_FNMATCH 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS fnmatch.$ac_objext" -fi -echo "$as_me:16239: checking for freehostent" >&5 -echo $ECHO_N "checking for freehostent... $ECHO_C" >&6 -if test "${ac_cv_func_freehostent+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16245 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char freehostent (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char freehostent (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_freehostent) || defined (__stub___freehostent) -choke me -#else -f = freehostent; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16282: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16285: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16288: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:16291: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_freehostent=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_freehostent=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16301: result: $ac_cv_func_freehostent" >&5 -echo "${ECHO_T}$ac_cv_func_freehostent" >&6 -if test $ac_cv_func_freehostent = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_FREEHOSTENT 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS freehostent.$ac_objext" -fi -echo "$as_me:16312: checking for getcwd" >&5 -echo $ECHO_N "checking for getcwd... $ECHO_C" >&6 -if test "${ac_cv_func_getcwd+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16318 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getcwd (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getcwd (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getcwd) || defined (__stub___getcwd) -choke me -#else -f = getcwd; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16355: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16358: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16361: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:16364: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getcwd=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getcwd=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16374: result: $ac_cv_func_getcwd" >&5 -echo "${ECHO_T}$ac_cv_func_getcwd" >&6 -if test $ac_cv_func_getcwd = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETCWD 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getcwd.$ac_objext" -fi -echo "$as_me:16385: checking for getdtablesize" >&5 -echo $ECHO_N "checking for getdtablesize... $ECHO_C" >&6 -if test "${ac_cv_func_getdtablesize+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16391 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getdtablesize (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getdtablesize (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getdtablesize) || defined (__stub___getdtablesize) -choke me -#else -f = getdtablesize; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16428: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16431: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16434: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16437: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getdtablesize=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getdtablesize=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16447: result: $ac_cv_func_getdtablesize" >&5 -echo "${ECHO_T}$ac_cv_func_getdtablesize" >&6 -if test $ac_cv_func_getdtablesize = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETDTABLESIZE 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getdtablesize.$ac_objext" -fi -echo "$as_me:16458: checking for getegid" >&5 -echo $ECHO_N "checking for getegid... $ECHO_C" >&6 -if test "${ac_cv_func_getegid+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16464 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getegid (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getegid (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getegid) || defined (__stub___getegid) -choke me -#else -f = getegid; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16501: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? 
- echo "$as_me:16504: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16507: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16510: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getegid=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getegid=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16520: result: $ac_cv_func_getegid" >&5 -echo "${ECHO_T}$ac_cv_func_getegid" >&6 -if test $ac_cv_func_getegid = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETEGID 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getegid.$ac_objext" -fi -echo "$as_me:16531: checking for geteuid" >&5 -echo $ECHO_N "checking for geteuid... $ECHO_C" >&6 -if test "${ac_cv_func_geteuid+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16537 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char geteuid (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char geteuid (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_geteuid) || defined (__stub___geteuid) -choke me -#else -f = geteuid; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16574: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? 
- echo "$as_me:16577: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16580: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16583: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_geteuid=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_geteuid=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16593: result: $ac_cv_func_geteuid" >&5 -echo "${ECHO_T}$ac_cv_func_geteuid" >&6 -if test $ac_cv_func_geteuid = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETEUID 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS geteuid.$ac_objext" -fi -echo "$as_me:16604: checking for getgid" >&5 -echo $ECHO_N "checking for getgid... $ECHO_C" >&6 -if test "${ac_cv_func_getgid+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16610 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getgid (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getgid (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getgid) || defined (__stub___getgid) -choke me -#else -f = getgid; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16647: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16650: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16653: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16656: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getgid=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getgid=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16666: result: $ac_cv_func_getgid" >&5 -echo "${ECHO_T}$ac_cv_func_getgid" >&6 -if test $ac_cv_func_getgid = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETGID 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getgid.$ac_objext" -fi -echo "$as_me:16677: checking for gethostname" >&5 -echo $ECHO_N "checking for gethostname... $ECHO_C" >&6 -if test "${ac_cv_func_gethostname+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16683 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char gethostname (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char gethostname (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_gethostname) || defined (__stub___gethostname) -choke me -#else -f = gethostname; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16720: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? 
- echo "$as_me:16723: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16726: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16729: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_gethostname=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_gethostname=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16739: result: $ac_cv_func_gethostname" >&5 -echo "${ECHO_T}$ac_cv_func_gethostname" >&6 -if test $ac_cv_func_gethostname = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETHOSTNAME 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS gethostname.$ac_objext" -fi -echo "$as_me:16750: checking for getifaddrs" >&5 -echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6 -if test "${ac_cv_func_getifaddrs+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16756 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getifaddrs (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getifaddrs (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_getifaddrs) || defined (__stub___getifaddrs) -choke me -#else -f = getifaddrs; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16793: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16796: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16799: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16802: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getifaddrs=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getifaddrs=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16812: result: $ac_cv_func_getifaddrs" >&5 -echo "${ECHO_T}$ac_cv_func_getifaddrs" >&6 -if test $ac_cv_func_getifaddrs = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETIFADDRS 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getifaddrs.$ac_objext" -fi -echo "$as_me:16823: checking for getipnodebyaddr" >&5 -echo $ECHO_N "checking for getipnodebyaddr... $ECHO_C" >&6 -if test "${ac_cv_func_getipnodebyaddr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16829 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getipnodebyaddr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getipnodebyaddr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. 
Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getipnodebyaddr) || defined (__stub___getipnodebyaddr) -choke me -#else -f = getipnodebyaddr; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16866: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16869: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16872: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16875: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getipnodebyaddr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getipnodebyaddr=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16885: result: $ac_cv_func_getipnodebyaddr" >&5 -echo "${ECHO_T}$ac_cv_func_getipnodebyaddr" >&6 -if test $ac_cv_func_getipnodebyaddr = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETIPNODEBYADDR 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getipnodebyaddr.$ac_objext" -fi -echo "$as_me:16896: checking for getipnodebyname" >&5 -echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6 -if test "${ac_cv_func_getipnodebyname+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16902 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getipnodebyname (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char getipnodebyname (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getipnodebyname) || defined (__stub___getipnodebyname) -choke me -#else -f = getipnodebyname; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:16939: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:16942: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:16945: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:16948: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getipnodebyname=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getipnodebyname=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:16958: result: $ac_cv_func_getipnodebyname" >&5 -echo "${ECHO_T}$ac_cv_func_getipnodebyname" >&6 -if test $ac_cv_func_getipnodebyname = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETIPNODEBYNAME 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getipnodebyname.$ac_objext" -fi -echo "$as_me:16969: checking for getopt" >&5 -echo $ECHO_N "checking for getopt... $ECHO_C" >&6 -if test "${ac_cv_func_getopt+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 16975 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getopt (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getopt (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getopt) || defined (__stub___getopt) -choke me -#else -f = getopt; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17012: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17015: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17018: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17021: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getopt=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getopt=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17031: result: $ac_cv_func_getopt" >&5 -echo "${ECHO_T}$ac_cv_func_getopt" >&6 -if test $ac_cv_func_getopt = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETOPT 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getopt.$ac_objext" -fi -echo "$as_me:17042: checking for gettimeofday" >&5 -echo $ECHO_N "checking for gettimeofday... $ECHO_C" >&6 -if test "${ac_cv_func_gettimeofday+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17048 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char gettimeofday (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char gettimeofday (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_gettimeofday) || defined (__stub___gettimeofday) -choke me -#else -f = gettimeofday; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17085: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17088: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17091: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17094: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_gettimeofday=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_gettimeofday=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17104: result: $ac_cv_func_gettimeofday" >&5 -echo "${ECHO_T}$ac_cv_func_gettimeofday" >&6 -if test $ac_cv_func_gettimeofday = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETTIMEOFDAY 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS gettimeofday.$ac_objext" -fi -echo "$as_me:17115: checking for getuid" >&5 -echo $ECHO_N "checking for getuid... $ECHO_C" >&6 -if test "${ac_cv_func_getuid+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17121 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getuid (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getuid (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getuid) || defined (__stub___getuid) -choke me -#else -f = getuid; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17158: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17161: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17164: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17167: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getuid=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getuid=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17177: result: $ac_cv_func_getuid" >&5 -echo "${ECHO_T}$ac_cv_func_getuid" >&6 -if test $ac_cv_func_getuid = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETUID 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getuid.$ac_objext" -fi -echo "$as_me:17188: checking for getusershell" >&5 -echo $ECHO_N "checking for getusershell... $ECHO_C" >&6 -if test "${ac_cv_func_getusershell+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17194 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getusershell (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getusershell (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getusershell) || defined (__stub___getusershell) -choke me -#else -f = getusershell; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17231: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17234: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17237: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17240: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getusershell=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getusershell=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17250: result: $ac_cv_func_getusershell" >&5 -echo "${ECHO_T}$ac_cv_func_getusershell" >&6 -if test $ac_cv_func_getusershell = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_GETUSERSHELL 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS getusershell.$ac_objext" -fi -echo "$as_me:17261: checking for initgroups" >&5 -echo $ECHO_N "checking for initgroups... 
$ECHO_C" >&6 -if test "${ac_cv_func_initgroups+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17267 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char initgroups (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char initgroups (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_initgroups) || defined (__stub___initgroups) -choke me -#else -f = initgroups; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17304: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17307: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17310: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17313: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_initgroups=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_initgroups=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17323: result: $ac_cv_func_initgroups" >&5 -echo "${ECHO_T}$ac_cv_func_initgroups" >&6 -if test $ac_cv_func_initgroups = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INITGROUPS 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS initgroups.$ac_objext" -fi -echo "$as_me:17334: checking for innetgr" >&5 -echo $ECHO_N "checking for innetgr... $ECHO_C" >&6 -if test "${ac_cv_func_innetgr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17340 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char innetgr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char innetgr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_innetgr) || defined (__stub___innetgr) -choke me -#else -f = innetgr; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17377: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17380: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17383: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17386: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_innetgr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_innetgr=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17396: result: $ac_cv_func_innetgr" >&5 -echo "${ECHO_T}$ac_cv_func_innetgr" >&6 -if test $ac_cv_func_innetgr = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INNETGR 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS innetgr.$ac_objext" -fi -echo "$as_me:17407: checking for iruserok" >&5 -echo $ECHO_N "checking for iruserok... $ECHO_C" >&6 -if test "${ac_cv_func_iruserok+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17413 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char iruserok (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char iruserok (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_iruserok) || defined (__stub___iruserok) -choke me -#else -f = iruserok; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17450: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17453: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17456: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17459: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_iruserok=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_iruserok=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17469: result: $ac_cv_func_iruserok" >&5 -echo "${ECHO_T}$ac_cv_func_iruserok" >&6 -if test $ac_cv_func_iruserok = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_IRUSEROK 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS iruserok.$ac_objext" -fi -echo "$as_me:17480: checking for localtime_r" >&5 -echo $ECHO_N "checking for localtime_r... $ECHO_C" >&6 -if test "${ac_cv_func_localtime_r+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17486 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char localtime_r (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char localtime_r (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_localtime_r) || defined (__stub___localtime_r) -choke me -#else -f = localtime_r; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17523: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17526: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17529: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:17532: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_localtime_r=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_localtime_r=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17542: result: $ac_cv_func_localtime_r" >&5 -echo "${ECHO_T}$ac_cv_func_localtime_r" >&6 -if test $ac_cv_func_localtime_r = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_LOCALTIME_R 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS localtime_r.$ac_objext" -fi -echo "$as_me:17553: checking for lstat" >&5 -echo $ECHO_N "checking for lstat... $ECHO_C" >&6 -if test "${ac_cv_func_lstat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17559 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char lstat (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char lstat (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_lstat) || defined (__stub___lstat) -choke me -#else -f = lstat; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17596: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17599: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17602: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:17605: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_lstat=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_lstat=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17615: result: $ac_cv_func_lstat" >&5 -echo "${ECHO_T}$ac_cv_func_lstat" >&6 -if test $ac_cv_func_lstat = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_LSTAT 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS lstat.$ac_objext" -fi -echo "$as_me:17626: checking for memmove" >&5 -echo $ECHO_N "checking for memmove... $ECHO_C" >&6 -if test "${ac_cv_func_memmove+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17632 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char memmove (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char memmove (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_memmove) || defined (__stub___memmove) -choke me -#else -f = memmove; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17669: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17672: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17675: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17678: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_memmove=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_memmove=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17688: result: $ac_cv_func_memmove" >&5 -echo "${ECHO_T}$ac_cv_func_memmove" >&6 -if test $ac_cv_func_memmove = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_MEMMOVE 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS memmove.$ac_objext" -fi -echo "$as_me:17699: checking for mkstemp" >&5 -echo $ECHO_N "checking for mkstemp... $ECHO_C" >&6 -if test "${ac_cv_func_mkstemp+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17705 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char mkstemp (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char mkstemp (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_mkstemp) || defined (__stub___mkstemp) -choke me -#else -f = mkstemp; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17742: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17745: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17748: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17751: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_mkstemp=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_mkstemp=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17761: result: $ac_cv_func_mkstemp" >&5 -echo "${ECHO_T}$ac_cv_func_mkstemp" >&6 -if test $ac_cv_func_mkstemp = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_MKSTEMP 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS mkstemp.$ac_objext" -fi -echo "$as_me:17772: checking for putenv" >&5 -echo $ECHO_N "checking for putenv... $ECHO_C" >&6 -if test "${ac_cv_func_putenv+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17778 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char putenv (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char putenv (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_putenv) || defined (__stub___putenv) -choke me -#else -f = putenv; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17815: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17818: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17821: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17824: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_putenv=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_putenv=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17834: result: $ac_cv_func_putenv" >&5 -echo "${ECHO_T}$ac_cv_func_putenv" >&6 -if test $ac_cv_func_putenv = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_PUTENV 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS putenv.$ac_objext" -fi -echo "$as_me:17845: checking for rcmd" >&5 -echo $ECHO_N "checking for rcmd... $ECHO_C" >&6 -if test "${ac_cv_func_rcmd+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17851 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char rcmd (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char rcmd (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_rcmd) || defined (__stub___rcmd) -choke me -#else -f = rcmd; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17888: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17891: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17894: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17897: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_rcmd=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_rcmd=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17907: result: $ac_cv_func_rcmd" >&5 -echo "${ECHO_T}$ac_cv_func_rcmd" >&6 -if test $ac_cv_func_rcmd = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_RCMD 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS rcmd.$ac_objext" -fi -echo "$as_me:17918: checking for readv" >&5 -echo $ECHO_N "checking for readv... $ECHO_C" >&6 -if test "${ac_cv_func_readv+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17924 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char readv (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char readv (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_readv) || defined (__stub___readv) -choke me -#else -f = readv; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:17961: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:17964: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:17967: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:17970: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_readv=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_readv=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:17980: result: $ac_cv_func_readv" >&5 -echo "${ECHO_T}$ac_cv_func_readv" >&6 -if test $ac_cv_func_readv = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_READV 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS readv.$ac_objext" -fi -echo "$as_me:17991: checking for recvmsg" >&5 -echo $ECHO_N "checking for recvmsg... $ECHO_C" >&6 -if test "${ac_cv_func_recvmsg+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 17997 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char recvmsg (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char recvmsg (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_recvmsg) || defined (__stub___recvmsg) -choke me -#else -f = recvmsg; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18034: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18037: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18040: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:18043: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_recvmsg=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_recvmsg=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18053: result: $ac_cv_func_recvmsg" >&5 -echo "${ECHO_T}$ac_cv_func_recvmsg" >&6 -if test $ac_cv_func_recvmsg = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_RECVMSG 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS recvmsg.$ac_objext" -fi -echo "$as_me:18064: checking for sendmsg" >&5 -echo $ECHO_N "checking for sendmsg... $ECHO_C" >&6 -if test "${ac_cv_func_sendmsg+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18070 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char sendmsg (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char sendmsg (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_sendmsg) || defined (__stub___sendmsg) -choke me -#else -f = sendmsg; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18107: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18110: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18113: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:18116: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_sendmsg=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_sendmsg=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18126: result: $ac_cv_func_sendmsg" >&5 -echo "${ECHO_T}$ac_cv_func_sendmsg" >&6 -if test $ac_cv_func_sendmsg = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SENDMSG 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS sendmsg.$ac_objext" -fi -echo "$as_me:18137: checking for setegid" >&5 -echo $ECHO_N "checking for setegid... $ECHO_C" >&6 -if test "${ac_cv_func_setegid+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18143 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char setegid (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char setegid (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_setegid) || defined (__stub___setegid) -choke me -#else -f = setegid; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18180: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18183: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18186: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:18189: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_setegid=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_setegid=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18199: result: $ac_cv_func_setegid" >&5 -echo "${ECHO_T}$ac_cv_func_setegid" >&6 -if test $ac_cv_func_setegid = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SETEGID 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS setegid.$ac_objext" -fi -echo "$as_me:18210: checking for setenv" >&5 -echo $ECHO_N "checking for setenv... $ECHO_C" >&6 -if test "${ac_cv_func_setenv+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18216 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char setenv (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char setenv (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_setenv) || defined (__stub___setenv) -choke me -#else -f = setenv; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18253: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18256: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18259: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:18262: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_setenv=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_setenv=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18272: result: $ac_cv_func_setenv" >&5 -echo "${ECHO_T}$ac_cv_func_setenv" >&6 -if test $ac_cv_func_setenv = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SETENV 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS setenv.$ac_objext" -fi -echo "$as_me:18283: checking for seteuid" >&5 -echo $ECHO_N "checking for seteuid... $ECHO_C" >&6 -if test "${ac_cv_func_seteuid+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18289 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char seteuid (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char seteuid (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_seteuid) || defined (__stub___seteuid) -choke me -#else -f = seteuid; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18326: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18329: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18332: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:18335: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_seteuid=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_seteuid=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18345: result: $ac_cv_func_seteuid" >&5 -echo "${ECHO_T}$ac_cv_func_seteuid" >&6 -if test $ac_cv_func_seteuid = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SETEUID 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS seteuid.$ac_objext" -fi -echo "$as_me:18356: checking for strcasecmp" >&5 -echo $ECHO_N "checking for strcasecmp... $ECHO_C" >&6 -if test "${ac_cv_func_strcasecmp+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18362 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strcasecmp (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strcasecmp (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strcasecmp) || defined (__stub___strcasecmp) -choke me -#else -f = strcasecmp; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18399: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18402: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18405: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:18408: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strcasecmp=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strcasecmp=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18418: result: $ac_cv_func_strcasecmp" >&5 -echo "${ECHO_T}$ac_cv_func_strcasecmp" >&6 -if test $ac_cv_func_strcasecmp = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRCASECMP 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strcasecmp.$ac_objext" -fi -echo "$as_me:18429: checking for strdup" >&5 -echo $ECHO_N "checking for strdup... $ECHO_C" >&6 -if test "${ac_cv_func_strdup+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18435 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strdup (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strdup (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strdup) || defined (__stub___strdup) -choke me -#else -f = strdup; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18472: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18475: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18478: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:18481: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strdup=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strdup=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18491: result: $ac_cv_func_strdup" >&5 -echo "${ECHO_T}$ac_cv_func_strdup" >&6 -if test $ac_cv_func_strdup = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRDUP 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strdup.$ac_objext" -fi -echo "$as_me:18502: checking for strerror" >&5 -echo $ECHO_N "checking for strerror... $ECHO_C" >&6 -if test "${ac_cv_func_strerror+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18508 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strerror (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strerror (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strerror) || defined (__stub___strerror) -choke me -#else -f = strerror; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18545: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18548: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18551: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:18554: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strerror=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strerror=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18564: result: $ac_cv_func_strerror" >&5 -echo "${ECHO_T}$ac_cv_func_strerror" >&6 -if test $ac_cv_func_strerror = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRERROR 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strerror.$ac_objext" -fi -echo "$as_me:18575: checking for strftime" >&5 -echo $ECHO_N "checking for strftime... $ECHO_C" >&6 -if test "${ac_cv_func_strftime+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18581 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strftime (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strftime (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strftime) || defined (__stub___strftime) -choke me -#else -f = strftime; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18618: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18621: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18624: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:18627: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strftime=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strftime=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18637: result: $ac_cv_func_strftime" >&5 -echo "${ECHO_T}$ac_cv_func_strftime" >&6 -if test $ac_cv_func_strftime = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRFTIME 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strftime.$ac_objext" -fi -echo "$as_me:18648: checking for strlcat" >&5 -echo $ECHO_N "checking for strlcat... $ECHO_C" >&6 -if test "${ac_cv_func_strlcat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18654 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strlcat (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strlcat (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strlcat) || defined (__stub___strlcat) -choke me -#else -f = strlcat; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18691: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18694: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18697: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:18700: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strlcat=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strlcat=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18710: result: $ac_cv_func_strlcat" >&5 -echo "${ECHO_T}$ac_cv_func_strlcat" >&6 -if test $ac_cv_func_strlcat = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRLCAT 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strlcat.$ac_objext" -fi -echo "$as_me:18721: checking for strlcpy" >&5 -echo $ECHO_N "checking for strlcpy... $ECHO_C" >&6 -if test "${ac_cv_func_strlcpy+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18727 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strlcpy (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strlcpy (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strlcpy) || defined (__stub___strlcpy) -choke me -#else -f = strlcpy; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18764: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18767: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18770: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:18773: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strlcpy=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strlcpy=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18783: result: $ac_cv_func_strlcpy" >&5 -echo "${ECHO_T}$ac_cv_func_strlcpy" >&6 -if test $ac_cv_func_strlcpy = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRLCPY 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strlcpy.$ac_objext" -fi -echo "$as_me:18794: checking for strlwr" >&5 -echo $ECHO_N "checking for strlwr... $ECHO_C" >&6 -if test "${ac_cv_func_strlwr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18800 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strlwr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strlwr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strlwr) || defined (__stub___strlwr) -choke me -#else -f = strlwr; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18837: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18840: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18843: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:18846: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strlwr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strlwr=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18856: result: $ac_cv_func_strlwr" >&5 -echo "${ECHO_T}$ac_cv_func_strlwr" >&6 -if test $ac_cv_func_strlwr = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRLWR 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strlwr.$ac_objext" -fi -echo "$as_me:18867: checking for strncasecmp" >&5 -echo $ECHO_N "checking for strncasecmp... $ECHO_C" >&6 -if test "${ac_cv_func_strncasecmp+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18873 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strncasecmp (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strncasecmp (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strncasecmp) || defined (__stub___strncasecmp) -choke me -#else -f = strncasecmp; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18910: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18913: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18916: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:18919: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strncasecmp=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strncasecmp=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:18929: result: $ac_cv_func_strncasecmp" >&5 -echo "${ECHO_T}$ac_cv_func_strncasecmp" >&6 -if test $ac_cv_func_strncasecmp = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRNCASECMP 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strncasecmp.$ac_objext" -fi -echo "$as_me:18940: checking for strndup" >&5 -echo $ECHO_N "checking for strndup... $ECHO_C" >&6 -if test "${ac_cv_func_strndup+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 18946 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strndup (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strndup (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strndup) || defined (__stub___strndup) -choke me -#else -f = strndup; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:18983: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:18986: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:18989: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:18992: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strndup=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strndup=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19002: result: $ac_cv_func_strndup" >&5 -echo "${ECHO_T}$ac_cv_func_strndup" >&6 -if test $ac_cv_func_strndup = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRNDUP 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strndup.$ac_objext" -fi -echo "$as_me:19013: checking for strnlen" >&5 -echo $ECHO_N "checking for strnlen... $ECHO_C" >&6 -if test "${ac_cv_func_strnlen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19019 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strnlen (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strnlen (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strnlen) || defined (__stub___strnlen) -choke me -#else -f = strnlen; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19056: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19059: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19062: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19065: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strnlen=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strnlen=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19075: result: $ac_cv_func_strnlen" >&5 -echo "${ECHO_T}$ac_cv_func_strnlen" >&6 -if test $ac_cv_func_strnlen = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRNLEN 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strnlen.$ac_objext" -fi -echo "$as_me:19086: checking for strptime" >&5 -echo $ECHO_N "checking for strptime... $ECHO_C" >&6 -if test "${ac_cv_func_strptime+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19092 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strptime (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strptime (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strptime) || defined (__stub___strptime) -choke me -#else -f = strptime; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19129: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19132: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19135: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19138: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strptime=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strptime=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19148: result: $ac_cv_func_strptime" >&5 -echo "${ECHO_T}$ac_cv_func_strptime" >&6 -if test $ac_cv_func_strptime = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRPTIME 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strptime.$ac_objext" -fi -echo "$as_me:19159: checking for strsep" >&5 -echo $ECHO_N "checking for strsep... $ECHO_C" >&6 -if test "${ac_cv_func_strsep+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19165 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strsep (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strsep (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strsep) || defined (__stub___strsep) -choke me -#else -f = strsep; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19202: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19205: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19208: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19211: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strsep=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strsep=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19221: result: $ac_cv_func_strsep" >&5 -echo "${ECHO_T}$ac_cv_func_strsep" >&6 -if test $ac_cv_func_strsep = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRSEP 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strsep.$ac_objext" -fi -echo "$as_me:19232: checking for strsep_copy" >&5 -echo $ECHO_N "checking for strsep_copy... $ECHO_C" >&6 -if test "${ac_cv_func_strsep_copy+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19238 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strsep_copy (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strsep_copy (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_strsep_copy) || defined (__stub___strsep_copy) -choke me -#else -f = strsep_copy; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19275: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? 
- echo "$as_me:19278: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19281: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19284: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strsep_copy=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strsep_copy=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19294: result: $ac_cv_func_strsep_copy" >&5 -echo "${ECHO_T}$ac_cv_func_strsep_copy" >&6 -if test $ac_cv_func_strsep_copy = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRSEP_COPY 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strsep_copy.$ac_objext" -fi -echo "$as_me:19305: checking for strtok_r" >&5 -echo $ECHO_N "checking for strtok_r... $ECHO_C" >&6 -if test "${ac_cv_func_strtok_r+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19311 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strtok_r (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strtok_r (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_strtok_r) || defined (__stub___strtok_r) -choke me -#else -f = strtok_r; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19348: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19351: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19354: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19357: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strtok_r=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strtok_r=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19367: result: $ac_cv_func_strtok_r" >&5 -echo "${ECHO_T}$ac_cv_func_strtok_r" >&6 -if test $ac_cv_func_strtok_r = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRTOK_R 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strtok_r.$ac_objext" -fi -echo "$as_me:19378: checking for strupr" >&5 -echo $ECHO_N "checking for strupr... $ECHO_C" >&6 -if test "${ac_cv_func_strupr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19384 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char strupr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char strupr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_strupr) || defined (__stub___strupr) -choke me -#else -f = strupr; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19421: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19424: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19427: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19430: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_strupr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_strupr=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19440: result: $ac_cv_func_strupr" >&5 -echo "${ECHO_T}$ac_cv_func_strupr" >&6 -if test $ac_cv_func_strupr = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUPR 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS strupr.$ac_objext" -fi -echo "$as_me:19451: checking for swab" >&5 -echo $ECHO_N "checking for swab... $ECHO_C" >&6 -if test "${ac_cv_func_swab+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19457 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char swab (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char swab (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_swab) || defined (__stub___swab) -choke me -#else -f = swab; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19494: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19497: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19500: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19503: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_swab=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_swab=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19513: result: $ac_cv_func_swab" >&5 -echo "${ECHO_T}$ac_cv_func_swab" >&6 -if test $ac_cv_func_swab = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SWAB 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS swab.$ac_objext" -fi -echo "$as_me:19524: checking for unsetenv" >&5 -echo $ECHO_N "checking for unsetenv... $ECHO_C" >&6 -if test "${ac_cv_func_unsetenv+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19530 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char unsetenv (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char unsetenv (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_unsetenv) || defined (__stub___unsetenv) -choke me -#else -f = unsetenv; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19567: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19570: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19573: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19576: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_unsetenv=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_unsetenv=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19586: result: $ac_cv_func_unsetenv" >&5 -echo "${ECHO_T}$ac_cv_func_unsetenv" >&6 -if test $ac_cv_func_unsetenv = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_UNSETENV 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS unsetenv.$ac_objext" -fi -echo "$as_me:19597: checking for verr" >&5 -echo $ECHO_N "checking for verr... $ECHO_C" >&6 -if test "${ac_cv_func_verr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19603 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char verr (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char verr (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_verr) || defined (__stub___verr) -choke me -#else -f = verr; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19640: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19643: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19646: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19649: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_verr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_verr=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19659: result: $ac_cv_func_verr" >&5 -echo "${ECHO_T}$ac_cv_func_verr" >&6 -if test $ac_cv_func_verr = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_VERR 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS verr.$ac_objext" -fi -echo "$as_me:19670: checking for verrx" >&5 -echo $ECHO_N "checking for verrx... $ECHO_C" >&6 -if test "${ac_cv_func_verrx+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19676 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char verrx (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char verrx (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_verrx) || defined (__stub___verrx) -choke me -#else -f = verrx; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19713: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19716: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19719: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19722: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_verrx=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_verrx=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19732: result: $ac_cv_func_verrx" >&5 -echo "${ECHO_T}$ac_cv_func_verrx" >&6 -if test $ac_cv_func_verrx = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_VERRX 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS verrx.$ac_objext" -fi -echo "$as_me:19743: checking for vsyslog" >&5 -echo $ECHO_N "checking for vsyslog... $ECHO_C" >&6 -if test "${ac_cv_func_vsyslog+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19749 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char vsyslog (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char vsyslog (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_vsyslog) || defined (__stub___vsyslog) -choke me -#else -f = vsyslog; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19786: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19789: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19792: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19795: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_vsyslog=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_vsyslog=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19805: result: $ac_cv_func_vsyslog" >&5 -echo "${ECHO_T}$ac_cv_func_vsyslog" >&6 -if test $ac_cv_func_vsyslog = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_VSYSLOG 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS vsyslog.$ac_objext" -fi -echo "$as_me:19816: checking for vwarn" >&5 -echo $ECHO_N "checking for vwarn... $ECHO_C" >&6 -if test "${ac_cv_func_vwarn+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19822 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char vwarn (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char vwarn (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_vwarn) || defined (__stub___vwarn) -choke me -#else -f = vwarn; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19859: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19862: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19865: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19868: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_vwarn=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_vwarn=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19878: result: $ac_cv_func_vwarn" >&5 -echo "${ECHO_T}$ac_cv_func_vwarn" >&6 -if test $ac_cv_func_vwarn = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_VWARN 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS vwarn.$ac_objext" -fi -echo "$as_me:19889: checking for vwarnx" >&5 -echo $ECHO_N "checking for vwarnx... $ECHO_C" >&6 -if test "${ac_cv_func_vwarnx+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19895 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char vwarnx (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char vwarnx (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_vwarnx) || defined (__stub___vwarnx) -choke me -#else -f = vwarnx; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:19932: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:19935: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:19938: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:19941: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_vwarnx=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_vwarnx=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:19951: result: $ac_cv_func_vwarnx" >&5 -echo "${ECHO_T}$ac_cv_func_vwarnx" >&6 -if test $ac_cv_func_vwarnx = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_VWARNX 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS vwarnx.$ac_objext" -fi -echo "$as_me:19962: checking for warn" >&5 -echo $ECHO_N "checking for warn... $ECHO_C" >&6 -if test "${ac_cv_func_warn+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 19968 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char warn (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char warn (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_warn) || defined (__stub___warn) -choke me -#else -f = warn; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:20005: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:20008: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:20011: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20014: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_warn=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_warn=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:20024: result: $ac_cv_func_warn" >&5 -echo "${ECHO_T}$ac_cv_func_warn" >&6 -if test $ac_cv_func_warn = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_WARN 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS warn.$ac_objext" -fi -echo "$as_me:20035: checking for warnx" >&5 -echo $ECHO_N "checking for warnx... $ECHO_C" >&6 -if test "${ac_cv_func_warnx+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20041 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char warnx (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char warnx (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_warnx) || defined (__stub___warnx) -choke me -#else -f = warnx; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:20078: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:20081: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:20084: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20087: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_warnx=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_warnx=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:20097: result: $ac_cv_func_warnx" >&5 -echo "${ECHO_T}$ac_cv_func_warnx" >&6 -if test $ac_cv_func_warnx = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_WARNX 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS warnx.$ac_objext" -fi -echo "$as_me:20108: checking for writev" >&5 -echo $ECHO_N "checking for writev... $ECHO_C" >&6 -if test "${ac_cv_func_writev+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20114 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char writev (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char writev (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_writev) || defined (__stub___writev) -choke me -#else -f = writev; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:20151: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:20154: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:20157: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20160: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_writev=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_writev=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:20170: result: $ac_cv_func_writev" >&5 -echo "${ECHO_T}$ac_cv_func_writev" >&6 -if test $ac_cv_func_writev = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_WRITEV 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS writev.$ac_objext" -fi - - - -if test "$ac_cv_func_strndup+set" != set -o "$ac_cv_func_strndup" = yes; then -echo "$as_me:20185: checking if strndup needs a prototype" >&5 -echo $ECHO_N "checking if strndup needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_strndup_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20191 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strndup (struct foo*); -strndup(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20212: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20215: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20218: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20221: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_strndup_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_strndup_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20231: result: $ac_cv_func_strndup_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_strndup_noproto" >&6 -if test "$ac_cv_func_strndup_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_STRNDUP_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_strsep+set" != set -o "$ac_cv_func_strsep" = yes; then -echo "$as_me:20243: checking if strsep needs a prototype" >&5 -echo $ECHO_N "checking if strsep needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_strsep_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20249 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strsep (struct foo*); -strsep(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20270: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20273: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20276: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20279: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_strsep_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_strsep_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20289: result: $ac_cv_func_strsep_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_strsep_noproto" >&6 -if test "$ac_cv_func_strsep_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_STRSEP_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_strtok_r+set" != set -o "$ac_cv_func_strtok_r" = yes; then -echo "$as_me:20301: checking if strtok_r needs a prototype" >&5 -echo $ECHO_N "checking if strtok_r needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_strtok_r_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20307 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strtok_r (struct foo*); -strtok_r(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20328: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20331: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20334: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20337: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_strtok_r_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_strtok_r_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20347: result: $ac_cv_func_strtok_r_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_strtok_r_noproto" >&6 -if test "$ac_cv_func_strtok_r_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_STRTOK_R_PROTO 1 -_ACEOF - -fi -fi - - - -if test "$ac_cv_func_strsvis+set" != set -o "$ac_cv_func_strsvis" = yes; then -echo "$as_me:20361: checking if strsvis needs a prototype" >&5 -echo $ECHO_N "checking if strsvis needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_strsvis_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20367 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strsvis (struct foo*); -strsvis(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20390: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20393: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20396: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20399: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_strsvis_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_strsvis_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20409: result: $ac_cv_func_strsvis_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_strsvis_noproto" >&6 -if test "$ac_cv_func_strsvis_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_STRSVIS_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_strunvis+set" != set -o "$ac_cv_func_strunvis" = yes; then -echo "$as_me:20421: checking if strunvis needs a prototype" >&5 -echo $ECHO_N "checking if strunvis needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_strunvis_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20427 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strunvis (struct foo*); -strunvis(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20450: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20453: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20456: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20459: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_strunvis_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_strunvis_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20469: result: $ac_cv_func_strunvis_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_strunvis_noproto" >&6 -if test "$ac_cv_func_strunvis_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_STRUNVIS_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_strvis+set" != set -o "$ac_cv_func_strvis" = yes; then -echo "$as_me:20481: checking if strvis needs a prototype" >&5 -echo $ECHO_N "checking if strvis needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_strvis_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20487 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strvis (struct foo*); -strvis(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20510: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20513: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20516: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20519: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_strvis_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_strvis_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20529: result: $ac_cv_func_strvis_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_strvis_noproto" >&6 -if test "$ac_cv_func_strvis_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_STRVIS_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_strvisx+set" != set -o "$ac_cv_func_strvisx" = yes; then -echo "$as_me:20541: checking if strvisx needs a prototype" >&5 -echo $ECHO_N "checking if strvisx needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_strvisx_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20547 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int strvisx (struct foo*); -strvisx(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20570: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20573: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20576: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20579: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_strvisx_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_strvisx_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20589: result: $ac_cv_func_strvisx_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_strvisx_noproto" >&6 -if test "$ac_cv_func_strvisx_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_STRVISX_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_svis+set" != set -o "$ac_cv_func_svis" = yes; then -echo "$as_me:20601: checking if svis needs a prototype" >&5 -echo $ECHO_N "checking if svis needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_svis_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20607 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int svis (struct foo*); -svis(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20630: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20633: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20636: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20639: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_svis_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_svis_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20649: result: $ac_cv_func_svis_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_svis_noproto" >&6 -if test "$ac_cv_func_svis_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_SVIS_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_unvis+set" != set -o "$ac_cv_func_unvis" = yes; then -echo "$as_me:20661: checking if unvis needs a prototype" >&5 -echo $ECHO_N "checking if unvis needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_unvis_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20667 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int unvis (struct foo*); -unvis(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20690: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20693: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20696: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20699: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_unvis_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_unvis_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20709: result: $ac_cv_func_unvis_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_unvis_noproto" >&6 -if test "$ac_cv_func_unvis_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_UNVIS_PROTO 1 -_ACEOF - -fi -fi - -if test "$ac_cv_func_vis+set" != set -o "$ac_cv_func_vis" = yes; then -echo "$as_me:20721: checking if vis needs a prototype" >&5 -echo $ECHO_N "checking if vis needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_vis_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20727 "configure" -#include "confdefs.h" -#ifdef HAVE_VIS_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int vis (struct foo*); -vis(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:20750: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:20753: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:20756: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20759: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_vis_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_vis_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:20769: result: $ac_cv_func_vis_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_vis_noproto" >&6 -if test "$ac_cv_func_vis_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_VIS_PROTO 1 -_ACEOF - -fi -fi - - -echo "$as_me:20781: checking for inet_aton" >&5 -echo $ECHO_N "checking for inet_aton... $ECHO_C" >&6 -if test "${ac_cv_func_inet_aton+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20787 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_inet_aton) || defined (__stub___inet_aton) -choke me -#else -inet_aton(0,0) -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:20825: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:20828: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:20831: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20834: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_inet_aton=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_inet_aton=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi - -if eval "test \"\${ac_cv_func_inet_aton}\" = yes"; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INET_ATON 1 -_ACEOF - - echo "$as_me:20851: result: yes" >&5 -echo "${ECHO_T}yes" >&6 -else - echo "$as_me:20854: result: no" >&5 -echo "${ECHO_T}no" >&6 - LIBOBJS="$LIBOBJS inet_aton.$ac_objext" -fi - -echo "$as_me:20859: checking for inet_ntop" >&5 -echo $ECHO_N "checking for inet_ntop... $ECHO_C" >&6 -if test "${ac_cv_func_inet_ntop+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20865 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_inet_ntop) || defined (__stub___inet_ntop) -choke me -#else -inet_ntop(0, 0, 0, 0) -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:20903: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:20906: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:20909: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20912: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_inet_ntop=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_inet_ntop=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi - -if eval "test \"\${ac_cv_func_inet_ntop}\" = yes"; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INET_NTOP 1 -_ACEOF - - echo "$as_me:20929: result: yes" >&5 -echo "${ECHO_T}yes" >&6 -else - echo "$as_me:20932: result: no" >&5 -echo "${ECHO_T}no" >&6 - LIBOBJS="$LIBOBJS inet_ntop.$ac_objext" -fi - -echo "$as_me:20937: checking for inet_pton" >&5 -echo $ECHO_N "checking for inet_pton... $ECHO_C" >&6 -if test "${ac_cv_func_inet_pton+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 20943 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_inet_pton) || defined (__stub___inet_pton) -choke me -#else -inet_pton(0,0,0) -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:20981: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:20984: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:20987: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:20990: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_inet_pton=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_inet_pton=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi - -if eval "test \"\${ac_cv_func_inet_pton}\" = yes"; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INET_PTON 1 -_ACEOF - - echo "$as_me:21007: result: yes" >&5 -echo "${ECHO_T}yes" >&6 -else - echo "$as_me:21010: result: no" >&5 -echo "${ECHO_T}no" >&6 - LIBOBJS="$LIBOBJS inet_pton.$ac_objext" -fi - - - -echo "$as_me:21017: checking for sa_len in struct sockaddr" >&5 -echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6 -if test "${ac_cv_type_struct_sockaddr_sa_len+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 21024 "configure" -#include "confdefs.h" -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct sockaddr x; x.sa_len; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21043: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21046: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21049: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21052: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_sockaddr_sa_len=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_sockaddr_sa_len=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21062: result: $ac_cv_type_struct_sockaddr_sa_len" >&5 -echo "${ECHO_T}$ac_cv_type_struct_sockaddr_sa_len" >&6 -if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_SOCKADDR_SA_LEN 1 -_ACEOF - - -fi - - - -if test "$ac_cv_func_getnameinfo" = "yes"; then - -echo "$as_me:21078: checking if getnameinfo is broken" >&5 -echo $ECHO_N "checking if getnameinfo is broken... $ECHO_C" >&6 -if test "${ac_cv_func_getnameinfo_broken+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then - { { echo "$as_me:21084: error: cannot run test program while cross compiling" >&5 -echo "$as_me: error: cannot run test program while cross compiling" >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -#line 21089 "configure" -#include "confdefs.h" -#include -#include -#include -#include -#include - -int -main(int argc, char **argv) -{ - struct sockaddr_in sin; - char host[256]; - memset(&sin, 0, sizeof(sin)); -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - sin.sin_len = sizeof(sin); -#endif - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = 0xffffffff; - sin.sin_port = 0; - return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host), - NULL, 0, 0); -} - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:21115: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:21118: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:21120: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21123: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getnameinfo_broken=no -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_func_getnameinfo_broken=yes -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -echo "$as_me:21136: result: $ac_cv_func_getnameinfo_broken" >&5 -echo "${ECHO_T}$ac_cv_func_getnameinfo_broken" >&6 - if test "$ac_cv_func_getnameinfo_broken" = yes; then - LIBOBJS="$LIBOBJS getnameinfo.$ac_objext" - fi -fi - -if test "$ac_cv_func_getaddrinfo" = "yes"; then - -echo "$as_me:21145: checking if getaddrinfo handles numeric services" >&5 -echo $ECHO_N "checking if getaddrinfo handles numeric services... $ECHO_C" >&6 -if test "${ac_cv_func_getaddrinfo_numserv+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then - { { echo "$as_me:21151: error: cannot run test program while cross compiling" >&5 -echo "$as_me: error: cannot run test program while cross compiling" >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -#line 21156 "configure" -#include "confdefs.h" -#include -#include -#include -#include - -int -main(int argc, char **argv) -{ - struct addrinfo hints, *ai; - memset(&hints, 0, sizeof(hints)); - hints.ai_flags = AI_PASSIVE; - hints.ai_socktype = SOCK_STREAM; - hints.ai_family = PF_UNSPEC; - if(getaddrinfo(NULL, "17", &hints, &ai) != 0) - return 1; - return 0; -} - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:21178: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:21181: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:21183: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21186: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getaddrinfo_numserv=yes -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_func_getaddrinfo_numserv=no -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -echo "$as_me:21199: result: $ac_cv_func_getaddrinfo_numserv" >&5 -echo "${ECHO_T}$ac_cv_func_getaddrinfo_numserv" >&6 - if test "$ac_cv_func_getaddrinfo_numserv" = no; then - LIBOBJS="$LIBOBJS getaddrinfo.$ac_objext" - LIBOBJS="$LIBOBJS freeaddrinfo.$ac_objext" - fi -fi - - -if test "$ac_cv_func_setenv+set" != set -o "$ac_cv_func_setenv" = yes; then -echo "$as_me:21209: checking if setenv needs a prototype" >&5 -echo $ECHO_N "checking if setenv needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_setenv_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21215 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int setenv (struct foo*); -setenv(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21236: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21239: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21242: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21245: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_setenv_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_setenv_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21255: result: $ac_cv_func_setenv_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_setenv_noproto" >&6 -if test "$ac_cv_func_setenv_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_SETENV_PROTO 1 -_ACEOF - -fi -fi - - -if test "$ac_cv_func_unsetenv+set" != set -o "$ac_cv_func_unsetenv" = yes; then -echo "$as_me:21268: checking if unsetenv needs a prototype" >&5 -echo $ECHO_N "checking if unsetenv needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_unsetenv_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21274 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int unsetenv (struct foo*); -unsetenv(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21295: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21298: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21301: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21304: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_unsetenv_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_unsetenv_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21314: result: $ac_cv_func_unsetenv_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_unsetenv_noproto" >&6 -if test "$ac_cv_func_unsetenv_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_UNSETENV_PROTO 1 -_ACEOF - -fi -fi - - -if test "$ac_cv_func_gethostname+set" != set -o "$ac_cv_func_gethostname" = yes; then -echo "$as_me:21327: checking if gethostname needs a prototype" >&5 -echo $ECHO_N "checking if gethostname needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_gethostname_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21333 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int gethostname (struct foo*); -gethostname(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21354: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21357: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21360: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21363: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_gethostname_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_gethostname_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21373: result: $ac_cv_func_gethostname_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_gethostname_noproto" >&6 -if test "$ac_cv_func_gethostname_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_GETHOSTNAME_PROTO 1 -_ACEOF - -fi -fi - - -if test "$ac_cv_func_mkstemp+set" != set -o "$ac_cv_func_mkstemp" = yes; then -echo "$as_me:21386: checking if mkstemp needs a prototype" >&5 -echo $ECHO_N "checking if mkstemp needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_mkstemp_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21392 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int mkstemp (struct foo*); -mkstemp(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21413: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21416: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21419: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21422: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_mkstemp_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_mkstemp_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21432: result: $ac_cv_func_mkstemp_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_mkstemp_noproto" >&6 -if test "$ac_cv_func_mkstemp_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_MKSTEMP_PROTO 1 -_ACEOF - -fi -fi - - -if test "$ac_cv_func_getusershell+set" != set -o "$ac_cv_func_getusershell" = yes; then -echo "$as_me:21445: checking if getusershell needs a prototype" >&5 -echo $ECHO_N "checking if getusershell needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_getusershell_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21451 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int getusershell (struct foo*); -getusershell(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21472: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21475: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21478: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21481: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_getusershell_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_getusershell_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21491: result: $ac_cv_func_getusershell_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_getusershell_noproto" >&6 -if test "$ac_cv_func_getusershell_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_GETUSERSHELL_PROTO 1 -_ACEOF - -fi -fi - - - -if test "$ac_cv_func_inet_aton+set" != set -o "$ac_cv_func_inet_aton" = yes; then -echo "$as_me:21505: checking if inet_aton needs a prototype" >&5 -echo $ECHO_N "checking if inet_aton needs a prototype... $ECHO_C" >&6 -if test "${ac_cv_func_inet_aton_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21511 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int inet_aton (struct foo*); -inet_aton(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21544: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21547: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21550: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21553: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_inet_aton_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_inet_aton_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21563: result: $ac_cv_func_inet_aton_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_inet_aton_noproto" >&6 -if test "$ac_cv_func_inet_aton_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_INET_ATON_PROTO 1 -_ACEOF - -fi -fi - - - - - -echo "$as_me:21578: checking for crypt" >&5 -echo $ECHO_N "checking for crypt... $ECHO_C" >&6 -if test "${ac_cv_funclib_crypt+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_crypt\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" crypt; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 21596 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -crypt() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:21614: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:21617: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:21620: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21623: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_crypt=$ac_lib; else ac_cv_funclib_crypt=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_crypt=\${ac_cv_funclib_crypt-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_crypt" - -if false; then - -for ac_func in crypt -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:21646: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21652 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:21689: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:21692: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:21695: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:21698: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:21708: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# crypt -eval "ac_tr_func=HAVE_`echo crypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_crypt=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_crypt=yes" - eval "LIB_crypt=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:21732: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_crypt=no" - eval "LIB_crypt=" - echo "$as_me:21738: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_crypt=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:21752: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - - -echo "$as_me:21762: checking if gethostbyname is compatible with system prototype" >&5 -echo $ECHO_N "checking if gethostbyname is compatible with system prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_gethostbyname_proto_compat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21768 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct hostent *gethostbyname(const char *); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21802: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21805: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21808: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21811: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_gethostbyname_proto_compat=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_gethostbyname_proto_compat=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21821: result: $ac_cv_func_gethostbyname_proto_compat" >&5 -echo "${ECHO_T}$ac_cv_func_gethostbyname_proto_compat" >&6 - -if test "$ac_cv_func_gethostbyname_proto_compat" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define GETHOSTBYNAME_PROTO_COMPATIBLE 1 -_ACEOF - -fi - - - - -echo "$as_me:21835: checking if gethostbyaddr is compatible with system prototype" >&5 -echo $ECHO_N "checking if gethostbyaddr is compatible with system prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_gethostbyaddr_proto_compat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21841 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct hostent *gethostbyaddr(const void *, size_t, int); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21875: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21878: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21881: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21884: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_gethostbyaddr_proto_compat=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_gethostbyaddr_proto_compat=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21894: result: $ac_cv_func_gethostbyaddr_proto_compat" >&5 -echo "${ECHO_T}$ac_cv_func_gethostbyaddr_proto_compat" >&6 - -if test "$ac_cv_func_gethostbyaddr_proto_compat" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define GETHOSTBYADDR_PROTO_COMPATIBLE 1 -_ACEOF - -fi - - - - -echo "$as_me:21908: checking if getservbyname is compatible with system prototype" >&5 -echo $ECHO_N "checking if getservbyname is compatible with system prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_getservbyname_proto_compat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21914 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct servent *getservbyname(const char *, const char *); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:21948: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:21951: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:21954: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:21957: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_getservbyname_proto_compat=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_getservbyname_proto_compat=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:21967: result: $ac_cv_func_getservbyname_proto_compat" >&5 -echo "${ECHO_T}$ac_cv_func_getservbyname_proto_compat" >&6 - -if test "$ac_cv_func_getservbyname_proto_compat" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define GETSERVBYNAME_PROTO_COMPATIBLE 1 -_ACEOF - -fi - - - - -echo "$as_me:21981: checking if getsockname is compatible with system prototype" >&5 -echo $ECHO_N "checking if getsockname is compatible with system prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_getsockname_proto_compat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 21987 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_SOCKET_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -int getsockname(int, struct sockaddr*, socklen_t*); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22012: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22015: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22018: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22021: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_getsockname_proto_compat=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_getsockname_proto_compat=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:22031: result: $ac_cv_func_getsockname_proto_compat" >&5 -echo "${ECHO_T}$ac_cv_func_getsockname_proto_compat" >&6 - -if test "$ac_cv_func_getsockname_proto_compat" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define GETSOCKNAME_PROTO_COMPATIBLE 1 -_ACEOF - -fi - - - - -echo "$as_me:22045: checking if openlog is compatible with system prototype" >&5 -echo $ECHO_N "checking if openlog is compatible with system prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_openlog_proto_compat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 22051 "configure" -#include "confdefs.h" - -#ifdef HAVE_SYSLOG_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -void openlog(const char *, int, int); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22073: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22076: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22079: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22082: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_openlog_proto_compat=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_openlog_proto_compat=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:22092: result: $ac_cv_func_openlog_proto_compat" >&5 -echo "${ECHO_T}$ac_cv_func_openlog_proto_compat" >&6 - -if test "$ac_cv_func_openlog_proto_compat" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define OPENLOG_PROTO_COMPATIBLE 1 -_ACEOF - -fi - - - - -if test "$ac_cv_func_crypt+set" != set -o "$ac_cv_func_crypt" = yes; then -echo "$as_me:22107: checking if crypt needs a prototype" >&5 -echo $ECHO_N "checking if crypt needs a prototype... 
$ECHO_C" >&6 -if test "${ac_cv_func_crypt_noproto+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 22113 "configure" -#include "confdefs.h" - -#ifdef HAVE_CRYPT_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct foo { int foo; } xx; -extern int crypt (struct foo*); -crypt(&xx); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22141: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22144: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22147: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22150: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_func_crypt_noproto=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_func_crypt_noproto=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:22160: result: $ac_cv_func_crypt_noproto" >&5 -echo "${ECHO_T}$ac_cv_func_crypt_noproto" >&6 -if test "$ac_cv_func_crypt_noproto" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define NEED_CRYPT_PROTO 1 -_ACEOF - -fi -fi - - - - -echo "$as_me:22174: checking for h_errno" >&5 -echo $ECHO_N "checking for h_errno... $ECHO_C" >&6 -if test "${ac_cv_var_h_errno+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22181 "configure" -#include "confdefs.h" -extern int h_errno; -int foo() { return h_errno; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:22200: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:22203: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:22206: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22209: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var_h_errno=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var_h_errno=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - -fi - -ac_foo=`eval echo \\$ac_cv_var_h_errno` -echo "$as_me:22222: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_H_ERRNO 1 -_ACEOF - - -echo "$as_me:22231: checking if h_errno is properly declared" >&5 -echo $ECHO_N "checking if h_errno is properly declared... $ECHO_C" >&6 -if test "${ac_cv_var_h_errno_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22238 "configure" -#include "confdefs.h" -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_NETDB_H -#include -#endif -extern struct { int foo; } h_errno; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -h_errno.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22262: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22265: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22268: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22271: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_h_errno_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_h_errno_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22286: result: $ac_cv_var_h_errno_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_h_errno_declaration" >&6 -if eval "test \"\$ac_cv_var_h_errno_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_H_ERRNO_DECLARATION 1 -_ACEOF - -fi - - -fi - - - -echo "$as_me:22301: checking for h_errlist" >&5 -echo $ECHO_N "checking for h_errlist... $ECHO_C" >&6 -if test "${ac_cv_var_h_errlist+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22308 "configure" -#include "confdefs.h" -extern int h_errlist; -int foo() { return h_errlist; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:22327: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:22330: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:22333: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22336: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var_h_errlist=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var_h_errlist=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - -fi - -ac_foo=`eval echo \\$ac_cv_var_h_errlist` -echo "$as_me:22349: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_H_ERRLIST 1 -_ACEOF - - -echo "$as_me:22358: checking if h_errlist is properly declared" >&5 -echo $ECHO_N "checking if h_errlist is properly declared... 
$ECHO_C" >&6 -if test "${ac_cv_var_h_errlist_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22365 "configure" -#include "confdefs.h" -#ifdef HAVE_NETDB_H -#include -#endif -extern struct { int foo; } h_errlist; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -h_errlist.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22386: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22389: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22392: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22395: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_h_errlist_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_h_errlist_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22410: result: $ac_cv_var_h_errlist_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_h_errlist_declaration" >&6 -if eval "test \"\$ac_cv_var_h_errlist_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_H_ERRLIST_DECLARATION 1 -_ACEOF - -fi - - -fi - - - -echo "$as_me:22425: checking for h_nerr" >&5 -echo $ECHO_N "checking for h_nerr... $ECHO_C" >&6 -if test "${ac_cv_var_h_nerr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22432 "configure" -#include "confdefs.h" -extern int h_nerr; -int foo() { return h_nerr; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:22451: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:22454: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:22457: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22460: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var_h_nerr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var_h_nerr=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - -fi - -ac_foo=`eval echo \\$ac_cv_var_h_nerr` -echo "$as_me:22473: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_H_NERR 1 -_ACEOF - - -echo "$as_me:22482: checking if h_nerr is properly declared" >&5 -echo $ECHO_N "checking if h_nerr is properly declared... $ECHO_C" >&6 -if test "${ac_cv_var_h_nerr_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22489 "configure" -#include "confdefs.h" -#ifdef HAVE_NETDB_H -#include -#endif -extern struct { int foo; } h_nerr; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -h_nerr.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22510: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22513: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22516: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22519: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_h_nerr_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_h_nerr_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22534: result: $ac_cv_var_h_nerr_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_h_nerr_declaration" >&6 -if eval "test \"\$ac_cv_var_h_nerr_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_H_NERR_DECLARATION 1 -_ACEOF - -fi - - -fi - - - -echo "$as_me:22549: checking for __progname" >&5 -echo $ECHO_N "checking for __progname... $ECHO_C" >&6 -if test "${ac_cv_var___progname+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22556 "configure" -#include "confdefs.h" -extern int __progname; -int foo() { return __progname; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:22575: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:22578: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:22581: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22584: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var___progname=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var___progname=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - -fi - -ac_foo=`eval echo \\$ac_cv_var___progname` -echo "$as_me:22597: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE___PROGNAME 1 -_ACEOF - - -echo "$as_me:22606: checking if __progname is properly declared" >&5 -echo $ECHO_N "checking if __progname is properly declared... 
$ECHO_C" >&6 -if test "${ac_cv_var___progname_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22613 "configure" -#include "confdefs.h" -#ifdef HAVE_ERR_H -#include -#endif -extern struct { int foo; } __progname; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -__progname.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22634: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22637: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22640: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22643: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var___progname_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var___progname_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22658: result: $ac_cv_var___progname_declaration" >&5 -echo "${ECHO_T}$ac_cv_var___progname_declaration" >&6 -if eval "test \"\$ac_cv_var___progname_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE___PROGNAME_DECLARATION 1 -_ACEOF - -fi - - -fi - - - -echo "$as_me:22673: checking if optarg is properly declared" >&5 -echo $ECHO_N "checking if optarg is properly declared... 
$ECHO_C" >&6 -if test "${ac_cv_var_optarg_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22680 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } optarg; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -optarg.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22702: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22705: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22708: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22711: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_optarg_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_optarg_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22726: result: $ac_cv_var_optarg_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_optarg_declaration" >&6 -if eval "test \"\$ac_cv_var_optarg_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_OPTARG_DECLARATION 1 -_ACEOF - -fi - - - -echo "$as_me:22738: checking if optind is properly declared" >&5 -echo $ECHO_N "checking if optind is properly declared... 
$ECHO_C" >&6 -if test "${ac_cv_var_optind_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22745 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } optind; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -optind.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22767: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22770: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22773: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22776: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_optind_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_optind_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22791: result: $ac_cv_var_optind_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_optind_declaration" >&6 -if eval "test \"\$ac_cv_var_optind_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_OPTIND_DECLARATION 1 -_ACEOF - -fi - - - -echo "$as_me:22803: checking if opterr is properly declared" >&5 -echo $ECHO_N "checking if opterr is properly declared... 
$ECHO_C" >&6 -if test "${ac_cv_var_opterr_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22810 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } opterr; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -opterr.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22832: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22835: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22838: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22841: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_opterr_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_opterr_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22856: result: $ac_cv_var_opterr_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_opterr_declaration" >&6 -if eval "test \"\$ac_cv_var_opterr_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_OPTERR_DECLARATION 1 -_ACEOF - -fi - - - -echo "$as_me:22868: checking if optopt is properly declared" >&5 -echo $ECHO_N "checking if optopt is properly declared... 
$ECHO_C" >&6 -if test "${ac_cv_var_optopt_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22875 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_UNISTD_H -#include -#endif -extern struct { int foo; } optopt; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -optopt.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22897: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:22900: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22903: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22906: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_optopt_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_optopt_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22921: result: $ac_cv_var_optopt_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_optopt_declaration" >&6 -if eval "test \"\$ac_cv_var_optopt_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_OPTOPT_DECLARATION 1 -_ACEOF - -fi - - - - -echo "$as_me:22934: checking if environ is properly declared" >&5 -echo $ECHO_N "checking if environ is properly declared... $ECHO_C" >&6 -if test "${ac_cv_var_environ_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 22941 "configure" -#include "confdefs.h" -#include -extern struct { int foo; } environ; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -environ.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:22960: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? 
- echo "$as_me:22963: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:22966: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:22969: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_environ_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_environ_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:22984: result: $ac_cv_var_environ_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_environ_declaration" >&6 -if eval "test \"\$ac_cv_var_environ_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_ENVIRON_DECLARATION 1 -_ACEOF - -fi - - - - - - -echo "$as_me:22999: checking for tm_gmtoff in struct tm" >&5 -echo $ECHO_N "checking for tm_gmtoff in struct tm... $ECHO_C" >&6 -if test "${ac_cv_type_struct_tm_tm_gmtoff+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 23006 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct tm x; x.tm_gmtoff; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23024: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23027: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23030: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23033: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_tm_tm_gmtoff=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_tm_tm_gmtoff=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:23043: result: $ac_cv_type_struct_tm_tm_gmtoff" >&5 -echo "${ECHO_T}$ac_cv_type_struct_tm_tm_gmtoff" >&6 -if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_TM_TM_GMTOFF 1 -_ACEOF - - -fi - - - - -echo "$as_me:23058: checking for tm_zone in struct tm" >&5 -echo $ECHO_N "checking for tm_zone in struct tm... $ECHO_C" >&6 -if test "${ac_cv_type_struct_tm_tm_zone+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 23065 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct tm x; x.tm_zone; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23083: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23086: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23089: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23092: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_tm_tm_zone=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_tm_tm_zone=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:23102: result: $ac_cv_type_struct_tm_tm_zone" >&5 -echo "${ECHO_T}$ac_cv_type_struct_tm_tm_zone" >&6 -if test "$ac_cv_type_struct_tm_tm_zone" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_TM_TM_ZONE 1 -_ACEOF - - -fi - - - - - -echo "$as_me:23118: checking for timezone" >&5 -echo $ECHO_N "checking for timezone... 
$ECHO_C" >&6 -if test "${ac_cv_var_timezone+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 23125 "configure" -#include "confdefs.h" -extern int timezone; -int foo() { return timezone; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:23144: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:23147: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:23150: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23153: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var_timezone=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var_timezone=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - -fi - -ac_foo=`eval echo \\$ac_cv_var_timezone` -echo "$as_me:23166: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_TIMEZONE 1 -_ACEOF - - -echo "$as_me:23175: checking if timezone is properly declared" >&5 -echo $ECHO_N "checking if timezone is properly declared... $ECHO_C" >&6 -if test "${ac_cv_var_timezone_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 23182 "configure" -#include "confdefs.h" -#include -extern struct { int foo; } timezone; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -timezone.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23201: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23204: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23207: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23210: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_timezone_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_timezone_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:23225: result: $ac_cv_var_timezone_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_timezone_declaration" >&6 -if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_TIMEZONE_DECLARATION 1 -_ACEOF - -fi - - -fi - - -echo "$as_me:23239: checking for altzone" >&5 -echo $ECHO_N "checking for altzone... $ECHO_C" >&6 -if test "${ac_cv_var_altzone+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 23246 "configure" -#include "confdefs.h" -extern int altzone; -int foo() { return altzone; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -foo() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:23265: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:23268: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:23271: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23274: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_var_altzone=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_var_altzone=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - -fi - -ac_foo=`eval echo \\$ac_cv_var_altzone` -echo "$as_me:23287: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_ALTZONE 1 -_ACEOF - - -echo "$as_me:23296: checking if altzone is properly declared" >&5 -echo $ECHO_N "checking if altzone is properly declared... $ECHO_C" >&6 -if test "${ac_cv_var_altzone_declaration+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 23303 "configure" -#include "confdefs.h" -#include -extern struct { int foo; } altzone; -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -altzone.foo = 1; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23322: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23325: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23328: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23331: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_var_altzone_declaration=no" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_var_altzone_declaration=yes" -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - - - - -echo "$as_me:23346: result: $ac_cv_var_altzone_declaration" >&5 -echo "${ECHO_T}$ac_cv_var_altzone_declaration" >&6 -if eval "test \"\$ac_cv_var_altzone_declaration\" = yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_ALTZONE_DECLARATION 1 -_ACEOF - -fi - - -fi - - - - -cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'` -echo "$as_me:23363: checking for sa_family_t" >&5 -echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23369 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -sa_family_t foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23392: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23395: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23398: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23401: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:23412: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:23417: checking for sa_family_t" >&5 -echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6 -if test "${ac_cv_type_sa_family_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23423 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((sa_family_t *) 0) - return 0; -if (sizeof (sa_family_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23444: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23447: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23450: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23453: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_sa_family_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_sa_family_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:23463: result: $ac_cv_type_sa_family_t" >&5 -echo "${ECHO_T}$ac_cv_type_sa_family_t" >&6 -if test $ac_cv_type_sa_family_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SA_FAMILY_T 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - -cv=`echo "socklen_t" | sed 'y%./+- %__p__%'` -echo "$as_me:23485: checking for socklen_t" >&5 -echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23491 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -socklen_t foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23514: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23517: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23520: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23523: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:23534: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:23539: checking for socklen_t" >&5 -echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6 -if test "${ac_cv_type_socklen_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23545 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((socklen_t *) 0) - return 0; -if (sizeof (socklen_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23566: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23569: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23572: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23575: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_socklen_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_socklen_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:23585: result: $ac_cv_type_socklen_t" >&5 -echo "${ECHO_T}$ac_cv_type_socklen_t" >&6 -if test $ac_cv_type_socklen_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_SOCKLEN_T 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - -cv=`echo "struct sockaddr" | sed 'y%./+- %__p__%'` -echo "$as_me:23607: checking for struct sockaddr" >&5 -echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23613 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct sockaddr foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23636: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23639: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23642: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23645: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:23656: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo struct sockaddr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:23661: checking for struct sockaddr" >&5 -echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6 -if test "${ac_cv_type_struct_sockaddr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23667 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct sockaddr *) 0) - return 0; -if (sizeof (struct sockaddr)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23688: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23691: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23694: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23697: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_sockaddr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_sockaddr=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:23707: result: $ac_cv_type_struct_sockaddr" >&5 -echo "${ECHO_T}$ac_cv_type_struct_sockaddr" >&6 -if test $ac_cv_type_struct_sockaddr = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_SOCKADDR 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - -cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'` -echo "$as_me:23729: checking for struct sockaddr_storage" >&5 -echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23735 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct sockaddr_storage foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23758: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23761: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23764: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23767: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:23778: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:23783: checking for struct sockaddr_storage" >&5 -echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6 -if test "${ac_cv_type_struct_sockaddr_storage+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23789 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct sockaddr_storage *) 0) - return 0; -if (sizeof (struct sockaddr_storage)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23810: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23813: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23816: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23819: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_sockaddr_storage=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_sockaddr_storage=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:23829: result: $ac_cv_type_struct_sockaddr_storage" >&5 -echo "${ECHO_T}$ac_cv_type_struct_sockaddr_storage" >&6 -if test $ac_cv_type_struct_sockaddr_storage = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - -cv=`echo "struct addrinfo" | sed 'y%./+- %__p__%'` -echo "$as_me:23851: checking for struct addrinfo" >&5 -echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23857 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct addrinfo foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23880: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23883: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23886: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23889: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:23900: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo struct addrinfo | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:23905: checking for struct addrinfo" >&5 -echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6 -if test "${ac_cv_type_struct_addrinfo+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23911 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct addrinfo *) 0) - return 0; -if (sizeof (struct addrinfo)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:23932: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:23935: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:23938: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:23941: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_addrinfo=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_addrinfo=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:23951: result: $ac_cv_type_struct_addrinfo" >&5 -echo "${ECHO_T}$ac_cv_type_struct_addrinfo" >&6 -if test $ac_cv_type_struct_addrinfo = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_ADDRINFO 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - -cv=`echo "struct ifaddrs" | sed 'y%./+- %__p__%'` -echo "$as_me:23973: checking for struct ifaddrs" >&5 -echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 23979 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct ifaddrs foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24002: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24005: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24008: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24011: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:24022: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo struct ifaddrs | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:24027: checking for struct ifaddrs" >&5 -echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6 -if test "${ac_cv_type_struct_ifaddrs+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 24033 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct ifaddrs *) 0) - return 0; -if (sizeof (struct ifaddrs)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24054: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24057: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24060: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24063: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_ifaddrs=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_ifaddrs=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:24073: result: $ac_cv_type_struct_ifaddrs" >&5 -echo "${ECHO_T}$ac_cv_type_struct_ifaddrs" >&6 -if test $ac_cv_type_struct_ifaddrs = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_IFADDRS 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - -cv=`echo "struct iovec" | sed 'y%./+- %__p__%'` -echo "$as_me:24095: checking for struct iovec" >&5 -echo $ECHO_N "checking for struct iovec... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 24101 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif - -#include -#include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct iovec foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24127: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24130: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24133: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24136: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:24147: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo struct iovec | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:24152: checking for struct iovec" >&5 -echo $ECHO_N "checking for struct iovec... $ECHO_C" >&6 -if test "${ac_cv_type_struct_iovec+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 24158 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct iovec *) 0) - return 0; -if (sizeof (struct iovec)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24179: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24182: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24185: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24188: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_iovec=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_iovec=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:24198: result: $ac_cv_type_struct_iovec" >&5 -echo "${ECHO_T}$ac_cv_type_struct_iovec" >&6 -if test $ac_cv_type_struct_iovec = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_IOVEC 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - -cv=`echo "struct msghdr" | sed 'y%./+- %__p__%'` -echo "$as_me:24220: checking for struct msghdr" >&5 -echo $ECHO_N "checking for struct msghdr... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 24226 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif - -#include -#include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct msghdr foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24252: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24255: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24258: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24261: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:24272: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo struct msghdr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:24277: checking for struct msghdr" >&5 -echo $ECHO_N "checking for struct msghdr... $ECHO_C" >&6 -if test "${ac_cv_type_struct_msghdr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 24283 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct msghdr *) 0) - return 0; -if (sizeof (struct msghdr)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24304: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24307: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24310: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24313: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_msghdr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_msghdr=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:24323: result: $ac_cv_type_struct_msghdr" >&5 -echo "${ECHO_T}$ac_cv_type_struct_msghdr" >&6 -if test $ac_cv_type_struct_msghdr = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_MSGHDR 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - - - - -echo "$as_me:24345: checking for struct winsize" >&5 -echo $ECHO_N "checking for struct winsize... $ECHO_C" >&6 -if test "${ac_cv_struct_winsize+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -ac_cv_struct_winsize=no -for i in sys/termios.h sys/ioctl.h; do -cat >conftest.$ac_ext <<_ACEOF -#line 24354 "configure" -#include "confdefs.h" -#include <$i> - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "struct[ ]*winsize" >/dev/null 2>&1; then - ac_cv_struct_winsize=yes; break -fi -rm -f conftest* -done - -fi - -if test "$ac_cv_struct_winsize" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_WINSIZE 1 -_ACEOF - -fi -echo "$as_me:24375: result: $ac_cv_struct_winsize" >&5 -echo "${ECHO_T}$ac_cv_struct_winsize" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 24378 "configure" -#include "confdefs.h" -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "ws_xpixel" >/dev/null 2>&1; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_WS_XPIXEL 1 -_ACEOF - -fi -rm -f conftest* - -cat >conftest.$ac_ext <<_ACEOF -#line 24394 "configure" -#include "confdefs.h" -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "ws_ypixel" >/dev/null 2>&1; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_WS_YPIXEL 1 -_ACEOF - -fi -rm -f conftest* - - - - - -echo "$as_me:24413: checking for struct spwd" >&5 -echo $ECHO_N "checking for struct spwd... 
$ECHO_C" >&6 -if test "${ac_cv_struct_spwd+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 24420 "configure" -#include "confdefs.h" -#include -#ifdef HAVE_SHADOW_H -#include -#endif -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct spwd foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24441: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24444: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24447: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24450: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_struct_spwd=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_struct_spwd=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi - -echo "$as_me:24462: result: $ac_cv_struct_spwd" >&5 -echo "${ECHO_T}$ac_cv_struct_spwd" >&6 - -if test "$ac_cv_struct_spwd" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_SPWD 1 -_ACEOF - -fi - - - -LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)" - - -LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken" - - - -# Check whether --with-openldap or --without-openldap was given. -if test "${with_openldap+set}" = set; then - withval="$with_openldap" - -fi; - -# Check whether --with-openldap-lib or --without-openldap-lib was given. -if test "${with_openldap_lib+set}" = set; then - withval="$with_openldap_lib" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:24492: error: No argument for --with-openldap-lib" >&5 -echo "$as_me: error: No argument for --with-openldap-lib" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_openldap" = "X"; then - with_openldap=yes -fi -fi; - -# Check whether --with-openldap-include or --without-openldap-include was given. 
-if test "${with_openldap_include+set}" = set; then - withval="$with_openldap_include" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:24504: error: No argument for --with-openldap-include" >&5 -echo "$as_me: error: No argument for --with-openldap-include" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_openldap" = "X"; then - with_openldap=yes -fi -fi; - -# Check whether --with-openldap-config or --without-openldap-config was given. -if test "${with_openldap_config+set}" = set; then - withval="$with_openldap_config" - -fi; - - - -echo "$as_me:24520: checking for openldap" >&5 -echo $ECHO_N "checking for openldap... $ECHO_C" >&6 - -case "$with_openldap" in -yes|"") d='' ;; -no) d= ;; -*) d="$with_openldap" ;; -esac - -header_dirs= -lib_dirs= -for i in $d; do - if test "$with_openldap_include" = ""; then - if test -d "$i/include/openldap"; then - header_dirs="$header_dirs $i/include/openldap" - fi - if test -d "$i/include"; then - header_dirs="$header_dirs $i/include" - fi - fi - if test "$with_openldap_lib" = ""; then - if test -d "$i/lib$abilibdirext"; then - lib_dirs="$lib_dirs $i/lib$abilibdirext" - fi - fi -done - -if test "$with_openldap_include"; then - header_dirs="$with_openldap_include $header_dirs" -fi -if test "$with_openldap_lib"; then - lib_dirs="$with_openldap_lib $lib_dirs" -fi - -if test "$with_openldap_config" = ""; then - with_openldap_config='' -fi - -openldap_cflags= -openldap_libs= - -case "$with_openldap_config" in -yes|no|"") - ;; -*) - openldap_cflags="`$with_openldap_config --cflags 2>&1`" - openldap_libs="`$with_openldap_config --libs 2>&1`" - ;; -esac - -found=no -if test "$with_openldap" != no; then - save_CFLAGS="$CFLAGS" - save_LIBS="$LIBS" - if test "$openldap_cflags" -a "$openldap_libs"; then - CFLAGS="$openldap_cflags $save_CFLAGS" - LIBS="$openldap_libs $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 24578 "configure" -#include "confdefs.h" -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef 
__cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:24597: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:24600: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:24603: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24606: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - - INCLUDE_openldap="$openldap_cflags" - LIB_openldap="$openldap_libs" - echo "$as_me:24611: result: from $with_openldap_config" >&5 -echo "${ECHO_T}from $with_openldap_config" >&6 - found=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - fi - if test "$found" = no; then - ires= lres= - for i in $header_dirs; do - CFLAGS="-I$i $save_CFLAGS" - cat >conftest.$ac_ext <<_ACEOF -#line 24625 "configure" -#include "confdefs.h" -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24644: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24647: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24650: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24653: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ires=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - done - for i in $lib_dirs; do - LIBS="-L$i -lldap -llber $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 24665 "configure" -#include "confdefs.h" -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:24684: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:24687: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:24690: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24693: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - lres=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - if test "$ires" -a "$lres" -a "$with_openldap" != "no"; then - INCLUDE_openldap="-I$ires" - LIB_openldap="-L$lres -lldap -llber" - found=yes - echo "$as_me:24706: result: headers $ires, libraries $lres" >&5 -echo "${ECHO_T}headers $ires, libraries $lres" >&6 - fi - fi - CFLAGS="$save_CFLAGS" - LIBS="$save_LIBS" -fi - -if test "$found" = yes; then - -cat >>confdefs.h <<_ACEOF -#define OPENLDAP 1 -_ACEOF - - with_openldap=yes -else - with_openldap=no - INCLUDE_openldap= - LIB_openldap= - echo "$as_me:24725: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - - - - -if test "$openldap_libdir"; then - LIB_openldap="-R $openldap_libdir $LIB_openldap" -fi - - - -# Check whether --with-krb4 or --without-krb4 was given. -if test "${with_krb4+set}" = set; then - withval="$with_krb4" - -fi; - -# Check whether --with-krb4-lib or --without-krb4-lib was given. 
-if test "${with_krb4_lib+set}" = set; then - withval="$with_krb4_lib" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:24749: error: No argument for --with-krb4-lib" >&5 -echo "$as_me: error: No argument for --with-krb4-lib" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_krb4" = "X"; then - with_krb4=yes -fi -fi; - -# Check whether --with-krb4-include or --without-krb4-include was given. -if test "${with_krb4_include+set}" = set; then - withval="$with_krb4_include" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:24761: error: No argument for --with-krb4-include" >&5 -echo "$as_me: error: No argument for --with-krb4-include" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_krb4" = "X"; then - with_krb4=yes -fi -fi; - -# Check whether --with-krb4-config or --without-krb4-config was given. -if test "${with_krb4_config+set}" = set; then - withval="$with_krb4_config" - -fi; - - - -echo "$as_me:24777: checking for krb4" >&5 -echo $ECHO_N "checking for krb4... 
$ECHO_C" >&6 - -case "$with_krb4" in -yes|"") d='/usr/athena' ;; -no) d= ;; -*) d="$with_krb4" ;; -esac - -header_dirs= -lib_dirs= -for i in $d; do - if test "$with_krb4_include" = ""; then - if test -d "$i/include/krb4"; then - header_dirs="$header_dirs $i/include/krb4" - fi - if test -d "$i/include"; then - header_dirs="$header_dirs $i/include" - fi - fi - if test "$with_krb4_lib" = ""; then - if test -d "$i/lib$abilibdirext"; then - lib_dirs="$lib_dirs $i/lib$abilibdirext" - fi - fi -done - -if test "$with_krb4_include"; then - header_dirs="$with_krb4_include $header_dirs" -fi -if test "$with_krb4_lib"; then - lib_dirs="$with_krb4_lib $lib_dirs" -fi - -if test "$with_krb4_config" = ""; then - with_krb4_config='krb4-config' -fi - -krb4_cflags= -krb4_libs= - -case "$with_krb4_config" in -yes|no|"") - ;; -*) - krb4_cflags="`$with_krb4_config --cflags 2>&1`" - krb4_libs="`$with_krb4_config --libs 2>&1`" - ;; -esac - -found=no -if test "$with_krb4" != no; then - save_CFLAGS="$CFLAGS" - save_LIBS="$LIBS" - if test "$krb4_cflags" -a "$krb4_libs"; then - CFLAGS="$krb4_cflags $save_CFLAGS" - LIBS="$krb4_libs $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 24835 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:24853: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:24856: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:24859: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24862: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - - INCLUDE_krb4="$krb4_cflags" - LIB_krb4="$krb4_libs" - echo "$as_me:24867: result: from $with_krb4_config" >&5 -echo "${ECHO_T}from $with_krb4_config" >&6 - found=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - fi - if test "$found" = no; then - ires= lres= - for i in $header_dirs; do - CFLAGS="-I$i $save_CFLAGS" - cat >conftest.$ac_ext <<_ACEOF -#line 24881 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:24899: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:24902: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:24905: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24908: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ires=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - done - for i in $lib_dirs; do - LIBS="-L$i -lkrb -ldes $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 24920 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:24938: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:24941: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:24944: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:24947: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - lres=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - if test "$ires" -a "$lres" -a "$with_krb4" != "no"; then - INCLUDE_krb4="-I$ires" - LIB_krb4="-L$lres -lkrb" - found=yes - echo "$as_me:24960: result: headers $ires, libraries $lres" >&5 -echo "${ECHO_T}headers $ires, libraries $lres" >&6 - fi - fi - CFLAGS="$save_CFLAGS" - LIBS="$save_LIBS" -fi - -if test "$found" = yes; then - -cat >>confdefs.h <<_ACEOF -#define KRB4 1 -_ACEOF - - with_krb4=yes -else - with_krb4=no - INCLUDE_krb4= - LIB_krb4= - echo "$as_me:24979: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - - - - -LIB_kdb= -if test "$with_krb4" != "no"; then - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $INCLUDE_krb4" - save_LIBS="$LIBS" - LIBS="$LIB_krb4 $LIBS" - EXTRA_LIB45=lib45.a - - echo "$as_me:24995: checking for four valued krb_put_int" >&5 -echo $ECHO_N "checking for four valued krb_put_int... $ECHO_C" >&6 -if test "${ac_cv_func_krb_put_int_four+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25001 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - char tmp[4]; - krb_put_int(17, tmp, 4, sizeof(tmp)); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:25021: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:25024: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:25027: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25030: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_krb_put_int_four=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_krb_put_int_four=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi -echo "$as_me:25041: result: $ac_cv_func_krb_put_int_four" >&5 -echo "${ECHO_T}$ac_cv_func_krb_put_int_four" >&6 - if test "$ac_cv_func_krb_put_int_four" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_FOUR_VALUED_KRB_PUT_INT 1 -_ACEOF - - fi - - - echo "$as_me:25052: checking for KRB_VERIFY_SECURE" >&5 -echo $ECHO_N "checking for KRB_VERIFY_SECURE... $ECHO_C" >&6 -if test "${ac_cv_func_krb_verify_secure+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25058 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - int x = KRB_VERIFY_SECURE - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:25077: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:25080: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:25083: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25086: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_krb_verify_secure=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_krb_verify_secure=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi -echo "$as_me:25097: result: $ac_cv_func_krb_verify_secure" >&5 -echo "${ECHO_T}$ac_cv_func_krb_verify_secure" >&6 - if test "$ac_cv_func_krb_verify_secure" != yes; then - -cat >>confdefs.h <<\_ACEOF -#define KRB_VERIFY_SECURE 1 -_ACEOF - - -cat >>confdefs.h <<\_ACEOF -#define KRB_VERIFY_SECURE_FAIL 2 -_ACEOF - - fi - echo "$as_me:25111: checking for KRB_VERIFY_NOT_SECURE" >&5 -echo $ECHO_N "checking for KRB_VERIFY_NOT_SECURE... $ECHO_C" >&6 -if test "${ac_cv_func_krb_verify_not_secure+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25117 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - int x = KRB_VERIFY_NOT_SECURE - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:25136: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:25139: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:25142: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25145: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_krb_verify_not_secure=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_krb_verify_not_secure=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi -echo "$as_me:25156: result: $ac_cv_func_krb_verify_not_secure" >&5 -echo "${ECHO_T}$ac_cv_func_krb_verify_not_secure" >&6 - if test "$ac_cv_func_krb_verify_not_secure" != yes; then - -cat >>confdefs.h <<\_ACEOF -#define KRB_VERIFY_NOT_SECURE 0 -_ACEOF - - fi - - - - -echo "$as_me:25169: checking for krb_enable_debug" >&5 -echo $ECHO_N "checking for krb_enable_debug... $ECHO_C" >&6 -if test "${ac_cv_funclib_krb_enable_debug+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_krb_enable_debug\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 25187 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -krb_enable_debug() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25205: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25208: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25211: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25214: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_enable_debug=$ac_lib; else ac_cv_funclib_krb_enable_debug=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_krb_enable_debug=\${ac_cv_funclib_krb_enable_debug-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_krb_enable_debug" - -if false; then - -for ac_func in krb_enable_debug -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:25237: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25243 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25280: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25283: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25286: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25289: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:25299: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# krb_enable_debug -eval "ac_tr_func=HAVE_`echo krb_enable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_krb_enable_debug=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_krb_enable_debug=yes" - eval "LIB_krb_enable_debug=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:25323: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_krb_enable_debug=no" - eval "LIB_krb_enable_debug=" - echo "$as_me:25329: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_krb_enable_debug=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:25343: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_krb_enable_debug"; then - LIBS="$LIB_krb_enable_debug $LIBS" -fi - - - - - -echo "$as_me:25357: checking for krb_disable_debug" >&5 -echo $ECHO_N "checking for krb_disable_debug... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_krb_disable_debug+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_krb_disable_debug\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 25375 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -krb_disable_debug() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25393: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25396: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25399: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25402: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_disable_debug=$ac_lib; else ac_cv_funclib_krb_disable_debug=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_krb_disable_debug=\${ac_cv_funclib_krb_disable_debug-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_krb_disable_debug" - -if false; then - -for ac_func in krb_disable_debug -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:25425: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25431 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25468: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25471: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25474: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25477: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:25487: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# krb_disable_debug -eval "ac_tr_func=HAVE_`echo krb_disable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_krb_disable_debug=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_krb_disable_debug=yes" - eval "LIB_krb_disable_debug=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:25511: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_krb_disable_debug=no" - eval "LIB_krb_disable_debug=" - echo "$as_me:25517: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_krb_disable_debug=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:25531: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_krb_disable_debug"; then - LIBS="$LIB_krb_disable_debug $LIBS" -fi - - - - - -echo "$as_me:25545: checking for krb_get_our_ip_for_realm" >&5 -echo $ECHO_N "checking for krb_get_our_ip_for_realm... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_krb_get_our_ip_for_realm+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_krb_get_our_ip_for_realm\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 25563 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -krb_get_our_ip_for_realm() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25581: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25584: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25587: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25590: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_get_our_ip_for_realm=$ac_lib; else ac_cv_funclib_krb_get_our_ip_for_realm=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_krb_get_our_ip_for_realm=\${ac_cv_funclib_krb_get_our_ip_for_realm-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_krb_get_our_ip_for_realm" - -if false; then - -for ac_func in krb_get_our_ip_for_realm -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:25613: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25619 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25656: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25659: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25662: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25665: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:25675: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# krb_get_our_ip_for_realm -eval "ac_tr_func=HAVE_`echo krb_get_our_ip_for_realm | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_krb_get_our_ip_for_realm=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_krb_get_our_ip_for_realm=yes" - eval "LIB_krb_get_our_ip_for_realm=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:25699: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_krb_get_our_ip_for_realm=no" - eval "LIB_krb_get_our_ip_for_realm=" - echo "$as_me:25705: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_krb_get_our_ip_for_realm=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:25719: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_krb_get_our_ip_for_realm"; then - LIBS="$LIB_krb_get_our_ip_for_realm $LIBS" -fi - - - - - -echo "$as_me:25733: checking for krb_kdctimeofday" >&5 -echo $ECHO_N "checking for krb_kdctimeofday... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_krb_kdctimeofday+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_krb_kdctimeofday\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 25751 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -krb_kdctimeofday() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25769: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25772: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25775: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25778: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_kdctimeofday=$ac_lib; else ac_cv_funclib_krb_kdctimeofday=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_krb_kdctimeofday=\${ac_cv_funclib_krb_kdctimeofday-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_krb_kdctimeofday" - -if false; then - -for ac_func in krb_kdctimeofday -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:25801: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25807 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25844: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25847: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25850: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25853: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:25863: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# krb_kdctimeofday -eval "ac_tr_func=HAVE_`echo krb_kdctimeofday | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_krb_kdctimeofday=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_krb_kdctimeofday=yes" - eval "LIB_krb_kdctimeofday=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:25887: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_krb_kdctimeofday=no" - eval "LIB_krb_kdctimeofday=" - echo "$as_me:25893: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_krb_kdctimeofday=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:25907: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_krb_kdctimeofday"; then - LIBS="$LIB_krb_kdctimeofday $LIBS" -fi - - - - - - - -echo "$as_me:25923: checking for krb_get_kdc_time_diff" >&5 -echo $ECHO_N "checking for krb_get_kdc_time_diff... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_krb_get_kdc_time_diff+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_krb_get_kdc_time_diff\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 25941 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -krb_get_kdc_time_diff() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:25959: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:25962: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:25965: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:25968: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_get_kdc_time_diff=$ac_lib; else ac_cv_funclib_krb_get_kdc_time_diff=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_krb_get_kdc_time_diff=\${ac_cv_funclib_krb_get_kdc_time_diff-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_krb_get_kdc_time_diff" - -if false; then - -for ac_func in krb_get_kdc_time_diff -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:25991: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 25997 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:26034: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:26037: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:26040: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26043: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:26053: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# krb_get_kdc_time_diff -eval "ac_tr_func=HAVE_`echo krb_get_kdc_time_diff | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_krb_get_kdc_time_diff=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_krb_get_kdc_time_diff=yes" - eval "LIB_krb_get_kdc_time_diff=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:26077: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_krb_get_kdc_time_diff=no" - eval "LIB_krb_get_kdc_time_diff=" - echo "$as_me:26083: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_krb_get_kdc_time_diff=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:26097: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test -n "$LIB_krb_get_kdc_time_diff"; then - LIBS="$LIB_krb_get_kdc_time_diff $LIBS" -fi - - - - echo "$as_me:26109: checking for KRB_SENDAUTH_VERS" >&5 -echo $ECHO_N "checking for KRB_SENDAUTH_VERS... 
$ECHO_C" >&6 -if test "${ac_cv_func_krb_sendauth_vers+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 26115 "configure" -#include "confdefs.h" -#include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - char *x = KRB_SENDAUTH_VERS - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:26135: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:26138: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:26141: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26144: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_krb_sendauth_vers=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_krb_sendauth_vers=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi -echo "$as_me:26155: result: $ac_cv_func_krb_sendauth_vers" >&5 -echo "${ECHO_T}$ac_cv_func_krb_sendauth_vers" >&6 - if test "$ac_cv_func_krb_sendauth_vers" != yes; then - -cat >>confdefs.h <<\_ACEOF -#define KRB_SENDAUTH_VERS "AUTHV0.1" -_ACEOF - - fi - echo "$as_me:26164: checking for krb_mk_req with const arguments" >&5 -echo $ECHO_N "checking for krb_mk_req with const arguments... $ECHO_C" >&6 -if test "${ac_cv_func_krb_mk_req_const+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 26170 "configure" -#include "confdefs.h" -#include - int krb_mk_req(KTEXT a, const char *s, const char *i, - const char *r, int32_t checksum) - { return 17; } -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:26191: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? 
- echo "$as_me:26194: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:26197: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26200: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_krb_mk_req_const=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_krb_mk_req_const=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - -fi -echo "$as_me:26211: result: $ac_cv_func_krb_mk_req_const" >&5 -echo "${ECHO_T}$ac_cv_func_krb_mk_req_const" >&6 - if test "$ac_cv_func_krb_mk_req_const" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define KRB_MK_REQ_CONST 1 -_ACEOF - - fi - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - LIB_kdb="-lkdb -lkrb" - if test "$krb4_libdir"; then - LIB_krb4="-R $krb4_libdir $LIB_krb4" - LIB_kdb="-R $krb4_libdir -L$krb4_libdir $LIB_kdb" - fi -fi - - -if test "$with_krb4" != "no"; then - KRB4_TRUE= - KRB4_FALSE='#' -else - KRB4_TRUE='#' - KRB4_FALSE= -fi - - - -if true; then - KRB5_TRUE= - KRB5_FALSE='#' -else - KRB5_TRUE='#' - KRB5_FALSE= -fi - - - -if true; then - do_roken_rename_TRUE= - do_roken_rename_FALSE='#' -else - do_roken_rename_TRUE='#' - do_roken_rename_FALSE= -fi - - - -cat >>confdefs.h <<\_ACEOF -#define KRB5 1 -_ACEOF - -# Check whether --enable-dce or --disable-dce was given. 
-if test "${enable_dce+set}" = set; then - enableval="$enable_dce" - -fi; -if test "$enable_dce" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define DCE 1 -_ACEOF - -fi - - -if test "$enable_dce" = yes; then - DCE_TRUE= - DCE_FALSE='#' -else - DCE_TRUE='#' - DCE_FALSE= -fi - - -## XXX quite horrible: -if test -f /etc/ibmcxx.cfg; then - dpagaix_ldadd=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/libraries/{;s/^[^=]*=\(.*\)/\1/;s/,/ /gp;}'` - dpagaix_cflags=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/options/{;s/^[^=]*=\(.*\)/\1/;s/-q^,*//;s/,/ /gp;}'` - dpagaix_ldflags= -else - dpagaix_cflags="-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce" - dpagaix_ldadd="-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r" - dpagaix_ldflags="-Wl,-bI:dfspag.exp" -fi - - - - - -# Check whether --enable-otp or --disable-otp was given. -if test "${enable_otp+set}" = set; then - enableval="$enable_otp" - -fi; -if test "$enable_otp" = yes -a "$db_type" = unknown; then - { { echo "$as_me:26309: error: OTP requires a NDBM/DB compatible library" >&5 -echo "$as_me: error: OTP requires a NDBM/DB compatible library" >&2;} - { (exit 1); exit 1; }; } -fi -if test "$enable_otp" != no; then - if test "$db_type" != unknown; then - enable_otp=yes - else - enable_otp=no - fi -fi -if test "$enable_otp" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define OTP 1 -_ACEOF - - LIB_otp='$(top_builddir)/lib/otp/libotp.la' - -fi -echo "$as_me:26329: checking whether to enable OTP library" >&5 -echo $ECHO_N "checking whether to enable OTP library... $ECHO_C" >&6 -echo "$as_me:26331: result: $enable_otp" >&5 -echo "${ECHO_T}$enable_otp" >&6 - - -if test "$enable_otp" = yes; then - OTP_TRUE= - OTP_FALSE='#' -else - OTP_TRUE='#' - OTP_FALSE= -fi - - - -# Check whether --enable-osfc2 or --disable-osfc2 was given. 
-if test "${enable_osfc2+set}" = set; then - enableval="$enable_osfc2" - -fi; -LIB_security= -if test "$enable_osfc2" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_OSFC2 1 -_ACEOF - - LIB_security=-lsecurity -fi - - - -# Extract the first word of "nroff", so it can be a program name with args. -set dummy nroff; ac_word=$2 -echo "$as_me:26364: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_path_NROFF+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - case $NROFF in - [\\/]* | ?:[\\/]*) - ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_NROFF="$as_dir/$ac_word$ac_exec_ext" - echo "$as_me:26382: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - - ;; -esac -fi -NROFF=$ac_cv_path_NROFF - -if test -n "$NROFF"; then - echo "$as_me:26394: result: $NROFF" >&5 -echo "${ECHO_T}$NROFF" >&6 -else - echo "$as_me:26397: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -# Extract the first word of "groff", so it can be a program name with args. -set dummy groff; ac_word=$2 -echo "$as_me:26403: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_path_GROFF+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - case $GROFF in - [\\/]* | ?:[\\/]*) - ac_cv_path_GROFF="$GROFF" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_GROFF="$as_dir/$ac_word$ac_exec_ext" - echo "$as_me:26421: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - - ;; -esac -fi -GROFF=$ac_cv_path_GROFF - -if test -n "$GROFF"; then - echo "$as_me:26433: result: $GROFF" >&5 -echo "${ECHO_T}$GROFF" >&6 -else - echo "$as_me:26436: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -echo "$as_me:26440: checking how to format man pages" >&5 -echo $ECHO_N "checking how to format man pages... $ECHO_C" >&6 -if test "${ac_cv_sys_man_format+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat > conftest.1 << END -.Dd January 1, 1970 -.Dt CONFTEST 1 -.Sh NAME -.Nm conftest -.Nd -foobar -END - -if test "$NROFF" ; then - for i in "-mdoc" "-mandoc"; do - if "$NROFF" $i conftest.1 2> /dev/null | \ - grep Jan > /dev/null 2>&1 ; then - ac_cv_sys_man_format="$NROFF $i" - break - fi - done -fi -if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then - for i in "-mdoc" "-mandoc"; do - if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \ - grep Jan > /dev/null 2>&1 ; then - ac_cv_sys_man_format="$GROFF -Tascii $i" - break - fi - done -fi -if test "$ac_cv_sys_man_format"; then - ac_cv_sys_man_format="$ac_cv_sys_man_format \$< > \$@" -fi - -fi -echo "$as_me:26477: result: $ac_cv_sys_man_format" >&5 -echo "${ECHO_T}$ac_cv_sys_man_format" >&6 -if test "$ac_cv_sys_man_format"; then - CATMAN="$ac_cv_sys_man_format" - -fi - - -if test "$CATMAN"; then - CATMAN_TRUE= - CATMAN_FALSE='#' -else - CATMAN_TRUE='#' - CATMAN_FALSE= -fi - -echo "$as_me:26493: checking extension of pre-formatted manual pages" >&5 -echo $ECHO_N "checking extension of pre-formatted manual pages... 
$ECHO_C" >&6 -if test "${ac_cv_sys_catman_ext+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if grep _suffix /etc/man.conf > /dev/null 2>&1; then - ac_cv_sys_catman_ext=0 -else - ac_cv_sys_catman_ext=number -fi - -fi -echo "$as_me:26505: result: $ac_cv_sys_catman_ext" >&5 -echo "${ECHO_T}$ac_cv_sys_catman_ext" >&6 -if test "$ac_cv_sys_catman_ext" = number; then - CATMANEXT='$$section' -else - CATMANEXT=0 -fi - - - - - -# Check whether --with-readline or --without-readline was given. -if test "${with_readline+set}" = set; then - withval="$with_readline" - -fi; - -# Check whether --with-readline-lib or --without-readline-lib was given. -if test "${with_readline_lib+set}" = set; then - withval="$with_readline_lib" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:26527: error: No argument for --with-readline-lib" >&5 -echo "$as_me: error: No argument for --with-readline-lib" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_readline" = "X"; then - with_readline=yes -fi -fi; - -# Check whether --with-readline-include or --without-readline-include was given. -if test "${with_readline_include+set}" = set; then - withval="$with_readline_include" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:26539: error: No argument for --with-readline-include" >&5 -echo "$as_me: error: No argument for --with-readline-include" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_readline" = "X"; then - with_readline=yes -fi -fi; - -# Check whether --with-readline-config or --without-readline-config was given. -if test "${with_readline_config+set}" = set; then - withval="$with_readline_config" - -fi; - - - -echo "$as_me:26555: checking for readline" >&5 -echo $ECHO_N "checking for readline... 
$ECHO_C" >&6 - -case "$with_readline" in -yes|"") d='' ;; -no) d= ;; -*) d="$with_readline" ;; -esac - -header_dirs= -lib_dirs= -for i in $d; do - if test "$with_readline_include" = ""; then - if test -d "$i/include/readline"; then - header_dirs="$header_dirs $i/include/readline" - fi - if test -d "$i/include"; then - header_dirs="$header_dirs $i/include" - fi - fi - if test "$with_readline_lib" = ""; then - if test -d "$i/lib$abilibdirext"; then - lib_dirs="$lib_dirs $i/lib$abilibdirext" - fi - fi -done - -if test "$with_readline_include"; then - header_dirs="$with_readline_include $header_dirs" -fi -if test "$with_readline_lib"; then - lib_dirs="$with_readline_lib $lib_dirs" -fi - -if test "$with_readline_config" = ""; then - with_readline_config='' -fi - -readline_cflags= -readline_libs= - -case "$with_readline_config" in -yes|no|"") - ;; -*) - readline_cflags="`$with_readline_config --cflags 2>&1`" - readline_libs="`$with_readline_config --libs 2>&1`" - ;; -esac - -found=no -if test "$with_readline" != no; then - save_CFLAGS="$CFLAGS" - save_LIBS="$LIBS" - if test "$readline_cflags" -a "$readline_libs"; then - CFLAGS="$readline_cflags $save_CFLAGS" - LIBS="$readline_libs $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 26613 "configure" -#include "confdefs.h" -#include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:26632: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:26635: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:26638: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26641: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - - INCLUDE_readline="$readline_cflags" - LIB_readline="$readline_libs" - echo "$as_me:26646: result: from $with_readline_config" >&5 -echo "${ECHO_T}from $with_readline_config" >&6 - found=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - fi - if test "$found" = no; then - ires= lres= - for i in $header_dirs; do - CFLAGS="-I$i $save_CFLAGS" - cat >conftest.$ac_ext <<_ACEOF -#line 26660 "configure" -#include "confdefs.h" -#include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:26679: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:26682: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:26685: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26688: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ires=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - done - for i in $lib_dirs; do - LIBS="-L$i -lreadline $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 26700 "configure" -#include "confdefs.h" -#include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:26719: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:26722: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:26725: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26728: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - lres=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - if test "$ires" -a "$lres" -a "$with_readline" != "no"; then - INCLUDE_readline="-I$ires" - LIB_readline="-L$lres -lreadline" - found=yes - echo "$as_me:26741: result: headers $ires, libraries $lres" >&5 -echo "${ECHO_T}headers $ires, libraries $lres" >&6 - fi - fi - CFLAGS="$save_CFLAGS" - LIBS="$save_LIBS" -fi - -if test "$found" = yes; then - -cat >>confdefs.h <<_ACEOF -#define READLINE 1 -_ACEOF - - with_readline=yes -else - with_readline=no - INCLUDE_readline= - LIB_readline= - echo "$as_me:26760: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - - - - - - -# Check whether --with-hesiod or --without-hesiod was given. -if test "${with_hesiod+set}" = set; then - withval="$with_hesiod" - -fi; - -# Check whether --with-hesiod-lib or --without-hesiod-lib was given. -if test "${with_hesiod_lib+set}" = set; then - withval="$with_hesiod_lib" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:26780: error: No argument for --with-hesiod-lib" >&5 -echo "$as_me: error: No argument for --with-hesiod-lib" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_hesiod" = "X"; then - with_hesiod=yes -fi -fi; - -# Check whether --with-hesiod-include or --without-hesiod-include was given. -if test "${with_hesiod_include+set}" = set; then - withval="$with_hesiod_include" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:26792: error: No argument for --with-hesiod-include" >&5 -echo "$as_me: error: No argument for --with-hesiod-include" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_hesiod" = "X"; then - with_hesiod=yes -fi -fi; - -# Check whether --with-hesiod-config or --without-hesiod-config was given. 
-if test "${with_hesiod_config+set}" = set; then - withval="$with_hesiod_config" - -fi; - - - -echo "$as_me:26808: checking for hesiod" >&5 -echo $ECHO_N "checking for hesiod... $ECHO_C" >&6 - -case "$with_hesiod" in -yes|"") d='' ;; -no) d= ;; -*) d="$with_hesiod" ;; -esac - -header_dirs= -lib_dirs= -for i in $d; do - if test "$with_hesiod_include" = ""; then - if test -d "$i/include/hesiod"; then - header_dirs="$header_dirs $i/include/hesiod" - fi - if test -d "$i/include"; then - header_dirs="$header_dirs $i/include" - fi - fi - if test "$with_hesiod_lib" = ""; then - if test -d "$i/lib$abilibdirext"; then - lib_dirs="$lib_dirs $i/lib$abilibdirext" - fi - fi -done - -if test "$with_hesiod_include"; then - header_dirs="$with_hesiod_include $header_dirs" -fi -if test "$with_hesiod_lib"; then - lib_dirs="$with_hesiod_lib $lib_dirs" -fi - -if test "$with_hesiod_config" = ""; then - with_hesiod_config='' -fi - -hesiod_cflags= -hesiod_libs= - -case "$with_hesiod_config" in -yes|no|"") - ;; -*) - hesiod_cflags="`$with_hesiod_config --cflags 2>&1`" - hesiod_libs="`$with_hesiod_config --libs 2>&1`" - ;; -esac - -found=no -if test "$with_hesiod" != no; then - save_CFLAGS="$CFLAGS" - save_LIBS="$LIBS" - if test "$hesiod_cflags" -a "$hesiod_libs"; then - CFLAGS="$hesiod_cflags $save_CFLAGS" - LIBS="$hesiod_libs $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 26866 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:26884: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:26887: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:26890: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26893: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - - INCLUDE_hesiod="$hesiod_cflags" - LIB_hesiod="$hesiod_libs" - echo "$as_me:26898: result: from $with_hesiod_config" >&5 -echo "${ECHO_T}from $with_hesiod_config" >&6 - found=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - fi - if test "$found" = no; then - ires= lres= - for i in $header_dirs; do - CFLAGS="-I$i $save_CFLAGS" - cat >conftest.$ac_ext <<_ACEOF -#line 26912 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:26930: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:26933: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:26936: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26939: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ires=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - done - for i in $lib_dirs; do - LIBS="-L$i -lhesiod $save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 26951 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:26969: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:26972: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:26975: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:26978: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - lres=$i;break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - if test "$ires" -a "$lres" -a "$with_hesiod" != "no"; then - INCLUDE_hesiod="-I$ires" - LIB_hesiod="-L$lres -lhesiod" - found=yes - echo "$as_me:26991: result: headers $ires, libraries $lres" >&5 -echo "${ECHO_T}headers $ires, libraries $lres" >&6 - fi - fi - CFLAGS="$save_CFLAGS" - LIBS="$save_LIBS" -fi - -if test "$found" = yes; then - -cat >>confdefs.h <<_ACEOF -#define HESIOD 1 -_ACEOF - - with_hesiod=yes -else - with_hesiod=no - INCLUDE_hesiod= - LIB_hesiod= - echo "$as_me:27010: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - - - - - -# Check whether --enable-bigendian or --disable-bigendian was given. -if test "${enable_bigendian+set}" = set; then - enableval="$enable_bigendian" - krb_cv_c_bigendian=yes -fi; -# Check whether --enable-littleendian or --disable-littleendian was given. -if test "${enable_littleendian+set}" = set; then - enableval="$enable_littleendian" - krb_cv_c_bigendian=no -fi; -echo "$as_me:27029: checking whether byte order is known at compile time" >&5 -echo $ECHO_N "checking whether byte order is known at compile time... $ECHO_C" >&6 -if test "${krb_cv_c_bigendian_compile+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 27035 "configure" -#include "confdefs.h" - -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN - bogus endian macros -#endif - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:27058: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:27061: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:27064: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27067: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - krb_cv_c_bigendian_compile=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -krb_cv_c_bigendian_compile=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:27077: result: $krb_cv_c_bigendian_compile" >&5 -echo "${ECHO_T}$krb_cv_c_bigendian_compile" >&6 -echo "$as_me:27079: checking whether byte ordering is bigendian" >&5 -echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6 -if test "${krb_cv_c_bigendian+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - - if test "$krb_cv_c_bigendian_compile" = "yes"; then - cat >conftest.$ac_ext <<_ACEOF -#line 27087 "configure" -#include "confdefs.h" - -#include -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - -#if BYTE_ORDER != BIG_ENDIAN - not big endian -#endif - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:27110: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:27113: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:27116: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27119: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - krb_cv_c_bigendian=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -krb_cv_c_bigendian=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext - else - if test "$cross_compiling" = yes; then - { { echo "$as_me:27130: error: specify either --enable-bigendian or --enable-littleendian" >&5 -echo "$as_me: error: specify either --enable-bigendian or --enable-littleendian" >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -#line 27135 "configure" -#include "confdefs.h" -main () { - /* Are we little or big endian? From Harbison&Steele. */ - union - { - long l; - char c[sizeof (long)]; - } u; - u.l = 1; - exit (u.c[sizeof (long) - 1] == 1); - } -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:27149: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:27152: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:27154: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27157: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - krb_cv_c_bigendian=no -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -krb_cv_c_bigendian=yes -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - fi - -fi -echo "$as_me:27172: result: $krb_cv_c_bigendian" >&5 -echo "${ECHO_T}$krb_cv_c_bigendian" >&6 -if test "$krb_cv_c_bigendian" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define WORDS_BIGENDIAN 1 -_ACEOF -fi -if test "$krb_cv_c_bigendian_compile" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define ENDIANESS_IN_SYS_PARAM_H 1 -_ACEOF -fi - - - -echo "$as_me:27189: checking for inline" >&5 -echo $ECHO_N "checking for inline... 
$ECHO_C" >&6 -if test "${ac_cv_c_inline+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_c_inline=no -for ac_kw in inline __inline__ __inline; do - cat >conftest.$ac_ext <<_ACEOF -#line 27197 "configure" -#include "confdefs.h" -#ifndef __cplusplus -static $ac_kw int static_foo () {return 0; } -$ac_kw int foo () {return 0; } -#endif - -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:27206: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:27209: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:27212: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27215: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_c_inline=$ac_kw; break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext -done - -fi -echo "$as_me:27226: result: $ac_cv_c_inline" >&5 -echo "${ECHO_T}$ac_cv_c_inline" >&6 -case $ac_cv_c_inline in - inline | yes) ;; - no) -cat >>confdefs.h <<\_ACEOF -#define inline -_ACEOF - ;; - *) cat >>confdefs.h <<_ACEOF -#define inline $ac_cv_c_inline -_ACEOF - ;; -esac - - - - - - -echo "$as_me:27246: checking for dlopen" >&5 -echo $ECHO_N "checking for dlopen... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_dlopen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_dlopen\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" dl; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 27264 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dlopen() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:27282: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:27285: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:27288: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27291: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_dlopen=$ac_lib; else ac_cv_funclib_dlopen=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_dlopen=\${ac_cv_funclib_dlopen-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_dlopen" - -if false; then - -for ac_func in dlopen -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:27314: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 27320 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:27357: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:27360: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:27363: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27366: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:27376: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# dlopen -eval "ac_tr_func=HAVE_`echo dlopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_dlopen=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_dlopen=yes" - eval "LIB_dlopen=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:27400: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_dlopen=no" - eval "LIB_dlopen=" - echo "$as_me:27406: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_dlopen=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:27420: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - -if test "$ac_cv_funclib_dlopen" != no; then - HAVE_DLOPEN_TRUE= - HAVE_DLOPEN_FALSE='#' -else - HAVE_DLOPEN_TRUE='#' - HAVE_DLOPEN_FALSE= -fi - - - - -aix=no -case "$host" in -*-*-aix3*) - aix=3 - ;; -*-*-aix4*|*-*-aix5*) - aix=4 - ;; -esac - - - -if test "$aix" != no; then - AIX_TRUE= - AIX_FALSE='#' -else - AIX_TRUE='#' - AIX_FALSE= -fi - - -if test "$aix" = 4; then - AIX4_TRUE= - AIX4_FALSE='#' -else - AIX4_TRUE='#' - AIX4_FALSE= -fi - - - -# Check whether --enable-dynamic-afs or --disable-dynamic-afs was given. 
-if test "${enable_dynamic_afs+set}" = set; then - enableval="$enable_dynamic_afs" - -fi; - -if test "$aix" != no; then - if test "$enable_dynamic_afs" != no; then - - if test "$ac_cv_func_dlopen" = no; then - - - -echo "$as_me:27483: checking for loadquery" >&5 -echo $ECHO_N "checking for loadquery... $ECHO_C" >&6 -if test "${ac_cv_funclib_loadquery+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_loadquery\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" ld; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 27501 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -loadquery() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:27519: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:27522: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:27525: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27528: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_loadquery=$ac_lib; else ac_cv_funclib_loadquery=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_loadquery=\${ac_cv_funclib_loadquery-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_loadquery" - -if false; then - -for ac_func in loadquery -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:27551: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 27557 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:27594: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:27597: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:27600: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27603: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:27613: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# loadquery -eval "ac_tr_func=HAVE_`echo loadquery | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_loadquery=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_loadquery=yes" - eval "LIB_loadquery=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:27637: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_loadquery=no" - eval "LIB_loadquery=" - echo "$as_me:27643: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_loadquery=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:27657: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - fi - if test "$ac_cv_func_dlopen" != no; then - AIX_EXTRA_KAFS='$(LIB_dlopen)' - elif test "$ac_cv_func_loadquery" != no; then - AIX_EXTRA_KAFS='$(LIB_loadquery)' - else - { echo "$as_me:27669: not using dynloaded AFS library" >&5 -echo "$as_me: not using dynloaded AFS library" >&6;} - AIX_EXTRA_KAFS= - enable_dynamic_afs=no - fi - else - AIX_EXTRA_KAFS= - fi -fi - - - -if test "$enable_dynamic_afs" != no; then - AIX_DYNAMIC_AFS_TRUE= - AIX_DYNAMIC_AFS_FALSE='#' -else - AIX_DYNAMIC_AFS_TRUE='#' - AIX_DYNAMIC_AFS_FALSE= -fi - - - - - - -irix=no -case "$host" 
in -*-*-irix4*) - -cat >>confdefs.h <<\_ACEOF -#define IRIX4 1 -_ACEOF - - irix=yes - ;; -*-*-irix*) - irix=yes - ;; -esac - - -if test "$irix" != no; then - IRIX_TRUE= - IRIX_FALSE='#' -else - IRIX_TRUE='#' - IRIX_FALSE= -fi - - - - - -sunos=no -case "$host" in -*-*-sunos4*) - sunos=40 - ;; -*-*-solaris2.7) - sunos=57 - ;; -*-*-solaris2.89) - sunos=58 - ;; -*-*-solaris2*) - sunos=50 - ;; -esac -if test "$sunos" != no; then - -cat >>confdefs.h <<_ACEOF -#define SunOS $sunos -_ACEOF - -fi - - -echo "$as_me:27746: checking for X" >&5 -echo $ECHO_N "checking for X... $ECHO_C" >&6 - - -# Check whether --with-x or --without-x was given. -if test "${with_x+set}" = set; then - withval="$with_x" - -fi; -# $have_x is `yes', `no', `disabled', or empty when we do not yet know. -if test "x$with_x" = xno; then - # The user explicitly disabled X. - have_x=disabled -else - if test "x$x_includes" != xNONE && test "x$x_libraries" != xNONE; then - # Both variables are already set. - have_x=yes - else - if test "${ac_cv_have_x+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - # One or both of the vars are not set, and there is no cached value. -ac_x_includes=no ac_x_libraries=no -rm -fr conftest.dir -if mkdir conftest.dir; then - cd conftest.dir - # Make sure to not put "make" in the Imakefile rules, since we grep it out. - cat >Imakefile <<'_ACEOF' -acfindx: - @echo 'ac_im_incroot="${INCROOT}"; ac_im_usrlibdir="${USRLIBDIR}"; ac_im_libdir="${LIBDIR}"' -_ACEOF - if (xmkmf) >/dev/null 2>/dev/null && test -f Makefile; then - # GNU make sometimes prints "make[1]: Entering...", which would confuse us. - eval `${MAKE-make} acfindx 2>/dev/null | grep -v make` - # Open Windows xmkmf reportedly sets LIBDIR instead of USRLIBDIR. - for ac_extension in a so sl; do - if test ! -f $ac_im_usrlibdir/libX11.$ac_extension && - test -f $ac_im_libdir/libX11.$ac_extension; then - ac_im_usrlibdir=$ac_im_libdir; break - fi - done - # Screen out bogus values from the imake configuration. 
They are - # bogus both because they are the default anyway, and because - # using them would break gcc on systems where it needs fixed includes. - case $ac_im_incroot in - /usr/include) ;; - *) test -f "$ac_im_incroot/X11/Xos.h" && ac_x_includes=$ac_im_incroot;; - esac - case $ac_im_usrlibdir in - /usr/lib | /lib) ;; - *) test -d "$ac_im_usrlibdir" && ac_x_libraries=$ac_im_usrlibdir ;; - esac - fi - cd .. - rm -fr conftest.dir -fi - -# Standard set of common directories for X headers. -# Check X11 before X11Rn because it is often a symlink to the current release. -ac_x_header_dirs=' -/usr/X11/include -/usr/X11R6/include -/usr/X11R5/include -/usr/X11R4/include - -/usr/include/X11 -/usr/include/X11R6 -/usr/include/X11R5 -/usr/include/X11R4 - -/usr/local/X11/include -/usr/local/X11R6/include -/usr/local/X11R5/include -/usr/local/X11R4/include - -/usr/local/include/X11 -/usr/local/include/X11R6 -/usr/local/include/X11R5 -/usr/local/include/X11R4 - -/usr/X386/include -/usr/x386/include -/usr/XFree86/include/X11 - -/usr/include -/usr/local/include -/usr/unsupported/include -/usr/athena/include -/usr/local/x11r5/include -/usr/lpp/Xamples/include - -/usr/openwin/include -/usr/openwin/share/include' - -if test "$ac_x_includes" = no; then - # Guess where to find include files, by looking for Intrinsic.h. - # First, try using that file with no special directory specified. - cat >conftest.$ac_ext <<_ACEOF -#line 27844 "configure" -#include "confdefs.h" -#include -_ACEOF -if { (eval echo "$as_me:27848: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:27854: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - # We can compile using X headers with no special include directory. -ac_x_includes= -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - for ac_dir in $ac_x_header_dirs; do - if test -r "$ac_dir/X11/Intrinsic.h"; then - ac_x_includes=$ac_dir - break - fi -done -fi -rm -f conftest.err conftest.$ac_ext -fi # $ac_x_includes = no - -if test "$ac_x_libraries" = no; then - # Check for the libraries. - # See if we find them without any special options. - # Don't add to $LIBS permanently. - ac_save_LIBS=$LIBS - LIBS="-lXt $LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 27887 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -XtMalloc (0) - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:27905: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:27908: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:27911: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:27914: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - LIBS=$ac_save_LIBS -# We can link X programs with no special library path. -ac_x_libraries= -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -LIBS=$ac_save_LIBS -for ac_dir in `echo "$ac_x_includes $ac_x_header_dirs" | sed s/include/lib/g` -do - # Don't even attempt the hair of trying to link an X program! 
- for ac_extension in a so sl; do - if test -r $ac_dir/libXt.$ac_extension; then - ac_x_libraries=$ac_dir - break 2 - fi - done -done -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi # $ac_x_libraries = no - -if test "$ac_x_includes" = no || test "$ac_x_libraries" = no; then - # Didn't find X anywhere. Cache the known absence of X. - ac_cv_have_x="have_x=no" -else - # Record where we found X for the cache. - ac_cv_have_x="have_x=yes \ - ac_x_includes=$ac_x_includes ac_x_libraries=$ac_x_libraries" -fi -fi - - fi - eval "$ac_cv_have_x" -fi # $with_x != no - -if test "$have_x" != yes; then - echo "$as_me:27952: result: $have_x" >&5 -echo "${ECHO_T}$have_x" >&6 - no_x=yes -else - # If each of the values was on the command line, it overrides each guess. - test "x$x_includes" = xNONE && x_includes=$ac_x_includes - test "x$x_libraries" = xNONE && x_libraries=$ac_x_libraries - # Update the cache value to reflect the command line values. - ac_cv_have_x="have_x=yes \ - ac_x_includes=$x_includes ac_x_libraries=$x_libraries" - echo "$as_me:27962: result: libraries $x_libraries, headers $x_includes" >&5 -echo "${ECHO_T}libraries $x_libraries, headers $x_includes" >&6 -fi - - -if test "$no_x" = yes; then - # Not all programs may use this symbol, but it does not hurt to define it. - -cat >>confdefs.h <<\_ACEOF -#define X_DISPLAY_MISSING 1 -_ACEOF - - X_CFLAGS= X_PRE_LIBS= X_LIBS= X_EXTRA_LIBS= -else - if test -n "$x_includes"; then - X_CFLAGS="$X_CFLAGS -I$x_includes" - fi - - # It would also be nice to do this for all -L options, not just this one. - if test -n "$x_libraries"; then - X_LIBS="$X_LIBS -L$x_libraries" - # For Solaris; some versions of Sun CC require a space after -R and - # others require no space. Words are not sufficient . . . . - case `(uname -sr) 2>/dev/null` in - "SunOS 5"*) - echo "$as_me:27987: checking whether -R must be followed by a space" >&5 -echo $ECHO_N "checking whether -R must be followed by a space... 
$ECHO_C" >&6 - ac_xsave_LIBS=$LIBS; LIBS="$LIBS -R$x_libraries" - cat >conftest.$ac_ext <<_ACEOF -#line 27991 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28009: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28012: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28015: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28018: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_R_nospace=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_R_nospace=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - if test $ac_R_nospace = yes; then - echo "$as_me:28028: result: no" >&5 -echo "${ECHO_T}no" >&6 - X_LIBS="$X_LIBS -R$x_libraries" - else - LIBS="$ac_xsave_LIBS -R $x_libraries" - cat >conftest.$ac_ext <<_ACEOF -#line 28034 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28052: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28055: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28058: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28061: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_R_space=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_R_space=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - if test $ac_R_space = yes; then - echo "$as_me:28071: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - X_LIBS="$X_LIBS -R $x_libraries" - else - echo "$as_me:28075: result: neither works" >&5 -echo "${ECHO_T}neither works" >&6 - fi - fi - LIBS=$ac_xsave_LIBS - esac - fi - - # Check for system-dependent libraries X programs must link with. - # Do this before checking for the system-independent R6 libraries - # (-lICE), since we may need -lsocket or whatever for X linking. - - if test "$ISC" = yes; then - X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl_s -linet" - else - # Martyn Johnson says this is needed for Ultrix, if the X - # libraries were built with DECnet support. And Karl Berry says - # the Alpha needs dnet_stub (dnet does not exist). - ac_xsave_LIBS="$LIBS"; LIBS="$LIBS $X_LIBS -lX11" - cat >conftest.$ac_ext <<_ACEOF -#line 28095 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char XOpenDisplay (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -XOpenDisplay (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28120: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28123: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28126: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28129: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -echo "$as_me:28135: checking for dnet_ntoa in -ldnet" >&5 -echo $ECHO_N "checking for dnet_ntoa in -ldnet... $ECHO_C" >&6 -if test "${ac_cv_lib_dnet_dnet_ntoa+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldnet $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28143 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char dnet_ntoa (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dnet_ntoa (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28168: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28171: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28174: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28177: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_dnet_dnet_ntoa=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_dnet_dnet_ntoa=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28188: result: $ac_cv_lib_dnet_dnet_ntoa" >&5 -echo "${ECHO_T}$ac_cv_lib_dnet_dnet_ntoa" >&6 -if test $ac_cv_lib_dnet_dnet_ntoa = yes; then - X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet" -fi - - if test $ac_cv_lib_dnet_dnet_ntoa = no; then - echo "$as_me:28195: checking for dnet_ntoa in -ldnet_stub" >&5 -echo $ECHO_N "checking for dnet_ntoa in -ldnet_stub... 
$ECHO_C" >&6 -if test "${ac_cv_lib_dnet_stub_dnet_ntoa+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldnet_stub $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28203 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char dnet_ntoa (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -dnet_ntoa (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28228: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28231: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28234: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28237: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_dnet_stub_dnet_ntoa=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_dnet_stub_dnet_ntoa=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28248: result: $ac_cv_lib_dnet_stub_dnet_ntoa" >&5 -echo "${ECHO_T}$ac_cv_lib_dnet_stub_dnet_ntoa" >&6 -if test $ac_cv_lib_dnet_stub_dnet_ntoa = yes; then - X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet_stub" -fi - - fi -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - LIBS="$ac_xsave_LIBS" - - # msh@cis.ufl.edu says -lnsl (and -lsocket) are needed for his 386/AT, - # to get the SysV transport functions. - # Chad R. Larson says the Pyramis MIS-ES running DC/OSx (SVR4) - # needs -lnsl. - # The nsl library prevents programs from opening the X display - # on Irix 5.2, according to T.E. Dickey. 
- # The functions gethostbyname, getservbyname, and inet_addr are - # in -lbsd on LynxOS 3.0.1/i386, according to Lars Hecking. - echo "$as_me:28267: checking for gethostbyname" >&5 -echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6 -if test "${ac_cv_func_gethostbyname+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 28273 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char gethostbyname (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char gethostbyname (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_gethostbyname) || defined (__stub___gethostbyname) -choke me -#else -f = gethostbyname; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28310: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28313: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28316: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28319: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_gethostbyname=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_gethostbyname=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:28329: result: $ac_cv_func_gethostbyname" >&5 -echo "${ECHO_T}$ac_cv_func_gethostbyname" >&6 - - if test $ac_cv_func_gethostbyname = no; then - echo "$as_me:28333: checking for gethostbyname in -lnsl" >&5 -echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6 -if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lnsl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28341 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char gethostbyname (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -gethostbyname (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28366: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28369: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28372: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28375: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_nsl_gethostbyname=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_nsl_gethostbyname=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28386: result: $ac_cv_lib_nsl_gethostbyname" >&5 -echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6 -if test $ac_cv_lib_nsl_gethostbyname = yes; then - X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl" -fi - - if test $ac_cv_lib_nsl_gethostbyname = no; then - echo "$as_me:28393: checking for gethostbyname in -lbsd" >&5 -echo $ECHO_N "checking for gethostbyname in -lbsd... $ECHO_C" >&6 -if test "${ac_cv_lib_bsd_gethostbyname+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lbsd $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28401 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char gethostbyname (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -gethostbyname (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28426: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28429: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28432: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28435: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_bsd_gethostbyname=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_bsd_gethostbyname=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28446: result: $ac_cv_lib_bsd_gethostbyname" >&5 -echo "${ECHO_T}$ac_cv_lib_bsd_gethostbyname" >&6 -if test $ac_cv_lib_bsd_gethostbyname = yes; then - X_EXTRA_LIBS="$X_EXTRA_LIBS -lbsd" -fi - - fi - fi - - # lieder@skyler.mavd.honeywell.com says without -lsocket, - # socket/setsockopt and other routines are undefined under SCO ODT - # 2.0. But -lsocket is broken on IRIX 5.2 (and is not necessary - # on later versions), says Simon Leinen: it contains gethostby* - # variants that don't use the nameserver (or something). -lsocket - # must be given before -lnsl if both are needed. We assume that - # if connect needs -lnsl, so does gethostbyname. - echo "$as_me:28462: checking for connect" >&5 -echo $ECHO_N "checking for connect... $ECHO_C" >&6 -if test "${ac_cv_func_connect+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 28468 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char connect (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char connect (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_connect) || defined (__stub___connect) -choke me -#else -f = connect; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28505: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28508: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28511: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28514: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_connect=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_connect=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:28524: result: $ac_cv_func_connect" >&5 -echo "${ECHO_T}$ac_cv_func_connect" >&6 - - if test $ac_cv_func_connect = no; then - echo "$as_me:28528: checking for connect in -lsocket" >&5 -echo $ECHO_N "checking for connect in -lsocket... $ECHO_C" >&6 -if test "${ac_cv_lib_socket_connect+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsocket $X_EXTRA_LIBS $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28536 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char connect (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -connect (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28561: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28564: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28567: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:28570: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_socket_connect=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_socket_connect=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28581: result: $ac_cv_lib_socket_connect" >&5 -echo "${ECHO_T}$ac_cv_lib_socket_connect" >&6 -if test $ac_cv_lib_socket_connect = yes; then - X_EXTRA_LIBS="-lsocket $X_EXTRA_LIBS" -fi - - fi - - # Guillermo Gomez says -lposix is necessary on A/UX. - echo "$as_me:28590: checking for remove" >&5 -echo $ECHO_N "checking for remove... $ECHO_C" >&6 -if test "${ac_cv_func_remove+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 28596 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char remove (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char remove (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_remove) || defined (__stub___remove) -choke me -#else -f = remove; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28633: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28636: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28639: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28642: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_remove=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_remove=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:28652: result: $ac_cv_func_remove" >&5 -echo "${ECHO_T}$ac_cv_func_remove" >&6 - - if test $ac_cv_func_remove = no; then - echo "$as_me:28656: checking for remove in -lposix" >&5 -echo $ECHO_N "checking for remove in -lposix... $ECHO_C" >&6 -if test "${ac_cv_lib_posix_remove+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lposix $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28664 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char remove (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -remove (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28689: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28692: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28695: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28698: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_posix_remove=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_posix_remove=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28709: result: $ac_cv_lib_posix_remove" >&5 -echo "${ECHO_T}$ac_cv_lib_posix_remove" >&6 -if test $ac_cv_lib_posix_remove = yes; then - X_EXTRA_LIBS="$X_EXTRA_LIBS -lposix" -fi - - fi - - # BSDI BSD/OS 2.1 needs -lipc for XOpenDisplay. - echo "$as_me:28718: checking for shmat" >&5 -echo $ECHO_N "checking for shmat... $ECHO_C" >&6 -if test "${ac_cv_func_shmat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 28724 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char shmat (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char shmat (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_shmat) || defined (__stub___shmat) -choke me -#else -f = shmat; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28761: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28764: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28767: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? 
- echo "$as_me:28770: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_shmat=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_shmat=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:28780: result: $ac_cv_func_shmat" >&5 -echo "${ECHO_T}$ac_cv_func_shmat" >&6 - - if test $ac_cv_func_shmat = no; then - echo "$as_me:28784: checking for shmat in -lipc" >&5 -echo $ECHO_N "checking for shmat in -lipc... $ECHO_C" >&6 -if test "${ac_cv_lib_ipc_shmat+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lipc $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28792 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char shmat (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -shmat (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28817: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28820: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28823: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28826: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_ipc_shmat=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_ipc_shmat=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28837: result: $ac_cv_lib_ipc_shmat" >&5 -echo "${ECHO_T}$ac_cv_lib_ipc_shmat" >&6 -if test $ac_cv_lib_ipc_shmat = yes; then - X_EXTRA_LIBS="$X_EXTRA_LIBS -lipc" -fi - - fi - fi - - # Check for libraries that X11R6 Xt/Xaw programs need. - ac_save_LDFLAGS=$LDFLAGS - test -n "$x_libraries" && LDFLAGS="$LDFLAGS -L$x_libraries" - # SM needs ICE to (dynamically) link under SunOS 4.x (so we have to - # check for ICE first), but we must link in the order -lSM -lICE or - # we get undefined symbols. So assume we have SM if we have ICE. - # These have to be linked with before -lX11, unlike the other - # libraries we check for below, so use a different variable. - # John Interrante, Karl Berry - echo "$as_me:28855: checking for IceConnectionNumber in -lICE" >&5 -echo $ECHO_N "checking for IceConnectionNumber in -lICE... $ECHO_C" >&6 -if test "${ac_cv_lib_ICE_IceConnectionNumber+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lICE $X_EXTRA_LIBS $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line 28863 "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char IceConnectionNumber (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -IceConnectionNumber (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:28888: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28891: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:28894: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28897: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_ICE_IceConnectionNumber=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_ICE_IceConnectionNumber=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:28908: result: $ac_cv_lib_ICE_IceConnectionNumber" >&5 -echo "${ECHO_T}$ac_cv_lib_ICE_IceConnectionNumber" >&6 -if test $ac_cv_lib_ICE_IceConnectionNumber = yes; then - X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE" -fi - - LDFLAGS=$ac_save_LDFLAGS - -fi - - -# try to figure out if we need any additional ld flags, like -R -# and yes, the autoconf X test is utterly broken -if test "$no_x" != yes; then - echo "$as_me:28922: checking for special X linker flags" >&5 -echo $ECHO_N "checking for special X linker flags... 
$ECHO_C" >&6 -if test "${krb_cv_sys_x_libs_rpath+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - - ac_save_libs="$LIBS" - ac_save_cflags="$CFLAGS" - CFLAGS="$CFLAGS $X_CFLAGS" - krb_cv_sys_x_libs_rpath="" - krb_cv_sys_x_libs="" - for rflag in "" "-R" "-R " "-rpath "; do - if test "$rflag" = ""; then - foo="$X_LIBS" - else - foo="" - for flag in $X_LIBS; do - case $flag in - -L*) - foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`" - ;; - *) - foo="$foo $flag" - ;; - esac - done - fi - LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS" - if test "$cross_compiling" = yes; then - { { echo "$as_me:28951: error: cannot run test program while cross compiling" >&5 -echo "$as_me: error: cannot run test program while cross compiling" >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -#line 28956 "configure" -#include "confdefs.h" - - #include - foo() - { - XOpenDisplay(NULL); - } - main() - { - return 0; - } - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:28971: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:28974: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:28976: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:28979: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -: -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - done - LIBS="$ac_save_libs" - CFLAGS="$ac_save_cflags" - -fi -echo "$as_me:28996: result: $krb_cv_sys_x_libs_rpath" >&5 -echo "${ECHO_T}$krb_cv_sys_x_libs_rpath" >&6 - X_LIBS="$krb_cv_sys_x_libs" -fi - - - - -if test "$no_x" != yes; then - HAVE_X_TRUE= - HAVE_X_FALSE='#' -else - HAVE_X_TRUE='#' - HAVE_X_FALSE= -fi - - - -save_CFLAGS="$CFLAGS" -CFLAGS="$X_CFLAGS $CFLAGS" -save_LIBS="$LIBS" -LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS" -save_LDFLAGS="$LDFLAGS" -LDFLAGS="$LDFLAGS $X_LIBS" - - - - - -echo "$as_me:29025: checking for XauWriteAuth" >&5 -echo $ECHO_N "checking for XauWriteAuth... $ECHO_C" >&6 -if test "${ac_cv_funclib_XauWriteAuth+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_XauWriteAuth\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" X11 Xau; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 29043 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -XauWriteAuth() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:29061: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:29064: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:29067: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29070: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauWriteAuth=$ac_lib; else ac_cv_funclib_XauWriteAuth=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_XauWriteAuth=\${ac_cv_funclib_XauWriteAuth-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_XauWriteAuth" - -if false; then - -for ac_func in XauWriteAuth -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:29093: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29099 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:29136: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:29139: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:29142: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29145: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:29155: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# XauWriteAuth -eval "ac_tr_func=HAVE_`echo XauWriteAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_XauWriteAuth=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_XauWriteAuth=yes" - eval "LIB_XauWriteAuth=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:29179: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_XauWriteAuth=no" - eval "LIB_XauWriteAuth=" - echo "$as_me:29185: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_XauWriteAuth=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:29199: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -ac_xxx="$LIBS" -LIBS="$LIB_XauWriteAuth $LIBS" - - - -echo "$as_me:29210: checking for XauReadAuth" >&5 -echo $ECHO_N "checking for XauReadAuth... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_XauReadAuth+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_XauReadAuth\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" X11 Xau; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 29228 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -XauReadAuth() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:29246: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:29249: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:29252: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29255: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauReadAuth=$ac_lib; else ac_cv_funclib_XauReadAuth=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_XauReadAuth=\${ac_cv_funclib_XauReadAuth-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_XauReadAuth" - -if false; then - -for ac_func in XauReadAuth -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:29278: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29284 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:29321: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:29324: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:29327: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29330: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:29340: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# XauReadAuth -eval "ac_tr_func=HAVE_`echo XauReadAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_XauReadAuth=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_XauReadAuth=yes" - eval "LIB_XauReadAuth=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:29364: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_XauReadAuth=no" - eval "LIB_XauReadAuth=" - echo "$as_me:29370: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_XauReadAuth=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:29384: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -LIBS="$LIB_XauReadAauth $LIBS" - - - -echo "$as_me:29394: checking for XauFileName" >&5 -echo $ECHO_N "checking for XauFileName... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_XauFileName+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_XauFileName\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" X11 Xau; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 29412 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -XauFileName() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:29430: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:29433: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:29436: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29439: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauFileName=$ac_lib; else ac_cv_funclib_XauFileName=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_XauFileName=\${ac_cv_funclib_XauFileName-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_XauFileName" - -if false; then - -for ac_func in XauFileName -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:29462: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29468 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:29505: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:29508: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:29511: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29514: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:29524: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# XauFileName -eval "ac_tr_func=HAVE_`echo XauFileName | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_XauFileName=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_XauFileName=yes" - eval "LIB_XauFileName=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:29548: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_XauFileName=no" - eval "LIB_XauFileName=" - echo "$as_me:29554: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_XauFileName=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:29568: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -LIBS="$ac_xxx" - -case "$ac_cv_funclib_XauWriteAuth" in -yes) ;; -no) ;; -*) if test "$ac_cv_funclib_XauReadAuth" = yes; then - if test "$ac_cv_funclib_XauFileName" = yes; then - LIB_XauReadAuth="$LIB_XauWriteAuth" - else - LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName" - fi - else - if test "$ac_cv_funclib_XauFileName" = yes; then - LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth" - else - LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName" - fi - fi - ;; -esac - -if test "$AUTOMAKE" != ""; then - - -if test 
"$ac_cv_func_XauWriteAuth" != "yes"; then - NEED_WRITEAUTH_TRUE= - NEED_WRITEAUTH_FALSE='#' -else - NEED_WRITEAUTH_TRUE='#' - NEED_WRITEAUTH_FALSE= -fi - -else - - - if test "$ac_cv_func_XauWriteAuth" != "yes"; then - NEED_WRITEAUTH_TRUE= - NEED_WRITEAUTH_FALSE='#' - else - NEED_WRITEAUTH_TRUE='#' - NEED_WRITEAUTH_FALSE= - fi -fi -CFLAGS=$save_CFLAGS -LIBS=$save_LIBS -LDFLAGS=$save_LDFLAGS - - - -echo "$as_me:29623: checking for an ANSI C-conforming const" >&5 -echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6 -if test "${ac_cv_c_const+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29629 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* FIXME: Include the comments suggested by Paul. */ -#ifndef __cplusplus - /* Ultrix mips cc rejects this. */ - typedef int charset[2]; - const charset x; - /* SunOS 4.1.1 cc rejects this. */ - char const *const *ccp; - char **p; - /* NEC SVR4.0.2 mips cc rejects this. */ - struct point {int x, y;}; - static struct point const zero = {0,0}; - /* AIX XL C 1.02.0.0 rejects this. - It does not let you subtract one const X* pointer from another in - an arm of an if-expression whose if-part is not a constant - expression */ - const char *g = "string"; - ccp = &g + (g ? g-g : 0); - /* HPUX 7.0 cc rejects these. */ - ++ccp; - p = (char**) ccp; - ccp = (char const *const *) p; - { /* SCO 3.2v4 cc rejects this. */ - char *t; - char const *s = 0 ? (char *) 0 : (char const *) 0; - - *t++ = 0; - } - { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ - int x[] = {25, 17}; - const int *foo = &x[0]; - ++foo; - } - { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. 
*/ - typedef const int *iptr; - iptr p = 0; - ++p; - } - { /* AIX XL C 1.02.0.0 rejects this saying - "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; }; - struct s *b; b->j = 5; - } - { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ - const int foo = 10; - } -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:29693: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:29696: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:29699: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29702: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_c_const=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_c_const=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:29712: result: $ac_cv_c_const" >&5 -echo "${ECHO_T}$ac_cv_c_const" >&6 -if test $ac_cv_c_const = no; then - -cat >>confdefs.h <<\_ACEOF -#define const -_ACEOF - -fi - -echo "$as_me:29722: checking for off_t" >&5 -echo $ECHO_N "checking for off_t... $ECHO_C" >&6 -if test "${ac_cv_type_off_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29728 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((off_t *) 0) - return 0; -if (sizeof (off_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:29749: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:29752: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:29755: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29758: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_off_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_off_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:29768: result: $ac_cv_type_off_t" >&5 -echo "${ECHO_T}$ac_cv_type_off_t" >&6 -if test $ac_cv_type_off_t = yes; then - : -else - -cat >>confdefs.h <<_ACEOF -#define off_t long -_ACEOF - -fi - -echo "$as_me:29780: checking for mode_t" >&5 -echo $ECHO_N "checking for mode_t... $ECHO_C" >&6 -if test "${ac_cv_type_mode_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29786 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "mode_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then - ac_cv_type_mode_t=yes -else - ac_cv_type_mode_t=no -fi -rm -f conftest* - -fi -echo "$as_me:29804: result: $ac_cv_type_mode_t" >&5 -echo "${ECHO_T}$ac_cv_type_mode_t" >&6 -if test $ac_cv_type_mode_t = no; then - -cat >>confdefs.h <<\_ACEOF -#define mode_t unsigned short -_ACEOF - -fi - -echo "$as_me:29814: checking for sig_atomic_t" >&5 -echo $ECHO_N "checking for sig_atomic_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_sig_atomic_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29820 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif -#include -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "sig_atomic_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then - ac_cv_type_sig_atomic_t=yes -else - ac_cv_type_sig_atomic_t=no -fi -rm -f conftest* - -fi -echo "$as_me:29838: result: $ac_cv_type_sig_atomic_t" >&5 -echo "${ECHO_T}$ac_cv_type_sig_atomic_t" >&6 -if test $ac_cv_type_sig_atomic_t = no; then - -cat >>confdefs.h <<\_ACEOF -#define sig_atomic_t int -_ACEOF - -fi - - - -cv=`echo "long long" | sed 'y%./+- %__p__%'` -echo "$as_me:29851: checking for long long" >&5 -echo $ECHO_N "checking for long long... $ECHO_C" >&6 -if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29857 "configure" -#include "confdefs.h" -#include -#if STDC_HEADERS -#include -#include -#endif - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -long long foo; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:29880: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:29883: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:29886: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29889: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "ac_cv_type_$cv=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "ac_cv_type_$cv=no" -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -ac_foo=`eval echo \\$ac_cv_type_$cv` -echo "$as_me:29900: result: $ac_foo" >&5 -echo "${ECHO_T}$ac_foo" >&6 -if test "$ac_foo" = yes; then - ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` -if false; then - echo "$as_me:29905: checking for long long" >&5 -echo $ECHO_N "checking for long long... $ECHO_C" >&6 -if test "${ac_cv_type_long_long+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29911 "configure" -#include "confdefs.h" -$ac_includes_default -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((long long *) 0) - return 0; -if (sizeof (long long)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:29932: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:29935: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:29938: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:29941: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_long_long=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_long_long=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:29951: result: $ac_cv_type_long_long" >&5 -echo "${ECHO_T}$ac_cv_type_long_long" >&6 -if test $ac_cv_type_long_long = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_LONG_LONG 1 -_ACEOF - - -fi - -fi - -cat >>confdefs.h <<_ACEOF -#define $ac_tr_hdr 1 -_ACEOF - -fi - -echo "$as_me:29970: checking whether time.h and sys/time.h may both be included" >&5 -echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6 -if test "${ac_cv_header_time+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 29976 "configure" -#include "confdefs.h" -#include -#include -#include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((struct tm *) 0) -return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:29998: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:30001: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:30004: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30007: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_header_time=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_header_time=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:30017: result: $ac_cv_header_time" >&5 -echo "${ECHO_T}$ac_cv_header_time" >&6 -if test $ac_cv_header_time = yes; then - -cat >>confdefs.h <<\_ACEOF -#define TIME_WITH_SYS_TIME 1 -_ACEOF - -fi - -echo "$as_me:30027: checking whether struct tm is in sys/time.h or time.h" >&5 -echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6 -if test "${ac_cv_struct_tm+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 30033 "configure" -#include "confdefs.h" -#include -#include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct tm *tp; tp->tm_sec; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:30053: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:30056: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:30059: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30062: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_struct_tm=time.h -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_struct_tm=sys/time.h -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:30072: result: $ac_cv_struct_tm" >&5 -echo "${ECHO_T}$ac_cv_struct_tm" >&6 -if test $ac_cv_struct_tm = sys/time.h; then - -cat >>confdefs.h <<\_ACEOF -#define TM_IN_SYS_TIME 1 -_ACEOF - -fi - - -echo "$as_me:30083: checking for ANSI C header files" >&5 -echo $ECHO_N "checking for ANSI C header files... 
$ECHO_C" >&6 -if test "${ac_cv_header_stdc+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 30089 "configure" -#include "confdefs.h" -#include -#include -#include -#include - -_ACEOF -if { (eval echo "$as_me:30097: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:30103: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_cv_header_stdc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_cv_header_stdc=no -fi -rm -f conftest.err conftest.$ac_ext - -if test $ac_cv_header_stdc = yes; then - # SunOS 4.x string.h does not declare mem*, contrary to ANSI. - cat >conftest.$ac_ext <<_ACEOF -#line 30125 "configure" -#include "confdefs.h" -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "memchr" >/dev/null 2>&1; then - : -else - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. - cat >conftest.$ac_ext <<_ACEOF -#line 30143 "configure" -#include "confdefs.h" -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "free" >/dev/null 2>&1; then - : -else - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. - if test "$cross_compiling" = yes; then - : -else - cat >conftest.$ac_ext <<_ACEOF -#line 30164 "configure" -#include "confdefs.h" -#include -#if ((' ' & 0x0FF) == 0x020) -# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -# define TOUPPER(c) (ISLOWER(c) ? 
'A' + ((c) - 'a') : (c)) -#else -# define ISLOWER(c) (('a' <= (c) && (c) <= 'i') \ - || ('j' <= (c) && (c) <= 'r') \ - || ('s' <= (c) && (c) <= 'z')) -# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) -#endif - -#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) -int -main () -{ - int i; - for (i = 0; i < 256; i++) - if (XOR (islower (i), ISLOWER (i)) - || toupper (i) != TOUPPER (i)) - exit(2); - exit (0); -} -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:30190: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:30193: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:30195: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30198: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_header_stdc=no -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -fi -echo "$as_me:30212: result: $ac_cv_header_stdc" >&5 -echo "${ECHO_T}$ac_cv_header_stdc" >&6 -if test $ac_cv_header_stdc = yes; then - -cat >>confdefs.h <<\_ACEOF -#define STDC_HEADERS 1 -_ACEOF - -fi - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -for ac_header in \ - arpa/ftp.h \ - arpa/telnet.h \ - bind/bitypes.h \ - bsdsetjmp.h \ - curses.h \ - dlfcn.h \ - fnmatch.h \ - inttypes.h \ - io.h \ - libutil.h \ - limits.h \ - maillock.h \ - netinet/in6_machtypes.h \ - netinfo/ni.h \ - pthread.h \ - pty.h \ - sac.h \ - security/pam_modules.h \ - sgtty.h \ - siad.h \ - signal.h \ - stropts.h \ - sys/bitypes.h \ - sys/category.h \ - sys/file.h \ - sys/filio.h \ - sys/ioccom.h \ - sys/pty.h \ - sys/ptyio.h \ - sys/ptyvar.h \ - sys/select.h \ - sys/str_tty.h \ - sys/stream.h \ - sys/stropts.h \ - sys/strtty.h \ - sys/syscall.h \ - sys/termio.h \ - sys/timeb.h \ 
- sys/times.h \ - sys/un.h \ - term.h \ - termcap.h \ - termio.h \ - time.h \ - tmpdir.h \ - udb.h \ - utmp.h \ - utmpx.h \ - -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:30324: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:30329: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:30333: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 30336 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:30342: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:30345: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:30348: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30351: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:30360: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:30364: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 30367 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:30371: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? 
- egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:30377: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:30395: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:30401: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:30403: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:30406: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:30408: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} - { echo "$as_me:30410: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:30413: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:30420: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - -# Check whether --enable-netinfo or --disable-netinfo was given. -if test "${enable_netinfo+set}" = set; then - enableval="$enable_netinfo" - -fi; - -if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_NETINFO 1 -_ACEOF - -fi - - - - - -echo "$as_me:30452: checking for logwtmp" >&5 -echo $ECHO_N "checking for logwtmp... $ECHO_C" >&6 -if test "${ac_cv_funclib_logwtmp+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_logwtmp\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" util; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 30470 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -logwtmp() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:30488: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:30491: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:30494: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30497: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_logwtmp=$ac_lib; else ac_cv_funclib_logwtmp=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_logwtmp=\${ac_cv_funclib_logwtmp-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_logwtmp" - -if false; then - -for ac_func in logwtmp -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:30520: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 30526 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:30563: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:30566: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:30569: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30572: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:30582: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# logwtmp -eval "ac_tr_func=HAVE_`echo logwtmp | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_logwtmp=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_logwtmp=yes" - eval "LIB_logwtmp=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:30606: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_logwtmp=no" - eval "LIB_logwtmp=" - echo "$as_me:30612: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_logwtmp=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:30626: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - -echo "$as_me:30635: checking for logout" >&5 -echo $ECHO_N "checking for logout... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_logout+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_logout\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" util; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 30653 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -logout() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:30671: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:30674: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:30677: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30680: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_logout=$ac_lib; else ac_cv_funclib_logout=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_logout=\${ac_cv_funclib_logout-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_logout" - -if false; then - -for ac_func in logout -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:30703: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 30709 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:30746: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:30749: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:30752: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30755: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:30765: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# logout -eval "ac_tr_func=HAVE_`echo logout | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_logout=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_logout=yes" - eval "LIB_logout=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:30789: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_logout=no" - eval "LIB_logout=" - echo "$as_me:30795: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_logout=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:30809: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - -echo "$as_me:30818: checking for openpty" >&5 -echo $ECHO_N "checking for openpty... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_openpty+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_openpty\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" util; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 30836 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -openpty() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:30854: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:30857: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:30860: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30863: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_openpty=$ac_lib; else ac_cv_funclib_openpty=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_openpty=\${ac_cv_funclib_openpty-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_openpty" - -if false; then - -for ac_func in openpty -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:30886: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 30892 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:30929: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:30932: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:30935: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:30938: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:30948: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# openpty -eval "ac_tr_func=HAVE_`echo openpty | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_openpty=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_openpty=yes" - eval "LIB_openpty=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:30972: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_openpty=no" - eval "LIB_openpty=" - echo "$as_me:30978: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_openpty=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:30992: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - -echo "$as_me:31001: checking for tgetent" >&5 -echo $ECHO_N "checking for tgetent... 
$ECHO_C" >&6 -if test "${ac_cv_funclib_tgetent+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_tgetent\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" termcap ncurses curses; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 31019 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -tgetent() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:31037: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31040: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:31043: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31046: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_tgetent=$ac_lib; else ac_cv_funclib_tgetent=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_tgetent=\${ac_cv_funclib_tgetent-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_tgetent" - -if false; then - -for ac_func in tgetent -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:31069: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 31075 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. 
*/ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:31112: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31115: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:31118: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31121: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:31131: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# tgetent -eval "ac_tr_func=HAVE_`echo tgetent | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_tgetent=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_tgetent=yes" - eval "LIB_tgetent=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:31155: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_tgetent=no" - eval "LIB_tgetent=" - echo "$as_me:31161: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_tgetent=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:31175: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -for ac_func in \ - _getpty \ - _scrsize \ - fcntl \ - grantpt \ - mktime \ - ptsname \ - rand \ - revoke \ - select \ - setitimer \ - setpcred \ - setpgid \ - setproctitle \ - setregid \ - setresgid \ - setresuid \ - setreuid \ - setsid \ - setutent \ - sigaction \ - strstr \ - timegm \ - ttyname \ - ttyslot \ - umask \ - unlockpt \ - vhangup \ - yp_get_default_domain \ - -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:31243: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... 
$ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 31249 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:31286: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31289: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:31292: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31295: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:31305: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - - - - - -for ac_header in capability.h sys/capability.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:31324: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:31329: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 -else - # Is the header compilable? -echo "$as_me:31333: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 31336 "configure" -#include "confdefs.h" -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:31342: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:31345: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:31348: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31351: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:31360: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? 
-echo "$as_me:31364: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line 31367 "configure" -#include "confdefs.h" -#include <$ac_header> -_ACEOF -if { (eval echo "$as_me:31371: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:31377: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:31395: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:31401: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:31403: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:31406: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:31408: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} - { echo "$as_me:31410: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:31413: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=$ac_header_preproc" -fi -echo "$as_me:31420: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - - -for ac_func in sgi_getcapabilitybyname cap_set_proc -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:31439: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 31445 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:31482: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31485: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:31488: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31491: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:31501: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - - - - - - -echo "$as_me:31517: checking for getpwnam_r" >&5 -echo $ECHO_N "checking for getpwnam_r... $ECHO_C" >&6 -if test "${ac_cv_funclib_getpwnam_r+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_getpwnam_r\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" c_r; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 31535 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -getpwnam_r() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:31553: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31556: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:31559: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31562: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_getpwnam_r=$ac_lib; else ac_cv_funclib_getpwnam_r=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_getpwnam_r=\${ac_cv_funclib_getpwnam_r-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_getpwnam_r" - -if false; then - -for ac_func in getpwnam_r -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:31585: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 31591 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:31628: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31631: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:31634: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31637: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:31647: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# getpwnam_r -eval "ac_tr_func=HAVE_`echo getpwnam_r | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_getpwnam_r=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_getpwnam_r=yes" - eval "LIB_getpwnam_r=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:31671: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_getpwnam_r=no" - eval "LIB_getpwnam_r=" - echo "$as_me:31677: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_getpwnam_r=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:31691: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test "$ac_cv_func_getpwnam_r" = yes; then - echo "$as_me:31698: 
checking if getpwnam_r is posix" >&5 -echo $ECHO_N "checking if getpwnam_r is posix... $ECHO_C" >&6 -if test "${ac_cv_func_getpwnam_r_posix+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_libs="$LIBS" - LIBS="$LIBS $LIB_getpwnam_r" - if test "$cross_compiling" = yes; then - : -else - cat >conftest.$ac_ext <<_ACEOF -#line 31709 "configure" -#include "confdefs.h" - -#include -int main() -{ - struct passwd pw, *pwd; - return getpwnam_r("", &pw, NULL, 0, &pwd) < 0; -} - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:31721: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31724: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:31726: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31729: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getpwnam_r_posix=yes -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_func_getpwnam_r_posix=no -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -LIBS="$ac_libs" -fi -echo "$as_me:31743: result: $ac_cv_func_getpwnam_r_posix" >&5 -echo "${ECHO_T}$ac_cv_func_getpwnam_r_posix" >&6 -if test "$ac_cv_func_getpwnam_r_posix" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define POSIX_GETPWNAM_R 1 -_ACEOF - -fi -fi - - - - -for ac_func in getudbnam setlim -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:31760: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 31766 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. 
*/ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:31803: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:31806: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:31809: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31812: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:31822: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - - - - - -echo "$as_me:31837: checking for ut_addr in struct utmp" >&5 -echo $ECHO_N "checking for ut_addr in struct utmp... 
$ECHO_C" >&6 -if test "${ac_cv_type_struct_utmp_ut_addr+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 31844 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_addr; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:31862: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:31865: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:31868: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31871: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmp_ut_addr=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmp_ut_addr=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:31881: result: $ac_cv_type_struct_utmp_ut_addr" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_addr" >&6 -if test "$ac_cv_type_struct_utmp_ut_addr" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMP_UT_ADDR 1 -_ACEOF - - -fi - - - - -echo "$as_me:31896: checking for ut_host in struct utmp" >&5 -echo $ECHO_N "checking for ut_host in struct utmp... $ECHO_C" >&6 -if test "${ac_cv_type_struct_utmp_ut_host+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 31903 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_host; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:31921: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:31924: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:31927: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31930: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmp_ut_host=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmp_ut_host=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:31940: result: $ac_cv_type_struct_utmp_ut_host" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_host" >&6 -if test "$ac_cv_type_struct_utmp_ut_host" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMP_UT_HOST 1 -_ACEOF - - -fi - - - - -echo "$as_me:31955: checking for ut_id in struct utmp" >&5 -echo $ECHO_N "checking for ut_id in struct utmp... $ECHO_C" >&6 -if test "${ac_cv_type_struct_utmp_ut_id+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 31962 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_id; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:31980: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:31983: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:31986: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:31989: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmp_ut_id=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmp_ut_id=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:31999: result: $ac_cv_type_struct_utmp_ut_id" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_id" >&6 -if test "$ac_cv_type_struct_utmp_ut_id" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMP_UT_ID 1 -_ACEOF - - -fi - - - - -echo "$as_me:32014: checking for ut_pid in struct utmp" >&5 -echo $ECHO_N "checking for ut_pid in struct utmp... $ECHO_C" >&6 -if test "${ac_cv_type_struct_utmp_ut_pid+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 32021 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_pid; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32039: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32042: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32045: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32048: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmp_ut_pid=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmp_ut_pid=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32058: result: $ac_cv_type_struct_utmp_ut_pid" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_pid" >&6 -if test "$ac_cv_type_struct_utmp_ut_pid" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMP_UT_PID 1 -_ACEOF - - -fi - - - - -echo "$as_me:32073: checking for ut_type in struct utmp" >&5 -echo $ECHO_N "checking for ut_type in struct utmp... 
$ECHO_C" >&6 -if test "${ac_cv_type_struct_utmp_ut_type+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 32080 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_type; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32098: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32101: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32104: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32107: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmp_ut_type=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmp_ut_type=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32117: result: $ac_cv_type_struct_utmp_ut_type" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_type" >&6 -if test "$ac_cv_type_struct_utmp_ut_type" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMP_UT_TYPE 1 -_ACEOF - - -fi - - - - -echo "$as_me:32132: checking for ut_user in struct utmp" >&5 -echo $ECHO_N "checking for ut_user in struct utmp... $ECHO_C" >&6 -if test "${ac_cv_type_struct_utmp_ut_user+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 32139 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmp x; x.ut_user; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32157: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32160: \$? 
= $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32163: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32166: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmp_ut_user=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmp_ut_user=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32176: result: $ac_cv_type_struct_utmp_ut_user" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_user" >&6 -if test "$ac_cv_type_struct_utmp_ut_user" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMP_UT_USER 1 -_ACEOF - - -fi - - - - -echo "$as_me:32191: checking for ut_exit in struct utmpx" >&5 -echo $ECHO_N "checking for ut_exit in struct utmpx... $ECHO_C" >&6 -if test "${ac_cv_type_struct_utmpx_ut_exit+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 32198 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmpx x; x.ut_exit; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32216: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32219: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32222: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32225: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmpx_ut_exit=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmpx_ut_exit=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32235: result: $ac_cv_type_struct_utmpx_ut_exit" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_exit" >&6 -if test "$ac_cv_type_struct_utmpx_ut_exit" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMPX_UT_EXIT 1 -_ACEOF - - -fi - - - - -echo "$as_me:32250: checking for ut_syslen in struct utmpx" >&5 -echo $ECHO_N "checking for ut_syslen in struct utmpx... $ECHO_C" >&6 -if test "${ac_cv_type_struct_utmpx_ut_syslen+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -cat >conftest.$ac_ext <<_ACEOF -#line 32257 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -struct utmpx x; x.ut_syslen; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32275: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32278: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32281: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32284: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_struct_utmpx_ut_syslen=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_struct_utmpx_ut_syslen=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32294: result: $ac_cv_type_struct_utmpx_ut_syslen" >&5 -echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_syslen" >&6 -if test "$ac_cv_type_struct_utmpx_ut_syslen" = yes; then - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_STRUCT_UTMPX_UT_SYSLEN 1 -_ACEOF - - -fi - - - -echo "$as_me:32308: checking for int8_t" >&5 -echo $ECHO_N "checking for int8_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_int8_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32314 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((int8_t *) 0) - return 0; -if (sizeof (int8_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32352: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32355: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32358: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32361: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_int8_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_int8_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32371: result: $ac_cv_type_int8_t" >&5 -echo "${ECHO_T}$ac_cv_type_int8_t" >&6 -if test $ac_cv_type_int8_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT8_T 1 -_ACEOF - - -fi -echo "$as_me:32381: checking for int16_t" >&5 -echo $ECHO_N "checking for int16_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_int16_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32387 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((int16_t *) 0) - return 0; -if (sizeof (int16_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32425: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32428: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32431: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32434: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_int16_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_int16_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32444: result: $ac_cv_type_int16_t" >&5 -echo "${ECHO_T}$ac_cv_type_int16_t" >&6 -if test $ac_cv_type_int16_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT16_T 1 -_ACEOF - - -fi -echo "$as_me:32454: checking for int32_t" >&5 -echo $ECHO_N "checking for int32_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_int32_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32460 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((int32_t *) 0) - return 0; -if (sizeof (int32_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32498: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32501: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32504: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32507: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_int32_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_int32_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32517: result: $ac_cv_type_int32_t" >&5 -echo "${ECHO_T}$ac_cv_type_int32_t" >&6 -if test $ac_cv_type_int32_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT32_T 1 -_ACEOF - - -fi -echo "$as_me:32527: checking for int64_t" >&5 -echo $ECHO_N "checking for int64_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_int64_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32533 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((int64_t *) 0) - return 0; -if (sizeof (int64_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32571: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32574: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32577: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32580: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_int64_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_int64_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32590: result: $ac_cv_type_int64_t" >&5 -echo "${ECHO_T}$ac_cv_type_int64_t" >&6 -if test $ac_cv_type_int64_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT64_T 1 -_ACEOF - - -fi -echo "$as_me:32600: checking for u_int8_t" >&5 -echo $ECHO_N "checking for u_int8_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_u_int8_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32606 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((u_int8_t *) 0) - return 0; -if (sizeof (u_int8_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32644: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32647: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32650: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32653: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_u_int8_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_u_int8_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32663: result: $ac_cv_type_u_int8_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int8_t" >&6 -if test $ac_cv_type_u_int8_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT8_T 1 -_ACEOF - - -fi -echo "$as_me:32673: checking for u_int16_t" >&5 -echo $ECHO_N "checking for u_int16_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_u_int16_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32679 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((u_int16_t *) 0) - return 0; -if (sizeof (u_int16_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32717: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32720: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32723: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32726: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_u_int16_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_u_int16_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32736: result: $ac_cv_type_u_int16_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int16_t" >&6 -if test $ac_cv_type_u_int16_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT16_T 1 -_ACEOF - - -fi -echo "$as_me:32746: checking for u_int32_t" >&5 -echo $ECHO_N "checking for u_int32_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_u_int32_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32752 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((u_int32_t *) 0) - return 0; -if (sizeof (u_int32_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32790: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32793: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32796: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32799: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_u_int32_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_u_int32_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32809: result: $ac_cv_type_u_int32_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int32_t" >&6 -if test $ac_cv_type_u_int32_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT32_T 1 -_ACEOF - - -fi -echo "$as_me:32819: checking for u_int64_t" >&5 -echo $ECHO_N "checking for u_int64_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_u_int64_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32825 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((u_int64_t *) 0) - return 0; -if (sizeof (u_int64_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32863: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32866: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32869: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32872: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_u_int64_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_u_int64_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32882: result: $ac_cv_type_u_int64_t" >&5 -echo "${ECHO_T}$ac_cv_type_u_int64_t" >&6 -if test $ac_cv_type_u_int64_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT64_T 1 -_ACEOF - - -fi -echo "$as_me:32892: checking for uint8_t" >&5 -echo $ECHO_N "checking for uint8_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_uint8_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32898 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((uint8_t *) 0) - return 0; -if (sizeof (uint8_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:32936: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:32939: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:32942: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:32945: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_uint8_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_uint8_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:32955: result: $ac_cv_type_uint8_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint8_t" >&6 -if test $ac_cv_type_uint8_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT8_T 1 -_ACEOF - - -fi -echo "$as_me:32965: checking for uint16_t" >&5 -echo $ECHO_N "checking for uint16_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_uint16_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 32971 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((uint16_t *) 0) - return 0; -if (sizeof (uint16_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:33009: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:33012: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:33015: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33018: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_uint16_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_uint16_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:33028: result: $ac_cv_type_uint16_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint16_t" >&6 -if test $ac_cv_type_uint16_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT16_T 1 -_ACEOF - - -fi -echo "$as_me:33038: checking for uint32_t" >&5 -echo $ECHO_N "checking for uint32_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_uint32_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 33044 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((uint32_t *) 0) - return 0; -if (sizeof (uint32_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:33082: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:33085: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:33088: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33091: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_uint32_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_uint32_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:33101: result: $ac_cv_type_uint32_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint32_t" >&6 -if test $ac_cv_type_uint32_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT32_T 1 -_ACEOF - - -fi -echo "$as_me:33111: checking for uint64_t" >&5 -echo $ECHO_N "checking for uint64_t... 
$ECHO_C" >&6 -if test "${ac_cv_type_uint64_t+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 33117 "configure" -#include "confdefs.h" - -#ifdef HAVE_INTTYPES_H -#include -#endif -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_SYS_BITYPES_H -#include -#endif -#ifdef HAVE_BIND_BITYPES_H -#include -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -#include -#endif - - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -if ((uint64_t *) 0) - return 0; -if (sizeof (uint64_t)) - return 0; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:33155: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:33158: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:33161: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33164: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_type_uint64_t=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_type_uint64_t=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:33174: result: $ac_cv_type_uint64_t" >&5 -echo "${ECHO_T}$ac_cv_type_uint64_t" >&6 -if test $ac_cv_type_uint64_t = yes; then - -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT64_T 1 -_ACEOF - - -fi - - - -crypto_lib=unknown - - -# Check whether --with-openssl or --without-openssl was given. -if test "${with_openssl+set}" = set; then - withval="$with_openssl" - -fi; - - -# Check whether --with-openssl-lib or --without-openssl-lib was given. 
-if test "${with_openssl_lib+set}" = set; then - withval="$with_openssl_lib" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:33201: error: No argument for --with-openssl-lib" >&5 -echo "$as_me: error: No argument for --with-openssl-lib" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_openssl" = "X"; then - with_openssl=yes -fi -fi; - - -# Check whether --with-openssl-include or --without-openssl-include was given. -if test "${with_openssl_include+set}" = set; then - withval="$with_openssl_include" - if test "$withval" = "yes" -o "$withval" = "no"; then - { { echo "$as_me:33214: error: No argument for --with-openssl-include" >&5 -echo "$as_me: error: No argument for --with-openssl-include" >&2;} - { (exit 1); exit 1; }; } -elif test "X$with_openssl" = "X"; then - with_openssl=yes -fi -fi; - -case "$with_openssl" in -yes) ;; -no) ;; -"") ;; -*) if test "$with_openssl_include" = ""; then - with_openssl_include="$with_openssl/include" - fi - if test "$with_openssl_lib" = ""; then - with_openssl_lib="$with_openssl/lib$abilibdirext" - fi - ;; -esac - - -DIR_des= - -echo "$as_me:33238: checking for crypto library" >&5 -echo $ECHO_N "checking for crypto library... 
$ECHO_C" >&6 - -openssl=no -if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then - - save_CPPFLAGS="$CPPFLAGS" - save_LIBS="$LIBS" - INCLUDE_des= - LIB_des= - if test "$with_openssl_include" != ""; then - INCLUDE_des="-I${with_openssl}/include" - fi - if test "$with_openssl_lib" != ""; then - LIB_des="-L${with_openssl}/lib" - fi - CPPFLAGS="${INCLUDE_des} ${CPPFLAGS}" - LIB_des="${LIB_des} -lcrypto" - LIB_des_a="$LIB_des" - LIB_des_so="$LIB_des" - LIB_des_appl="$LIB_des" - LIBS="${LIBS} ${LIB_des}" - cat >conftest.$ac_ext <<_ACEOF -#line 33261 "configure" -#include "confdefs.h" - - #include - #include - #include - #include - #include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - void *schedule = 0; - MD4_CTX md4; - MD5_CTX md5; - SHA_CTX sha1; - - MD4_Init(&md4); - MD5_Init(&md5); - SHA1_Init(&sha1); - - des_cbc_encrypt(0, 0, 0, schedule, 0, 0); - RC4(0, 0, 0, 0); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:33297: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:33300: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:33303: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33306: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - - crypto_lib=libcrypto openssl=yes - echo "$as_me:33310: result: libcrypto" >&5 -echo "${ECHO_T}libcrypto" >&6 -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - CPPFLAGS="$save_CPPFLAGS" - LIBS="$save_LIBS" -fi - -if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then - save_CPPFLAGS="$CPPFLAGS" - save_LIBS="$LIBS" - - cdirs= clibs= - for i in $LIB_krb4; do - case "$i" in - -L*) cdirs="$cdirs $i";; - -l*) clibs="$clibs $i";; - esac - done - - ires= - for i in $INCLUDE_krb4; do - CFLAGS="$i $save_CFLAGS" - cat >conftest.$ac_ext <<_ACEOF -#line 33337 "configure" -#include "confdefs.h" - - #undef KRB5 /* makes md4.h et al unhappy */ - #define KRB4 - #include - #include - #include - #include - #include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - MD4_CTX md4; - MD5_CTX md5; - SHA_CTX sha1; - - MD4_Init(&md4); - MD5_Init(&md5); - SHA1_Init(&sha1); - - des_cbc_encrypt(0, 0, 0, 0, 0, 0); - RC4(0, 0, 0, 0); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:33373: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:33376: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:33379: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33382: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - openssl=yes ires="$i"; break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - cat >conftest.$ac_ext <<_ACEOF -#line 33391 "configure" -#include "confdefs.h" - - #undef KRB5 /* makes md4.h et al unhappy */ - #define KRB4 - #include - #include - #include - #include - #include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - MD4_CTX md4; - MD5_CTX md5; - SHA_CTX sha1; - - MD4_Init(&md4); - MD5_Init(&md5); - SHA1_Init(&sha1); - - des_cbc_encrypt(0, 0, 0, 0, 0, 0); - RC4(0, 0, 0, 0); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:33427: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:33430: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:33433: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33436: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ires="$i"; break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest.$ac_ext - done - lres= - for i in $cdirs; do - for j in $clibs; do - LIBS="$i $j $save_LIBS" - if test "$openssl" = yes; then - cat >conftest.$ac_ext <<_ACEOF -#line 33451 "configure" -#include "confdefs.h" - - #undef KRB5 /* makes md4.h et al unhappy */ - #define KRB4 - #include - #include - #include - #include - #include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - MD4_CTX md4; - MD5_CTX md5; - SHA_CTX sha1; - - MD4_Init(&md4); - MD5_Init(&md5); - SHA1_Init(&sha1); - - des_cbc_encrypt(0, 0, 0, 0, 0, 0); - RC4(0, 0, 0, 0); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:33487: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:33490: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:33493: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33496: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - lres="$i $j"; break 2 -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - else - cat >conftest.$ac_ext <<_ACEOF -#line 33506 "configure" -#include "confdefs.h" - - #undef KRB5 /* makes md4.h et al unhappy */ - #define KRB4 - #include - #include - #include - #include - #include - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - MD4_CTX md4; - MD5_CTX md5; - SHA_CTX sha1; - - MD4_Init(&md4); - MD5_Init(&md5); - SHA1_Init(&sha1); - - des_cbc_encrypt(0, 0, 0, 0, 0, 0); - RC4(0, 0, 0, 0); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:33542: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:33545: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:33548: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33551: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - lres="$i $j"; break 2 -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - fi - done - done - CFLAGS="$save_CFLAGS" - LIBS="$save_LIBS" - if test "$ires" -a "$lres"; then - INCLUDE_des="$ires" - LIB_des="$lres" - crypto_lib=krb4 - echo "$as_me:33568: result: same as krb4" >&5 -echo "${ECHO_T}same as krb4" >&6 - LIB_des_a='$(LIB_des)' - LIB_des_so='$(LIB_des)' - LIB_des_appl='$(LIB_des)' - fi -fi - -if test "$crypto_lib" = "unknown"; then - - DIR_des='des' - LIB_des='$(top_builddir)/lib/des/libdes.la' - LIB_des_a='$(top_builddir)/lib/des/.libs/libdes.a' - LIB_des_so='$(top_builddir)/lib/des/.libs/libdes.so' - LIB_des_appl="-ldes" - - echo "$as_me:33584: result: included libdes" >&5 -echo "${ECHO_T}included libdes" >&6 - -fi - -if test "$openssl" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_OPENSSL 1 -_ACEOF - -fi - - -if test "$openssl" = yes; then - HAVE_OPENSSL_TRUE= - HAVE_OPENSSL_FALSE='#' -else - HAVE_OPENSSL_TRUE='#' - HAVE_OPENSSL_FALSE= -fi - - - - - - - - - - - - - -echo "$as_me:33618: checking for el_init" >&5 -echo $ECHO_N "checking for el_init... $ECHO_C" >&6 -if test "${ac_cv_funclib_el_init+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - -if eval "test \"\$ac_cv_func_el_init\" != yes" ; then - ac_save_LIBS="$LIBS" - for ac_lib in "" edit; do - case "$ac_lib" in - "") ;; - yes) ac_lib="" ;; - no) continue ;; - -l*) ;; - *) ac_lib="-l$ac_lib" ;; - esac - LIBS=" $ac_lib $LIB_tgetent $ac_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -#line 33636 "configure" -#include "confdefs.h" - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -el_init() - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:33654: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? 
- echo "$as_me:33657: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:33660: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33663: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "if test -n \"$ac_lib\";then ac_cv_funclib_el_init=$ac_lib; else ac_cv_funclib_el_init=yes; fi";break -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - done - eval "ac_cv_funclib_el_init=\${ac_cv_funclib_el_init-no}" - LIBS="$ac_save_LIBS" -fi - -fi - - -eval "ac_res=\$ac_cv_funclib_el_init" - -if false; then - -for ac_func in el_init -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:33686: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 33692 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:33729: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:33732: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:33735: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33738: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:33748: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -fi -# el_init -eval "ac_tr_func=HAVE_`echo el_init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`" -eval "LIB_el_init=$ac_res" - -case "$ac_res" in - yes) - eval "ac_cv_func_el_init=yes" - eval "LIB_el_init=" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - echo "$as_me:33772: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - ;; - no) - eval "ac_cv_func_el_init=no" - eval "LIB_el_init=" - echo "$as_me:33778: result: no" >&5 -echo "${ECHO_T}no" >&6 - ;; - *) - eval "ac_cv_func_el_init=yes" - eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes" - cat >>confdefs.h <<_ACEOF -#define $ac_tr_func 1 -_ACEOF - - cat >>confdefs.h <<_ACEOF -#define $ac_tr_lib 1 -_ACEOF - - echo "$as_me:33792: result: yes, in $ac_res" >&5 -echo "${ECHO_T}yes, in $ac_res" >&6 - ;; -esac - - -if test "$ac_cv_func_el_init" = yes ; then - echo "$as_me:33799: checking for four argument 
el_init" >&5 -echo $ECHO_N "checking for four argument el_init... $ECHO_C" >&6 -if test "${ac_cv_func_el_init_four+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - - cat >conftest.$ac_ext <<_ACEOF -#line 33806 "configure" -#include "confdefs.h" -#include - #include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -el_init("", NULL, NULL, NULL); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:33825: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:33828: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:33831: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33834: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_el_init_four=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_el_init_four=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -fi -echo "$as_me:33844: result: $ac_cv_func_el_init_four" >&5 -echo "${ECHO_T}$ac_cv_func_el_init_four" >&6 - if test "$ac_cv_func_el_init_four" = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_FOUR_VALUED_EL_INIT 1 -_ACEOF - - fi -fi - - -ac_foo=no -if test "$with_readline" = yes; then - : -elif test "$ac_cv_func_readline" = yes; then - : -elif test "$ac_cv_func_el_init" = yes; then - ac_foo=yes - LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la \$(LIB_el_init) \$(LIB_tgetent)" -else - LIB_readline="\$(top_builddir)/lib/editline/libeditline.la \$(LIB_tgetent)" -fi - - -if test "$ac_foo" = yes; then - el_compat_TRUE= - el_compat_FALSE='#' -else - el_compat_TRUE='#' - el_compat_FALSE= -fi - - -cat >>confdefs.h <<\_ACEOF -#define HAVE_READLINE 1 -_ACEOF - - - - - -cat >>confdefs.h <<\_ACEOF -#define AUTHENTICATION 1 -_ACEOF - -cat >>confdefs.h <<\_ACEOF -#define ENCRYPTION 1 -_ACEOF - -cat >>confdefs.h <<\_ACEOF -#define 
DES_ENCRYPTION 1 -_ACEOF - -cat >>confdefs.h <<\_ACEOF -#define DIAGNOSTICS 1 -_ACEOF - -cat >>confdefs.h <<\_ACEOF -#define OLD_ENVIRON 1 -_ACEOF -if false; then - -cat >>confdefs.h <<\_ACEOF -#define ENV_HACK 1 -_ACEOF - -fi - -# Simple test for streamspty, based on the existance of getmsg(), alas -# this breaks on SunOS4 which have streams but BSD-like ptys -# -# And also something wierd has happend with dec-osf1, fallback to bsd-ptys - -case "$host" in -*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[01]*) - ;; -*) - echo "$as_me:33922: checking for getmsg" >&5 -echo $ECHO_N "checking for getmsg... $ECHO_C" >&6 -if test "${ac_cv_func_getmsg+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line 33928 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getmsg (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getmsg (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_getmsg) || defined (__stub___getmsg) -choke me -#else -f = getmsg; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:33965: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:33968: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:33971: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:33974: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getmsg=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_func_getmsg=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:33984: result: $ac_cv_func_getmsg" >&5 -echo "${ECHO_T}$ac_cv_func_getmsg" >&6 - - if test "$ac_cv_func_getmsg" = "yes"; then - echo "$as_me:33988: checking if getmsg works" >&5 -echo $ECHO_N "checking if getmsg works... $ECHO_C" >&6 -if test "${ac_cv_func_getmsg_works+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then - ac_cv_func_getmsg_works=no -else - cat >conftest.$ac_ext <<_ACEOF -#line 33997 "configure" -#include "confdefs.h" - - #include - #include - - int main() - { - int ret; - ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL); - if(ret < 0 && errno == ENOSYS) - return 1; - return 0; - } - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:34014: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:34017: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:34019: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:34022: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_getmsg_works=yes -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -ac_cv_func_getmsg_works=no -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -echo "$as_me:34035: result: $ac_cv_func_getmsg_works" >&5 -echo "${ECHO_T}$ac_cv_func_getmsg_works" >&6 - if test "$ac_cv_func_getmsg_works" = "yes"; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_GETMSG 1 -_ACEOF - - -cat >>confdefs.h <<\_ACEOF -#define STREAMSPTY 1 -_ACEOF - - fi - fi - ;; -esac - - - - - - - -# Extract the first word of "compile_et", so it can be a program name with args. -set dummy compile_et; ac_word=$2 -echo "$as_me:34061: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_COMPILE_ET+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$COMPILE_ET"; then - ac_cv_prog_COMPILE_ET="$COMPILE_ET" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_COMPILE_ET="compile_et" - echo "$as_me:34077: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -COMPILE_ET=$ac_cv_prog_COMPILE_ET -if test -n "$COMPILE_ET"; then - echo "$as_me:34087: result: $COMPILE_ET" >&5 -echo "${ECHO_T}$COMPILE_ET" >&6 -else - echo "$as_me:34090: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - - -krb_cv_compile_et="no" -if test "${COMPILE_ET}" = "compile_et"; then - -echo "$as_me:34098: checking whether compile_et has the features we need" >&5 -echo $ECHO_N "checking whether compile_et has the features we need... 
$ECHO_C" >&6 -cat > conftest_et.et <<'EOF' -error_table conf -prefix CONFTEST -index 1 -error_code CODE1, "CODE1" -index 128 -error_code CODE2, "CODE2" -end -EOF -if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then - save_CPPFLAGS="${save_CPPFLAGS}" - if test -d "/usr/include/et"; then - CPPFLAGS="-I/usr/include/et ${CPPFLAGS}" - fi - if test "$cross_compiling" = yes; then - { { echo "$as_me:34115: error: cannot run test program while cross compiling" >&5 -echo "$as_me: error: cannot run test program while cross compiling" >&2;} - { (exit 1); exit 1; }; } -else - cat >conftest.$ac_ext <<_ACEOF -#line 34120 "configure" -#include "confdefs.h" - -#include -#include -#include "conftest_et.h" -int main(){return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;} - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:34130: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:34133: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:34135: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:34138: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - krb_cv_compile_et="yes" -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -( exit $ac_status ) -CPPFLAGS="${save_CPPFLAGS}" -fi -rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi -fi -echo "$as_me:34151: result: ${krb_cv_compile_et}" >&5 -echo "${ECHO_T}${krb_cv_compile_et}" >&6 -rm -fr conftest* -fi - -if test "${krb_cv_compile_et}" = "yes"; then - krb_cv_save_LIBS="${LIBS}" - LIBS="${LIBS} -lcom_err" - echo "$as_me:34159: checking for com_err" >&5 -echo $ECHO_N "checking for com_err... 
$ECHO_C" >&6 - cat >conftest.$ac_ext <<_ACEOF -#line 34162 "configure" -#include "confdefs.h" -#include -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ - - const char *p; - p = error_message(0); - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:34183: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:34186: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:34189: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:34192: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - krb_cv_com_err="yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - echo "$as_me:34201: result: ${krb_cv_com_err}" >&5 -echo "${ECHO_T}${krb_cv_com_err}" >&6 - LIBS="${krb_cv_save_LIBS}" -else - krb_cv_com_err="no" -fi - -if test "${krb_cv_com_err}" = "yes"; then - DIR_com_err="" - LIB_com_err="-lcom_err" - LIB_com_err_a="" - LIB_com_err_so="" - { echo "$as_me:34213: Using the already-installed com_err" >&5 -echo "$as_me: Using the already-installed com_err" >&6;} -else - COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et" - DIR_com_err="com_err" - LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la" - LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a" - LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so" - { echo "$as_me:34221: Using our own com_err" >&5 -echo "$as_me: Using our own com_err" >&6;} -fi - - - - - - - - -echo "$as_me:34232: checking which authentication modules should be built" >&5 -echo $ECHO_N "checking which authentication modules should be built... 
$ECHO_C" >&6 - -LIB_AUTH_SUBDIRS= - -if test "$ac_cv_header_siad_h" = yes; then - LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia" -fi - -case "${host}" in -*-*-freebsd*) ac_cv_want_pam_krb4=no ;; -*) ac_cv_want_pam_krb4=yes ;; -esac - -if test "$ac_cv_want_pam_krb4" = yes -a \ - "$ac_cv_header_security_pam_modules_h" = yes -a \ - "$enable_shared" = yes; then - LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam" -fi - -case "${host}" in -*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;; -esac - -echo "$as_me:34256: result: $LIB_AUTH_SUBDIRS" >&5 -echo "${ECHO_T}$LIB_AUTH_SUBDIRS" >&6 - - - - -# This is done by AC_OUTPUT but we need the result here. -test "x$prefix" = xNONE && prefix=$ac_default_prefix -test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' - - - x="${bindir}" - eval y="$x" - while test "x$y" != "x$x"; do - x="$y" - eval y="$x" - done - -cat >>confdefs.h <<_ACEOF -#define BINDIR "$x" -_ACEOF - - x="${libdir}" - eval y="$x" - while test "x$y" != "x$x"; do - x="$y" - eval y="$x" - done - -cat >>confdefs.h <<_ACEOF -#define LIBDIR "$x" -_ACEOF - - x="${libexecdir}" - eval y="$x" - while test "x$y" != "x$x"; do - x="$y" - eval y="$x" - done - -cat >>confdefs.h <<_ACEOF -#define LIBEXECDIR "$x" -_ACEOF - - x="${localstatedir}" - eval y="$x" - while test "x$y" != "x$x"; do - x="$y" - eval y="$x" - done - -cat >>confdefs.h <<_ACEOF -#define LOCALSTATEDIR "$x" -_ACEOF - - x="${sbindir}" - eval y="$x" - while test "x$y" != "x$x"; do - x="$y" - eval y="$x" - done - -cat >>confdefs.h <<_ACEOF -#define SBINDIR "$x" -_ACEOF - - x="${sysconfdir}" - eval y="$x" - while test "x$y" != "x$x"; do - x="$y" - eval y="$x" - done - -cat >>confdefs.h <<_ACEOF -#define SYSCONFDIR "$x" -_ACEOF - - - -LTLIBOBJS=`echo "$LIBOBJS" | - sed 's,\.[^.]* ,.lo ,g;s,\.[^.]*$,.lo,'` - - - - - -ac_config_files="$ac_config_files Makefile include/Makefile include/kadm5/Makefile lib/Makefile lib/45/Makefile lib/auth/Makefile lib/auth/afskauthlib/Makefile lib/auth/pam/Makefile 
lib/auth/sia/Makefile lib/asn1/Makefile lib/com_err/Makefile lib/des/Makefile lib/editline/Makefile lib/gssapi/Makefile lib/hdb/Makefile lib/kadm5/Makefile lib/kafs/Makefile lib/kdfs/Makefile lib/krb5/Makefile lib/otp/Makefile lib/roken/Makefile lib/sl/Makefile lib/vers/Makefile kuser/Makefile kpasswd/Makefile kadmin/Makefile admin/Makefile kdc/Makefile appl/Makefile appl/afsutil/Makefile appl/ftp/Makefile appl/ftp/common/Makefile appl/ftp/ftp/Makefile appl/ftp/ftpd/Makefile appl/kx/Makefile appl/login/Makefile appl/otp/Makefile appl/popper/Makefile appl/push/Makefile appl/rsh/Makefile appl/rcp/Makefile appl/su/Makefile appl/xnlock/Makefile appl/telnet/Makefile appl/telnet/libtelnet/Makefile appl/telnet/telnet/Makefile appl/telnet/telnetd/Makefile appl/test/Makefile appl/kf/Makefile appl/dceutils/Makefile doc/Makefile tools/Makefile" - - -cat >confcache <<\_ACEOF -# This file is a shell script that caches the results of configure -# tests run on this system so they can be shared between configure -# scripts and configure runs, see configure's option --config-cache. -# It is not useful on other systems. If it contains results you don't -# want to keep, you may remove or edit it. -# -# config.status only pays attention to the cache file if you give it -# the --recheck option to rerun configure. -# -# `ac_cv_env_foo' variables (set or unset) will be overriden when -# loading this file, other *unset* `ac_cv_foo' will be assigned the -# following values. - -_ACEOF - -# The following way of writing the cache mishandles newlines in values, -# but we know of no workaround that is simple, portable, and efficient. -# So, don't put newlines in cache variables' values. -# Ultrix sh set writes to stderr and can't be redirected directly, -# and sets the high bit in the cache file unless we assign to the vars. 
-{ - (set) 2>&1 | - case `(ac_space=' '; set | grep ac_space) 2>&1` in - *ac_space=\ *) - # `set' does not quote correctly, so add quotes (double-quote - # substitution turns \\\\ into \\, and sed turns \\ into \). - sed -n \ - "s/'/'\\\\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" - ;; - *) - # `set' quotes correctly as required by POSIX, so do not add quotes. - sed -n \ - "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p" - ;; - esac; -} | - sed ' - t clear - : clear - s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ - t end - /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ - : end' >>confcache -if cmp -s $cache_file confcache; then :; else - if test -w $cache_file; then - test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file" - cat confcache >$cache_file - else - echo "not updating unwritable cache $cache_file" - fi -fi -rm -f confcache - -test "x$prefix" = xNONE && prefix=$ac_default_prefix -# Let make expand exec_prefix. -test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' - -# VPATH may cause trouble with some makes, so we remove $(srcdir), -# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and -# trailing colons and then remove the whole line if VPATH becomes empty -# (actually we leave an empty line to preserve line numbers). -if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=/{ -s/:*\$(srcdir):*/:/; -s/:*\${srcdir}:*/:/; -s/:*@srcdir@:*/:/; -s/^\([^=]*=[ ]*\):*/\1/; -s/:*$//; -s/^[^=]*=[ ]*$//; -}' -fi - -DEFS=-DHAVE_CONFIG_H - -if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then - { { echo "$as_me:34422: error: conditional \"AMDEP\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"AMDEP\" was never defined. -Usually this means the macro was only invoked conditionally." 
>&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_DB1_TRUE}" && test -z "${HAVE_DB1_FALSE}"; then - { { echo "$as_me:34429: error: conditional \"HAVE_DB1\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_DB1\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_DB3_TRUE}" && test -z "${HAVE_DB3_FALSE}"; then - { { echo "$as_me:34436: error: conditional \"HAVE_DB3\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_DB3\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_NDBM_TRUE}" && test -z "${HAVE_NDBM_FALSE}"; then - { { echo "$as_me:34443: error: conditional \"HAVE_NDBM\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_NDBM\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${have_err_h_TRUE}" && test -z "${have_err_h_FALSE}"; then - { { echo "$as_me:34450: error: conditional \"have_err_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"have_err_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${have_fnmatch_h_TRUE}" && test -z "${have_fnmatch_h_FALSE}"; then - { { echo "$as_me:34457: error: conditional \"have_fnmatch_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"have_fnmatch_h\" was never defined. -Usually this means the macro was only invoked conditionally." 
>&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${have_ifaddrs_h_TRUE}" && test -z "${have_ifaddrs_h_FALSE}"; then - { { echo "$as_me:34464: error: conditional \"have_ifaddrs_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"have_ifaddrs_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${have_vis_h_TRUE}" && test -z "${have_vis_h_FALSE}"; then - { { echo "$as_me:34471: error: conditional \"have_vis_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"have_vis_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${have_glob_h_TRUE}" && test -z "${have_glob_h_FALSE}"; then - { { echo "$as_me:34478: error: conditional \"have_glob_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"have_glob_h\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${KRB4_TRUE}" && test -z "${KRB4_FALSE}"; then - { { echo "$as_me:34485: error: conditional \"KRB4\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"KRB4\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${KRB5_TRUE}" && test -z "${KRB5_FALSE}"; then - { { echo "$as_me:34492: error: conditional \"KRB5\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"KRB5\" was never defined. -Usually this means the macro was only invoked conditionally." 
>&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${do_roken_rename_TRUE}" && test -z "${do_roken_rename_FALSE}"; then - { { echo "$as_me:34499: error: conditional \"do_roken_rename\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"do_roken_rename\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${DCE_TRUE}" && test -z "${DCE_FALSE}"; then - { { echo "$as_me:34506: error: conditional \"DCE\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"DCE\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${OTP_TRUE}" && test -z "${OTP_FALSE}"; then - { { echo "$as_me:34513: error: conditional \"OTP\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"OTP\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${CATMAN_TRUE}" && test -z "${CATMAN_FALSE}"; then - { { echo "$as_me:34520: error: conditional \"CATMAN\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"CATMAN\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${AIX_TRUE}" && test -z "${AIX_FALSE}"; then - { { echo "$as_me:34527: error: conditional \"AIX\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"AIX\" was never defined. -Usually this means the macro was only invoked conditionally." 
>&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${AIX4_TRUE}" && test -z "${AIX4_FALSE}"; then - { { echo "$as_me:34534: error: conditional \"AIX4\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"AIX4\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_DLOPEN_TRUE}" && test -z "${HAVE_DLOPEN_FALSE}"; then - { { echo "$as_me:34541: error: conditional \"HAVE_DLOPEN\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_DLOPEN\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${AIX_DYNAMIC_AFS_TRUE}" && test -z "${AIX_DYNAMIC_AFS_FALSE}"; then - { { echo "$as_me:34548: error: conditional \"AIX_DYNAMIC_AFS\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"AIX_DYNAMIC_AFS\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${IRIX_TRUE}" && test -z "${IRIX_FALSE}"; then - { { echo "$as_me:34555: error: conditional \"IRIX\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"IRIX\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_X_TRUE}" && test -z "${HAVE_X_FALSE}"; then - { { echo "$as_me:34562: error: conditional \"HAVE_X\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_X\" was never defined. -Usually this means the macro was only invoked conditionally." 
>&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${NEED_WRITEAUTH_TRUE}" && test -z "${NEED_WRITEAUTH_FALSE}"; then - { { echo "$as_me:34569: error: conditional \"NEED_WRITEAUTH\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"NEED_WRITEAUTH\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${HAVE_OPENSSL_TRUE}" && test -z "${HAVE_OPENSSL_FALSE}"; then - { { echo "$as_me:34576: error: conditional \"HAVE_OPENSSL\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"HAVE_OPENSSL\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi -if test -z "${el_compat_TRUE}" && test -z "${el_compat_FALSE}"; then - { { echo "$as_me:34583: error: conditional \"el_compat\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -echo "$as_me: error: conditional \"el_compat\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } -fi - -: ${CONFIG_STATUS=./config.status} -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files $CONFIG_STATUS" -{ echo "$as_me:34593: creating $CONFIG_STATUS" >&5 -echo "$as_me: creating $CONFIG_STATUS" >&6;} -cat >$CONFIG_STATUS <<_ACEOF -#! $SHELL -# Generated by $as_me. -# Run this file to recreate the current configuration. -# Compiler output produced by configure, useful for debugging -# configure, is in config.log if it exists. - -debug=false -SHELL=\${CONFIG_SHELL-$SHELL} -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF - -## --------------------- ## -## M4sh Initialization. 
## -## --------------------- ## - -# Be Bourne compatible -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: -elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then - set -o posix -fi - -# NLS nuisances. -# Support unset when possible. -if (FOO=FOO; unset FOO) >/dev/null 2>&1; then - as_unset=unset -else - as_unset=false -fi - -(set +x; test -n "`(LANG=C; export LANG) 2>&1`") && - { $as_unset LANG || test "${LANG+set}" != set; } || - { LANG=C; export LANG; } -(set +x; test -n "`(LC_ALL=C; export LC_ALL) 2>&1`") && - { $as_unset LC_ALL || test "${LC_ALL+set}" != set; } || - { LC_ALL=C; export LC_ALL; } -(set +x; test -n "`(LC_TIME=C; export LC_TIME) 2>&1`") && - { $as_unset LC_TIME || test "${LC_TIME+set}" != set; } || - { LC_TIME=C; export LC_TIME; } -(set +x; test -n "`(LC_CTYPE=C; export LC_CTYPE) 2>&1`") && - { $as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set; } || - { LC_CTYPE=C; export LC_CTYPE; } -(set +x; test -n "`(LANGUAGE=C; export LANGUAGE) 2>&1`") && - { $as_unset LANGUAGE || test "${LANGUAGE+set}" != set; } || - { LANGUAGE=C; export LANGUAGE; } -(set +x; test -n "`(LC_COLLATE=C; export LC_COLLATE) 2>&1`") && - { $as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set; } || - { LC_COLLATE=C; export LC_COLLATE; } -(set +x; test -n "`(LC_NUMERIC=C; export LC_NUMERIC) 2>&1`") && - { $as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set; } || - { LC_NUMERIC=C; export LC_NUMERIC; } -(set +x; test -n "`(LC_MESSAGES=C; export LC_MESSAGES) 2>&1`") && - { $as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set; } || - { LC_MESSAGES=C; export LC_MESSAGES; } - - -# Name of the executable. -as_me=`(basename "$0") 2>/dev/null || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)$' \| \ - . 
: '\(.\)' 2>/dev/null || -echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; } - /^X\/\(\/\/\)$/{ s//\1/; q; } - /^X\/\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - -# PATH needs CR, and LINENO needs CR and PATH. -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - echo "#! /bin/sh" >conftest.sh - echo "exit 0" >>conftest.sh - chmod +x conftest.sh - if (PATH=".;."; conftest.sh) >/dev/null 2>&1; then - PATH_SEPARATOR=';' - else - PATH_SEPARATOR=: - fi - rm -f conftest.sh -fi - - - as_lineno_1=34688 - as_lineno_2=34689 - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" || { - # Find who we are. Look in the path if we contain no path at all - # relative or not. - case $0 in - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done - - ;; - esac - # We did not find ourselves, most probably we were run as `sh COMMAND' - # in which case we are not to be found in the path. - if test "x$as_myself" = x; then - as_myself=$0 - fi - if test ! -f "$as_myself"; then - { { echo "$as_me:34713: error: cannot find myself; rerun with an absolute path" >&5 -echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;} - { (exit 1); exit 1; }; } - fi - case $CONFIG_SHELL in - '') - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for as_base in sh bash ksh sh5; do - case $as_dir in - /*) - if ("$as_dir/$as_base" -c ' - as_lineno_1=34728 - as_lineno_2=34729 - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then - CONFIG_SHELL=$as_dir/$as_base - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$0" ${1+"$@"} - fi;; - esac - done -done -;; - esac - - # Create $as_me.lineno as a copy of $as_myself, but with 34743 - # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line before each line; the second 'sed' does the real - # work. The second script uses 'N' to pair each line-number line - # with the numbered line, and appends trailing '-' during - # substitution so that 34748 is not a special case at line end. - # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-) - sed '=' <$as_myself | - sed ' - N - s,$,-, - : loop - s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3, - t loop - s,-$,, - s,^['$as_cr_digits']*\n,, - ' >$as_me.lineno && - chmod +x $as_me.lineno || - { { echo "$as_me:34762: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5 -echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;} - { (exit 1); exit 1; }; } - - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensible to this). - . ./$as_me.lineno - # Exit status is that of the last command. 
- exit -} - - -case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in - *c*,-n*) ECHO_N= ECHO_C=' -' ECHO_T=' ' ;; - *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; - *) ECHO_N= ECHO_C='\c' ECHO_T= ;; -esac - -if expr a : '\(a\)' >/dev/null 2>&1; then - as_expr=expr -else - as_expr=false -fi - -rm -f conf$$ conf$$.exe conf$$.file -echo >conf$$.file -if ln -s conf$$.file conf$$ 2>/dev/null; then - # We could just check for DJGPP; but this test a) works b) is more generic - # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04). - if test -f conf$$.exe; then - # Don't use ln at all; we don't have any links - as_ln_s='cp -p' - else - as_ln_s='ln -s' - fi -elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln -else - as_ln_s='cp -p' -fi -rm -f conf$$ conf$$.exe conf$$.file - -as_executable_p="test -f" - -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" - -# Sed expression to map a string onto a valid variable name. -as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g" - - -# IFS -# We need space, tab and new line, in precisely that order. -as_nl=' -' -IFS=" $as_nl" - -# CDPATH. -$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=$PATH_SEPARATOR; export CDPATH; } - -exec 6>&1 - -# Open the log real soon, to keep \$[0] and so on meaningful, and to -# report actual input values of CONFIG_FILES etc. instead of their -# values after options handling. Logging --version etc. is OK. -exec 5>>config.log -{ - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX -## Running $as_me. ## -_ASBOX -} >&5 -cat >&5 <<_CSEOF - -This file was extended by Heimdal $as_me 0.4f, which was -generated by GNU Autoconf 2.53. 
Invocation command line was - - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS - CONFIG_LINKS = $CONFIG_LINKS - CONFIG_COMMANDS = $CONFIG_COMMANDS - $ $0 $@ - -_CSEOF -echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5 -echo >&5 -_ACEOF - -# Files that config.status was made for. -if test -n "$ac_config_files"; then - echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS -fi - -if test -n "$ac_config_headers"; then - echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS -fi - -if test -n "$ac_config_links"; then - echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS -fi - -if test -n "$ac_config_commands"; then - echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS -fi - -cat >>$CONFIG_STATUS <<\_ACEOF - -ac_cs_usage="\ -\`$as_me' instantiates files from templates according to the -current configuration. - -Usage: $0 [OPTIONS] [FILE]... - - -h, --help print this help, then exit - -V, --version print version number, then exit - -d, --debug don't remove temporary files - --recheck update $as_me by reconfiguring in the same conditions - --file=FILE[:TEMPLATE] - instantiate the configuration file FILE - --header=FILE[:TEMPLATE] - instantiate the configuration header FILE - -Configuration files: -$config_files - -Configuration headers: -$config_headers - -Configuration commands: -$config_commands - -Report bugs to ." -_ACEOF - -cat >>$CONFIG_STATUS <<_ACEOF -ac_cs_version="\\ -Heimdal config.status 0.4f -configured by $0, generated by GNU Autoconf 2.53, - with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" - -Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001 -Free Software Foundation, Inc. -This config.status script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it." 
-srcdir=$srcdir -INSTALL="$INSTALL" -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF -# If no file are specified by the user, then we need to provide default -# value. By we need to know if files were specified by the user. -ac_need_defaults=: -while test $# != 0 -do - case $1 in - --*=*) - ac_option=`expr "x$1" : 'x\([^=]*\)='` - ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'` - shift - set dummy "$ac_option" "$ac_optarg" ${1+"$@"} - shift - ;; - -*);; - *) # This is not an option, so the user has probably given explicit - # arguments. - ac_need_defaults=false;; - esac - - case $1 in - # Handling of the options. -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - echo "running $SHELL $0 " $ac_configure_args " --no-create --no-recursion" - exec $SHELL $0 $ac_configure_args --no-create --no-recursion ;; -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF - --version | --vers* | -V ) - echo "$ac_cs_version"; exit 0 ;; - --he | --h) - # Conflict between --help and --header - { { echo "$as_me:34945: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&5 -echo "$as_me: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&2;} - { (exit 1); exit 1; }; };; - --help | --hel | -h ) - echo "$ac_cs_usage"; exit 0 ;; - --debug | --d* | -d ) - debug=: ;; - --file | --fil | --fi | --f ) - shift - CONFIG_FILES="$CONFIG_FILES $1" - ac_need_defaults=false;; - --header | --heade | --head | --hea ) - shift - CONFIG_HEADERS="$CONFIG_HEADERS $1" - ac_need_defaults=false;; - - # This is an error. - -*) { { echo "$as_me:34964: error: unrecognized option: $1 -Try \`$0 --help' for more information." >&5 -echo "$as_me: error: unrecognized option: $1 -Try \`$0 --help' for more information." >&2;} - { (exit 1); exit 1; }; } ;; - - *) ac_config_targets="$ac_config_targets $1" ;; - - esac - shift -done - -_ACEOF - -cat >>$CONFIG_STATUS <<_ACEOF -# -# INIT-COMMANDS section. 
-# - -AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" - -_ACEOF - - - -cat >>$CONFIG_STATUS <<\_ACEOF -for ac_config_target in $ac_config_targets -do - case "$ac_config_target" in - # Handling of arguments. - "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "include/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;; - "include/kadm5/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/kadm5/Makefile" ;; - "lib/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;; - "lib/45/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/45/Makefile" ;; - "lib/auth/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/Makefile" ;; - "lib/auth/afskauthlib/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/afskauthlib/Makefile" ;; - "lib/auth/pam/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/pam/Makefile" ;; - "lib/auth/sia/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/sia/Makefile" ;; - "lib/asn1/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/asn1/Makefile" ;; - "lib/com_err/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/com_err/Makefile" ;; - "lib/des/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/des/Makefile" ;; - "lib/editline/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/editline/Makefile" ;; - "lib/gssapi/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/gssapi/Makefile" ;; - "lib/hdb/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/hdb/Makefile" ;; - "lib/kadm5/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kadm5/Makefile" ;; - "lib/kafs/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kafs/Makefile" ;; - "lib/kdfs/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kdfs/Makefile" ;; - "lib/krb5/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/krb5/Makefile" ;; - "lib/otp/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/otp/Makefile" ;; - "lib/roken/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/roken/Makefile" ;; - "lib/sl/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/sl/Makefile" ;; - "lib/vers/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/vers/Makefile" ;; - "kuser/Makefile" ) CONFIG_FILES="$CONFIG_FILES 
kuser/Makefile" ;; - "kpasswd/Makefile" ) CONFIG_FILES="$CONFIG_FILES kpasswd/Makefile" ;; - "kadmin/Makefile" ) CONFIG_FILES="$CONFIG_FILES kadmin/Makefile" ;; - "admin/Makefile" ) CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;; - "kdc/Makefile" ) CONFIG_FILES="$CONFIG_FILES kdc/Makefile" ;; - "appl/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/Makefile" ;; - "appl/afsutil/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/afsutil/Makefile" ;; - "appl/ftp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/Makefile" ;; - "appl/ftp/common/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/common/Makefile" ;; - "appl/ftp/ftp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftp/Makefile" ;; - "appl/ftp/ftpd/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftpd/Makefile" ;; - "appl/kx/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/kx/Makefile" ;; - "appl/login/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/login/Makefile" ;; - "appl/otp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/otp/Makefile" ;; - "appl/popper/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/popper/Makefile" ;; - "appl/push/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/push/Makefile" ;; - "appl/rsh/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/rsh/Makefile" ;; - "appl/rcp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/rcp/Makefile" ;; - "appl/su/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/su/Makefile" ;; - "appl/xnlock/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/xnlock/Makefile" ;; - "appl/telnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/Makefile" ;; - "appl/telnet/libtelnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/libtelnet/Makefile" ;; - "appl/telnet/telnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnet/Makefile" ;; - "appl/telnet/telnetd/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnetd/Makefile" ;; - "appl/test/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/test/Makefile" ;; - "appl/kf/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/kf/Makefile" ;; - "appl/dceutils/Makefile" ) 
CONFIG_FILES="$CONFIG_FILES appl/dceutils/Makefile" ;; - "doc/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; - "tools/Makefile" ) CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; - "depfiles" ) CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; - "include/config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS include/config.h" ;; - *) { { echo "$as_me:35048: error: invalid argument: $ac_config_target" >&5 -echo "$as_me: error: invalid argument: $ac_config_target" >&2;} - { (exit 1); exit 1; }; };; - esac -done - -# If the user did not use the arguments to specify the items to instantiate, -# then the envvar interface is used. Set only those that are not. -# We use the long form for the default assignment because of an extremely -# bizarre bug on SunOS 4.1.3. -if $ac_need_defaults; then - test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files - test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers - test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands -fi - -# Create a temporary directory, and hook for its removal unless debugging. -$debug || -{ - trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0 - trap '{ (exit 1); exit 1; }' 1 2 13 15 -} - -# Create a (secure) tmp directory for tmp files. -: ${TMPDIR=/tmp} -{ - tmp=`(umask 077 && mktemp -d -q "$TMPDIR/csXXXXXX") 2>/dev/null` && - test -n "$tmp" && test -d "$tmp" -} || -{ - tmp=$TMPDIR/cs$$-$RANDOM - (umask 077 && mkdir $tmp) -} || -{ - echo "$me: cannot create a temporary directory in $TMPDIR" >&2 - { (exit 1); exit 1; } -} - -_ACEOF - -cat >>$CONFIG_STATUS <<_ACEOF - -# -# CONFIG_FILES section. -# - -# No need to generate the scripts if there are no CONFIG_FILES. -# This happens for instance when ./config.status config.h -if test -n "\$CONFIG_FILES"; then - # Protect against being on the right side of a sed subst in config.status. 
- sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g; - s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF -s,@SHELL@,$SHELL,;t t -s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t -s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t -s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t -s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t -s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t -s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t -s,@exec_prefix@,$exec_prefix,;t t -s,@prefix@,$prefix,;t t -s,@program_transform_name@,$program_transform_name,;t t -s,@bindir@,$bindir,;t t -s,@sbindir@,$sbindir,;t t -s,@libexecdir@,$libexecdir,;t t -s,@datadir@,$datadir,;t t -s,@sysconfdir@,$sysconfdir,;t t -s,@sharedstatedir@,$sharedstatedir,;t t -s,@localstatedir@,$localstatedir,;t t -s,@libdir@,$libdir,;t t -s,@includedir@,$includedir,;t t -s,@oldincludedir@,$oldincludedir,;t t -s,@infodir@,$infodir,;t t -s,@mandir@,$mandir,;t t -s,@build_alias@,$build_alias,;t t -s,@host_alias@,$host_alias,;t t -s,@target_alias@,$target_alias,;t t -s,@DEFS@,$DEFS,;t t -s,@ECHO_C@,$ECHO_C,;t t -s,@ECHO_N@,$ECHO_N,;t t -s,@ECHO_T@,$ECHO_T,;t t -s,@LIBS@,$LIBS,;t t -s,@CC@,$CC,;t t -s,@CFLAGS@,$CFLAGS,;t t -s,@LDFLAGS@,$LDFLAGS,;t t -s,@CPPFLAGS@,$CPPFLAGS,;t t -s,@ac_ct_CC@,$ac_ct_CC,;t t -s,@EXEEXT@,$EXEEXT,;t t -s,@OBJEXT@,$OBJEXT,;t t -s,@CPP@,$CPP,;t t -s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t -s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t -s,@INSTALL_DATA@,$INSTALL_DATA,;t t -s,@PACKAGE@,$PACKAGE,;t t -s,@VERSION@,$VERSION,;t t -s,@ACLOCAL@,$ACLOCAL,;t t -s,@AUTOCONF@,$AUTOCONF,;t t -s,@AUTOMAKE@,$AUTOMAKE,;t t -s,@AUTOHEADER@,$AUTOHEADER,;t t -s,@MAKEINFO@,$MAKEINFO,;t t -s,@AMTAR@,$AMTAR,;t t -s,@install_sh@,$install_sh,;t t -s,@STRIP@,$STRIP,;t t -s,@ac_ct_STRIP@,$ac_ct_STRIP,;t t -s,@INSTALL_STRIP_PROGRAM@,$INSTALL_STRIP_PROGRAM,;t t -s,@AWK@,$AWK,;t t -s,@SET_MAKE@,$SET_MAKE,;t t -s,@DEPDIR@,$DEPDIR,;t t -s,@am__include@,$am__include,;t t -s,@am__quote@,$am__quote,;t t -s,@AMDEP_TRUE@,$AMDEP_TRUE,;t t 
-s,@AMDEP_FALSE@,$AMDEP_FALSE,;t t -s,@AMDEPBACKSLASH@,$AMDEPBACKSLASH,;t t -s,@CCDEPMODE@,$CCDEPMODE,;t t -s,@build@,$build,;t t -s,@build_cpu@,$build_cpu,;t t -s,@build_vendor@,$build_vendor,;t t -s,@build_os@,$build_os,;t t -s,@host@,$host,;t t -s,@host_cpu@,$host_cpu,;t t -s,@host_vendor@,$host_vendor,;t t -s,@host_os@,$host_os,;t t -s,@CANONICAL_HOST@,$CANONICAL_HOST,;t t -s,@YACC@,$YACC,;t t -s,@LEX@,$LEX,;t t -s,@LEXLIB@,$LEXLIB,;t t -s,@LEX_OUTPUT_ROOT@,$LEX_OUTPUT_ROOT,;t t -s,@LN_S@,$LN_S,;t t -s,@ECHO@,$ECHO,;t t -s,@RANLIB@,$RANLIB,;t t -s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t -s,@LIBTOOL@,$LIBTOOL,;t t -s,@WFLAGS@,$WFLAGS,;t t -s,@WFLAGS_NOUNUSED@,$WFLAGS_NOUNUSED,;t t -s,@WFLAGS_NOIMPLICITINT@,$WFLAGS_NOIMPLICITINT,;t t -s,@LIB_db_create@,$LIB_db_create,;t t -s,@LIB_dbopen@,$LIB_dbopen,;t t -s,@LIB_dbm_firstkey@,$LIB_dbm_firstkey,;t t -s,@HAVE_DB1_TRUE@,$HAVE_DB1_TRUE,;t t -s,@HAVE_DB1_FALSE@,$HAVE_DB1_FALSE,;t t -s,@HAVE_DB3_TRUE@,$HAVE_DB3_TRUE,;t t -s,@HAVE_DB3_FALSE@,$HAVE_DB3_FALSE,;t t -s,@HAVE_NDBM_TRUE@,$HAVE_NDBM_TRUE,;t t -s,@HAVE_NDBM_FALSE@,$HAVE_NDBM_FALSE,;t t -s,@DBLIB@,$DBLIB,;t t -s,@LIB_NDBM@,$LIB_NDBM,;t t -s,@VOID_RETSIGTYPE@,$VOID_RETSIGTYPE,;t t -s,@have_err_h_TRUE@,$have_err_h_TRUE,;t t -s,@have_err_h_FALSE@,$have_err_h_FALSE,;t t -s,@have_fnmatch_h_TRUE@,$have_fnmatch_h_TRUE,;t t -s,@have_fnmatch_h_FALSE@,$have_fnmatch_h_FALSE,;t t -s,@have_ifaddrs_h_TRUE@,$have_ifaddrs_h_TRUE,;t t -s,@have_ifaddrs_h_FALSE@,$have_ifaddrs_h_FALSE,;t t -s,@have_vis_h_TRUE@,$have_vis_h_TRUE,;t t -s,@have_vis_h_FALSE@,$have_vis_h_FALSE,;t t -s,@LIB_socket@,$LIB_socket,;t t -s,@LIB_gethostbyname@,$LIB_gethostbyname,;t t -s,@LIB_syslog@,$LIB_syslog,;t t -s,@LIB_gethostbyname2@,$LIB_gethostbyname2,;t t -s,@LIB_res_search@,$LIB_res_search,;t t -s,@LIB_dn_expand@,$LIB_dn_expand,;t t -s,@LIBOBJS@,$LIBOBJS,;t t -s,@have_glob_h_TRUE@,$have_glob_h_TRUE,;t t -s,@have_glob_h_FALSE@,$have_glob_h_FALSE,;t t -s,@LIB_getsockopt@,$LIB_getsockopt,;t t 
-s,@LIB_setsockopt@,$LIB_setsockopt,;t t -s,@LIB_hstrerror@,$LIB_hstrerror,;t t -s,@LIB_bswap16@,$LIB_bswap16,;t t -s,@LIB_bswap32@,$LIB_bswap32,;t t -s,@LIB_pidfile@,$LIB_pidfile,;t t -s,@LIB_getaddrinfo@,$LIB_getaddrinfo,;t t -s,@LIB_getnameinfo@,$LIB_getnameinfo,;t t -s,@LIB_freeaddrinfo@,$LIB_freeaddrinfo,;t t -s,@LIB_gai_strerror@,$LIB_gai_strerror,;t t -s,@LIB_crypt@,$LIB_crypt,;t t -s,@DIR_roken@,$DIR_roken,;t t -s,@LIB_roken@,$LIB_roken,;t t -s,@INCLUDES_roken@,$INCLUDES_roken,;t t -s,@INCLUDE_openldap@,$INCLUDE_openldap,;t t -s,@LIB_openldap@,$LIB_openldap,;t t -s,@INCLUDE_krb4@,$INCLUDE_krb4,;t t -s,@LIB_krb4@,$LIB_krb4,;t t -s,@EXTRA_LIB45@,$EXTRA_LIB45,;t t -s,@LIB_krb_enable_debug@,$LIB_krb_enable_debug,;t t -s,@LIB_krb_disable_debug@,$LIB_krb_disable_debug,;t t -s,@LIB_krb_get_our_ip_for_realm@,$LIB_krb_get_our_ip_for_realm,;t t -s,@LIB_krb_kdctimeofday@,$LIB_krb_kdctimeofday,;t t -s,@LIB_krb_get_kdc_time_diff@,$LIB_krb_get_kdc_time_diff,;t t -s,@KRB4_TRUE@,$KRB4_TRUE,;t t -s,@KRB4_FALSE@,$KRB4_FALSE,;t t -s,@KRB5_TRUE@,$KRB5_TRUE,;t t -s,@KRB5_FALSE@,$KRB5_FALSE,;t t -s,@do_roken_rename_TRUE@,$do_roken_rename_TRUE,;t t -s,@do_roken_rename_FALSE@,$do_roken_rename_FALSE,;t t -s,@LIB_kdb@,$LIB_kdb,;t t -s,@DCE_TRUE@,$DCE_TRUE,;t t -s,@DCE_FALSE@,$DCE_FALSE,;t t -s,@dpagaix_cflags@,$dpagaix_cflags,;t t -s,@dpagaix_ldadd@,$dpagaix_ldadd,;t t -s,@dpagaix_ldflags@,$dpagaix_ldflags,;t t -s,@LIB_otp@,$LIB_otp,;t t -s,@OTP_TRUE@,$OTP_TRUE,;t t -s,@OTP_FALSE@,$OTP_FALSE,;t t -s,@LIB_security@,$LIB_security,;t t -s,@NROFF@,$NROFF,;t t -s,@GROFF@,$GROFF,;t t -s,@CATMAN@,$CATMAN,;t t -s,@CATMAN_TRUE@,$CATMAN_TRUE,;t t -s,@CATMAN_FALSE@,$CATMAN_FALSE,;t t -s,@CATMANEXT@,$CATMANEXT,;t t -s,@INCLUDE_readline@,$INCLUDE_readline,;t t -s,@LIB_readline@,$LIB_readline,;t t -s,@INCLUDE_hesiod@,$INCLUDE_hesiod,;t t -s,@LIB_hesiod@,$LIB_hesiod,;t t -s,@AIX_TRUE@,$AIX_TRUE,;t t -s,@AIX_FALSE@,$AIX_FALSE,;t t -s,@AIX4_TRUE@,$AIX4_TRUE,;t t -s,@AIX4_FALSE@,$AIX4_FALSE,;t t 
-s,@LIB_dlopen@,$LIB_dlopen,;t t -s,@HAVE_DLOPEN_TRUE@,$HAVE_DLOPEN_TRUE,;t t -s,@HAVE_DLOPEN_FALSE@,$HAVE_DLOPEN_FALSE,;t t -s,@LIB_loadquery@,$LIB_loadquery,;t t -s,@AIX_DYNAMIC_AFS_TRUE@,$AIX_DYNAMIC_AFS_TRUE,;t t -s,@AIX_DYNAMIC_AFS_FALSE@,$AIX_DYNAMIC_AFS_FALSE,;t t -s,@AIX_EXTRA_KAFS@,$AIX_EXTRA_KAFS,;t t -s,@IRIX_TRUE@,$IRIX_TRUE,;t t -s,@IRIX_FALSE@,$IRIX_FALSE,;t t -s,@X_CFLAGS@,$X_CFLAGS,;t t -s,@X_PRE_LIBS@,$X_PRE_LIBS,;t t -s,@X_LIBS@,$X_LIBS,;t t -s,@X_EXTRA_LIBS@,$X_EXTRA_LIBS,;t t -s,@HAVE_X_TRUE@,$HAVE_X_TRUE,;t t -s,@HAVE_X_FALSE@,$HAVE_X_FALSE,;t t -s,@LIB_XauWriteAuth@,$LIB_XauWriteAuth,;t t -s,@LIB_XauReadAuth@,$LIB_XauReadAuth,;t t -s,@LIB_XauFileName@,$LIB_XauFileName,;t t -s,@NEED_WRITEAUTH_TRUE@,$NEED_WRITEAUTH_TRUE,;t t -s,@NEED_WRITEAUTH_FALSE@,$NEED_WRITEAUTH_FALSE,;t t -s,@LIB_logwtmp@,$LIB_logwtmp,;t t -s,@LIB_logout@,$LIB_logout,;t t -s,@LIB_openpty@,$LIB_openpty,;t t -s,@LIB_tgetent@,$LIB_tgetent,;t t -s,@LIB_getpwnam_r@,$LIB_getpwnam_r,;t t -s,@HAVE_OPENSSL_TRUE@,$HAVE_OPENSSL_TRUE,;t t -s,@HAVE_OPENSSL_FALSE@,$HAVE_OPENSSL_FALSE,;t t -s,@DIR_des@,$DIR_des,;t t -s,@INCLUDE_des@,$INCLUDE_des,;t t -s,@LIB_des@,$LIB_des,;t t -s,@LIB_des_a@,$LIB_des_a,;t t -s,@LIB_des_so@,$LIB_des_so,;t t -s,@LIB_des_appl@,$LIB_des_appl,;t t -s,@LIB_el_init@,$LIB_el_init,;t t -s,@el_compat_TRUE@,$el_compat_TRUE,;t t -s,@el_compat_FALSE@,$el_compat_FALSE,;t t -s,@COMPILE_ET@,$COMPILE_ET,;t t -s,@DIR_com_err@,$DIR_com_err,;t t -s,@LIB_com_err@,$LIB_com_err,;t t -s,@LIB_com_err_a@,$LIB_com_err_a,;t t -s,@LIB_com_err_so@,$LIB_com_err_so,;t t -s,@LIB_AUTH_SUBDIRS@,$LIB_AUTH_SUBDIRS,;t t -s,@LTLIBOBJS@,$LTLIBOBJS,;t t -CEOF - -_ACEOF - - cat >>$CONFIG_STATUS <<\_ACEOF - # Split the substitutions into bite-sized pieces for seds with - # small command number limits, like on Digital OSF/1 and HP-UX. - ac_max_sed_lines=48 - ac_sed_frag=1 # Number of current file. - ac_beg=1 # First line for current file. 
- ac_end=$ac_max_sed_lines # Line after last line for current file. - ac_more_lines=: - ac_sed_cmds= - while $ac_more_lines; do - if test $ac_beg -gt 1; then - sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag - else - sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag - fi - if test ! -s $tmp/subs.frag; then - ac_more_lines=false - else - # The purpose of the label and of the branching condition is to - # speed up the sed processing (if there are no `@' at all, there - # is no need to browse any of the substitutions). - # These are the two extra sed commands mentioned above. - (echo ':t - /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed - if test -z "$ac_sed_cmds"; then - ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed" - else - ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed" - fi - ac_sed_frag=`expr $ac_sed_frag + 1` - ac_beg=$ac_end - ac_end=`expr $ac_end + $ac_max_sed_lines` - fi - done - if test -z "$ac_sed_cmds"; then - ac_sed_cmds=cat - fi -fi # test -n "$CONFIG_FILES" - -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF -for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". - case $ac_file in - - | *:- | *:-:* ) # input from stdin - cat >$tmp/stdin - ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - * ) ac_file_in=$ac_file.in ;; - esac - - # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories. - ac_dir=`(dirname "$ac_file") 2>/dev/null || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| \ - . 
: '\(.\)' 2>/dev/null || -echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { case "$ac_dir" in - [\\/]* | ?:[\\/]* ) as_incr_dir=;; - *) as_incr_dir=.;; -esac -as_dummy="$ac_dir" -for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do - case $as_mkdir_dir in - # Skip DOS drivespec - ?:) as_incr_dir=$as_mkdir_dir ;; - *) - as_incr_dir=$as_incr_dir/$as_mkdir_dir - test -d "$as_incr_dir" || - mkdir "$as_incr_dir" || - { { echo "$as_me:35392: error: cannot create \"$ac_dir\"" >&5 -echo "$as_me: error: cannot create \"$ac_dir\"" >&2;} - { (exit 1); exit 1; }; } - ;; - esac -done; } - - ac_builddir=. - -if test "$ac_dir" != .; then - ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A "../" for each directory in $ac_dir_suffix. - ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` -else - ac_dir_suffix= ac_top_builddir= -fi - -case $srcdir in - .) # No --srcdir option. We are building in place. - ac_srcdir=. - if test -z "$ac_top_builddir"; then - ac_top_srcdir=. - else - ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` - fi ;; - [\\/]* | ?:[\\/]* ) # Absolute path. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir ;; - *) # Relative path. - ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_builddir$srcdir ;; -esac -# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be -# absolute. 
-ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd` -ac_abs_top_builddir=`cd "$ac_dir" && cd $ac_top_builddir && pwd` -ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd` -ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd` - - - case $INSTALL in - [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; - *) ac_INSTALL=$ac_top_builddir$INSTALL ;; - esac - - if test x"$ac_file" != x-; then - { echo "$as_me:35438: creating $ac_file" >&5 -echo "$as_me: creating $ac_file" >&6;} - rm -f "$ac_file" - fi - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - if test x"$ac_file" = x-; then - configure_input= - else - configure_input="$ac_file. " - fi - configure_input=$configure_input"Generated from `echo $ac_file_in | - sed 's,.*/,,'` by configure." - - # First look for the input files in the build tree, otherwise in the - # src tree. - ac_file_inputs=`IFS=: - for f in $ac_file_in; do - case $f in - -) echo $tmp/stdin ;; - [\\/$]*) - # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:35461: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - echo $f;; - *) # Relative - if test -f "$f"; then - # Build tree - echo $f - elif test -f "$srcdir/$f"; then - # Source tree - echo $srcdir/$f - else - # /dev/null tree - { { echo "$as_me:35474: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - fi;; - esac - done` || { (exit 1); exit 1; } -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF - sed "$ac_vpsub -$extrasub -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF -:t -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b -s,@configure_input@,$configure_input,;t t -s,@srcdir@,$ac_srcdir,;t t -s,@abs_srcdir@,$ac_abs_srcdir,;t t -s,@top_srcdir@,$ac_top_srcdir,;t t -s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t -s,@builddir@,$ac_builddir,;t t 
-s,@abs_builddir@,$ac_abs_builddir,;t t -s,@top_builddir@,$ac_top_builddir,;t t -s,@abs_top_builddir@,$ac_abs_top_builddir,;t t -s,@INSTALL@,$ac_INSTALL,;t t -" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out - rm -f $tmp/stdin - if test x"$ac_file" != x-; then - mv $tmp/out $ac_file - else - cat $tmp/out - rm -f $tmp/out - fi - -done -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF - -# -# CONFIG_HEADER section. -# - -# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where -# NAME is the cpp macro being defined and VALUE is the value it is being given. -# -# ac_d sets the value in "#define NAME VALUE" lines. -ac_dA='s,^\([ ]*\)#\([ ]*define[ ][ ]*\)' -ac_dB='[ ].*$,\1#\2' -ac_dC=' ' -ac_dD=',;t' -# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE". -ac_uA='s,^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' -ac_uB='$,\1#\2define\3' -ac_uC=' ' -ac_uD=',;t' - -for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". - case $ac_file in - - | *:- | *:-:* ) # input from stdin - cat >$tmp/stdin - ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - * ) ac_file_in=$ac_file.in ;; - esac - - test x"$ac_file" != x- && { echo "$as_me:35541: creating $ac_file" >&5 -echo "$as_me: creating $ac_file" >&6;} - - # First look for the input files in the build tree, otherwise in the - # src tree. 
- ac_file_inputs=`IFS=: - for f in $ac_file_in; do - case $f in - -) echo $tmp/stdin ;; - [\\/$]*) - # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:35552: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - echo $f;; - *) # Relative - if test -f "$f"; then - # Build tree - echo $f - elif test -f "$srcdir/$f"; then - # Source tree - echo $srcdir/$f - else - # /dev/null tree - { { echo "$as_me:35565: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - fi;; - esac - done` || { (exit 1); exit 1; } - # Remove the trailing spaces. - sed 's/[ ]*$//' $ac_file_inputs >$tmp/in - -_ACEOF - -# Transform confdefs.h into two sed scripts, `conftest.defines' and -# `conftest.undefs', that substitutes the proper values into -# config.h.in to produce config.h. The first handles `#define' -# templates, and the second `#undef' templates. -# And first: Protect against being on the right side of a sed subst in -# config.status. Protect against being in an unquoted here document -# in config.status. -rm -f conftest.defines conftest.undefs -# Using a here document instead of a string reduces the quoting nightmare. -# Putting comments in sed scripts is not portable. -# -# `end' is used to avoid that the second main sed command (meant for -# 0-ary CPP macros) applies to n-ary macro definitions. -# See the Autoconf documentation for `clear'. -cat >confdef2sed.sed <<\_ACEOF -s/[\\&,]/\\&/g -s,[\\$`],\\&,g -t clear -: clear -s,^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*\)\(([^)]*)\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp -t end -s,^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp -: end -_ACEOF -# If some macros were called several times there might be several times -# the same #defines, which is useless. 
Nevertheless, we may not want to -# sort them, since we want the *last* AC-DEFINE to be honored. -uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines -sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs -rm -f confdef2sed.sed - -# This sed command replaces #undef with comments. This is necessary, for -# example, in the case of _POSIX_SOURCE, which is predefined and required -# on some systems where configure will not decide to define it. -cat >>conftest.undefs <<\_ACEOF -s,^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */, -_ACEOF - -# Break up conftest.defines because some shells have a limit on the size -# of here documents, and old seds have small limits too (100 cmds). -echo ' # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS -echo ' if egrep "^[ ]*#[ ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS -echo ' # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS -echo ' :' >>$CONFIG_STATUS -rm -f conftest.tail -while grep . conftest.defines >/dev/null -do - # Write a limited-size here document to $tmp/defines.sed. - echo ' cat >$tmp/defines.sed <>$CONFIG_STATUS - # Speed up: don't consider the non `#define' lines. - echo '/^[ ]*#[ ]*define/!b' >>$CONFIG_STATUS - # Work around the forget-to-reset-the-flag bug. - echo 't clr' >>$CONFIG_STATUS - echo ': clr' >>$CONFIG_STATUS - sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS - echo 'CEOF - sed -f $tmp/defines.sed $tmp/in >$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in -' >>$CONFIG_STATUS - sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail - rm -f conftest.defines - mv conftest.tail conftest.defines -done -rm -f conftest.defines -echo ' fi # egrep' >>$CONFIG_STATUS -echo >>$CONFIG_STATUS - -# Break up conftest.undefs because some shells have a limit on the size -# of here documents, and old seds have small limits too (100 cmds). -echo ' # Handle all the #undef templates' >>$CONFIG_STATUS -rm -f conftest.tail -while grep . 
conftest.undefs >/dev/null -do - # Write a limited-size here document to $tmp/undefs.sed. - echo ' cat >$tmp/undefs.sed <>$CONFIG_STATUS - # Speed up: don't consider the non `#undef' - echo '/^[ ]*#[ ]*undef/!b' >>$CONFIG_STATUS - # Work around the forget-to-reset-the-flag bug. - echo 't clr' >>$CONFIG_STATUS - echo ': clr' >>$CONFIG_STATUS - sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS - echo 'CEOF - sed -f $tmp/undefs.sed $tmp/in >$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in -' >>$CONFIG_STATUS - sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail - rm -f conftest.undefs - mv conftest.tail conftest.undefs -done -rm -f conftest.undefs - -cat >>$CONFIG_STATUS <<\_ACEOF - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - if test x"$ac_file" = x-; then - echo "/* Generated by configure. */" >$tmp/config.h - else - echo "/* $ac_file. Generated by configure. */" >$tmp/config.h - fi - cat $tmp/in >>$tmp/config.h - rm -f $tmp/in - if test x"$ac_file" != x-; then - if cmp -s $ac_file $tmp/config.h 2>/dev/null; then - { echo "$as_me:35682: $ac_file is unchanged" >&5 -echo "$as_me: $ac_file is unchanged" >&6;} - else - ac_dir=`(dirname "$ac_file") 2>/dev/null || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| \ - . 
: '\(.\)' 2>/dev/null || -echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { case "$ac_dir" in - [\\/]* | ?:[\\/]* ) as_incr_dir=;; - *) as_incr_dir=.;; -esac -as_dummy="$ac_dir" -for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do - case $as_mkdir_dir in - # Skip DOS drivespec - ?:) as_incr_dir=$as_mkdir_dir ;; - *) - as_incr_dir=$as_incr_dir/$as_mkdir_dir - test -d "$as_incr_dir" || - mkdir "$as_incr_dir" || - { { echo "$as_me:35710: error: cannot create \"$ac_dir\"" >&5 -echo "$as_me: error: cannot create \"$ac_dir\"" >&2;} - { (exit 1); exit 1; }; } - ;; - esac -done; } - - rm -f $ac_file - mv $tmp/config.h $ac_file - fi - else - cat $tmp/config.h - rm -f $tmp/config.h - fi - # Run the commands associated with the file. - case $ac_file in - include/config.h ) # update the timestamp -echo 'timestamp for include/config.h' >"include/stamp-h1" - ;; - esac -done -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF - -# -# CONFIG_COMMANDS section. -# -for ac_file in : $CONFIG_COMMANDS; do test "x$ac_file" = x: && continue - ac_dest=`echo "$ac_file" | sed 's,:.*,,'` - ac_source=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_dir=`(dirname "$ac_dest") 2>/dev/null || -$as_expr X"$ac_dest" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_dest" : 'X\(//\)[^/]' \| \ - X"$ac_dest" : 'X\(//\)$' \| \ - X"$ac_dest" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$ac_dest" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - ac_builddir=. - -if test "$ac_dir" != .; then - ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A "../" for each directory in $ac_dir_suffix. - ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` -else - ac_dir_suffix= ac_top_builddir= -fi - -case $srcdir in - .) # No --srcdir option. 
We are building in place. - ac_srcdir=. - if test -z "$ac_top_builddir"; then - ac_top_srcdir=. - else - ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` - fi ;; - [\\/]* | ?:[\\/]* ) # Absolute path. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir ;; - *) # Relative path. - ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_builddir$srcdir ;; -esac -# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be -# absolute. -ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd` -ac_abs_top_builddir=`cd "$ac_dir" && cd $ac_top_builddir && pwd` -ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd` -ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd` - - - { echo "$as_me:35785: executing $ac_dest commands" >&5 -echo "$as_me: executing $ac_dest commands" >&6;} - case $ac_dest in - depfiles ) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do - # Strip MF so we end up with the name of the file. - mf=`echo "$mf" | sed -e 's/:.*$//'` - # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but - # some people rename them; so instead we look at the file content. - # Grep'ing the first line is not enough: some people post-process - # each Makefile.in and add a new line on top of each file to say so. - # So let's grep whole file. - if grep '^#.*generated by automake' $mf > /dev/null 2>&1; then - dirpart=`(dirname "$mf") 2>/dev/null || -$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$mf" : 'X\(//\)[^/]' \| \ - X"$mf" : 'X\(//\)$' \| \ - X"$mf" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$mf" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - else - continue - fi - grep '^DEP_FILES *= *[^ #]' < "$mf" > /dev/null || continue - # Extract the definition of DEP_FILES from the Makefile without - # running `make'. 
- DEPDIR=`sed -n -e '/^DEPDIR = / s///p' < "$mf"` - test -z "$DEPDIR" && continue - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n -e '/^U = / s///p' < "$mf"` - test -d "$dirpart/$DEPDIR" || mkdir "$dirpart/$DEPDIR" - # We invoke sed twice because it is the simplest approach to - # changing $(DEPDIR) to its actual value in the expansion. - for file in `sed -n -e ' - /^DEP_FILES = .*\\\\$/ { - s/^DEP_FILES = // - :loop - s/\\\\$// - p - n - /\\\\$/ b loop - p - } - /^DEP_FILES = / s/^DEP_FILES = //p' < "$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do - # Make sure the directory exists. - test -f "$dirpart/$file" && continue - fdir=`(dirname "$file") 2>/dev/null || -$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$file" : 'X\(//\)[^/]' \| \ - X"$file" : 'X\(//\)$' \| \ - X"$file" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { case $dirpart/$fdir in - [\\/]* | ?:[\\/]* ) as_incr_dir=;; - *) as_incr_dir=.;; -esac -as_dummy=$dirpart/$fdir -for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do - case $as_mkdir_dir in - # Skip DOS drivespec - ?:) as_incr_dir=$as_mkdir_dir ;; - *) - as_incr_dir=$as_incr_dir/$as_mkdir_dir - test -d "$as_incr_dir" || - mkdir "$as_incr_dir" || - { { echo "$as_me:35862: error: cannot create $dirpart/$fdir" >&5 -echo "$as_me: error: cannot create $dirpart/$fdir" >&2;} - { (exit 1); exit 1; }; } - ;; - esac -done; } - - # echo "creating $dirpart/$file" - echo '# dummy' > "$dirpart/$file" - done -done - ;; - esac -done -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF - -{ (exit 0); exit 0; } -_ACEOF -chmod +x $CONFIG_STATUS -ac_clean_files=$ac_clean_files_save - - -# configure is writing to config.log, and then calls config.status. 
-# config.status does its own redirection, appending to config.log. -# Unfortunately, on DOS this fails, as config.log is still kept open -# by configure, so config.status won't be able to write to it; its -# output is simply discarded. So we exec the FD to /dev/null, -# effectively closing config.log, so it can be properly (re)opened and -# appended to by config.status. When coming back to configure, we -# need to make the FD available again. -if test "$no_create" != yes; then - ac_cs_success=: - exec 5>/dev/null - $SHELL $CONFIG_STATUS || ac_cs_success=false - exec 5>>config.log - # Use ||, not &&, to avoid exiting from the if with $? = 1, which - # would make configure fail if this is the last instruction. - $ac_cs_success || { (exit 1); exit 1; } -fi - - - -cat > include/newversion.h.in </dev/null | sed 1q` - Date=`date` - mv -f include/newversion.h.in include/version.h.in - sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h -fi diff --git a/crypto/heimdal/doc/Makefile b/crypto/heimdal/doc/Makefile deleted file mode 100644 index 28b638346f3d..000000000000 --- a/crypto/heimdal/doc/Makefile +++ /dev/null 
@@ -1,584 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# doc/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.6 1999/03/20 13:58:16 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 no-texinfo.tex - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -info_TEXINFOS = heimdal.texi -heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi -subdir = doc -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = -INFO_DEPS = heimdal.info -DVIS = heimdal.dvi -TEXINFOS = heimdal.texi -DIST_COMMON = $(heimdal_TEXINFOS) Makefile.am Makefile.in mdate-sh -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .dvi .info .ps .texi -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign doc/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool - -heimdal.info: heimdal.texi $(heimdal_TEXINFOS) -heimdal.dvi: heimdal.texi $(heimdal_TEXINFOS) - -.texi.info: - @cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9] - cd $(srcdir) \ - && $(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) \ - `echo $< | sed 's,.*/,,'` - -.texi.dvi: - TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" \ - 
MAKEINFO='$(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir)' \ - $(TEXI2DVI) $< - -.texi: - @cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9] - cd $(srcdir) \ - && $(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) \ - `echo $< | sed 's,.*/,,'` - -MAKEINFO = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run makeinfo -TEXI2DVI = texi2dvi -DVIPS = dvips -.dvi.ps: - $(DVIPS) $< -o $@ - -uninstall-info-am: - $(PRE_UNINSTALL) - @if (install-info --version && \ - install-info --version | fgrep -i -v debian) >/dev/null 2>&1; then \ - list='$(INFO_DEPS)'; \ - for file in $$list; do \ - echo " install-info --info-dir=$(DESTDIR)$(infodir) --remove $(DESTDIR)$(infodir)/$$file"; \ - install-info --info-dir=$(DESTDIR)$(infodir) --remove $(DESTDIR)$(infodir)/$$file; \ - done; \ - else :; fi - @$(NORMAL_UNINSTALL) - @list='$(INFO_DEPS)'; \ - for file in $$list; do \ - (if cd $(DESTDIR)$(infodir); then \ - echo " rm -f $$file $$file-[0-9] $$file-[0-9][0-9])"; \ - rm -f $$file $$file-[0-9] $$file-[0-9][0-9]; \ - else :; fi); \ - done - -dist-info: $(INFO_DEPS) - list='$(INFO_DEPS)'; \ - for base in $$list; do \ - d=$(srcdir); \ - for file in $$d/$$base*; do \ - relfile=`expr "$$file" : "$$d/\(.*\)"`; \ - test -f $(distdir)/$$relfile || \ - cp -p $$file $(distdir)/$$relfile; \ - done; \ - done - -mostlyclean-aminfo: - -rm -f heimdal.aux heimdal.cp heimdal.cps heimdal.dvi heimdal.fn heimdal.ky \ - heimdal.log heimdal.pg heimdal.ps heimdal.tmp heimdal.toc \ - heimdal.tp heimdal.vr - -maintainer-clean-aminfo: - cd $(srcdir) && \ - list='$(INFO_DEPS)'; for i in $$list; do \ - rm -f $$i; \ - if test "`echo $$i-[0-9]*`" != "$$i-[0-9]*"; then \ - rm -f $$i-[0-9]*; \ - fi; \ - done -tags: TAGS -TAGS: - -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-info dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(INFO_DEPS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(infodir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: $(DVIS) - -info: info-am - -info-am: $(INFO_DEPS) - -install-data-am: install-data-local install-info-am - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-info-am: $(INFO_DEPS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(infodir) - @list='$(INFO_DEPS)'; \ - for file in $$list; do \ - d=$(srcdir); \ - for ifile in echo $$d/$$file $$d/$$file-[0-9] $$d/$$file-[0-9][0-9]; do \ - if test -f $$ifile; then \ - relfile=`expr "$$ifile" : "$$d/\(.*\)"`; \ - echo " $(INSTALL_DATA) $$ifile $(DESTDIR)$(infodir)/$$relfile"; \ - $(INSTALL_DATA) $$ifile $(DESTDIR)$(infodir)/$$relfile; \ - else : ; fi; \ - done; \ - done - @$(POST_INSTALL) - @if (install-info --version && \ - install-info --version | fgrep -i -v debian) >/dev/null 2>&1; then \ - list='$(INFO_DEPS)'; \ - for file in $$list; do \ - echo " install-info --info-dir=$(DESTDIR)$(infodir) $(DESTDIR)$(infodir)/$$file";\ - install-info --info-dir=$(DESTDIR)$(infodir) $(DESTDIR)$(infodir)/$$file || :;\ - done; \ - else : ; fi -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-aminfo \ - maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-aminfo mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool dist-info distclean \ - distclean-generic distclean-libtool distdir dvi dvi-am info \ - info-am install install-am install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - 
maintainer-clean-aminfo maintainer-clean-generic mostlyclean \ - mostlyclean-aminfo mostlyclean-generic mostlyclean-libtool \ - uninstall uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - 
echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt deleted file mode 100644 index a97ef9d191e0..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt +++ /dev/null 
@@ -1,412 +0,0 @@ -CAT working group M. Swift -Internet Draft J. Brezak -Document: draft-brezak-win2k-krb-rc4-hmac-01.txt Microsoft -Category: Informational October 1999 - - - The Windows 2000 RC4-HMAC Kerberos encryption type - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be - updated, replaced, or obsoleted by other documents at any time. It - is inappropriate to use Internet- Drafts as reference material or to - cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The Windows 2000 implementation of Kerberos introduces a new - encryption type based on the RC4 encryption algorithm and using an - MD5 HMAC for checksum. This is offered as an alternative to using - the existing DES based encryption types. - - The RC4-HMAC encryption types are used to ease upgrade of existing - Windows NT environments, provide strong crypto (128-bit key - lengths), and provide exportable (meet United States government - export restriction requirements) encryption. - - The Windows 2000 implementation of Kerberos contains new encryption - and checksum types for two reasons: for export reasons early in the - development process, 56 bit DES encryption could not be exported, - and because upon upgrade from Windows NT 4.0 to Windows 2000, - accounts will not have the appropriate DES keying material to do the - standard DES encryption. 
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -2. Conventions used in this document - - - -Swift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - -4. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. 
In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - The basic RC4 encryption operation is used in this encryption type - and defined in [8]. In this document the function is referred to as - RC4(Key, Data) returning the encrypted data using the specified key - on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - -Swift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - - The nonce(n) function returns a pseudo-random number of "n" octets. - -5. Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signature key") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -6. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. 
- - ENCRYPT(K, T, data) - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - L = concat("fortybits", T) //includes zero octet at - //end of string constant - Else - L = T - Ksign = HMAC(K,L) - Confounder = nonce(8) // get an 8 octet nonce for a confounder - Checksum = HMAC(Ksign, concat(Confounder, data)) - Ke = Ksign - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - memset(&Ke[7], 0x0ab, 9) - Ke2 = HMAC(Ke, Checksum) - data = RC4(Ke2, data) - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - -Swift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -7. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -8. GSSAPI Kerberos V5 Mechanism Type - -8.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - -8.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - -8.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in Section 6. - - - -Swift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS based messages is as follow: - - T = the message type, encoded as a little-endian four byte integer. - - GSS-ENCRYPT(K, T, data) - IV = SND_SEQ - K = XOR(K, 0xf0f0f0f0f0f0f0f0f0f0f0f0f0f0f0) - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - L = concat("fortybits", T) //includes zero octet at end - else - L = T - Ksign = HMAC(K, L) - Ke = Ksign - if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) - memset(&Ke[7], 0x0ab, 9) - Ke2 = HMAC(Ke, IV) - Data = RC4(Ke2, data) - SND_SEQ = RC4(Ke, seq#) - - The sequence number (SND_SEQ) and IV are used as defined in [5] - Section 1.2.2. - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. 
- It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -8. Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isnÆt used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -9. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -Swift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, - contact: - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 9 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -10. Author's Addresses - - Mike Swift - Microsoft - One Microsoft Way - Redmond, Washington - Email: mikesw@microsoft.com - - John Brezak - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@microsoft.com - - - - - - - - - - - - - - - - - - - -Swift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - -11. 
Full Copyright Statement - - Copyright (C) The Internet Society (1999). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Informational 7 - \ No newline at end of file diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt deleted file mode 100644 index 1fc9927dea4c..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt +++ /dev/null 
@@ -1,589 +0,0 @@ - - -CAT working group M. Swift -Internet Draft J. Brezak -Document: draft-brezak-win2k-krb-rc4-hmac-02.txt Microsoft -Category: Informational November 2000 - - - The Windows 2000 RC4-HMAC Kerberos encryption type - - -tatus of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be - updated, replaced, or obsoleted by other documents at any time. It - is inappropriate to use Internet- Drafts as reference material or to - cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -. Abstract - - The Windows 2000 implementation of Kerberos introduces a new - encryption type based on the RC4 encryption algorithm and using an - MD5 HMAC for checksum. This is offered as an alternative to using - the existing DES based encryption types. - - The RC4-HMAC encryption types are used to ease upgrade of existing - Windows NT environments, provide strong crypto (128-bit key - lengths), and provide exportable (meet United States government - export restriction requirements) encryption. - - The Windows 2000 implementation of Kerberos contains new encryption - and checksum types for two reasons: for export reasons early in the - development process, 56 bit DES encryption could not be exported, - and because upon upgrade from Windows NT 4.0 to Windows 2000, - accounts will not have the appropriate DES keying material to do the - standard DES encryption. 
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -. Conventions used in this document - - - -wift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - - For an account with a password of "foo", this String2Key("foo") will - return: - - 0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, - 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc - -. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. 
In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A - compatible cipher is described in [8]. In this document the function - is referred to as RC4(Key, Data) returning the encrypted data using - the specified key on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. This - summarizes the different key derivation values used in the various - -wift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - operations. Note that these differ from the key derivations used in - other Kerberos encryption types. - - T = 1 for TS-ENC-TS in the AS-Request - T = 8 for the AS-Reply - T = 7 for the Authenticator in the TGS-Request - T = 8 for the TGS-Reply - T = 2 for the Server Ticket in the AP-Request - T = 11 for the Authenticator in the AP-Request - T = 12 for the Server returned AP-Reply - T = 15 in the generation of checksum for the MIC token - T = 0 in the generation of sequence number for the MIC token - T = 13 in the generation of checksum for the WRAP token - T = 0 in the generation of sequence number for the WRAP token - T = 0 in the generation of encrypted data for the WRAPPED token - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - - The nonce(n) function returns a pseudo-random number of "n" octets. - -. 
Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signaturekey") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. - -wift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - BYTE L40[14] = "fortybits"; - BYTE SK = "signaturekey"; - - ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 10 + 4, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - add_8_random_bytes(data, data_len, conf_plus_data); - HMAC (K2, conf_plus_data, 8 + data_len, checksum); - HMAC (K1, checksum, 16, K3); - RC4(K3, conf_plus_data, 8 + data_len, edata + 16); - memcpy (edata, checksum, 16); - edata_len = 16 + 8 + data_len; - } - - DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - HMAC (K1, edata, 16, K3); // checksum is at edata - RC4(K3, edata + 16, edata_len - 16, edata + 16); - data_len = edata_len - 16 - 8; - memcpy (data, edata + 16 + 8, data_len); - - // verify generated and received checksums - HMAC (K2, edata + 16, edata_len - 16, checksum); - if (memcmp(edata, checksum, 16) != 0) - printf("CHECKSUM ERROR 
!!!!!!\n"); - } - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - - The KDC message is encrypted using the ENCRYPT function not - including the Checksum in the RC4_MDx_HEADER. - - -wift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -. GSSAPI Kerberos V5 Mechanism Type - -.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - - The Windows 2000 implementation also defines new GSSAPI flags in the - initial token passed when initializing a security context. These - flags are passed in the checksum field of the authenticator (See [5] - Section 1.1.1). - - GSS_C_DCE_STYLE - This flag was added for use with MicrosoftÆs - implementation of DCE RPC, which initially expected three legs of - authentication. Setting this flag causes an extra AP reply to be - sent from the client back to the server after receiving the serverÆs - AP reply. In addition, the context negotiation tokens do not have - GSSAPI framing - they are raw AP message and do not include object - identifiers. - #define GSS_C_DCE_STYLE 0x1000 - - - -wift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the - server that it should only allow the server application to identify - the client by name and ID, but not to impersonate the client. - #define GSS_C_IDENTIFY_FLAG 0x2000 - - GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the - client wants to be informed of extended error information. In - particular, Windows 2000 status codes may be returned in the data - field of a Kerberos error message. This allows the client to - understand a server failure more precisely. In addition, the server - may return errors to the client that are normally handled at the - application layer in the server, in order to let the client try to - recover. 
After receiving an error message, the client may attempt to - resubmit an AP request. - #define GSS_C_EXTENDED_ERROR_FLAG 0x4000 - - These flags are only used if a client is aware of these conventions - when using the SSPI on the Windows platform, they are not generally - used by default. - - When NetBIOS addresses are used in the GSSAPI, they are identified - by the GSS_C_AF_NETBIOS value. This value is defined as: - #define GSS_C_AF_NETBIOS 0x14 - NetBios addresses are 16-octet addresses typically composed of 1 to th 15 characters, trailing blank (ascii char 20) filled, with a 16 - octet of 0x0. - -.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - - MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, - MIC_seq, MIC_checksum) - { - HMAC (K, SK, 13, K4); - T = 15; - memcpy (T_plus_hdr_plus_msg + 00, &T, 4); - memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8); - // 0101 1100 FFFFFFFF - memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); - MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); - HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); - memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K5); - }else{ - HMAC (K, &T, 4, K5); - -wift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - } - if (fRC4_EXP) memset(K5+7, 0xAB, 9); - HMAC(K5, MIT_checksum, 8, K6); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K6, seq_plus_direction, 8, MIC_seq); - } - -.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in Section 
6. - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS wrap based messages is as - follow: - - - WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, - WRAP_seq, WRAP_checksum, edata, edata_len) - { - HMAC (K, SK, 13, K7); - T = 13; - PAD = 1; - memcpy (T_hdr_conf_msg_pad + 00, &T, 4); - memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 - FFFFFFFF - memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); - memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); - MD5 (T_hdr_conf_msg_pad, - 4 + 8 + 8 + msg_len + 1, - MD5_of_T_hdr_conf_msg_pad); - HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); - memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 - bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K8); - }else{ - HMAC (K, &T, 4, K8); - } - if (fRC4_EXP) memset(K8+7, 0xAB, 9); - HMAC(K8, WRAP_checksum, 8, K9); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - -wift Category - Informational 7 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K9, seq_plus_direction, 8, WRAP_seq); - - for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte - of key with 0xF0 - T = 0; - if (fRC4_EXP){ - *(DWORD *)(L40+10) = T; - HMAC(K10, L40, 14, K11); - memset(K11+7, 0xAB, 9); - }else{ - HMAC(K10, &T, 4, K11); - } - HMAC(K11, seq_num, 4, K12); - RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, - edata); /* skip T & hdr */ - edata_len = 8 + msg_len + 1; // conf + msg_len + pad - } - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -. 
Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isnÆt used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -0. Acknowledgements - - We would like to thank Salil Dangi for the valuable input in - refining the descriptions of the functions and review input. - -1. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -wift Category - Informational 8 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption - Algorithm", Work in Progress. - - 9 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, contact: - - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -2. Author's Addresses - - Mike Swift - Dept. 
of Computer Science - Sieg Hall - University of Washington - Seattle, WA 98105 - Email: mikesw@cs.washington.edu - - John Brezak - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@microsoft.com - - - - - - - - - - - - - - - -wift Category - Informational 9 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - -3. Full Copyright Statement - - "Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and - furnished to others, and derivative works that comment on or - otherwise explain it or assist in its implementation may be - prepared, copied, published and distributed, in whole or in - part, without restriction of any kind, provided that the above - copyright notice and this paragraph are included on all such - copies and derivative works. However, this document itself may - not be modified in any way, such as by removing the copyright - notice or references to the Internet Society or other Internet - organizations, except as needed for the purpose of developing - Internet standards in which case the procedures for copyrights - defined in the Internet Standards process must be followed, or - as required to translate it into languages other than English. - - The limited permissions granted above are perpetual and will - not be revoked by the Internet Society or its successors or - assigns. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -wift Category - Informational 10 -
diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt
deleted file mode 100644
index 202d44e8639c..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt
+++ /dev/null
@@ -1,587 +0,0 @@ -CAT working group M. Swift -Internet Draft J. Brezak -Document: draft-brezak-win2k-krb-rc4-hmac-03.txt Microsoft -Category: Informational June 2000 - - - The Windows 2000 RC4-HMAC Kerberos encryption type - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be - updated, replaced, or obsoleted by other documents at any time. It - is inappropriate to use Internet- Drafts as reference material or to - cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The Windows 2000 implementation of Kerberos introduces a new - encryption type based on the RC4 encryption algorithm and using an - MD5 HMAC for checksum. This is offered as an alternative to using - the existing DES based encryption types. - - The RC4-HMAC encryption types are used to ease upgrade of existing - Windows NT environments, provide strong crypto (128-bit key - lengths), and provide exportable (meet United States government - export restriction requirements) encryption. - - The Windows 2000 implementation of Kerberos contains new encryption - and checksum types for two reasons: for export reasons early in the - development process, 56 bit DES encryption could not be exported, - and because upon upgrade from Windows NT 4.0 to Windows 2000, - accounts will not have the appropriate DES keying material to do the - standard DES encryption. 
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -2. Conventions used in this document - - - -Swift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - - For an account with a password of "foo", this String2Key("foo") will - return: - - 0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, - 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc - -4. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. 
In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A - compatible cipher is described in [8]. In this document the function - is referred to as RC4(Key, Data) returning the encrypted data using - the specified key on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. This - summarizes the different key derivation values used in the various - -Swift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - operations. Note that these differ from the key derivations used in - other Kerberos encryption types. - - T = 1 for TS-ENC-TS in the AS-Request - T = 8 for the AS-Reply - T = 7 for the Authenticator in the TGS-Request - T = 8 for the TGS-Reply - T = 2 for the Server Ticket in the AP-Request - T = 11 for the Authenticator in the AP-Request - T = 12 for the Server returned AP-Reply - T = 15 in the generation of checksum for the MIC token - T = 0 in the generation of sequence number for the MIC token - T = 13 in the generation of checksum for the WRAP token - T = 0 in the generation of sequence number for the WRAP token - T = 0 in the generation of encrypted data for the WRAPPED token - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - - The nonce(n) function returns a pseudo-random number of "n" octets. - -5. 
Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signaturekey") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -6. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. - -Swift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - BYTE L40[14] = "fortybits"; - BYTE SK = "signaturekey"; - - ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 10 + 4, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - add_8_random_bytes(data, data_len, conf_plus_data); - HMAC (K2, conf_plus_data, 8 + data_len, checksum); - HMAC (K1, checksum, 16, K3); - RC4(K3, conf_plus_data, 8 + data_len, edata + 16); - memcpy (edata, checksum, 16); - edata_len = 16 + 8 + data_len; - } - - DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - HMAC (K1, edata, 16, K3); // checksum is at edata - RC4(K3, edata + 16, edata_len - 16, edata + 16); - data_len = edata_len - 16 - 8; - memcpy (data, edata + 16 + 8, data_len); - - // verify generated and received checksums - HMAC (K2, edata + 16, edata_len - 16, checksum); - if (memcmp(edata, checksum, 16) != 0) - printf("CHECKSUM ERROR 
!!!!!!\n"); - } - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - - The KDC message is encrypted using the ENCRYPT function not - including the Checksum in the RC4_MDx_HEADER. - - -Swift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -7. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -8. GSSAPI Kerberos V5 Mechanism Type - -8.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - - The Windows 2000 implementation also defines new GSSAPI flags in the - initial token passed when initializing a security context. These - flags are passed in the checksum field of the authenticator (See [5] - Section 1.1.1). - - GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s - implementation of DCE RPC, which initially expected three legs of - authentication. Setting this flag causes an extra AP reply to be - sent from the client back to the server after receiving the server’s - AP reply. In addition, the context negotiation tokens do not have - GSSAPI framing - they are raw AP message and do not include object - identifiers. - #define GSS_C_DCE_STYLE 0x1000 - - - -Swift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the - server that it should only allow the server application to identify - the client by name and ID, but not to impersonate the client. - #define GSS_C_IDENTIFY_FLAG 0x2000 - - GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the - client wants to be informed of extended error information. In - particular, Windows 2000 status codes may be returned in the data - field of a Kerberos error message. This allows the client to - understand a server failure more precisely. In addition, the server - may return errors to the client that are normally handled at the - application layer in the server, in order to let the client try to - recover. 
After receiving an error message, the client may attempt to - resubmit an AP request. - #define GSS_C_EXTENDED_ERROR_FLAG 0x4000 - - These flags are only used if a client is aware of these conventions - when using the SSPI on the Windows platform, they are not generally - used by default. - - When NetBIOS addresses are used in the GSSAPI, they are identified - by the GSS_C_AF_NETBIOS value. This value is defined as: - #define GSS_C_AF_NETBIOS 0x14 - NetBios addresses are 16-octet addresses typically composed of 1 to th 15 characters, trailing blank (ascii char 20) filled, with a 16 - octet of 0x0. - -8.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - - MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, - MIC_seq, MIC_checksum) - { - HMAC (K, SK, 13, K4); - T = 15; - memcpy (T_plus_hdr_plus_msg + 00, &T, 4); - memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8); - // 0101 1100 FFFFFFFF - memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); - MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); - HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); - memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K5); - }else{ - HMAC (K, &T, 4, K5); - -Swift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - } - if (fRC4_EXP) memset(K5+7, 0xAB, 9); - HMAC(K5, MIT_checksum, 8, K6); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K6, seq_plus_direction, 8, MIC_seq); - } - -8.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in 
Section 6. - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS wrap based messages is as - follow: - - - WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, - WRAP_seq, WRAP_checksum, edata, edata_len) - { - HMAC (K, SK, 13, K7); - T = 13; - PAD = 1; - memcpy (T_hdr_conf_msg_pad + 00, &T, 4); - memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 - FFFFFFFF - memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); - memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); - MD5 (T_hdr_conf_msg_pad, - 4 + 8 + 8 + msg_len + 1, - MD5_of_T_hdr_conf_msg_pad); - HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); - memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 - bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K8); - }else{ - HMAC (K, &T, 4, K8); - } - if (fRC4_EXP) memset(K8+7, 0xAB, 9); - HMAC(K8, WRAP_checksum, 8, K9); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - -Swift Category - Informational 7 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K9, seq_plus_direction, 8, WRAP_seq); - - for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte - of key with 0xF0 - T = 0; - if (fRC4_EXP){ - *(DWORD *)(L40+10) = T; - HMAC(K10, L40, 14, K11); - memset(K11+7, 0xAB, 9); - }else{ - HMAC(K10, &T, 4, K11); - } - HMAC(K11, seq_num, 4, K12); - RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, - edata); /* skip T & hdr */ - edata_len = 8 + msg_len + 1; // conf + msg_len + pad - } - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. 
In this description, the key size is actually 56-bits. - -9. Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isn’t used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -10. Acknowledgements - - We would like to thank Salil Dangi for the valuable input in - refining the descriptions of the functions and review input. - -11. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -Swift Category - Informational 8 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption - Algorithm", Work in Progress. - - 9 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, contact: - - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -12. Author's Addresses - - Mike Swift - Dept. 
of Computer Science - Sieg Hall - University of Washington - Seattle, WA 98105 - Email: mikesw@cs.washington.edu - - John Brezak - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@microsoft.com - - - - - - - - - - - - - - - -Swift Category - Informational 9 - - Windows 2000 RC4-HMAC Kerberos E-Type October 1999 - - - -13. Full Copyright Statement - - "Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and - furnished to others, and derivative works that comment on or - otherwise explain it or assist in its implementation may be - prepared, copied, published and distributed, in whole or in - part, without restriction of any kind, provided that the above - copyright notice and this paragraph are included on all such - copies and derivative works. However, this document itself may - not be modified in any way, such as by removing the copyright - notice or references to the Internet Society or other Internet - organizations, except as needed for the purpose of developing - Internet standards in which case the procedures for copyrights - defined in the Internet Standards process must be followed, or - as required to translate it into languages other than English. - - The limited permissions granted above are perpetual and will - not be revoked by the Internet Society or its successors or - assigns. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Informational 10 - diff --git a/crypto/heimdal/doc/standardisation/draft-foo b/crypto/heimdal/doc/standardisation/draft-foo deleted file mode 100644 index 8174d4678f8d..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-foo +++ /dev/null 
@@ -1,171 +0,0 @@ - - - - - - -Network Working Group Assar Westerlund - SICS -Internet-Draft October, 1997 -Expire in six months - - Kerberos over IPv6 - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - To view the entire list of current Internet-Drafts, please check the - "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow - Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), - munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or - ftp.isi.edu (US West Coast). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - This document specifies the address types and transport types - necessary for using Kerberos [RFC1510] over IPv6 [RFC1883]. - -Specification - - IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB - order. The type of IPv6 addresses is twenty-four (24). - - The following addresses (see [RFC1884]) MUST not appear in any - Kerberos packet: - - the Unspecified Address - the Loopback Address - Link-Local addresses - - IPv4-mapped IPv6 addresses MUST be represented as addresses of type - 2. - - - - -Westerlund [Page 1] - -Internet Draft Kerberos over IPv6 October, 1997 - - - Communication with the KDC over IPv6 MUST be done as in section 8.2.1 - of [RFC1510]. - -Discussion - - [RFC1510] suggests using the address family constants in - from BSD. This cannot be done for IPv6 as these - numbers have diverged and are different on different BSD-derived - systems. 
[RFC2133] does not either specify a value for AF_INET6. - Thus a value has to be decided and the implementations have to - convert between the value used in Kerberos HostAddress and the local - AF_INET6. - - There are a few different address types in IPv6, see [RFC1884]. Some - of these are used for quite special purposes and it makes no sense to - include them in Kerberos packets. - - It is necessary to represent IPv4-mapped addresses as Internet - addresses (type 2) to be compatible with Kerberos implementations - that only support IPv4. - -Security considerations - - This memo does not introduce any known security considerations in - addition to those mentioned in [RFC1510]. - -References - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - [RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6 - (IPv6) Specification", RFC 1883, December 1995. - - [RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing - Architecture", RFC 1884, December 1995. - - [RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic - Socket Interface Extensions for IPv6", RFC2133, April 1997. - -Author's Address - - Assar Westerlund - Swedish Institute of Computer Science - Box 1263 - S-164 29 KISTA - Sweden - - - - -Westerlund [Page 2] - -Internet Draft Kerberos over IPv6 October, 1997 - - - Phone: +46-8-7521526 - Fax: +46-8-7517230 - EMail: assar@sics.se - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Westerlund [Page 3] - diff --git a/crypto/heimdal/doc/standardisation/draft-foo.ms b/crypto/heimdal/doc/standardisation/draft-foo.ms deleted file mode 100644 index 62b109afa52c..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-foo.ms +++ /dev/null 
@@ -1,136 +0,0 @@
-.pl 10.0i
-.po 0
-.ll 7.2i
-.lt 7.2i
-.nr LL 7.2i
-.nr LT 7.2i
-.ds LF Westerlund
-.ds RF [Page %]
-.ds CF
-.ds LH Internet Draft
-.ds RH October, 1997
-.ds CH Kerberos over IPv6
-.hy 0
-.ad l
-.in 0
-.ta \n(.luR
-Network Working Group Assar Westerlund
- SICS
-Internet-Draft October, 1997
-Expire in six months
-
-.ce
-Kerberos over IPv6
-
-.ti 0
-Status of this Memo
-
-.in 3
-This document is an Internet-Draft. Internet-Drafts are working
-documents of the Internet Engineering Task Force (IETF), its
-areas, and its working groups. Note that other groups may also
-distribute working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six
-months and may be updated, replaced, or obsoleted by other
-documents at any time. It is inappropriate to use Internet-
-Drafts as reference material or to cite them other than as
-"work in progress."
-
-To view the entire list of current Internet-Drafts, please check
-the "1id-abstracts.txt" listing contained in the Internet-Drafts
-Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
-(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
-Coast), or ftp.isi.edu (US West Coast).
-
-Distribution of this memo is unlimited. Please send comments to the
- mailing list.
-
-.ti 0
-Abstract
-
-.in 3
-This document specifies the address types and transport types
-necessary for using Kerberos [RFC1510] over IPv6 [RFC1883].
-
-.ti 0
-Specification
-
-.in 3
-IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB
-order. The type of IPv6 addresses is twenty-four (24).
-
-The following addresses (see [RFC1884]) MUST not appear in any
-Kerberos packet:
-
-the Unspecified Address
-.br
-the Loopback Address
-.br
-Link-Local addresses
-
-IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
-
-Communication with the KDC over IPv6 MUST be done as in section
-8.2.1 of [RFC1510].
-
-.ti 0
-Discussion
-
-.in 3
-[RFC1510] suggests using the address family constants in
- from BSD. This cannot be done for IPv6 as these
-numbers have diverged and are different on different BSD-derived
-systems. [RFC2133] does not either specify a value for AF_INET6.
-Thus a value has to be decided and the implementations have to convert
-between the value used in Kerberos HostAddress and the local AF_INET6.
-
-There are a few different address types in IPv6, see [RFC1884]. Some
-of these are used for quite special purposes and it makes no sense to
-include them in Kerberos packets.
-
-It is necessary to represent IPv4-mapped addresses as Internet
-addresses (type 2) to be compatible with Kerberos implementations that
-only support IPv4.
-
-.ti 0
-Security considerations
-
-.in 3
-This memo does not introduce any known security considerations in
-addition to those mentioned in [RFC1510].
-
-.ti 0
-References
-
-.in 3
-[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
-Authentication Service (V5)", RFC 1510, September 1993.
-
-[RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6
-(IPv6) Specification", RFC 1883, December 1995.
-
-[RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing
-Architecture", RFC 1884, December 1995.
-
-[RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic
-Socket Interface Extensions for IPv6", RFC2133, April 1997.
-
-.ti 0
-Author's Address
-
-Assar Westerlund
-.br
-Swedish Institute of Computer Science
-.br
-Box 1263
-.br
-S-164 29 KISTA
-.br
-Sweden
-
-Phone: +46-8-7521526
-.br
-Fax: +46-8-7517230
-.br
-EMail: assar@sics.se
diff --git a/crypto/heimdal/doc/standardisation/draft-foo2 b/crypto/heimdal/doc/standardisation/draft-foo2
deleted file mode 100644
index 0fa695f640f8..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-foo2
+++ /dev/null
@@ -1,171 +0,0 @@ - - - - - - -Network Working Group Assar Westerlund - SICS -Internet-Draft Johan Danielsson -November, 1997 PDC, KTH -Expire in six months - - Kerberos over TCP - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - To view the entire list of current Internet-Drafts, please check the - "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow - Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), - munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or - ftp.isi.edu (US West Coast). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - This document specifies how the communication should be done between - a client and a KDC using Kerberos [RFC1510] with TCP as the transport - protocol. - -Specification - - This draft specifies an extension to section 8.2.1 of RFC1510. - - A Kerberos server MAY accept requests on TCP port 88 (decimal). - - The data sent from the client to the KDC should consist of 4 bytes - containing the length, in network byte order, of the Kerberos - request, followed by the request (AS-REQ or TGS-REQ) itself. The - reply from the KDC should consist of the length of the reply packet - (4 bytes, network byte order) followed by the packet itself (AS-REP, - TGS-REP, or KRB-ERROR). 
- - - - -Westerlund, Danielsson [Page 1] - -Internet Draft Kerberos over TCP November, 1997 - - - C->S: Open connection to TCP port 88 at the server - C->S: length of request - C->S: AS-REQ or TGS-REQ - S->C: length of reply - S->C: AS-REP, TGS-REP, or KRB-ERROR - -Discussion - - Even though the preferred way of sending kerberos packets is over UDP - there are several occasions when it's more practical to use TCP. - - Mainly, it's usually much less cumbersome to get TCP through - firewalls than UDP. - - In theory, there's no reason for having explicit length fields, that - information is already encoded in the ASN1 encoding of the Kerberos - packets. But having explicit lengths makes it unnecessary to have to - decode the ASN.1 encoding just to know how much data has to be read. - - Another way of signaling the end of the request of the reply would be - to do a half-close after the request and a full-close after the - reply. This does not work well with all kinds of firewalls. - -Security considerations - - This memo does not introduce any known security considerations in - addition to those mentioned in [RFC1510]. - -References - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - -Authors' Addresses - - Assar Westerlund - Swedish Institute of Computer Science - Box 1263 - S-164 29 KISTA - Sweden - - Phone: +46-8-7521526 - Fax: +46-8-7517230 - EMail: assar@sics.se - - Johan Danielsson - PDC, KTH - S-100 44 STOCKHOLM - - - -Westerlund, Danielsson [Page 2] - -Internet Draft Kerberos over TCP November, 1997 - - - Sweden - - Phone: +46-8-7907885 - Fax: +46-8-247784 - EMail: joda@pdc.kth.se - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Westerlund, Danielsson [Page 3] - diff --git a/crypto/heimdal/doc/standardisation/draft-foo2.ms b/crypto/heimdal/doc/standardisation/draft-foo2.ms deleted file mode 100644 index 7e0fa0a6281b..000000000000 
--- a/crypto/heimdal/doc/standardisation/draft-foo2.ms
+++ /dev/null
@@ -1,145 +0,0 @@
-.pl 10.0i
-.po 0
-.ll 7.2i
-.lt 7.2i
-.nr LL 7.2i
-.nr LT 7.2i
-.ds LF Westerlund, Danielsson
-.ds RF [Page %]
-.ds CF
-.ds LH Internet Draft
-.ds RH November, 1997
-.ds CH Kerberos over TCP
-.hy 0
-.ad l
-.in 0
-.ta \n(.luR
-.nf
-Network Working Group Assar Westerlund
- SICS
-Internet-Draft Johan Danielsson
-November, 1997 PDC, KTH
-Expire in six months
-.fi
-
-.ce
-Kerberos over TCP
-
-.ti 0
-Status of this Memo
-
-.in 3
-This document is an Internet-Draft. Internet-Drafts are working
-documents of the Internet Engineering Task Force (IETF), its
-areas, and its working groups. Note that other groups may also
-distribute working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six
-months and may be updated, replaced, or obsoleted by other
-documents at any time. It is inappropriate to use Internet-
-Drafts as reference material or to cite them other than as
-"work in progress."
-
-To view the entire list of current Internet-Drafts, please check
-the "1id-abstracts.txt" listing contained in the Internet-Drafts
-Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
-(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
-Coast), or ftp.isi.edu (US West Coast).
-
-Distribution of this memo is unlimited. Please send comments to the
- mailing list.
-
-.ti 0
-Abstract
-
-.in 3
-This document specifies how the communication should be done between a
-client and a KDC using Kerberos [RFC1510] with TCP as the transport
-protocol.
-
-.ti 0
-Specification
-
-This draft specifies an extension to section 8.2.1 of RFC1510.
-
-A Kerberos server MAY accept requests on TCP port 88 (decimal).
-
-The data sent from the client to the KDC should consist of 4 bytes
-containing the length, in network byte order, of the Kerberos request,
-followed by the request (AS-REQ or TGS-REQ) itself. The reply from
-the KDC should consist of the length of the reply packet (4 bytes,
-network byte order) followed by the packet itself (AS-REP, TGS-REP, or
-KRB-ERROR).
-
-.nf
-C->S: Open connection to TCP port 88 at the server
-C->S: length of request
-C->S: AS-REQ or TGS-REQ
-S->C: length of reply
-S->C: AS-REP, TGS-REP, or KRB-ERROR
-.fi
-
-.ti 0
-Discussion
-
-Even though the preferred way of sending kerberos packets is over UDP
-there are several occasions when it's more practical to use TCP.
-
-Mainly, it's usually much less cumbersome to get TCP through firewalls
-than UDP.
-
-In theory, there's no reason for having explicit length fields, that
-information is already encoded in the ASN1 encoding of the Kerberos
-packets. But having explicit lengths makes it unnecessary to have to
-decode the ASN.1 encoding just to know how much data has to be read.
-
-Another way of signaling the end of the request of the reply would be
-to do a half-close after the request and a full-close after the reply.
-This does not work well with all kinds of firewalls.
-
-.ti 0
-Security considerations
-
-.in 3
-This memo does not introduce any known security considerations in
-addition to those mentioned in [RFC1510].
-
-.ti 0
-References
-
-.in 3
-[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
-Authentication Service (V5)", RFC 1510, September 1993.
-
-.ti 0
-Authors' Addresses
-
-Assar Westerlund
-.br
-Swedish Institute of Computer Science
-.br
-Box 1263
-.br
-S-164 29 KISTA
-.br
-Sweden
-
-Phone: +46-8-7521526
-.br
-Fax: +46-8-7517230
-.br
-EMail: assar@sics.se
-
-Johan Danielsson
-.br
-PDC, KTH
-.br
-S-100 44 STOCKHOLM
-.br
-Sweden
-
-Phone: +46-8-7907885
-.br
-Fax: +46-8-247784
-.br
-EMail: joda@pdc.kth.se
diff --git a/crypto/heimdal/doc/standardisation/draft-foo3 b/crypto/heimdal/doc/standardisation/draft-foo3
deleted file mode 100644
index 2b8b7bb5775c..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-foo3
+++ /dev/null
@@ -1,227 +0,0 @@ - - - - - - -Network Working Group Assar Westerlund - SICS -Internet-Draft Johan Danielsson -November, 1997 PDC, KTH -Expire in six months - - Kerberos vs firewalls - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - To view the entire list of current Internet-Drafts, please check the - "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow - Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), - munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or - ftp.isi.edu (US West Coast). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - -Introduction - - Kerberos[RFC1510] is a protocol for authenticating parties - communicating over insecure networks. - - Firewalling is a technique for achieving an illusion of security by - putting restrictions on what kinds of packets and how these are sent - between the internal (so called "secure") network and the global (or - "insecure") Internet. - -Definitions - - client: the user, process, and host acquiring tickets from the KDC - and authenticating itself to the kerberised server. - - KDC: the Kerberos Key Distribution Center - - - - -Westerlund, Danielsson [Page 1] - -Internet Draft Kerberos vs firewalls November, 1997 - - - Kerberised server: the server using Kerberos to authenticate the - client, for example telnetd. 
- -Firewalls - - A firewall is usually placed between the "inside" and the "outside" - networks, and is supposed to protect the inside from the evils on the - outside. There are different kinds of firewalls. The main - differences are in the way they forward packets. - - o+ The most straight forward type is the one that just imposes - restrictions on incoming packets. Such a firewall could be - described as a router that filters packets that match some - criteria. - - o+ They may also "hide" some or all addresses on the inside of the - firewall, replacing the addresses in the outgoing packets with the - address of the firewall (aka network address translation, or NAT). - NAT can also be used without any packet filtering, for instance - when you have more than one host sharing a single address (for - example, with a dialed-in PPP connection). - - There are also firewalls that does NAT both on the inside and the - outside (a server on the inside will see this as a connection from - the firewall). - - o+ A third type is the proxy type firewall, that parses the contents - of the packets, basically acting as a server to the client, and as - a client to the server (man-in-the-middle). If Kerberos is to be - used with this kind of firewall, a protocol module that handles - KDC requests has to be written. - - This type of firewall might also cause extra trouble when used with - kerberised versions of protocols that the proxy understands, in - addition to the ones mentioned below. This is the case with the FTP - Security Extensions [RFC2228], that adds a new set of commands to the - FTP protocol [RFC959], for integrity, confidentiality, and privacy - protecting commands. When transferring data, the FTP protocol uses a - separate data channel, and an FTP proxy will have to look out for - commands that start a data transfer. If all commands are encrypted, - this is impossible. 
A protocol that doesn't suffer from this is the - Telnet Authentication Option [RFC1416] that does all authentication - and encryption in-bound. - -Scenarios - - Here the different scenarios we have considered are described, the - problems they introduce and the proposed ways of solving them. - - - -Westerlund, Danielsson [Page 2] - -Internet Draft Kerberos vs firewalls November, 1997 - - - Combinations of these can also occur. - - Client behind firewall - - This is the most typical and common scenario. First of all the - client needs some way of communicating with the KDC. This can be - done with whatever means and is usually much simpler when the KDC is - able to communicate over TCP. - - Apart from that, the client needs to be sure that the ticket it will - acquire from the KDC can be used to authenticate to a server outside - its firewall. For this, it needs to add the address(es) of potential - firewalls between itself and the KDC/server, to the list of its own - addresses when requesting the ticket. We are not aware of any - protocol for determining this set of addresses, thus this will have - to be manually configured in the client. - - The client could also request a ticket with no addresses, but some - KDCs and servers might not accept such a ticket. - - With the ticket in possession, communication with the kerberised - server will not need to be any different from communicating between a - non-kerberised client and server. - - Kerberised server behind firewall - - The kerberised server does not talk to the KDC at all so nothing - beyond normal firewall-traversal techniques for reaching the server - itself needs to be applied. - - The kerberised server needs to be able to retrieve the original - address (before its firewall) that the request was sent for. If this - is done via some out-of-band mechanism or it's directly able to see - it doesn't matter. - - KDC behind firewall - - The same restrictions applies for a KDC as for any other server. 
- -Specification - -Security considerations - - This memo does not introduce any known security considerations in - addition to those mentioned in [RFC1510]. - -References - - - - -Westerlund, Danielsson [Page 3] - -Internet Draft Kerberos vs firewalls November, 1997 - - - [RFC959] Postel, J. and Reynolds, J., "File Transfer Protocol (FTP)", - RFC 969, October 1985 - - [RFC1416] Borman, D., "Telnet Authentication Option", RFC 1416, - February 1993. - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - [RFC2228] Horowitz, M. and Lunt, S., "FTP Security Extensions", - RFC2228, October 1997. - -Authors' Addresses - - Assar Westerlund - Swedish Institute of Computer Science - Box 1263 - S-164 29 KISTA - Sweden - - Phone: +46-8-7521526 - Fax: +46-8-7517230 - EMail: assar@sics.se - - Johan Danielsson - PDC, KTH - S-100 44 STOCKHOLM - Sweden - - Phone: +46-8-7907885 - Fax: +46-8-247784 - EMail: joda@pdc.kth.se - - - - - - - - - - - - - - - - - - - -Westerlund, Danielsson [Page 4] - diff --git a/crypto/heimdal/doc/standardisation/draft-foo3.ms b/crypto/heimdal/doc/standardisation/draft-foo3.ms deleted file mode 100644 index c024ca355cd4..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-foo3.ms +++ /dev/null 
@@ -1,260 +0,0 @@ -.\" even if this file is called .ms, it's using the me macros. -.\" to format try something like `nroff -me' -.\" level 2 heading -.de HH -.$p "\\$2" "" "\\$1" -.$0 "\\$2" -.. -.\" make sure footnotes produce the right thing with nroff -.ie t \ -\{\ -.ds { \v'-0.4m'\x'\\n(0x=0*-0.2m'\s-3 -.ds } \s0\v'0.4m' -.\} -.el \ -\{\ -.ds { [ -.ds } ] -.\} -.ds * \\*{\\n($f\\*}\k* -.\" page footer -.fo 'Westerlund, Danielsson''[Page %]' -.\" date -.ds RH \*(mo, 19\n(yr -.\" left margin -.nr lm 6 -.\" heading indent per level -.nr si 3n -.\" footnote indent -.nr fi 0 -.\" paragraph indent -.nr po 0 -.\" don't hyphenate -.hy 0 -.\" left adjustment -.ad l -.\" indent 0 -.in 0 -.\" line length 16cm and page length 25cm (~10 inches) -.ll 16c -.pl 25c -.ta \n(.luR -.nf -Network Working Group Assar Westerlund - SICS -Internet-Draft Johan Danielsson -\*(RH PDC, KTH -Expire in six months -.fi - -.\" page header, has to be set here so it won't appear on page 1 -.he 'Internet Draft'Kerberos vs firewalls'\*(RH' -.ce -.b "Kerberos vs firewalls" - -.HH 1 "Status of this Memo" -.lp -This document is an Internet-Draft. Internet-Drafts are working -documents of the Internet Engineering Task Force (IETF), its areas, -and its working groups. Note that other groups may also distribute -working documents as Internet-Drafts. -.lp -Internet-Drafts are draft documents valid for a maximum of six months -and may be updated, replaced, or obsoleted by other documents at any -time. It is inappropriate to use Internet- Drafts as reference -material or to cite them other than as \*(lqwork in progress.\*(rq -.lp -To view the entire list of current Internet-Drafts, please check the -\*(lq1id-abstracts.txt\*(rq listing contained in the Internet-Drafts -Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), -munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or -ftp.isi.edu (US West Coast). -.lp -Distribution of this memo is unlimited. 
Please send comments to the - mailing list. -.HH 1 "Abstract" -.lp -Kerberos and firewalls both deal with security, but doesn't get along -very well. This memo discusses ways to use Kerberos in a firewalled -environment. -.HH 1 "Introduction" -.lp -Kerberos[RFC1510] -.(d -[RFC1510] -Kohl, J. and Neuman, C., \*(lqThe Kerberos Network Authentication -Service (V5)\*(rq, RFC 1510, September 1993. -.)d -is a protocol for authenticating parties communicating over insecure -networks. Firewalling is a technique for achieving an illusion of -security by putting restrictions on what kinds of packets and how -these are sent between the internal (so called \*(lqsecure\*(rq) -network and the global (or \*(lqinsecure\*(rq) Internet. The problems -with firewalls are many, but to name a few: -.np -Firewalls usually doesn't allow people to use UDP. The reason for this -is that UDP is (by firewall advocates) considered insecure. This -belief is probably based on the fact that many \*(lqinsecure\*(rq -protocols (like NFS) use UDP. UDP packets are also considered easy to -fake. -.np -Firewalls usually doesn't allow people to connect to arbitrary ports, -such as the ports used when talking to the KDC. -.np -In many non-computer organisations, the computer staff isn't what -you'd call \*(lqwizards\*(rq; a typical case is an academic -institution, where someone is taking care of the computers part time, -and is doing research the rest of the time. Adding a complex device -like a firewall to an environment like this, often leads to poorly run -systems that is more a hindrance for the legitimate users than to -possible crackers. -.lp -The easiest way to deal with firewalls is to ignore them, however in -some cases this just isn't possible. You might have users that are -stuck behind a firewall, but also has to access your system, or you -might find yourself behind a firewall, for instance when out -travelling. 
-.lp -To make it possible for people to use Kerberos from behind a firewall, -there are several things to consider. -.(q -.i -Add things to do when stuck behind a firewall, like talking about the -problem with local staff, making them open some port in the firewall, -using some other port, or proxy. -.r -.)q -.HH 1 "Firewalls" -.lp -A firewall is usually placed between the \*(lqinside\*(rq and the -\*(lqoutside\*(rq networks, and is supposed to protect the inside from the -evils on the outside. There are different kinds of firewalls. The -main differences are in the way they forward (or doesn't) packets. -.ip \(bu -The most straight forward type is the one that just imposes -restrictions on incoming packets. Such a firewall could be described -as a router that filters packets that match some criteria. -.ip \(bu -They may also \*(lqhide\*(rq some or all addresses on the inside of the -firewall, replacing the addresses in the outgoing packets with the -address of the firewall (aka network address translation, or NAT). NAT -can also be used without any packet filtering, for instance when you -have more than one host sharing a single address (e.g with a dialed-in -PPP connection). -.ip -There are also firewalls that does NAT both on the inside and the -outside (a server on the inside will see this as a connection from the -firewall). -.ip \(bu -A third type is the proxy type firewall, that parses the contents of -the packets, basically acting as a server to the client, and as a -client to the server (man-in-the-middle). If Kerberos is to be used -with this kind of firewall, a protocol module that handles KDC -requests has to be written\**. -.(f -\**Instead of writing a new module for Kerberos, it can be possible to -hitch a ride on some other protocol, that's already beeing handled by -the proxy. 
-.)f -.lp -The last type of firewall might also cause extra trouble when used -with kerberised versions of protocols that the proxy understands, in -addition to the ones mentioned below. This is the case with the FTP -Security Extensions [RFC2228], -.(d -[RFC2228] -Horowitz, M. and Lunt, S., \*(lqFTP Security Extensions\*(rq, RFC2228, -October 1997. -.)d -that adds a new set of commands to the FTP protocol [RFC959], -.(d -[RFC959] Postel, J. and Reynolds, J., \*(lqFile Transfer Protocol -(FTP)\*(rq, RFC 969, October 1985 -.)d -for integrity, confidentiality, and privacy protecting commands, and -data. When transferring data, the FTP protocol uses a separate data -channel, and an FTP proxy will have to look out for commands that -start a data transfer. If all commands are encrypted, this is -impossible. A protocol that doesn't suffer from this is the Telnet -Authentication Option [RFC1416] -.(d -[RFC1416] -Borman, D., \*(lqTelnet Authentication Option\*(rq, RFC 1416, February -1993. -.)d -that does all -authentication and encryption in-bound. -.HH 1 "Scenarios" -.lp -Here the different scenarios we have considered are described, the -problems they introduce and the proposed ways of solving them. -Combinations of these can also occur. -.HH 2 "Client behind firewall" -.lp -This is the most typical and common scenario. First of all the client -needs some way of communicating with the KDC. This can be done with -whatever means and is usually much simpler when the KDC is able to -communicate over TCP. -.lp -Apart from that, the client needs to be sure that the ticket it will -acquire from the KDC can be used to authenticate to a server outside -its firewall. For this, it needs to add the address(es) of potential -firewalls between itself and the KDC/server, to the list of its own -addresses when requesting the ticket. We are not aware of any -protocol for determining this set of addresses, thus this will have to -be manually configured in the client. 
-.lp -The client could also request a ticket with no addresses. This is not -a recommended way to solve this problem. The address was put into the -ticket to make it harder to use a stolen ticket. A ticket without -addresses will therefore be less \*(lqsecure.\*(rq RFC1510 also says that -the KDC may refuse to issue, and the server may refuse to accept an -address-less ticket. -.lp -With the ticket in possession, communication with the kerberised -server will not need to be any different from communicating between a -non-kerberised client and server. -.HH 2 "Kerberised server behind firewall" -.lp -The kerberised server does not talk to the KDC at all, so nothing -beyond normal firewall-traversal techniques for reaching the server -itself needs to be applied. -.lp -If the firewall rewrites the clients address, the server will have to -use some other (possibly firewall specific) protocol to retrieve the -original address. If this is not possible, the address field will have -to be ignored. This has the same effect as if there were no addresses -in the ticket (see the discussion above). -.HH 2 "KDC behind firewall" -.lp -The KDC is in this respect basically just like any other server. -.\" .uh "Specification" -.HH 1 "Security considerations" -.lp -Since the whole network behind a NAT-type firewall looks like one -computer from the outside, any security added by the addresses in the -ticket will be lost. -.HH 1 "References" -.lp -.pd -.HH 1 "Authors' Addresses" -.lp -.nf -Assar Westerlund -Swedish Institute of Computer Science -Box 1263 -S-164 29 KISTA -.sp -Phone: +46-8-7521526 -Fax: +46-8-7517230 -EMail: assar@sics.se -.sp 2 -Johan Danielsson -Center for Parallel Computers -KTH -S-100 44 STOCKHOLM -.sp -Phone: +46-8-7906356 -Fax: +46-8-247784 -EMail: joda@pdc.kth.se -.fi \ No newline at end of file 
diff --git a/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt b/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
deleted file mode 100644
index 89e64524c475..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
+++ /dev/null
@@ -1,1594 +0,0 @@ - -DHC Working Group Ken Hornstein -INTERNET-DRAFT NRL -Category: Standards Track Ted Lemon - Internet Engines, Inc. -20 February 2000 Bernard Aboba -Expires: September 1, 2000 Microsoft - Jonathan Trostle - Cisco Systems - - DHCP Authentication Via Kerberos V - -This document is an Internet-Draft and is in full conformance with all -provisions of Section 10 of RFC2026. - -Internet-Drafts are working documents of the Internet Engineering Task -Force (IETF), its areas, and its working groups. Note that other groups -may also distribute working documents as Internet- Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months -and may be updated, replaced, or obsoleted by other documents at any -time. It is inappropriate to use Internet-Drafts as reference material -or to cite them other than as "work in progress." - -The list of current Internet-Drafts can be accessed at -http://www.ietf.org/ietf/1id-abstracts.txt - -The list of Internet-Draft Shadow Directories can be accessed at -http://www.ietf.org/shadow.html. - -The distribution of this memo is unlimited. - -1. Copyright Notice - -Copyright (C) The Internet Society (2000). All Rights Reserved. - -2. Abstract - -The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for -host configuration. In some circumstances, it is useful for the DHCP -client and server to be able to mutually authenticate as well as to -guarantee the integrity of DHCP packets in transit. This document -describes how Kerberos V may be used in order to allow a DHCP client and -server to mutually authenticate as well as to protect the integrity of -the DHCP exchange. The protocol described in this document is capable of -handling both intra-realm and inter-realm authentication. - - - - - - -Hornstein, et al. Standards Track [Page 1] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -3. 
Introduction - -The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for -host configuration. In some circumstances, it is useful for the DHCP -client and server to be able to mutually authenticate as well as to -guarantee the integrity of DHCP packets in transit. This document -describes how Kerberos V may be used in order to allow a DHCP client and -server to mutually authenticate as well as to protect the integrity of -the DHCP exchange. The protocol described in this document is capable -of handling both intra-realm and inter-realm authentication. - -3.1. Terminology - -This document uses the following terms: - -DHCP client - A DHCP client or "client" is an Internet host using DHCP to - obtain configuration parameters such as a network address. - -DHCP server - A DHCP server or "server" is an Internet host that returns - configuration parameters to DHCP clients. - -Home KDC The KDC corresponding to the DHCP client's realm. - -Local KDC The KDC corresponding to the DHCP server's realm. - -3.2. Requirements language - -In this document, the key words "MAY", "MUST, "MUST NOT", "optional", -"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as -described in [1]. - -4. Protocol overview - -In DHCP authentication via Kerberos V, DHCP clients and servers utilize -a Kerberos session key in order to compute a message integrity check -value included within the DHCP authentication option. The message -integrity check serves to authenticate as well as integrity protect the -messages, while remaining compatible with the operation of a DHCP relay. -Replay protection is also provided by a replay counter within the -authentication option, as described in [3]. - -Each server maintains a list of session keys and identifiers for -clients, so that the server can retrieve the session key and identifier -used by a client to which the server has provided previous configuration -information. 
Each server MUST save the replay counter from the previous -authenticated message. To avoid replay attacks, the server MUST discard - - - -Hornstein, et al. Standards Track [Page 2] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -any incoming message whose replay counter is not strictly greater than -the replay counter from the previous message. - -DHCP authentication, described in [3], must work within the existing -DHCP state machine described in [4]. For a client in INIT state, this -means that the client must obtain a valid TGT, as well as a session key, -within the two round-trips provided by the -DHCPDISCOVER/OFFER/REQUEST/ACK sequence. - -In INIT state, the DHCP client submits an incomplete AS_REQ to the DHCP -server within the DHCPDISCOVER message. The DHCP server then completes -the AS_REQ using the IP address to be assigned to the client, and -submits this to the client's home KDC in order to obtain a TGT on the -client's behalf. Once the home KDC responds with an AS_REP, the DHCP -server extracts the client TGT and submits this along with its own TGT -to the home KDC, in order to obtain a user-to-user ticket to the DHCP -client. The AS_REP as well as the AP_REQ are included by the DHCP server -in the DHCPOFFER. The DHCP client can then decrypt the AS_REP to obtain -a home realm TGT and TGT session key, using the latter to decrypt the -user-to-user ticket to obtain the user-to-user session key. It is the -user-to-user session key that is used to authenticate and integrity -protect the client's DHCPREQUEST, and DHCPDECLINE messages. Similarly, -this same session key is used to compute the integrity attribute in the -server's DHCPOFFER, DHCPACK and DHCPNAK messages, as described in [3]. - -In the INIT-REBOOT, REBINDING, or RENEWING states, the server can submit -the home realm TGT in the DHCPREQUEST, along with authenticating and -integrity protecting the message using an integrity attribute within the -authentication option. 
The integrity attribute is computed using the -existing session key. The DHCP server can then return a renewed user- -to-user ticket within the DHCPACK message. The authenticated DHCPREQUEST -message from a client in INIT-REBOOT state can only be validated by -servers that used the same session key to compute the integrity -attribute in their DHCPOFFER messages. - -Other servers will discard the DHCPREQUEST messages. Thus, only servers -that used the user-to-user session key selected by the client will be -able to determine that their offered configuration information was not -selected, returning the offered network address to the server's pool of -available addresses. The servers that cannot validate the DHCPREQUEST -message will eventually return their offered network addresses to their -pool of available addresses as described in section 3.1 of the DHCP -specification [4]. - -When sending a DHCPINFORM, there are two possible procedures. If the -client knows the DHCP server it will be interacting with, then it can -obtain a ticket to the DHCP server from the local realm KDC. This will -require obtaining a TGT to its home realm, as well as possibly a cross- - - - -Hornstein, et al. Standards Track [Page 3] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -realm TGT to the local realm if the local and home realms differ. Once -the DHCP client has a local realm TGT, it can then request a DHCP server -ticket in a TGS_REQ. The DHCP client can then include AP_REQ and -integrity attributes within the DHCPINFORM. The integrity attribute is -computed as described in [3], using the session key obtained from the -TGS_REP. The DHCP server replies with a DHCPACK/DHCPNAK, authenticated -using the same session key. - -If the DHCP client does not know the DHCP server it is interacting with -then it will not be able to obtain a ticket to it and a different -procedure is needed. 
In this case, the client will include in the -DHCPINFORM an authentication option with a ticket attribute containing -its home realm TGT. The DHCP server will then use this TGT in order to -request a user-to-user ticket from the home KDC in a TGS_REQ. The DHCP -server will return the user-to-user ticket and will authenticate and -integrity protect the DHCPACK/DHCPNAK message. This is accomplished by -including AP_REQ and integrity attributes within the authentication -option included with the DHCPACK/DHCPNAK messages. - -In order to support the DHCP client's ability to authenticate the DHCP -server in the case where the server name is unknown, the Kerberos -principal name for the DHCP server must be of type KRB_NT_SRV_HST with -the service name component equal to 'dhcp'. For example, the DHCP server -principal name for the host srv.foo.org would be of the form -dhcp/srv.foo.org. The client MUST validate that the DHCP server -principal name has the above format. This convention requires that the -administrator ensure that non-DHCP server principals do not have names -that match the above format. - -4.1. Authentication Option Format - -A summary of the authentication option format for DHCP authentication -via Kerberos V is shown below. The fields are transmitted from left to -right. - -0 1 2 3 -0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Code | Length | Protocol | Algorithm | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Global Replay Counter | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Global Replay Counter | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Attributes... -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -Code - - - -Hornstein, et al. 
Standards Track [Page 4] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - TBD - DHCP Authentication - -Length - - The length field is a single octet and indicates the length of the - Protocol, Algorith, and Authentication Information fields. Octets - outside the range of the length field should be ignored on reception. - -Protocol - - TBD - DHCP Kerberos V authentication - -Algorithm - - The algorithm field is a single octet and defines the specific - algorithm to be used for computation of the authentication option. - Values for the field are as follows: - - 0 - reserved - 1 - HMAC-MD5 - 2 - HMAC-SHA - 3 - 255 reserved - -Global Replay Counter - - As described in [3], the global replay counter field is 8 octets in - length. It MUST be set to the value of a monotonically increasing - counter. Using a counter value such as the current time of day (e.g., - an NTP-format timestamp [10]) can reduce the danger of replay - attacks. - -Attributes - - The attributes field consists of type-length-value attributes of the - following format: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type | Reserved | Payload Length | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Attribute value... - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -Type - The type field is a single octet and is defined as follows: - - 0 - Integrity check - - - -Hornstein, et al. 
Standards Track [Page 5] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - 1 - TICKET - 2 - Authenticator - 3 - EncTicketPart - 10 - AS_REQ - 11 - AS_REP - 12 - TGS_REQ - 13 - TGS_REP - 14 - AP_REQ - 15 - AP_REP - 20 - KRB_SAFE - 21 - KRB_PRIV - 22 - KRB_CRED - 25 - EncASRepPart - 26 - EncTGSRepPart - 27 - EncAPRepPart - 28 - EncKrbPrvPart - 29 - EncKrbCredPart - 30 - KRB_ERROR - - Note that the values of the Type field are the same as in the - Kerberos MSG-TYPE field. As a result, no new number spaces are - created for IANA administration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Hornstein, et al. Standards Track [Page 6] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - The following attribute types are allowed within the following - messages: - - DISCOVER OFFER REQUEST DECLINE # Attribute - -------------------------------------------------------- - 0 1 1 1 0 Integrity check - 0 0 0-1 0 1 Ticket - 1 0 0 0 10 AS_REQ - 0 1 0 0 11 AS_REP - 0 1 0 0 14 AP_REQ - 0 0-1 0 0 30 KRB_ERROR - - RELEASE ACK NAK INFORM INFORM # Attribute - w/known w/unknown - server server - --------------------------------------------------------------- - 1 1 1 1 0 0 Integrity check - 0 0 0 0 1 1 Ticket - 0 0 0 0 0 10 AS_REQ - 0 0 0 0 0 11 AS_REP - 0 0-1 0 1 0 14 AP_REQ - 0 0 0-1 0 0 30 KRB_ERROR - -4.2. Client behavior - -The following section, which incorporates material from [3], describes -client behavior in detail. - -4.2.1. INIT state - -When in INIT state, the client behaves as follows: - - -[1] As described in [3], the client MUST include the authentication - request option in its DHCPDISCOVER message along with option 61 - [11] to identify itself uniquely to the server. An AS_REQ attribute - MUST be included within the authentication request option. 
This - (incomplete) AS_REQ will set the FORWARDABLE and RENEWABLE flags - and MAY include pre-authentication data (PADATA) if the client - knows what PADATA its home KDC will require. The ADDRESSES field in - the AS_REQ will be ommitted since the client does not yet know its - IP address. The ETYPE field will be set to an encryption type that - the client can accept. - -[2] The client MUST validate DHCPOFFER messages that include an - authentication option. Messages including an authentication option - with a KRB_ERROR attribute and no integrity attribute are treated - as though they are unauthenticated. More typically, authentication - - - -Hornstein, et al. Standards Track [Page 7] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - options within the DHCPOFFER message will include AS_REP, AP_REQ, - and integrity attributes. To validate the authentication option, - the client decrypts the enc-part of the AS_REP in order to obtain - the TGT session key. This is used to decrypt the enc-part of the - AP_REQ in order to obtain the user-to-user session key. The user- - to-user session key is then used to compute the message integrity - check as described in [3], and the computed value is compared to - the value within the integrity attribute. The client MUST discard - any messages which fail to pass validation and MAY log the - validation failure. - - As described in [3], the client selects one DHCPOFFER message as - its selected configuration. If none of the DHCPOFFER messages - received by the client include an authentication option, the client - MAY choose an unauthenticated message as its selected - configuration. DHCPOFFER messages including an authentication - option with a KRB_ERROR attribute and no integrity attribute are - treated as though they are unauthenticated. The client SHOULD be - configurable to accept or reject unauthenticated DHCPOFFER - messages. 
- -[3] The client replies with a DHCPREQUEST message that MUST include an - authentication option. The authentication option MUST include an - integrity attribute, computed as described in [3], using the user - to user session key recovered in step 2. - -[4] As noted in [3], the client MUST validate a DHCPACK message from - the server that includes an authentication option. DHCPACK or - DHCPNAK messages including an authentication option with a - KRB_ERROR attribute and no integrity attribute are treated as - though they are unauthenticated. The client MUST silently discard - the DHCPACK if the message fails to pass validation and MAY log the - validation failure. If the DHCPACK fails to pass validation, the - client MUST revert to the INIT state and return to step 1. The - client MAY choose to remember which server replied with an invalid - DHCPACK message and discard subsequent messages from that server. - -4.2.2. INIT-REBOOT state - -When in INIT-REBOOT state, if the user-to-user ticket is still valid, -the client MUST re-use the session key from the DHCP server user-to-user -ticket in its DHCPREQUEST message. This is used to generate the -integrity attribute contained within the authentication option, as -described in [3]. In the DHCPREQUEST, the DHCP client also includes its -home realm TGT in a ticket attribute in the authentication option in -order to assist the DHCP server in renewing the user-to-user ticket. To -ensure that the user-to-user ticket remains valid throughout the DHCP -lease period so that the renewal process can proceed, the Kerberos - - - -Hornstein, et al. Standards Track [Page 8] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -ticket lifetime SHOULD be set to exceed the DHCP lease time. If the -user-to-user ticket is expired, then the client MUST return to the INIT -state. - -The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages -if no authenticated messages were received. 
DHCPACK/DHCPNAK messages -with an authentication option containing a KRB_ERROR attribute and no -integrity attribute are treated as though they are unauthenticated. The -client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK -messages as specified in section 3.2 of the DHCP specification [4]. - -4.2.3. RENEWING state - -When in RENEWING state, the DHCP client can be assumed to have a valid -IP address, as well as a TGT to the home realm, a user-to-user ticket -provided by the DHCP server, and a session key with the DHCP server, all -obtained during the original DHCP conversation. If the user-to-user -ticket is still valid, the client MUST re-use the session key from the -user-to-user ticket in its DHCPREQUEST message to generate the integrity -attribute contained within the authentication option. - -Since the DHCP client can renew the TGT to the home realm, it is -possible for it to continue to hold a valid home realm TGT. However, -since the DHCP client did not obtain the user-to-user ticket on its own, -it will need to rely on the DHCP server to renew this ticket. In the -DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket -attribute in the authentication option in order to assist the DHCP -server in renewing the user-to-user ticket. - -If the DHCP server user-to-user ticket is expired, then the client MUST -return to INIT state. To ensure that the user-to-user ticket remains -valid throughout the DHCP lease period so that the renewal process can -proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP -lease time. If client receives no DHCPACK messages or none of the -DHCPACK messages pass validation, the client behaves as if it had not -received a DHCPACK message in section 4.4.5 of the DHCP specification -[4]. - -4.2.4. 
REBINDING state
-
-When in REBINDING state, the DHCP client can be assumed to have a valid
-IP address, as well as a TGT to the home realm, a user-to-user ticket
-and a session key with the DHCP server, all obtained during the original
-DHCP conversation. If the user-to-user ticket is still valid, the
-client MUST re-use the session key from the user-to-user ticket in its
-DHCPREQUEST message to generate the integrity attribute contained within
-the authentication option, as described in [3].
-
-
-
-
-Hornstein, et al. Standards Track [Page 9]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-Since the DHCP client can renew the TGT to the home realm, it is
-possible for it to continue to hold a valid home realm TGT. However,
-since the DHCP client did not obtain the user-to-user ticket on its own,
-it will need to rely on the DHCP server to renew this ticket. In the
-DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket
-attribute in the authentication option in order to assist the DHCP
-server in renewing the user-to-user ticket.
-
-If the user-to-user ticket is expired, then the client MUST return to
-INIT state. To ensure that the user-to-user ticket remains valid
-throughout the DHCP lease period so that the renewal process can
-proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP
-lease time. If client receives no DHCPACK messages or none of the
-DHCPACK messages pass validation, the client behaves as if it had not
-received a DHCPACK message in section 4.4.5 of the DHCP specification
-[4].
-
-4.2.5. DHCPRELEASE message
-
-Clients sending a DHCPRELEASE MUST include an authentication option. The
-authentication option MUST include an integrity attribute, computed as
-described in [3], using the user to user session key.
-
-4.2.6. DHCPDECLINE message
-
-Clients sending a DHCPDECLINE MUST include an authentication option. The
-authentication option MUST include an integrity attribute, computed as
-described in [3], using the user to user session key.
-
-4.2.7. DHCPINFORM message
-
-Since the client already has some configuration information, it can be
-assumed that it has the ability to obtain a home or local realm TGT
-prior to sending the DHCPINFORM.
-
-If the DHCP client knows which DHCP server it will be interacting with,
-then it SHOULD include an authentication option containing AP_REQ and
-integrity attributes within the DHCPINFORM. The DHCP client first
-requests a TGT to the local realm via an AS_REQ and then using the TGT
-returned in the AS_REP to request a ticket to the DHCP server from the
-local KDC in a TGS_REQ. The session key obtained from the TGS_REP will
-be used to generate the integrity attribute as described in [3].
-
-If the DHCP client does not know what DHCP server it will be talking to,
-then it cannot obtain a ticket to the DHCP server. In this case, the
-DHCP client MAY send an unauthenticated DHCPINFORM or it MAY include an
-authentication option including a ticket attribute only. The ticket
-attribute includes a TGT for the home realm. The client MUST validate
-
-
-
-Hornstein, et al. Standards Track [Page 10]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-that the DHCP server name in the received Kerberos AP_REQ message is of
-the form dhcp/.... as described in section 4.
-
-The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages
-if no authenticated messages were received. DHCPACK/DHCPNAK messages
-with an authentication option containing a KRB_ERROR attribute and no
-integrity attribute are treated as though they are unauthenticated. The
-client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK
-messages as specified in section 3.2 of the DHCP specification [4].
-
-4.3. Server behavior
-
-This section, which relies on material from [3], describes the behavior
-of a server in response to client messages.
-
-4.3.1. After receiving a DHCPDISCOVER message
-
-For installations where IP addresses are required within tickets, the
-DHCP server MAY complete the AS_REQ by filling in the ADDRESSES field
-based on the IP address that it will include in the DHCPOFFER. The DHCP
-server sends the AS_REQ to the home KDC with the FORWARDABLE flag set.
-The home KDC then replies to the DHCP server with an AS_REP. The DHCP
-server extracts the client TGT from the AS_REP and forms a TGS_REQ,
-which it sends to the home KDC.
-
-If the DHCP server and client are in different realms, then the DHCP
-server will need to obtain a TGT to the home realm from the KDC of its
-own (local) realm prior to sending the TGS_REQ. The TGS_REQ includes the
-DHCP server's TGT within the home realm, has the ENC-TKT-IN-SKEY flag
-set and includes the client home realm TGT in the ADDITIONAL-TICKETS
-field, thus requesting a user-to ticket to the DHCP client. The home
-KDC then returns a user-to-user ticket in a TGS_REP. The user-to-user
-ticket is encrypted in the client's home realm TGT session key.
-
-In order to recover the user-to-user session key, the DHCP server
-decrypts the enc-part of the TGS_REP. To accomplish this, the DHCP
-server uses the session key that it shares with the home realm, obtained
-in the AS_REQ/AS_REP conversation that it used to obtain its own TGT to
-the home realm.
-
-The DHCP server then sends a DHCPOFFER to the client, including AS_REP,
-AP_REQ and integrity attributes within the authentication option. The
-AS_REP attribute encapsulates the AS_REP sent to the DHCP server by the
-home KDC. The AP_REQ attribute includes an AP_REQ constructed by the
-DHCP server based on the TGS_REP sent to it by the home KDC. The server
-also includes an integrity attribute generated as specified in [3] from
-the user-to-user session key. The server MUST record the user-to-user
-session key selected for the client and use that session key for
-
-
-
-Hornstein, et al. Standards Track [Page 11]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-validating subsequent messages with the client.
-
-4.3.2. After receiving a DHCPREQUEST message
-
-The DHCP server uses the user-to-user session key in order to validate
-the integrity attribute contained within the authentication option,
-using the method specified in [3]. If the message fails to pass
-validation, it MUST discard the message and MAY choose to log the
-validation failure.
-
-If the message passes the validation procedure, the server responds as
-described in [4], including an integrity attribute computed as specified
-in [3] within the DHCPACK or DHCPNAK message.
-
-If the authentication option included within the DHCPREQUEST message
-contains a ticket attribute then the DHCP server will use the home realm
-TGT included in the ticket attribute in order to renew the user-to-user
-ticket, which it returns in an AP_REQ attribute within the DHCPACK.
-DHCPACK or DHCPNAK messages then include an integrity attribute
-generated as specified in [3], using the new user-to-user session key
-included within the AP_REQ.
-
-4.3.3. After receiving a DHCPINFORM message
-
-The server MAY choose to accept unauthenticated DHCPINFORM messages, or
-only accept authenticated DHCPINFORM messages based on a site policy.
-
-When a client includes an authentication option in a DHCPINFORM message,
-the server MUST respond with an authenticated DHCPACK or DHCPNAK
-message. If the DHCPINFORM message includes an authentication option
-including AP_REQ and integrity attributes, the DHCP server decrypts the
-AP_REQ attribute and then recovers the session key. The DHCP server than
-validates the integrity attribute included in the authentication option
-using the session key. If the integrity attribute is invalid then the
-DHCP server MUST silently discard the DHCPINFORM message.
-
-If the authentication option only includes a ticket attribute and no
-integrity or AP_REQ attributes, then the DHCP server should assume that
-the client needs the server to obtain a user-to-user ticket from the
-home realm KDC. In this case, the DHCP server includes the client home
-realm TGT and its own home realm TGT in a TGS_REQ to the home realm KDC.
-It then receives a user-to-user ticket from the home realm KDC in a
-TGS_REP. The DHCP server will then include AP_REQ and integrity
-attributes within the DHCPACK/DHCPNAK.
-
-If the client does not include an authentication option in the
-DHCPINFORM, the server can either respond with an unauthenticated
-DHCPACK message, or a DHCPNAK if the server does not accept
-
-
-
-Hornstein, et al. Standards Track [Page 12]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-unauthenticated clients.
-
-4.3.4. After receiving a DHCPRELEASE message
-
-The DHCP server uses the session key in order to validate the integrity
-attribute contained within the authentication option, using the method
-specified in [3]. If the message fails to pass validation, it MUST
-discard the message and MAY choose to log the validation failure.
-
-If the message passes the validation procedure, the server responds as
-described in [4], marking the client's network address as not allocated.
-
-4.3.5. After receiving a DHCPDECLINE message
-
-The DHCP server uses the session key in order to validate the integrity
-attribute contained within the authentication option, using the method
-specified in [3]. If the message fails to pass validation, it MUST
-discard the message and MAY choose to log the validation failure.
-
-If the message passes the validation procedure, the server proceeds as
-described in [4].
-
-4.4. Error handling
-
-When an error condition occurs during a Kerberos exchange, Kerberos
-error messages can be returned by either side. These Kerberos error
-messages MAY be logged by the receiving and sending parties.
-
-In some cases, it may be possible for these error messages to be
-included within the authentication option via the KRB_ERROR attribute.
-However, in most cases, errors will result in messages being silently
-discarded and so no response will be returned.
-
-For example, if the home KDC returns a KRB_ERROR in response to the
-AS_REQ submitted by the DHCP server on the client's behalf, then the
-DHCP server will conclude that the DHCPDISCOVER was not authentic, and
-will silently discard it.
-
-However, if the AS_REQ included PADATA and the home KDC responds with an
-AS_REP, then the DHCP server can conclude that the client is authentic.
-If the subsequent TGS_REQ is unsuccessful, with a KRB_ERROR returned by
-the home KDC in the TGS_REP, then the fault may lie with the DHCP server
-rather than with the client. In this case, the DHCP server MAY choose to
-return a KRB_ERROR within the authentication option included in the
-DHCPOFFER. The client will then treat this as an unauthenticated
-DHCPOFFER.
-
-
-
-
-
-Hornstein, et al. Standards Track [Page 13]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-Similarly, if the integrity attribute contained in the DHCPOFFER proves
-invalid, the client will silently discard the DHCPOFFER and instead
-accept an offer from another server if one is available. If the
-integrity attribute included in the DHCPACK/DHCPNAK proves invalid, then
-the client behaves as if it did not receive a DHCPACK/DHCPNAK.
-
-When in INIT-REBOOT, REBINDING or RENEWING state, the client will
-include a ticket attribute and integrity attribute within the
-authentication option of the DHCPREQUEST, in order to assist the DHCP
-server in renewing the user-to-user ticket. If the integrity attribute
-is invalid, then the DHCP server MUST silently discard the DHCPREQUEST.
-
-However, if the integrity attribute is successfully validated by the
-DHCP server, but the home realm TGT included in the ticket attribute is
-invalid (e.g. expired), then the DHCP server will receive a KRB_ERROR in
-response to its TGS_REQ to the home KDC. In this case, the DHCP server
-MAY respond with a DHCPNAK including a KRB_ERROR attribute and no
-integrity attribute within the authentication option. This will force
-the client back to the INIT state, where it can receive a valid home
-realm TGT.
-
-Where the client included PADATA in the AS_REQ attribute of the
-authentication option within the DHCPDISCOVER and the AS_REQ was
-successfully validated by the KDC, the DHCP server will conclude that
-the DHCP client is authentic. In this case if the client successfully
-validates the integrity attribute in the DHCPOFFER, but the server does
-not validate the integrity attribute in the client's DHCPREQUEST, the
-server MAY choose to respond with an authenticated DHCPNAK containing a
-KRB_ERROR attribute.
-
-4.5. PKINIT issues
-
-When public key authentication is supported with Kerberos as described
-in [8], the client certificate and a signature accompany the initial
-request in the preauthentication fields. As a result, it is conceivable
-that the incomplete AS_REQ included in the DHCPDISCOVER packet may
-exceed the size of a single DHCP option, or even the MTU size. As noted
-in [4], a single option may be as large as 255 octets. If the value to
-be passed is larger than this the client concatenates together the
-values of multiple instances of the same option.
-
-4.6. Examples
-
-4.6.1. INIT state
-
-In the intra-realm case where the DHCP Kerberos mutual authentication is
-successful, the conversation will appear as follows:
-
-
-
-
-Hornstein, et al.
Standards Track [Page 14] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCPACK - (Integrity) - -In the case where the KDC returns a KRB_ERROR in response to the AS_REQ, -the server will silently discard the DHCPDISCOVER and the conversation -will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ) -> - AS_REQ -> - <- KRB_ERROR - -In the inter-realm case where the DHCP Kerberos mutual authentication is -successful, the conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -DHCPDISCOVER -(Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - - - -Hornstein, et al. Standards Track [Page 15] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - <- TGS_REP - - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCPACK - (Integrity) - -In the case where the client includes PADATA in the AS_REQ attribute -within the authentication option of the DHCPDISCOVER and the KDC returns -an error-free AS_REP indicating successful validation of the PADATA, the -DHCP server will conclude that the DHCP client is authentic. If the KDC -then returns a KRB_ERROR in response to the TGS_REQ, indicating a fault -that lies with the DHCP server, the server MAY choose not to silently -discard the DHCPDISCOVER. Instead it MAY respond with a DHCPOFFER -including a KRB_ERROR attribute within the authentication option. The -client will then treat this as an unauthenticated DHCPOFFER. 
The -conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ - w/PADATA) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- KRB_ERROR - <- DHCPOFFER, - (KRB_ERROR) -DHCPREQUEST -> - <- DHCPACK - -In the intra-realm case where the client included PADATA in the AS_REQ -attribute of the authentication option and the AS_REQ was successfully -validated by the KDC, the DHCP server will conclude that the DHCP client -is authentic. In this case if the client successfully validates the -integrity attribute in the DHCPOFFER, but the server does not validate -the integrity attribute in the client's DHCPREQUEST, the server MAY - - - -Hornstein, et al. Standards Track [Page 16] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -choose to respond with an authenticated DHCPNAK containing a KRB_ERROR -attribute. The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ - w/PADATA) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCNAK - (KRB_ERROR, - Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -In the intra-realm case where the DHCP client cannot validate the -integrity attribute in the DHCPOFFER, the client silently discards the -DHCPOFFER. The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER - (Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - - - -Hornstein, et al. 
Standards Track [Page 17] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - [To another server] - (Integrity) -> - -In the intra-realm case where the DHCP client cannot validate the -integrity attribute in the DHCPACK, the client reverts to INIT state. -The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -DHCPDISCOVER -(Incomplete - AS_REQ) -> - AS_REQ -> - <- AS_REP - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPOFFER, - (AS_REP, - AP_REQ, - Integrity) -DHCPREQUEST - (Integrity) -> - <- DHCPACK - (Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -4.6.2. INIT-REBOOT, RENEWING or REBINDING - -In the intra-realm or inter-realm case where the original user-to-user -ticket is still valid, and the DHCP server still has a valid TGT to the -home realm, the conversation will appear as follows: - - DHCP DHCP Home - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPACK - (AP_REQ, - - - -Hornstein, et al. Standards Track [Page 18] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - Integrity) - -In the intra-realm or inter-realm case where the DHCP server validates -the integrity attribute in the DHCPREQUEST, but receives a KRB_ERROR in -response to the TGS_REQ to the KDC, the DHCP sever MAY choose not to -silently discard the DHCPREQUEST and MAY return an authenticated DHCPNAK -to the client instead, using the user-to-user session key previously -established with the client. 
The conversation appears as follows: - - DHCP DHCP Home - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - TGS_REQ - U-2-U -> - <- KRB_ERROR - <- DHCPNAK - (KRB_ERROR, - Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -In the intra-realm or inter-realm case where the DHCP server cannot -validate the integrity attribute in the DHCPREQUEST, the DHCP server -MUST silently discard the DHCPREQUEST and the conversation will appear -as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - Silent discard -[Sequence repeats - until timeout] - -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -In the intra-realm or inter-realm case where the original user-to-user -ticket is still valid, the server validates the integrity attribute in - - - -Hornstein, et al. Standards Track [Page 19] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -the DHCPREQUEST, but the client fails to validate the integrity -attribute in the DHCPACK, the client will silently discard the DHCPACK. -The conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- - -DHCPREQUEST - (TGT, - Integrity) -> - - <- DHCPACK - (AP_REQ, - Integrity) -DHCPDISCOVER - (Incomplete - AS_REQ) -> - -4.6.3. DHCPINFORM (with known DHCP server) - -In the case where the DHCP client knows the DHCP server it will be -interacting with, the DHCP client will obtain a ticket to the DHCP -server and will include AP_REQ and integrity attributes within the -DHCPINFORM. 
- -Where the DHCP Kerberos mutual authentication is successful, the -conversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - (AP_REQ, - Integrity) -> - <- DHCPACK - (Integrity) - -In the inter-realm case where the DHCP Kerberos mutual authentication is -successful, the conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- - - - -Hornstein, et al. Standards Track [Page 20] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - (AP_REQ, - Integrity) -> - <- DHCPACK - (Integrity) - -In the inter-realm case where the DHCP server fails to validate the -integrity attribute in the DHCPINFORM, the server MUST silently discard -the DHCPINFORM. The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - (AP_REQ, - Integrity) -> - <- DHCPACK - (Integrity) -DHCPINFORM - (AP_REQ, - Integrity) -> - -In the inter-realm case where the DHCP client fails to validate the -integrity attribute in the DHCPACK, the client MUST silently discard the -DHCPACK. The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -TGS_REQ -> - <- TGS_REP -TGS_REQ -> - <- TGS_REP -DHCPINFORM - - - -Hornstein, et al. Standards Track [Page 21] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - (AP_REQ, - Integrity) -> - -4.6.4. 
DHCPINFORM (with unknown DHCP server) - -In the case where the DHCP client does not know the DHCP server it will -be interacting with, the DHCP client will only include a ticket -attribute within the DHCPINFORM. Thus the DHCP server will not be able -to validate the authentication option. - -Where the DHCP client is able to validate the DHCPACK and no error -occur, the onversation will appear as follows: - - DHCP DHCP - Client Server KDC --------------- ------------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - TGS_REQ - U-2-U -> - <- TGS_REP - <- DHCPACK - (AP_REQ, - Integrity) - -In the inter-realm case where the DHCP server needs to obtain a TGT to -the home realm, and where the client successfully validates the DHCPACK, -the conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - <- TGS_REP - - TGS_REQ - U-2-U -> - - - -Hornstein, et al. Standards Track [Page 22] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - <- TGS_REP - <- DHCPACK - (AP_REQ, - Integrity) - -In the inter-realm case where the local KDC returns a KRB_ERROR in -response to the TGS_REQ from the DHCP server, the DHCP server MAY return -a KRB_ERROR within the DHCP authentication option included in a DHCPNAK. -The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - <- KRB_ERROR - <- DHCPNAK - (KRB_ERROR) - - -In the inter-realm case where the DHCP client fails to validate the -integrity attribute in the DHCPACK, the client MUST silently discard the -DHCPACK. 
The conversation will appear as follows: - - DHCP DHCP Home Local - Client Server KDC KDC --------------- ------------- --------- --------- -AS_REQ -> - <- AS_REP -DHCPINFORM - (Ticket) -> - AS_REQ -> - <- AS_REP - TGS_REQ -> - (cross realm, - for home - KDC) - <- TGS_REP - - TGS_REQ - - - -Hornstein, et al. Standards Track [Page 23] - - -INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000 - - - U-2-U -> - <- TGS_REP - <- DHCPACK - (AP_REQ, - Integrity) -DHCPINFORM - (Ticket) -> - -5. References - - -[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997. - -[2] Kohl, J., Neuman, C., "The Kerberos Network Authentication Service - (V5)", RFC 1510, September 1993. - -[3] Droms, R., Arbaugh, W., "Authentication for DHCP Messages", - Internet draft (work in progress), draft-ietf-dhc- - authentication-11.txt, June 1999. - -[4] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March - 1997. - -[5] Alexander, S., Droms, R., "DHCP Options and BOOTP Vendor - Extensions", RFC 2132, March 1997. - -[6] Perkins, C., "IP Mobility Support", RFC 2002, October 1996. - -[7] Jain, V., Congdon, P., Roese, J., "Network Port Authentication", - IEEE 802.1 PAR submission, June 1999. - -[8] Tung, B., Neuman, C., Hur, M., Medvinsky, A., Medvinsky, S., Wray, - J., Trostle, J., "Public Key Cryptography for Initial - Authentication in Kerberos", Internet draft (work in progress), - draft-ietf-cat-kerberos-pk-init-09.txt, June 1999. - -[9] Tung, B., Ryutov, T., Neuman, C., Tsudik, G., Sommerfeld, B., - Medvinsky, A., Hur, M., "Public Key Cryptography for Cross-Realm - Authentication in Kerberos", Internet draft (work in progress), - draft-ietf-cat-kerberos-pk-cross-04.txt, June 1999. - -[10] Mills, D., "Network Time Protocol (Version 3)", RFC-1305, March - 1992. - -[11] Henry, M., "DHCP Option 61 UUID Type Definition", Internet draft - (work in progress), draft-henry-DHCP-opt61-UUID-type-00.txt, - November 1998. 
-
-
-
-Hornstein, et al. Standards Track [Page 24]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-6. Security Considerations
-
-DHCP authentication, described in [3], addresses the following threats:
-
- Modification of messages
- Rogue servers
- Unauthorized clients
-
-This section describes how DHCP authentication via Kerberos V addresses
-each of these threats.
-
-6.1. Client security
-
-As noted in [3], it may be desirable to ensure that IP addresses are
-only allocated to authorized clients. This can serve to protect against
-denial of service attacks. To address this issue it is necessary for
-DHCP client messages to be authenticated. In order to guard against
-message modification, it is also necessary for DHCP client messages to
-be integrity protected.
-
-Note that this protocol does not make use of KRB_SAFE, so as to allow
-modification of mutable fields by the DHCP relay. Replay protection is
-therefore provided within the DHCP authentication option itself.
-
-In DHCP authentication via Kerberos V the DHCP client will authenticate,
-integrity and replay-protect the DHCPREQUEST, DHCPDECLINE and
-DHCPRELEASE messages using a user-to-user session key obtained by the
-DHCP server from the home KDC. If the DHCP client knows the DHCP server
-it will be interacting with, then the DHCP client MAY also authenticate,
-integrity and replay-protect the DHCPINFORM message using a session key
-obtained from the local realm KDC for the DHCP server it expects to
-converse with.
-
-Since the client has not yet obtained a session key, DHCPDISCOVER
-packets cannot be authenticated using the session key. However, the
-client MAY include pre-authentication data in the PADATA field included
-in the DHCPDISCOVER packet. Since the PADATA will then be used by the
-DHCP server to request a ticket on the client's behalf, the DHCP server
-will learn from the AS_REP whether the PADATA was acceptable or not.
-Therefore in this case, the DHCPDISCOVER will be authenticated but not
-integrity protected.
-
-Where the DHCP client does not know the DHCP server it will be
-interacting with ahead of time, the DHCPINFORM message will not be
-authenticated, integrity or replay protected.
-
-Note that snooping of PADATA and TGTs on the wire may provide an
-attacker with a means of mounting a dictionary attack, since these items
-
-
-
-Hornstein, et al. Standards Track [Page 25]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-are typically encrypted with a key derived from the user's password.
-Thus use of strong passwords and/or pre-authentication methods utilizing
-strong cryptography (see [8]) are recommended.
-
-6.2. Network access control
-
-DHCP authentication has been proposed as a method of limiting access to
-network media that are not physically secured such as wireless LANs and
-ports in college residence halls. However, it is not particularly well
-suited to this purpose since even if address allocation is denied an
-inauthentic client may use a statically assigned IP address instead, or
-may attempt to access the network using non-IP protocols. As a result,
-other methods, described in [6]-[7], have been proposed for controlling
-access to wireless media and switched LANs.
-
-6.3. Server security
-
-As noted in [3], it may be desirable to protect against rogue DHCP
-servers put on the network either intentionally or by accident. To
-address this issue it is necessary for DHCP server messages to be
-authenticated. In order to guard against message modification, it is
-also necessary for DHCP server messages to be integrity protected.
-Replay protection is also provided within the DHCP authentication
-option.
-
-All messages sent by the DHCP server are authenticated and integrity and
-replaly protected using a session key. This includes the DHCPOFFER,
-DHCPACK, and DHCPNAK messages. The session key is used to compute the
-DHCP authentication option, which is verified by the client.
-
-In order to provide protection against rogue servers it is necessary to
-prevent rogue servers from obtaining the credentials necessary to act as
-a DHCP server. As noted in Section 4, the Kerberos principal name for
-the DHCP server must be of type KRB_NT_SRV_HST with the service name
-component equal to 'dhcp'. The client MUST validate that the DHCP server
-principal name has the above format. This convention requires that the
-administrator ensure that non-DHCP server principals do not have names
-that match the above format.
-
-7. IANA Considerations
-
-This draft does not create any new number spaces for IANA
-administration.
-
-8. Acknowledgements
-
-The authors would like to acknowledge Ralph Droms and William Arbaugh,
-authors of the DHCP authentication draft [3]. This draft incorporates
-
-
-
-Hornstein, et al. Standards Track [Page 26]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-material from their work; however, any mistakes in this document are
-solely the responsibility of the authors.
-
-9. Authors' Addresses
-
-Ken Hornstein
-US Naval Research Laboratory
-Bldg A-49, Room 2
-4555 Overlook Avenue
-Washington DC 20375 USA
-
-Phone: +1 (202) 404-4765
-EMail: kenh@cmf.nrl.navy.mil
-
-Ted Lemon
-Internet Engines, Inc.
-950 Charter Street
-Redwood City, CA 94063
-
-Phone: +1 (650) 779 6031
-Email: mellon@iengines.net
-
-Bernard Aboba
-Microsoft Corporation
-One Microsoft Way
-Redmond, WA 98052
-
-Phone: +1 (425) 936-6605
-EMail: bernarda@microsoft.com
-
-Jonathan Trostle
-170 W. Tasman Dr.
-San Jose, CA 95134, U.S.A.
-
-Email: jtrostle@cisco.com
-Phone: +1 (408) 527-6201
-
-
-10. Intellectual Property Statement
-
-The IETF takes no position regarding the validity or scope of any
-intellectual property or other rights that might be claimed to pertain
-to the implementation or use of the technology described in this
-document or the extent to which any license under such rights might or
-might not be available; neither does it represent that it has made any
-effort to identify any such rights. Information on the IETF's
-procedures with respect to rights in standards-track and standards-
-related documentation can be found in BCP-11. Copies of claims of
-
-
-
-Hornstein, et al. Standards Track [Page 27]
-
-
-INTERNET-DRAFT DHCP Authentication Via Kerberos V 20 February 2000
-
-
-rights made available for publication and any assurances of licenses to
-be made available, or the result of an attempt made to obtain a general
-license or permission for the use of such proprietary rights by
-implementors or users of this specification can be obtained from the
-IETF Secretariat.
-
-The IETF invites any interested party to bring to its attention any
-copyrights, patents or patent applications, or other proprietary rights
-which may cover technology that may be required to practice this
-standard. Please address the information to the IETF Executive
-Director.
-
-11. Full Copyright Statement
-
-Copyright (C) The Internet Society (2000). All Rights Reserved.
-This document and translations of it may be copied and furnished to
-others, and derivative works that comment on or otherwise explain it or
-assist in its implmentation may be prepared, copied, published and
-distributed, in whole or in part, without restriction of any kind,
-provided that the above copyright notice and this paragraph are included
-on all such copies and derivative works. However, this document itself
-may not be modified in any way, such as by removing the copyright notice
-or references to the Internet Society or other Internet organizations,
-except as needed for the purpose of developing Internet standards in
-which case the procedures for copyrights defined in the Internet
-Standards process must be followed, or as required to translate it into
-languages other than English. The limited permissions granted above are
-perpetual and will not be revoked by the Internet Society or its
-successors or assigns. This document and the information contained
-herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
-INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
-
-12. Expiration Date
-
-This memo is filed as , and
-expires October 1, 2000.
-
-
-
-
-
-
-
-
-
-
-
-
-Hornstein, et al. Standards Track [Page 28]
-
-
diff --git a/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt b/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt
deleted file mode 100644
index 4dcff486b936..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt
+++ /dev/null
@@ -1,244 +0,0 @@
-Network Working Group M. Horowitz
- Cygnus Solutions
-Internet-Draft March, 1997
-
-
- Key Derivation for Authentication, Integrity, and Privacy
-
-Status of this Memo
-
- This document is an Internet-Draft. Internet-Drafts are working
- documents of the Internet Engineering Task Force (IETF), its areas,
- and its working groups. Note that other groups may also distribute
- working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as ``work in progress.''
-
- To learn the current status of any Internet-Draft, please check the
- ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
- Directories on ds.internic.net (US East Coast), nic.nordu.net
- (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
- Rim).
-
- Distribution of this memo is unlimited. Please send comments to the
- author.
-
-Abstract
-
- Recent advances in cryptography have made it desirable to use longer
- cryptographic keys, and to make more careful use of these keys. In
- particular, it is considered unwise by some cryptographers to use the
- same key for multiple purposes. Since most cryptographic-based
- systems perform a range of functions, such as authentication, key
- exchange, integrity, and encryption, it is desirable to use different
- cryptographic keys for these purposes.
-
- This RFC does not define a particular protocol, but defines a set of
- cryptographic transformations for use with arbitrary network
- protocols and block cryptographic algorithm.
-
-
-Deriving Keys
-
- In order to use multiple keys for different functions, there are two
- possibilities:
-
- - Each protocol ``key'' contains multiple cryptographic keys. The
- implementation would know how to break up the protocol ``key'' for
- use by the underlying cryptographic routines.
-
- - The protocol ``key'' is used to derive the cryptographic keys.
- The implementation would perform this derivation before calling
-
-
-
-Horowitz [Page 1]
-
-Internet Draft Key Derivation March, 1997
-
-
- the underlying cryptographic routines.
-
- In the first solution, the system has the opportunity to provide
- separate keys for different functions. This has the advantage that
- if one of these keys is broken, the others remain secret. However,
- this comes at the cost of larger ``keys'' at the protocol layer. In
- addition, since these ``keys'' may be encrypted, compromising the
- cryptographic key which is used to encrypt them compromises all the
- component keys. Also, the not all ``keys'' are used for all possible
- functions. Some ``keys'', especially those derived from passwords,
- are generated from limited amounts of entropy. Wasting some of this
- entropy on cryptographic keys which are never used is unwise.
-
- The second solution uses keys derived from a base key to perform
- cryptographic operations. By carefully specifying how this key is
- used, all of the advantages of the first solution can be kept, while
- eliminating some disadvantages. In particular, the base key must be
- used only for generating the derived keys, and this derivation must
- be non-invertible and entropy-preserving. Given these restrictions,
- compromise of one derived keys does not compromise the other subkeys.
- Attack of the base key is limited, since it is only used for
- derivation, and is not exposed to any user data.
-
- Since the derived key has as much entropy as the base keys (if the
- cryptosystem is good), password-derived keys have the full benefit of
- all the entropy in the password.
-
- To generate a derived key from a base key:
-
- Derived Key = DK(Base Key, Well-Known Constant)
-
- where
-
- DK(Key, Constant) = n-truncate(E(Key, Constant))
-
- In this construction, E(Key, Plaintext) is a block cipher, Constant
- is a well-known constant defined by the protocol, and n-truncate
- truncates its argument by taking the first n bits; here, n is the key
- size of E.
-
- If the output of E is is shorter than n bits, then some entropy in
- the key will be lost. If the Constant is smaller than the block size
- of E, then it must be padded so it may be encrypted. If the Constant
- is larger than the block size, then it must be folded down to the
- block size to avoid chaining, which affects the distribution of
- entropy.
-
- In any of these situations, a variation of the above construction is
- used, where the folded Constant is encrypted, and the resulting
- output is fed back into the encryption as necessary (the | indicates
- concatentation):
-
- K1 = E(Key, n-fold(Constant))
- K2 = E(Key, K1)
-
-
-
-Horowitz [Page 2]
-
-Internet Draft Key Derivation March, 1997
-
-
- K3 = E(Key, K2)
- K4 = ...
-
- DK(Key, Constant) = n-truncate(K1 | K2 | K3 | K4 ...)
-
- n-fold is an algorithm which takes m input bits and ``stretches''
- them to form n output bits with no loss of entropy, as described in
- [Blumenthal96]. In this document, n-fold is always used to produce n
- bits of output, where n is the key size of E.
-
- If the size of the Constant is not equal to the block size of E, then
- the Constant must be n-folded to the block size of E. This number is
- used as input to E. If the block size of E is less than the key
- size, then the output from E is taken as input to a second invocation
- of E. This process is repeated until the number of bits accumulated
- is greater than or equal to the key size of E. When enough bits have
- been computed, the first n are taken as the derived key.
-
- Since the derived key is the result of one or more encryptions in the
- base key, deriving the base key from the derived key is equivalent to
- determining the key from a very small number of plaintext/ciphertext
- pairs. Thus, this construction is as strong as the cryptosystem
- itself.
-
-
-Deriving Keys from Passwords
-
- When protecting information with a password or other user data, it is
- necessary to convert an arbitrary bit string into an encryption key.
- In addition, it is sometimes desirable that the transformation from
- password to key be difficult to reverse. A simple variation on the
- construction in the prior section can be used:
-
- Key = DK(n-fold(Password), Well-Known Constant)
-
- The n-fold algorithm is reversible, so recovery of the n-fold output
- is equivalent to recovery of Password. However, recovering the n-
- fold output is difficult for the same reason recovering the base key
- from a derived key is difficult.
-
-
-
- Traditionally, the transformation from plaintext to ciphertext, or
- vice versa, is determined by the cryptographic algorithm and the key.
- A simple way to think of derived keys is that the transformation is
- determined by the cryptographic algorithm, the constant, and the key.
-
- For interoperability, the constants used to derive keys for different
- purposes must be specified in the protocol specification. The
- constants must not be specified on the wire, or else an attacker who
- determined one derived key could provide the associated constant and
- spoof data using that derived key, rather than the one the protocol
- designer intended.
-
-
-
-
-Horowitz [Page 3]
-
-Internet Draft Key Derivation March, 1997
-
-
- Determining which parts of a protocol require their own constants is
- an issue for the designer of protocol using derived keys.
-
-
-Security Considerations
-
- This entire document deals with security considerations relating to
- the use of cryptography in network protocols.
-
-
-Acknowledgements
-
- I would like to thank Uri Blumenthal, Hugo Krawczyk, and Bill
- Sommerfeld for their contributions to this document.
-
-
-References
-
- [Blumenthal96] Blumenthal, U., "A Better Key Schedule for DES-Like
- Ciphers", Proceedings of PRAGOCRYPT '96, 1996.
-
-
-Author's Address
-
- Marc Horowitz
- Cygnus Solutions
- 955 Massachusetts Avenue
- Cambridge, MA 02139
-
- Phone: +1 617 354 7688
- Email: marc@cygnus.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Horowitz [Page 4]
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt
deleted file mode 100644
index ccba35eeb4ab..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt
+++ /dev/null
@@ -1,62 +0,0 @@
-
-
-A new Request for Comments is now available in online RFC libraries.
-
-
- RFC 2078
-
- Title: Generic Security Service Application Program
- Interface, Version 2
- Author: J. Linn
- Date: January 1997
- Mailbox: John.Linn@ov.com
- Pages: 85
- Characters: 185990
- Obsoletes: 1508
-
- URL: ftp://ds.internic.net/rfc/rfc2078.txt
-
-
-This memo revises RFC-1508, making specific, incremental changes in
-response to implementation experience and liaison requests. It is
-intended, therefore, that this memo or a successor version thereto
-will become the basis for subsequent progression of the GSS-API
-specification on the standards track. This document is a product of
-the Common Authentication Technology Working Group.
-
-This is now a Proposed Standard Protocol.
-
-This document specifies an Internet standards track protocol for the
-Internet community, and requests discussion and suggestions for
-improvements. Please refer to the current edition of the "Internet
-Official Protocol Standards" (STD 1) for the standardization state and
-status of this protocol. Distribution of this memo is unlimited.
-
-This announcement is sent to the IETF list and the RFC-DIST list.
-Requests to be added to or deleted from the IETF distribution list
-should be sent to IETF-REQUEST@CNRI.RESTON.VA.US. Requests to be
-added to or deleted from the RFC-DIST distribution list should
-be sent to RFC-DIST-REQUEST@ISI.EDU.
-
-Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
-an EMAIL message to rfc-info@ISI.EDU with the message body
-help: ways_to_get_rfcs. For example:
-
- To: rfc-info@ISI.EDU
- Subject: getting rfcs
-
- help: ways_to_get_rfcs
-
-Requests for special distribution should be addressed to either the
-author of the RFC in question, or to admin@DS.INTERNIC.NET. Unless
-specifically noted otherwise on the RFC itself, all RFCs are for
-unlimited distribution.
-
-Submissions for Requests for Comments should be sent to
-RFC-EDITOR@ISI.EDU. Please consult RFC 1543, Instructions to RFC
-Authors, for further information.
-
-
-Joyce K. Reynolds and Mary Kennedy
-USC/Information Sciences Institute
-
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt
deleted file mode 100644
index 518f4c63d171..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt
+++ /dev/null
@@ -1,6188 +0,0 @@ - - Internet draft J.Wray - IETF Common Authentication Technology WG Digital Equipment Corporation - March 1997 - - - - Generic Security Service API Version 2 : C-bindings - - - 1. STATUS OF THIS MEMO - - This document is an Internet Draft. Internet Drafts are working - documents of the Internet Engineering Task Force (IETF), its Areas, and - its Working Groups. Note that other groups may also distribute working - documents as Internet Drafts. Internet Drafts are draft documents valid - for a maximum of six months. Internet Drafts may be updated, replaced, - or obsoleted by other documents at any time. It is not appropriate to - use Internet Drafts as reference material or to cite them other than as - a "working draft" or "work in progress." Please check the I-D abstract - listing contained in each Internet Draft directory to learn the current - status of this or any other Internet Draft. - - Comments on this document should be sent to "cat-ietf@MIT.EDU", the IETF - Common Authentication Technology WG discussion list. - - - 2. ABSTRACT - - This draft document specifies C language bindings for Version 2 of the - Generic Security Service Application Program Interface (GSSAPI), which - is described at a language-independent conceptual level in other drafts - [GSSAPI]. It revises RFC-1509, making specific incremental changes in - response to implementation experience and liaison requests. It is - intended, therefore, that this draft or a successor version thereof will - become the basis for subsequent progression of the GSS-API specification - on the standards track. - - The Generic Security Service Application Programming Interface provides - security services to its callers, and is intended for implementation - atop a variety of underlying cryptographic mechanisms. Typically, - GSSAPI callers will be application protocols into which security - enhancements are integrated through invocation of services provided by - the GSSAPI. 
The GSSAPI allows a caller application to authenticate a - principal identity associated with a peer application, to delegate - rights to a peer, and to apply security services such as confidentiality - and integrity on a per-message basis. - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 1] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 3. INTRODUCTION - - The Generic Security Service Application Programming Interface [GSSAPI] - provides security services to calling applications. It allows a - communicating application to authenticate the user associated with - another application, to delegate rights to another application, and to - apply security services such as confidentiality and integrity on a per- - message basis. - - There are four stages to using the GSSAPI: - - (a) The application acquires a set of credentials with which it may - prove its identity to other processes. The application's - credentials vouch for its global identity, which may or may not be - related to any local username under which it may be running. - - (b) A pair of communicating applications establish a joint security - context using their credentials. The security context is a pair - of GSSAPI data structures that contain shared state information, - which is required in order that per-message security services may - be provided. Examples of state that might be shared between - applications as part of a security context are cryptographic keys, - and message sequence numbers. As part of the establishment of a - security context, the context initiator is authenticated to the - responder, and may require that the responder is authenticated in - turn. The initiator may optionally give the responder the right - to initiate further security contexts, acting as an agent or - delegate of the initiator. 
This transfer of rights is termed - delegation, and is achieved by creating a set of credentials, - similar to those used by the initiating application, but which may - be used by the responder. - - To establish and maintain the shared information that makes up the - security context, certain GSSAPI calls will return a token data - structure, which is a cryptographically protected opaque data - type. The caller of such a GSSAPI routine is responsible for - transferring the token to the peer application, encapsulated if - necessary in an application-application protocol. On receipt of - such a token, the peer application should pass it to a - corresponding GSSAPI routine which will decode the token and - extract the information, updating the security context state - information accordingly. - - (c) Per-message services are invoked to apply either: - - (i) integrity and data origin authentication, or - - (ii) confidentiality, integrity and data origin authentication - - to application data, which are treated by GSSAPI as arbitrary - octet-strings. An application transmitting a message that it - - - - Wray Document Expiration: 1 September 1997 [Page 2] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - wishes to protect will call the appropriate GSSAPI routine - (gss_get_mic or gss_wrap) to apply protection, specifying the - appropriate security context, and send the resulting token to the - receiving application. The receiver will pass the received token - (and, in the case of data protected by gss_get_mic, the - accompanying message-data) to the corresponding decoding routine - (gss_verify_mic or gss_unwrap) to remove the protection and - validate the data. - - (d) At the completion of a communications session (which may extend - across several transport connections), each application calls a - GSSAPI routine to delete the security context. 
Multiple contexts - may also be used (either successively or simultaneously) within a - single communications association, at the option of the - applications. - - - 4. GSSAPI ROUTINES - - This section lists the routines that make up the GSSAPI, and offers a - brief description of the purpose of each routine. Detailed descriptions - of each routine are listed in alphabetical order in section 7. - - Table 4-1 GSSAPI Credential-management Routines - - ROUTINE SECTION FUNCTION - - gss_acquire_cred 7.2 Assume a global identity; - Obtain a GSSAPI credential - handle for pre-existing - credentials. - - gss_add_cred 7.3 Construct credentials - incrementally - - gss_inquire_cred 7.21 Obtain information about - a credential. - - gss_inquire_cred_by_mech 7.22 Obtain per-mechanism information - about a credential. - - gss_release_cred 7.27 Discard a credential handle. - - - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 3] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Table 4-2 GSSAPI Context-level Routines - - ROUTINE SECTION FUNCTION - - gss_init_sec_context 7.19 Initiate a security context - with a peer application - - - gss_accept_sec_context 7.1 Accept a security context - initiated by a peer - application - - gss_delete_sec_context 7.9 Discard a security context - - gss_process_context_token 7.25 Process a token on a security - context from a peer - application - - gss_context_time 7.7 Determine for how long a - context will remain valid - - gss_inquire_context 7.20 Obtain information about a - security context - - gss_wrap_size_limit 7.33 Determine token-size limit for - gss_wrap on a context - - gss_export_sec_context 7.14 Transfer a security context to - another process - - gss_import_sec_context 7.17 Import a transferred context - - - - - Table 4-3 GSSAPI Per-message Routines - - ROUTINE SECTION FUNCTION - - gss_get_mic 7.15 Calculate a cryptographic - Message Integrity Code (MIC) - for a message; integrity service - 
- gss_verify_mic 7.32 Check a MIC against a message; - verify integrity of a received - message - - gss_wrap 7.36 Attach a MIC to a message, and - optionally encrypt the message - content; confidentiality service - - - - - Wray Document Expiration: 1 September 1997 [Page 4] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - gss_unwrap 7.31 Verify a message with attached - MIC, and decrypt message - content if necessary. - - - - - Table 4-4 GSSAPI Name manipulation Routines - - ROUTINE SECTION FUNCTION - - gss_import_name 7.16 Convert a contiguous string name - to internal-form - - gss_display_name 7.10 Convert internal-form name - to text - - gss_compare_name 7.6 Compare two internal-form names - - gss_release_name 7.28 Discard an internal-form name - - gss_inquire_names_for_mech 7.24 List the name-types supported - by a specified mechanism - - gss_inquire_mechs_for_name 7.23 List mechanisms that support - a given nametype - - gss_canonicalize_name 7.5 Convert an internal name to - an MN. 
- - gss_export_name 7.13 Convert an MN to export form - - gss_duplicate_name 7.12 Create a copy of an internal name - - - - - Table 4-5 GSSAPI Miscellaneous Routines - - ROUTINE SECTION FUNCTION - - gss_display_status 7.11 Convert a GSSAPI status code - to text - - gss_indicate_mechs 7.18 Determine available underlying - authentication mechanisms - - gss_release_buffer 7.26 Discard a buffer - - gss_release_oid_set 7.29 Discard a set of object - identifiers - - - - Wray Document Expiration: 1 September 1997 [Page 5] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - gss_create_empty_oid_set 7.8 Create a set containing no - object identifiers - - gss_add_oid_set_member 7.4 Add an object identifier to - a set - - gss_test_oid_set_member 7.30 Determines whether an object - identifier is a member of a set - - - - - - Individual GSSAPI implementations may augment these routines by - providing additional mechanism-specific routines if required - functionality is not available from the generic forms. Applications are - encouraged to use the generic routines wherever possible on portability - grounds. - - - 5. DATA TYPES AND CALLING CONVENTIONS - - The following conventions are used by the GSSAPI C-language bindings: - - 5.1. Integer types - - GSSAPI uses the following integer data type: - - OM_uint32 32-bit unsigned integer - - Where guaranteed minimum bit-count is important, this portable data type - is used by the GSSAPI routine definitions. Individual GSSAPI - implementations will include appropriate typedef definitions to map this - type onto a built-in data type. If the platform supports the X/Open - xom.h header file, the OM_uint32 definition contained therein should be - used; the GSSAPI header file in Appendix A contains logic that will - detect the prior inclusion of xom.h, and will not attempt to re-declare - OM_uint32. 
If the X/Open header file is not available on the platform, - the GSSAPI implementation should use the smallest natural unsigned - integer type that provides at least 32 bits of precision. - - 5.2. String and similar data - - Many of the GSSAPI routines take arguments and return values that - describe contiguous octet-strings. All such data is passed between the - GSSAPI and the caller using the gss_buffer_t data type. This data type - is a pointer to a buffer descriptor, which consists of a length field - that contains the total number of bytes in the datum, and a value field - which contains a pointer to the actual datum: - - - - - - Wray Document Expiration: 1 September 1997 [Page 6] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - Storage for data returned to the application by a GSSAPI routine using - the gss_buffer_t conventions is allocated by the GSSAPI routine. The - application may free this storage by invoking the gss_release_buffer - routine. Allocation of the gss_buffer_desc object is always the - responsibility of the application; unused gss_buffer_desc objects may - be initialized to the value GSS_C_EMPTY_BUFFER. - - 5.2.1. Opaque data types - - Certain multiple-word data items are considered opaque data types at the - GSSAPI, because their internal structure has no significance either to - the GSSAPI or to the caller. Examples of such opaque data types are the - input_token parameter to gss_init_sec_context (which is opaque to the - caller), and the input_message parameter to gss_wrap (which is opaque to - the GSSAPI). Opaque data is passed between the GSSAPI and the - application using the gss_buffer_t datatype. - - 5.2.2. Character strings - - Certain multiple-word data items may be regarded as simple ISO Latin-1 - character strings. 
Examples are the printable strings passed to - gss_import_name via the input_name_buffer parameter. Some GSSAPI - routines also return character strings. All such character strings are - passed between the application and the GSSAPI implementation using the - gss_buffer_t datatype, which is a pointer to a gss_buffer_desc object. - - When a gss_buffer_desc object describes a printable string, the length - field of the gss_buffer_desc should only count printable characters - within the string. In particular, a trailing NUL character should NOT - be included in the length count, nor should either the GSSAPI - implementation or the application assume the presence of an uncounted - trailing NUL. - - 5.3. Object Identifiers - - Certain GSSAPI procedures take parameters of the type gss_OID, or Object - identifier. This is a type containing ISO-defined tree-structured - values, and is used by the GSSAPI caller to select an underlying - security mechanism and to specify namespaces. A value of type gss_OID - has the following structure: - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - - - - Wray Document Expiration: 1 September 1997 [Page 7] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - The elements field of this structure points to the first byte of an - octet string containing the ASN.1 BER encoding of the value portion of - the normal BER TLV encoding of the gss_OID. The length field contains - the number of bytes in this value. For example, the gss_OID value - corresponding to {iso(1) identified-organization(3) icd-ecma(12) - member-company(2) dec(1011) cryptoAlgorithms(7) DASS(5)}, meaning the - DASS X.509 authentication mechanism, has a length field of 7 and an - elements field pointing to seven octets containing the following octal - values: 53,14,2,207,163,7,5. 
GSSAPI implementations should provide - constant gss_OID values to allow applications to request any supported - mechanism, although applications are encouraged on portability grounds - to accept the default mechanism. gss_OID values should also be provided - to allow applications to specify particular name types (see section - 5.10). Applications should treat gss_OID_desc values returned by GSSAPI - routines as read-only. In particular, the application should not - attempt to deallocate them with free(). The gss_OID_desc datatype is - equivalent to the X/Open OM_object_identifier datatype[XOM]. - - 5.4. Object Identifier Sets - - Certain GSSAPI procedures take parameters of the type gss_OID_set. This - type represents one or more object identifiers (section 5.3). A - gss_OID_set object has the following structure: - - typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - The count field contains the number of OIDs within the set. The - elements field is a pointer to an array of gss_OID_desc objects, each of - which describes a single OID. gss_OID_set values are used to name the - available mechanisms supported by the GSSAPI, to request the use of - specific mechanisms, and to indicate which mechanisms a given credential - supports. - - All OID sets returned to the application by GSSAPI are dynamic objects - (the gss_OID_set_desc, the "elements" array of the set, and the - "elements" array of each member OID are all dynamically allocated), and - this storage must be deallocated by the application using the - gss_release_oid_set() routine. - - - 5.5. Credentials - - A credential handle is a caller-opaque atomic datum that identifies a - GSSAPI credential data structure. It is represented by the caller- - opaque type gss_cred_id_t, which should be implemented as a pointer or - arithmetic type. 
If a pointer implementation is chosen, care must be - taken to ensure that two gss_cred_id_t values may be compared with the - == operator. - - - - Wray Document Expiration: 1 September 1997 [Page 8] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSSAPI credentials can contain mechanism-specific principal - authentication data for multiple mechanisms. A GSSAPI credential is - composed of a set of credential-elements, each of which is applicable to - a single mechanism. A credential may contain at most one credential- - element for each supported mechanism. A credential-element identifies - the data needed by a single mechanism to authenticate a single - principal, and conceptually contains two credential-references that - describing the actual mechanism-specific authentication data, one to be - used by GSSAPI for initiating contexts, and one to be used for - accepting contexts. For mechanisms that do not distinguish between - acceptor and initiator credentials, both references would point to the - same underlying mechanism-specific authentication data. - - Credentials describe a set of mechanism-specific principals, and give - their holder the ability to act as any of those principals. All - principal identities asserted by a single GSSAPI credential should - belong to the same entity, although enforcement of this property is an - implementation-specific matter. The GSSAPI does not make the actual - credentials available to applications; instead a credential handle is - used to identify a particular credential, held internally by GSSAPI. - The combination of GSSAPI credential handle and mechanism identifies the - principal whose identity will be asserted by the credential when used - with that mechanism. - - The gss_init_sec_context and gss_accept_sec_context routines allow the - value GSS_C_NO_CREDENTIAL to be specified as their credential handle - parameter. 
This special credential-handle indicates a desire by the - application to act as a default principal. While individual GSSAPI - implementations are free to determine such default behavior as - appropriate to the mechanism, the following default behavior by these - routines is recommended for portability: - - (a) gss_init_sec_context - - (i) If there is only a single principal capable of initiating - security contexts for the chosen mechanism that the - application is authorized to act on behalf of, then that - principal shall be used, otherwise - - (ii) If the platform maintains a concept of a default network- - identity for the chosen mechanism, and if the application is - authorized to act on behalf of that identity for the purpose - of initiating security contexts, then the principal - corresponding to that identity shall be used, otherwise - - (iii) If the platform maintains a concept of a default local - identity, and provides a means to map local identities into - network-identities for the chosen mechanism, and if the - application is authorized to act on behalf of the network- - identity image of the default local identity for the purpose - of initiating security contexts using the chosen mechanism, - - - - Wray Document Expiration: 1 September 1997 [Page 9] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - then the principal corresponding to that identity shall be - used, otherwise - - (iv) A user-configurable default identity should be used. 
- - (b) gss_accept_sec_context - - (i) If there is only a single authorized principal identity - capable of accepting security contexts for the chosen - mechanism, then that principal shall be used, otherwise - - (ii) If the mechanism can determine the identity of the target - principal by examining the context-establishment token, and - if the accepting application is authorized to act as that - principal for the purpose of accepting security contexts - using the chosen mechanism, then that principal identity - shall be used, otherwise - - (iii) If the mechanism supports context acceptance by any - principal, and if mutual authentication was not requested, - any principal that the application is authorized to accept - security contexts under using the chosen mechanism may be - used, otherwise - - (iv) A user-configurable default identity shall be used. - - The purpose of the above rules is to allow security contexts to be - established by both initiator and acceptor using the default behavior - wherever possible. Applications requesting default behavior are likely - to be more portable across mechanisms and platforms than ones that use - gss_acquire_cred to request a specific identity. - - 5.6. Contexts - - The gss_ctx_id_t data type contains a caller-opaque atomic value that - identifies one end of a GSSAPI security context. It should be - implemented as a pointer or arithmetic type. If a pointer type is - chosen, care should be taken to ensure that two gss_ctx_id_t values may - be compared with the == operator. - - The security context holds state information about each end of a peer - communication, including cryptographic state information. - - 5.7. Authentication tokens - - A token is a caller-opaque type that GSSAPI uses to maintain - synchronization between the context data structures at each end of a - GSSAPI security context. 
The token is a cryptographically protected
- octet-string, generated by the underlying mechanism at one end of a
- GSSAPI security context for use by the peer mechanism at the other end.
- Encapsulation (if required) and transfer of the token are the
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 10]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- responsibility of the peer applications. A token is passed between the
- GSSAPI and the application using the gss_buffer_t conventions.
-
- 5.8. Interprocess tokens
-
- Certain GSSAPI routines are intended to transfer data between processes
- in multi-process programs. These routines use a caller-opaque octet-
- string, generated by the GSSAPI in one process for use by the GSSAPI in
- another process. The calling application is responsible for
- transferring such tokens between processes in an OS-specific manner.
- Note that, while GSSAPI implementors are encouraged to avoid placing
- sensitive information within interprocess tokens, or to
- cryptographically protect them, many implementations will be unable to
- avoid placing key material or other sensitive data within them. It is
- the application's responsibility to ensure that interprocess tokens are
- protected in transit, and transferred only to processes that are
- trustworthy. An interprocess token is passed between the GSSAPI and the
- application using the gss_buffer_t conventions.
-
- 5.9. Status values
-
- One or more status codes are returned by each GSSAPI routine. Two
- distinct sorts of status codes are returned. These are termed GSS
- status codes and Mechanism status codes.
-
- 5.9.1. GSS status codes
-
- GSSAPI routines return GSS status codes as their OM_uint32 function
- value. These codes indicate errors that are independent of the
- underlying mechanism(s) used to provide the security service.
The - errors that can be indicated via a GSS status code are either generic - API routine errors (errors that are defined in the GSS-API - specification) or calling errors (errors that are specific to these - language bindings). - - A GSS status code can indicate a single fatal generic API error from the - routine and a single calling error. In addition, supplementary status - information may be indicated via the setting of bits in the - supplementary info field of a GSS status code. - - These errors are encoded into the 32-bit GSS status code as follows: - - MSB LSB - |------------------------------------------------------------| - | Calling Error | Routine Error | Supplementary Info | - |------------------------------------------------------------| - Bit 31 24 23 16 15 0 - - - Hence if a GSS-API routine returns a GSS status code whose upper 16 bits - contain a non-zero value, the call failed. If the calling error field - - - - Wray Document Expiration: 1 September 1997 [Page 11] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - is non-zero, the invoking application's call of the routine was - erroneous. Calling errors are defined in table 5-1. If the routine - error field is non-zero, the routine failed for one of the routine- - specific reasons listed below in table 5-2. Whether or not the upper 16 - bits indicate a failure or a success, the routine may indicate - additional information by setting bits in the supplementary info field - of the status code. The meaning of individual bits is listed below in - table 5-3. - - Table 5-1 Calling Errors - - Name Value in Meaning - Field - GSS_S_CALL_INACCESSIBLE_READ 1 A required input - parameter could - not be read. - GSS_S_CALL_INACCESSIBLE_WRITE 2 A required output - parameter could - not be written. 
- GSS_S_CALL_BAD_STRUCTURE 3 A parameter was
- malformed
-
-
-
-
- Table 5-2 Routine Errors
-
- Name Value in Meaning
- Field
-
- GSS_S_BAD_MECH 1 An unsupported mechanism was
- requested
- GSS_S_BAD_NAME 2 An invalid name was supplied
- GSS_S_BAD_NAMETYPE 3 A supplied name was of an
- unsupported type
- GSS_S_BAD_BINDINGS 4 Incorrect channel bindings
- were supplied
- GSS_S_BAD_STATUS 5 An invalid status code was
- supplied
- GSS_S_BAD_SIG 6 A token had an invalid
- GSS_S_BAD_MIC MIC
- GSS_S_NO_CRED 7 No credentials were supplied,
- or the credentials were
- unavailable or inaccessible.
- GSS_S_NO_CONTEXT 8 No context has been
- established
- GSS_S_DEFECTIVE_TOKEN 9 A token was invalid
- GSS_S_DEFECTIVE_CREDENTIAL 10 A credential was invalid
- GSS_S_CREDENTIALS_EXPIRED 11 The referenced credentials
- have expired
-
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 12]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- GSS_S_CONTEXT_EXPIRED 12 The context has expired
- GSS_S_FAILURE 13 Miscellaneous failure
- (see text)
- GSS_S_BAD_QOP 14 The quality-of-protection
- requested could not be
- provide
- GSS_S_UNAUTHORIZED 15 The operation is forbidden by
- local security policy
- GSS_S_UNAVAILABLE 16 The operation or option is not
- available
- GSS_S_DUPLICATE_ELEMENT 17 The requested credential element
- already exists
- GSS_S_NAME_NOT_MN 18 The provided name was not a
- mechanism name.
-
-
-
-
-
- Table 5-3 Supplementary Status Bits
-
- Name Bit Number Meaning
- GSS_S_CONTINUE_NEEDED 0 (LSB) The routine must be called
- again to complete its function.
- See routine documentation for
- detailed description.
- GSS_S_DUPLICATE_TOKEN 1 The token was a duplicate of
- an earlier token
- GSS_S_OLD_TOKEN 2 The token's validity period
- has expired
- GSS_S_UNSEQ_TOKEN 3 A later token has already been
- processed
- GSS_S_GAP_TOKEN 4 An expected per-message token
- was not received
-
-
- The routine documentation also uses the name GSS_S_COMPLETE, which is a
- zero value, to indicate an absence of any API errors or supplementary
- information bits.
-
- All GSS_S_xxx symbols equate to complete OM_uint32 status codes, rather
- than to bitfield values. For example, the actual value of the symbol
- GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is 3 << 16.
-
- The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
- GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS status
- code and removes all but the relevant field. For example, the value
- obtained by applying GSS_ROUTINE_ERROR to a status code removes the
- calling errors and supplementary info fields, leaving only the routine
- errors field. The values delivered by these macros may be directly
- compared with a GSS_S_xxx symbol of the appropriate type. The macro
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 13]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- GSS_ERROR() is also provided, which when applied to a GSS status code
- returns a non-zero value if the status code indicated a calling or
- routine error, and a zero value otherwise. All macros defined by GSS-
- API evaluate their argument(s) exactly once.
-
- A GSS-API implementation may choose to signal calling errors in a
- platform-specific manner instead of, or in addition to the routine
- value; routine errors and supplementary info should be returned via
- routine status values only.
-
- 5.9.2. Mechanism-specific status codes
-
- GSS-API routines return a minor_status parameter, which is used to
- indicate specialized errors from the underlying security mechanism.
- This parameter may contain a single mechanism-specific error, indicated
- by a OM_uint32 value.
-
- The minor_status parameter will always be set by a GSS-API routine, even
- if it returns a calling error or one of the generic API errors indicated
- above as fatal, although most other output parameters may remain unset
- in such cases. However, output parameters that are expected to return
- pointers to storage allocated by a routine must always be set by the
- routine, even in the event of an error, although in such cases the GSS-
- API routine may elect to set the returned parameter value to NULL to
- indicate that no storage was actually allocated. Any length field
- associated with such pointers (as in a gss_buffer_desc structure) should
- also be set to zero in such cases.
-
- The GSS status code GSS_S_FAILURE is used to indicate that the
- underlying mechanism detected an error for which no specific GSS status
- code is defined. The mechanism status code will provide more details
- about the error.
-
- 5.10. Names
-
- A name is used to identify a person or entity. GSS-API authenticates
- the relationship between a name and the entity claiming the name.
-
- Since different authentication mechanisms may employ different
- namespaces for identifying their principals, GSSAPI's naming support is
- necessarily complex in multi-mechanism environments (or even in some
- single-mechanism environments where the underlying mechanism supports
- multiple namespaces).
-
- Two distinct representations are defined for names:
-
- (a) An internal form. This is the GSSAPI "native" format for names,
- represented by the implementation-specific gss_name_t type. It is
- opaque to GSSAPI callers. A single gss_name_t object may contain
- multiple names from different namespaces, but all names should
- refer to the same entity.
An example of such an internal name
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 14]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- would be the name returned from a call to the gss_inquire_cred
- routine, when applied to a credential containing credential
- elements for multiple authentication mechanisms employing
- different namespaces. This gss_name_t object will contain a
- distinct name for the entity for each authentication mechanism.
-
- For GSSAPI implementations supporting multiple namespaces, objects
- of type gss_name_t must contain sufficient information to
- determine the namespace to which each primitive name belongs.
-
- (b) Mechanism-specific contiguous octet-string forms. A format
- capable of containing a single name (from a single namespace).
- Contiguous string names are always accompanied by an object
- identifier specifying the namespace to which the name belongs, and
- their format is dependent on the authentication mechanism that
- employs the name. Many, but not all, contiguous string names will
- be printable, and may therefore be used by GSSAPI applications for
- communication with their users.
-
- Routines (gss_import_name and gss_display_name) are provided to convert
- names between contiguous string representations and the internal
- gss_name_t type. gss_import_name may support multiple syntaxes for each
- supported namespace, allowing users the freedom to choose a preferred
- name representation. gss_display_name should use an implementation-
- chosen printable syntax for each supported name-type.
-
- If an application calls gss_display_name(), passing the internal name
- resulting from a call to gss_import_name(), there is no guarantee the
- the resulting contiguous string name will be the same as the original
- imported string name. Nor do name-space identifiers necessarily survive
- unchanged after a journey through the internal name-form.
An example of
- this might be a mechanism that authenticates X.500 names, but provides
- an algorithmic mapping of Internet DNS names into X.500. That
- mechanism's implementation of gss_import_name() might, when presented
- with a DNS name, generate an internal name that contained both the
- original DNS name and the equivalent X.500 name. Alternatively, it might
- only store the X.500 name. In the latter case, gss_display_name() would
- most likely generate a printable X.500 name, rather than the original
- DNS name.
-
- The process of authentication delivers to the context acceptor an
- internal name. Since this name has been authenticated by a single
- mechanism, it contains only a single name (even if the internal name
- presented by the context initiator to gss_init_sec_context had multiple
- components). Such names are termed internal mechanism names, or "MN"s
- and the names emitted by gss_accept_sec_context() are always of this
- type. Since some applications may require MNs without wanting to incur
- the overhead of an authentication operation, a second function,
- gss_canonicalize_name(), is provided to convert a general internal name
- into an MN.
-
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 15]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- Comparison of internal-form names may be accomplished via the
- gss_compare_name() routine, which returns true if the two names being
- compared refer to the same entity. This removes the need for the
- application program to understand the syntaxes of the various printable
- names that a given GSS-API implementation may support. Since GSSAPI
- assumes that all primitive names contained within a given internal name
- refer to the same entity, gss_compare_name() can return true if the two
- names have at least one primitive name in common.
If the implementation
- embodies knowledge of equivalence relationships between names taken from
- different namespaces, this knowledge may also allow successful
- comparison of internal names containing no overlapping primitive
- elements.
-
- When used in large access control lists, the overhead of invoking
- gss_import_name() and gss_compare_name() on each name from the ACL may
- be prohibitive. As an alternative way of supporting this case, GSSAPI
- defines a special form of the contiguous string name which may be
- compared directly (e.g. with memcmp()). Contigous names suitable for
- comparison are generated by the gss_export_name() routine, which
- requires an MN as input. Exported names may be re-imported by the
- gss_import_name() routine, and the resulting internal name will also be
- an MN. The gss_OID constant GSS_C_NT_EXPORT_NAME indentifies the
- "export name" type, and the value of this constant is given in Appendix
- A. Structurally, an exported name object consists of a header
- containing an OID identifying the mechanism that authenticated the name,
- and a trailer containing the name itself, where the syntax of the
- trailer is defined by the individual mechanism specification. The
- precise format of an export name is defined in the language-independent
- GSSAPI specification [GSSAPI].
-
- Note that the results obtained by using gss_compare_name() will in
- general be different from those obtained by invoking
- gss_canonicalize_name() and gss_export_name(), and then comparing the
- exported names. The first series of operation determines whether two
- (unauthenticated) names identify the same principal; the second whether
- a particular mechanism would authenticate them as the same principal.
- These two operations will in general give the same results only for MNs.
-
- The gss_name_t datatype should be implemented as a pointer type.
To
- allow the compiler to aid the application programmer by performing
- type-checking, the use of (void *) is discouraged. A pointer to an
- implementation-defined type is the preferred choice.
-
- Storage is allocated by routines that return gss_name_t values. A
- procedure, gss_release_name, is provided to free storage associated with
- an internal-form name.
-
-
-
-
-
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 16]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- 5.11. Channel Bindings
-
- GSS-API supports the use of user-specified tags to identify a given
- context to the peer application. These tags are intended to be used to
- identify the particular communications channel that carries the context.
- Channel bindings are communicated to the GSS-API using the following
- structure:
-
- typedef struct gss_channel_bindings_struct {
- OM_uint32 initiator_addrtype;
- gss_buffer_desc initiator_address;
- OM_uint32 acceptor_addrtype;
- gss_buffer_desc acceptor_address;
- gss_buffer_desc application_data;
- } *gss_channel_bindings_t;
-
- The initiator_addrtype and acceptor_addrtype fields denote the type of
- addresses contained in the initiator_address and acceptor_address
- buffers. The address type should be one of the following:
-
- GSS_C_AF_UNSPEC Unspecified address type
- GSS_C_AF_LOCAL Host-local address type
- GSS_C_AF_INET Internet address type (e.g.
IP)
- GSS_C_AF_IMPLINK ARPAnet IMP address type
- GSS_C_AF_PUP pup protocols (eg BSP) address type
- GSS_C_AF_CHAOS MIT CHAOS protocol address type
- GSS_C_AF_NS XEROX NS address type
- GSS_C_AF_NBS nbs address type
- GSS_C_AF_ECMA ECMA address type
- GSS_C_AF_DATAKIT datakit protocols address type
- GSS_C_AF_CCITT CCITT protocols
- GSS_C_AF_SNA IBM SNA address type
- GSS_C_AF_DECnet DECnet address type
- GSS_C_AF_DLI Direct data link interface address type
- GSS_C_AF_LAT LAT address type
- GSS_C_AF_HYLINK NSC Hyperchannel address type
- GSS_C_AF_APPLETALK AppleTalk address type
- GSS_C_AF_BSC BISYNC 2780/3780 address type
- GSS_C_AF_DSS Distributed system services address type
- GSS_C_AF_OSI OSI TP4 address type
- GSS_C_AF_X25 X25
- GSS_C_AF_NULLADDR No address specified
-
- Note that these symbols name address families rather than specific
- addressing formats. For address families that contain several
- alternative address forms, the initiator_address and acceptor_address
- fields must contain sufficient information to determine which address
- form is used. When not otherwise specified, addresses should be
- specified in network byte-order (that is, native byte-ordering for the
- address family).
-
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 17]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- Conceptually, the GSS-API concatenates the initiator_addrtype,
- initiator_address, acceptor_addrtype, acceptor_address and
- application_data to form an octet string. The mechanism calculates a
- MIC over this octet string, and binds the MIC to the context
- establishment token emitted by gss_init_sec_context. The same bindings
- are presented by the context acceptor to gss_accept_sec_context, and a
- MIC is calculated in the same way. The calculated MIC is compared with
- that found in the token, and if the MICs differ, gss_accept_sec_context
- will return a GSS_S_BAD_BINDINGS error, and the context will not be
- established.
Some mechanisms may include the actual channel binding
- data in the token (rather than just a MIC); applications should
- therefore not use confidential data as channel-binding components.
- Individual mechanisms may impose additional constraints on addresses and
- address types that may appear in channel bindings. For example, a
- mechanism may verify that the initiator_address field of the channel
- bindings presented to gss_init_sec_context contains the correct network
- address of the host system. Portable applications should therefore
- ensure that they either provide correct information for the address
- fields, or omit addressing information, specifying GSS_C_AF_NULLADDR as
- the address-types.
-
- 5.12. Optional parameters
-
- Various parameters are described as optional. This means that they
- follow a convention whereby a default value may be requested. The
- following conventions are used for omitted parameters. These
- conventions apply only to those parameters that are explicitly
- documented as optional.
-
- 5.12.1. gss_buffer_t types
-
- Specify GSS_C_NO_BUFFER as a value. For an input parameter this
- signifies that default behavior is requested, while for an output
- parameter it indicates that the information that would be returned via
- the parameter is not required by the application.
-
- 5.12.2. Integer types (input)
-
- Individual parameter documentation lists values to be used to indicate
- default actions.
-
- 5.12.3. Integer types (output)
-
- Specify NULL as the value for the pointer.
-
- 5.12.4. Pointer types
-
- Specify NULL as the value.
-
-
-
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 18]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- 5.12.5. Object IDs
-
- Specify GSS_C_NO_OID as the value.
-
- 5.12.6. Object ID Sets
-
- Specify GSS_C_NO_OID_SET as the value.
-
- 5.12.7. Channel Bindings
-
- Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings are
- not to be used.
-
-
- 6.
ADDITIONAL CONTROLS - - This section discusses the optional services that a context initiator - may request of the GSS-API at context establishment. Each of these - services is requested by setting a flag in the req_flags input parameter - to gss_init_sec_context. - - The optional services currently defined are: - - Delegation - The (usually temporary) transfer of rights from initiator - to acceptor, enabling the acceptor to authenticate itself as an - agent of the initiator. - - Mutual Authentication - In addition to the initiator authenticating its - identity to the context acceptor, the context acceptor should also - authenticate itself to the initiator. - - Replay detection - In addition to providing message integrity services, - gss_get_mic and gss_wrap should include message numbering - information to enable gss_verify_mic and gss_unwrap to detect if a - message has been duplicated. - - Out-of-sequence detection - In addition to providing message integrity - services, gss_get_mic and gss_wrap should include message - sequencing information to enable gss_verify_mic and gss_unwrap to - detect if a message has been received out of sequence. - - Anonymous authentication - The establishment of the security context - should not reveal the initiator's identity to the context - acceptor. - - Any currently undefined bits within such flag arguments should be - ignored by GSS-API implementations when presented by an application, and - should be set to zero when returned to the application by the GSS-API - implementation. - - - - - - Wray Document Expiration: 1 September 1997 [Page 19] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Some mechanisms may not support all optional services, and some - mechanisms may only support some services in conjunction with others. 
- Both gss_init_sec_context and gss_accept_sec_context inform the
- applications which services will be available from the context when the
- establishment phase is complete, via the ret_flags output parameter. In
- general, if the security mechanism is capable of providing a requested
- service, it should do so, even if additional services must be enabled in
- order to provide the requested service. If the mechanism is incapable
- of providing a requested service, it should proceed without the service,
- leaving the application to abort the context establishment process if it
- considers the requested service to be mandatory.
-
- Some mechanisms may specify that support for some services is optional,
- and that implementors of the mechanism need not provide it. This is
- most commonly true of the confidentiality service, often because of
- legal restrictions on the use of data-encryption, but may apply to any
- of the services. Such mechanisms are required to send at least one
- token from acceptor to initiator during context establishment when the
- initiator indicates a desire to use such a service, so that the
- initiating GSSAPI can correctly indicate whether the service is
- supported by the acceptor's GSSAPI.
-
- 6.1. Delegation
-
- The GSS-API allows delegation to be controlled by the initiating
- application via a boolean parameter to gss_init_sec_context(), the
- routine that establishes a security context. Some mechanisms do not
- support delegation, and for such mechanisms attempts by an application
- to enable delegation are ignored.
-
- The acceptor of a security context for which the initiator enabled
- delegation will receive (via the delegated_cred_handle parameter of
- gss_accept_sec_context) a credential handle that contains the delegated
- identity, and this credential handle may be used to initiate subsequent
- GSSAPI security contexts as an agent or delegate of the initiator.
If - the original initiator's identity is "A" and the delegate's identity is - "B", then, depending on the underlying mechanism, the identity embodied - by the delegated credential may be either "A" or "B acting for A". - - For many mechanisms that support delegation, a simple boolean does not - provide enough control. Examples of additional aspects of delegation - control that a mechanism might provide to an application are duration of - delegation, network addresses from which delegation is valid, and - constraints on the tasks that may be performed by a delegate. Such - controls are presently outside the scope of the GSS-API. GSS-API - implementations supporting mechanisms offering additional controls - should provide extension routines that allow these controls to be - exercised (perhaps by modifying the initiator's GSS-API credential prior - to its use in establishing a context). However, the simple delegation - control provided by GSS-API should always be able to over-ride other - mechanism-specific delegation controls - If the application instructs - - - - Wray Document Expiration: 1 September 1997 [Page 20] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - gss_init_sec_context() that delegation is not desired, then the - implementation must not permit delegation to occur. This is an - exception to the general rule that a mechanism may enable services even - if they are not requested - delegation may only be provide at the - explicit request of the application. - - 6.2. Mutual authentication - - Usually, a context acceptor will require that a context initiator - authenticate itself so that the acceptor may make an access-control - decision prior to performing a service for the initiator. In some - cases, the initiator may also request that the acceptor authenticate - itself. GSS-API allows the initiating application to request this - mutual authentication service by setting a flag when calling - gss_init_sec_context. 
-
- The initiating application is informed as to whether or not mutual
- authentication is being requested of the context acceptor. Note that
- some mechanisms may not support mutual authentication, and other
- mechanisms may always perform mutual authentication, whether or not the
- initiating application requests it. In particular, mutual
- authentication my be required by some mechanisms in order to support
- replay or out-of-sequence message detection, and for such mechanisms a
- request for either of these services will automatically enable mutual
- authentication.
-
- 6.3. Replay and out-of-sequence detection
-
- The GSS-API may provide detection of mis-ordered message once a security
- context has been established. Protection may be applied to messages by
- either application, by calling either gss_get_mic or gss_wrap, and
- verified by the peer application by calling gss_verify_mic or
- gss_unwrap.
-
- gss_get_mic calculates a cryptographic checksum of an application
- message, and returns that checksum in a token. The application should
- pass both the token and the message to the peer application, which
- presents them to gss_verify_mic.
-
- gss_wrap calculates a cryptographic checksum of an application message,
- and places both the checksum and the message inside a single token. The
- application should pass the token to the peer application, which
- presents it to gss_unwrap to extract the message and verify the
- checksum.
-
- Either pair of routines may be capable of detecting out-of-sequence
- message delivery, or duplication of messages. Details of such mis-
- ordered messages are indicated through supplementary status bits in the
- major status code returned by gss_verify_mic or gss_unwrap.
The - relevant supplementary bits are: - - - - - Wray Document Expiration: 1 September 1997 [Page 21] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_DUPLICATE_TOKEN - The token is a duplicate of one that has already - been received and processed. Contexts that do not claim to - provide replay detection may still set this bit if the duplicate - message is processed immediately after the original, with no - intervening messages. - - GSS_S_OLD_TOKEN - The token is too old to determine whether or not it is - a duplicate. Contexts supporting out-of-sequence detection but - not replay detection should always set this bit if - GSS_S_UNSEQ_TOKEN is set; contexts that support replay detection - should only set this bit if the token is so old that it cannot be - checked for duplication. - - GSS_S_UNSEQ_TOKEN - A later token has already been processed. - - GSS_S_GAP_TOKEN - An earlier token has not yet been received. - - A mechanism need not maintain a list of all tokens that have been - processed in order to support these status codes. A typical mechanism - might retain information about only the most recent "N" tokens - processed, allowing it to distinguish duplicates and missing tokens - within the most recent "N" messages; the receipt of a token older than - the most recent "N" would result in a GSS_S_OLD_TOKEN status. - - 6.4. Anonymous Authentication - - In certain situations, an application may wish to initiate the - authentication process to authenticate a peer, without revealing its own - identity. As an example, consider an application providing access to a - database containing medical information, and offering unrestricted - access to the service. 
A client of such a service might wish to
- authenticate the service (in order to establish trust in any information
- retrieved from it), but might not wish the service to be able to obtain
- the client's identity (perhaps due to privacy concerns about the
- specific inquiries, or perhaps simply to avoid being placed on mailing-
- lists).
-
- In normal use of the GSS-API, the initiator's identity is made available
- to the acceptor as a result of the context establishment process.
- However, context initiators may request that their identity not be
- revealed to the context acceptor. Many mechanisms do not support
- anonymous authentication, and for such mechanisms the request will not
- be honored. An authentication token will be still be generated, but the
- application is always informed if a requested service is unavailable,
- and has the option to abort context establishment if anonymity is valued
- above the other security services that would require a context to be
- established.
-
- In addition to informing the application that a context is established
- anonymously (via the ret_flags outputs from gss_init_sec_context and
- gss_accept_sec_context), the optional src_name output from
-
-
-
- Wray Document Expiration: 1 September 1997 [Page 22]
-
-
-
-
-
-
-
- INTERNET-DRAFT GSS-API V2 - C bindings March 1997
-
-
-
- gss_accept_sec_context and gss_inquire_context will, for such contexts,
- return a reserved internal-form name, defined by the implementation.
- When presented to gss_display_name, this reserved internal-form name
- will result in a printable name that is syntactically distinguishable
- from any valid principal name supported by the implementation,
- associated with a name-type object identifier with the value
- GSS_C_NT_ANONYMOUS, whose value us given in Appendix A. The printable
- form of an anonymous name should be chosen such that it implies
- anonymity, since this name may appear in, for example, audit logs.
For
- example, the string "" might be a good choice, if no valid
- printable names supported by the implementation can begin with "<" and
- end with ">".
-
- 6.5. Confidentiality
-
- If a context supports the confidentiality service, gss_wrap may be used
- to encrypt application messages. Messages are selectively encrypted,
- under the control of the conf_req_flag input parameter to gss_wrap.
-
- 6.6. Inter-process context transfer
-
- GSSAPI V2 provides routines (gss_export_sec_context and
- gss_import_sec_context) which allow a security context to be transferred
- between processes on a single machine. The most common use for such a
- feature is a client-server design where the server is implemented as a
- single process that accepts incoming security contexts, which then
- launches child processes to deal with the data on these contexts. In
- such a design, the child processes must have access to the security
- context data structure created within the parent by its call to
- gss_accept_sec_context so that they can use per-message protection
- services and delete the security context when the communication session
- ends.
-
- Since the security context data structure is expected to contain
- sequencing information, it is impractical in general to share a context
- between processes. Thus GSSAPI provides a call (gss_export_sec_context)
- that the process which currently owns the context can call to declare
- that it has no intention to use the context subsequently, and to create
- an inter-process token containing information needed by the adopting
- process to successfully import the context. After successful completion
- of this call, the original security context is made inaccessible to the
- calling process by GSSAPI, and any context handles referring to this
- context are no longer valid.
The originating process transfers the - inter-process token to the adopting process, which passes it to - gss_import_sec_context, and a fresh gss_ctx_id_t is created such that it - is functionally identical to the original context. - - The inter-process token may contain sensitive data from the original - security context (including cryptographic keys). Applications using - inter-process tokens to transfer security contexts must take appropriate - steps to protect these tokens in transit. - - - - Wray Document Expiration: 1 September 1997 [Page 23] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Implementations are not required to support the inter-process transfer - of security contexts. The ability to transfer a security context is - indicated when the context is created, by gss_init_sec_context or - gss_accept_sec_context setting the GSS_C_TRANS_FLAG bit in their - ret_flags parameter. - - - 6.7. The use of incomplete contexts - - Some mechanisms may allow the per-message services to be used before the - context establishment process is complete. For example, a mechanism may - include sufficient information in its initial context-level token for - the context acceptor to immediately decode messages protected with - gss_wrap or gss_get_mic. For such a mechanism, the initiating - application need not wait until subsequent context-level tokens have - been sent and received before invoking the per-message protection - services. - - The ability of a context to provide per-message services in advance of - complete context establishment is indicated by the setting of the - GSS_C_PROT_READY_FLAG bit in the ret_flags parameter from - gss_init_sec_context and gss_accept_sec_context. Applications wishing - to use per-message protection services on partially-established contexts - should check this flag before attempting to invoke gss_wrap or - gss_get_mic. - - - - 7. 
GSS-API routine descriptions - - In addition to the explicit major status codes documented here, the code - GSS_S_FAILURE may be returned by any routine, indicating an - implementation-specific or mechanism-specific error condition, further - details of which are reported via the minor_status parameter. - - - - - - - - - - - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 24] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.1. gss_accept_sec_context - - OM_uint32 gss_accept_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t - input_chan_bindings, - const gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) - - Purpose: - - Allows a remotely initiated security context between the application and - a remote peer to be established. The routine may return a output_token - which should be transferred to the peer application, where the peer - application will present it to gss_init_sec_context. If no token need - be sent, gss_accept_sec_context will indicate this by setting the length - field of the output_token argument to zero. To complete the context - establishment, one or more reply tokens may be required from the peer - application; if so, gss_accept_sec_context will return a status flag of - GSS_S_CONTINUE_NEEDED, in which case it should be called again when the - reply token is received from the peer application, passing the token to - gss_accept_sec_context via the input_token parameters. - - Portable applications should be constructed to use the token length and - return status to determine whether a token needs to be sent or waited - for. 
Thus a typical portable caller should always invoke - gss_accept_sec_context within a loop: - - gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; - ... - - do { - receive_token_from_peer(input_token); - maj_stat = gss_accept_sec_context(&min_stat, - &context_hdl, - cred_hdl, - input_token, - input_bindings, - &client_name, - &mech_type, - output_token, - &ret_flags, - &time_rec, - &deleg_cred); - - - - Wray Document Expiration: 1 September 1997 [Page 25] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - if (GSS_ERROR(maj_stat)) { - report_error(maj_stat, min_stat); - }; - if (output_token->length != 0) { - send_token_to_peer(output_token); - gss_release_buffer(&min_stat, - output_token) - }; - if (GSS_ERROR(maj_stat)) { - if (context_hdl != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, - &context_hdl, - GSS_C_NO_BUFFER); - break; - }; - } while (maj_stat & GSS_S_CONTINUE_NEEDED); - - - Whenever the routine returns a major status that includes the value - GSS_S_CONTINUE_NEEDED, the context is not fully established and the - following restrictions apply to the output parameters: - - (a) The value returned via the time_rec parameter is undefined - - (b) Unless the accompanying ret_flags parameter contains the bit - GSS_C_PROT_READY_FLAG, indicating that per-message services may be - applied in advance of a successful completion status, the value - returned via the mech_type parameter may be undefined until the - routine returns a major status value of GSS_S_COMPLETE. - - (c) The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG, - GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG, - GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the - ret_flags parameter should contain the values that the - implementation expects would be valid if context establishment - were to succeed. 
- - The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits - within ret_flags should indicate the actual state at the time - gss_accept_sec_context returns, whether or not the context is - fully established. - - Although this requires that GSSAPI implementations set the - GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller - (i.e. when accompanied by a GSS_S_COMPLETE status code), - applications should not rely on this behavior as the flag was not - defined in Version 1 of the GSSAPI. Instead, applications should - be prepared to use per-message services after a successful context - establishment, according to the GSS_C_INTEG_FLAG and - GSS_C_CONF_FLAG values. - - - - - Wray Document Expiration: 1 September 1997 [Page 26] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - All other bits within the ret_flags argument should be set to - zero. - - - While the routine returns GSS_S_CONTINUE_NEEDED, the values returned via - the ret_flags argument indicate the services that the implementation - expects to be available from the established context. - - If the initial call of gss_accept_sec_context() fails, the - implementation should not create a context object, and should leave the - value of the context_handle parameter set to GSS_C_NO_CONTEXT to - indicate this. In the event of a failure on a subsequent call, the - implementation is permitted to delete the "half-built" security context - (in which case it should set the context_handle parameter to - GSS_C_NO_CONTEXT), but the preferred behavior is to leave the security - context (and the context_handle parameter) untouched for the application - to delete (using gss_delete_sec_context). - - Parameters: - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned in subsequent calls. 
Once - gss_accept_sec_context() has returned a value - via this parameter, resources have been assigned - to the corresponding context, and must be - freed by the application after use with a call - to gss_delete_sec_context(). - - - acceptor_cred_handle gss_cred_id_t, read - Credential handle claimed by context acceptor. - Specify GSS_C_NO_CREDENTIAL to accept the - context as a default principal. If - GSS_C_NO_CREDENTIAL is specified, but no - default acceptor principal is defined, - GSS_S_NO_CRED will be returned. - - input_token_buffer buffer, opaque, read - token obtained from remote application. - - input_chan_bindings channel bindings, read, optional - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. If channel bindings are not - used, specify GSS_C_NO_CHANNEL_BINDINGS. - - src_name gss_name_t, modify, optional - Authenticated name of context initiator. - - - - Wray Document Expiration: 1 September 1997 [Page 27] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - After use, this name should be deallocated by - passing it to gss_release_name(). If not - required, specify NULL. - - mech_type Object ID, modify, optional - Security mechanism used. The returned - OID value will be a pointer into static - storage, and should be treated as read-only - by the caller (in particular, it does not - need to be freed). If not required, specify - NULL. - - output_token buffer, opaque, modify - Token to be passed to peer application. If the - length field of the returned token buffer is 0, - then no token need be passed to the peer - application. If a non-zero length field is - returned, the associated storage must be freed - after use by the application with a call to - gss_release_buffer(). - - ret_flags bit-mask, modify, optional - Contains various independent flags, each of - which indicates that the context supports a - specific service option. 
If not needed, - specify NULL. Symbolic names are - provided for each flag, and the symbolic names - corresponding to the required flags - should be logically-ANDed with the ret_flags - value to test whether a given option is - supported by the context. The flags are: - GSS_C_DELEG_FLAG - True - Delegated credentials are available - via the delegated_cred_handle - parameter - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer asked for mutual - authentication - False - Remote peer did not ask for mutual - authentication - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will not - be detected - - - - Wray Document Expiration: 1 September 1997 [Page 28] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_C_CONF_FLAG - True - Confidentiality service may be invoked - by calling the gss_wrap routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or gss_wrap - routines. - False - Per-message integrity service - unavailable. - GSS_C_ANON_FLAG - True - The initiator does not wish to - be authenticated; the src_name - parameter (if requested) contains - an anonymous internal name. - False - The initiator has been - authenticated normally. - GSS_C_PROT_READY_FLAG - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - if the accompanying major status return - value is either GSS_S_COMPLETE or - GSS_S_CONTINUE_NEEDED. 
- False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the accompanying major status - return value is GSS_S_COMPLETE. - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferrable. - All other bits should be set to zero. - - time_rec Integer, modify, optional - number of seconds for which the context - will remain valid. Specify NULL if not required. - - delegated_cred_handle - gss_cred_id_t, modify, optional - credential handle for credentials received from - context initiator. Only valid if deleg_flag in - ret_flags is true, in which case an explicit - - - - Wray Document Expiration: 1 September 1997 [Page 29] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - credential handle (i.e. not GSS_C_NO_CREDENTIAL) - will be returned; if deleg_flag is false, - gss_accept_context() will set this parameter to - GSS_C_NO_CREDENTIAL. If a credential handle is - returned, the associated resources must be released - by the application after use with a call to - gss_release_cred(). Specify NULL if not required. - - - minor_status Integer, modify - Mechanism specific status code. - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer application - is required to complete the context, and that - gss_accept_sec_context must be called again with that - token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the - input_token failed. - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks performed - on the credential failed. - - GSS_S_NO_CRED The supplied credentials were not valid for context - acceptance, or the credential handle did not reference - any credentials. 
- - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. - - GSS_S_BAD_BINDINGS The input_token contains different channel bindings - to those specified via the input_chan_bindings - parameter. - - GSS_S_NO_CONTEXT Indicates that the supplied context handle did not - refer to a valid context. - - GSS_S_BAD_SIG The input_token contains an invalid MIC. - - GSS_S_OLD_TOKEN The input_token was too old. This is a fatal error - during context establishment. - - GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of a - token already processed. This is a fatal error during - context establishment. - - - - - - Wray Document Expiration: 1 September 1997 [Page 30] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_BAD_MECH The received token specified a mechanism that is not - supported by the implementation or the provided - credential. - - - - - - - - 7.2. gss_acquire_cred - - - OM_uint32 gss_acquire_cred ( - OM_uint32 * minor_status, - const gss_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec) - - Purpose: - - Allows an application to acquire a handle for a pre-existing credential - by name. GSS-API implementations must impose a local access-control - policy on callers of this routine to prevent unauthorized callers from - acquiring credentials to which they are not entitled. This routine is - not intended to provide a ``login to the network'' function, as such a - function would involve the creation of new credentials rather than - merely acquiring a handle to existing credentials. Such functions, if - required, should be defined in implementation-specific extensions to the - API. 
- - If desired_name is GSS_C_NO_NAME, the call is interpreted as a request - for a credential handle that will invoke default behavior when passed to - gss_init_sec_context() (if cred_usage is GSS_C_INITIATE or GSS_C_BOTH) - or gss_accept_sec_context() (if cred_usage is GSS_C_ACCEPT or - GSS_C_BOTH). - - This routine is expected to be used primarily by context acceptors, - since implementations are likely to provide mechanism-specific ways of - obtaining GSS-API initiator credentials from the system login process. - Some implementations may therefore not support the acquisition of - GSS_C_INITIATE or GSS_C_BOTH credentials via gss_acquire_cred for any - name other than an empty name. - - If credential acquisition is time-consuming for a mechanism, the - mechanism may chooses to delay the actual acquisition until the - credential is required (e.g. by gss_init_sec_context or - - - - Wray Document Expiration: 1 September 1997 [Page 31] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - gss_accept_sec_context). Such mechanism-specific implementation - decisions should be invisible to the calling application; thus a call of - gss_inquire_cred immediately following the call of gss_acquire_cred must - return valid credential data, and may therefore incur the overhead of a - deferred credential acquisition. - - Parameters: - - desired_name gss_name_t, read - Name of principal whose credential - should be acquired - - time_req Integer, read, optional - number of seconds that credentials - should remain valid. Specify GSS_C_INDEFINITE - to request that the credentials have the maximum - permitted lifetime. - - desired_mechs Set of Object IDs, read, optional - set of underlying security mechanisms that - may be used. GSS_C_NO_OID_SET may be used - to obtain an implementation-specific default. - - cred_usage gss_cred_usage_t, read - GSS_C_BOTH - Credentials may be used - either to initiate or accept - security contexts. 
- GSS_C_INITIATE - Credentials will only be - used to initiate security - contexts. - GSS_C_ACCEPT - Credentials will only be used to - accept security contexts. - - output_cred_handle gss_cred_id_t, modify - The returned credential handle. Resources - associated with this credential handle must - be released by the application after use - with a call to gss_release_cred(). - - actual_mechs Set of Object IDs, modify, optional - The set of mechanisms for which the - credential is valid. Storage associated - with the returned OID-set must be released by - the application after use with a call to - gss_release_oid_set(). Specify NULL if not - required. - - time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid. If the - implementation does not support expiration of - - - - Wray Document Expiration: 1 September 1997 [Page 32] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - credentials, the value GSS_C_INDEFINITE will - be returned. Specify NULL if not required - - minor_status Integer, modify - Mechanism specific status code. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Unavailable mechanism requested - - GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is not - supported - - GSS_S_BAD_NAME Value supplied for desired_name parameter is ill- - formed. - - GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired because - they have expired. - - GSS_S_NO_CRED No credentials were found for the specified name. - - - - - - - - 7.3. 
gss_add_cred - - - OM_uint32 gss_add_cred ( - OM_uint32 * minor_status, - const gss_cred_id_t input_cred_handle, - const gss_name_t desired_name, - const gss_OID desired_mech, - gss_cred_usage_t cred_usage, - OM_uint32 initiator_time_req, - OM_uint32 acceptor_time_req, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * initiator_time_rec, - OM_uint32 * acceptor_time_rec) - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 33] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Purpose: - - Adds a credential-element to a credential. The credential-element is - identified by the name of the principal to which it refers. GSSAPI - implementations must impose a local access-control policy on callers of - this routine to prevent unauthorized callers from acquiring credential- - elements to which they are not entitled. This routine is not intended to - provide a ``login to the network'' function, as such a function would - involve the creation of new mechanism-specific authentication data, - rather than merely acquiring a GSSAPI handle to existing data. Such - functions, if required, should be defined in implementation-specific - extensions to the API. - - This routine is expected to be used primarily by context acceptors, - since implementations are likely to provide mechanism-specific ways of - obtaining GSS-API initiator credentials from the system login process. - Some implementations may therefore not support the acquisition of - GSS_C_INITIATE or GSS_C_BOTH credentials via gss_acquire_cred. - - If credential acquisition is time-consuming for a mechanism, the - mechanism may chooses to delay the actual acquisition until the - credential is required (e.g. by gss_init_sec_context or - gss_accept_sec_context). 
Such mechanism-specific implementation - decisions should be invisible to the calling application; thus a call of - gss_inquire_cred immediately following the call of gss_acquire_cred must - return valid credential data, and may therefore incur the overhead of a - deferred credential acquisition. - - This routine can be used to either create a new credential containing - all credential-elements of the original in addition to the newly-acquire - credential-element, or to add the new credential-element to an existing - credential. If NULL is specified for the output_cred_handle parameter - argument, the new credential-element will be added to the credential - identified by input_cred_handle; if a valid pointer is specified for the - output_cred_handle parameter, a new credential and handle will be - created. - - If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle, the - gss_add_cred will create its output_cred_handle based on default - behavior. That is, the call will have the same effect as if the - application had first made a call to gss_acquire_cred(), specifying the - same usage and passing GSS_C_NO_NAME as the desired_name parameter to - obtain an explicit credential handle embodying default behavior, passed - this credential handle to gss_add_cred(), and finally called - gss_release_cred() on the first credential handle. - - If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle parameter, - a non-NULL output_cred_handle must be supplied. - - Parameters: - - - - - Wray Document Expiration: 1 September 1997 [Page 34] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - minor_status Integer, modify - Mechanism specific status code. - - input_cred_handle gss_cred_id_t, read, optional - The credential to which a credential-element - will be added. If GSS_C_NO_CREDENTIAL is - specified, the routine will create the new - credential based on default behavior (see - description above). 
Note that, while the - credential-handle is not modified by - gss_add_cred(), the underlying credential - will be modified if output_credential_handle - is NULL. - - desired_name gss_name_t, read. - Name of principal whose credential - should be acquired. - - desired_mech Object ID, read - Underlying security mechanism with which the - credential may be used. - - cred_usage gss_cred_usage_t, read - GSS_C_BOTH - Credential may be used - either to initiate or accept - security contexts. - GSS_C_INITIATE - Credential will only be - used to initiate security - contexts. - GSS_C_ACCEPT - Credential will only be used to - accept security contexts. - - initiator_time_req Integer, read, optional - number of seconds that the credential - should remain valid for initiating security - contexts. This argument is ignored if the - created credentials are of type GSS_C_ACCEPT. - Specify GSS_C_INDEFINITE to request that the - credentials have the maximum permitted initiator - lifetime. - - acceptor_time_req Integer, read, optional - number of seconds that the credential - should remain valid for accepting security - contexts. This argument is ignored if the - created credentials are of type GSS_C_INITIATE. - Specify GSS_C_INDEFINITE to request that the - credentials have the maximum permitted initiator - lifetime. - - - - - Wray Document Expiration: 1 September 1997 [Page 35] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - output_cred_handle gss_cred_id_t, modify, optional - The returned credential handle, containing - the new credential-element and all the - credential-elements from input_cred_handle. 
- If a valid pointer to a gss_cred_id_t is - supplied for this parameter, gss_add_cred - creates a new credential handle containing all - credential-elements from the input_cred_handle - and the newly acquired credential-element; if - NULL is specified for this parameter, the newly - acquired credential-element will be added - to the credential identified by input_cred_handle. - The resources associated with any credential - handle returned via this parameter must be - released by the application after use with a - call to gss_release_cred(). - - actual_mechs Set of Object IDs, modify, optional - The complete set of mechanisms for which - the new credential is valid. Storage for - the returned OID-set must be freed by the - application after use with a call to - gss_release_oid_set(). Specify NULL if - not required. - - initiator_time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid for - initiating contexts using the specified - mechanism. If the implementation or mechanism - does not support expiration of credentials, the - value GSS_C_INDEFINITE will be returned. Specify - NULL if not required - - acceptor_time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid for - accepting security contexts using the specified - mechanism. If the implementation or mechanism - does not support expiration of credentials, the - value GSS_C_INDEFINITE will be returned. Specify - NULL if not required - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Unavailable mechanism requested - - GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is not - supported - - - - - Wray Document Expiration: 1 September 1997 [Page 36] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_BAD_NAME Value supplied for desired_name parameter is ill- - formed. 
- - GSS_S_DUPLICATE_ELEMENT The credential already contains an element for - the requested mechanism with overlapping usage and - validity period. - - GSS_S_CREDENTIALS_EXPIRED The required credentials could not be added - because they have expired. - - GSS_S_NO_CRED No credentials were found for the specified name. - - - - - - - - 7.4. gss_add_oid_set_member - - OM_uint32 gss_add_oid_set_member ( - OM_uint32 * minor_status, - const gss_OID member_oid, - gss_OID_set * oid_set) - - Purpose: - - Add an Object Identifier to an Object Identifier set. This routine is - intended for use in conjunction with gss_create_empty_oid_set when - constructing a set of mechanism OIDs for input to gss_acquire_cred. - - The oid_set parameter must refer to an OID-set that was created by - GSSAPI (e.g. a set returned by gss_create_empty_oid_set()). GSSAPI - creates a copy of the member_oid and inserts this copy into the set, - expanding the storage allocated to the OID-set's elements array if - necessary. The routine may add the new member OID anywhere within the - elements array, and implementations should verify that the new - member_oid is not already contained within the elements array. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - member_oid Object ID, read - The object identifier to copied into - the set. - - oid_set Set of Object ID, modify - The set in which the object identifier - should be inserted. - - - - Wray Document Expiration: 1 September 1997 [Page 37] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - 7.5. gss_canonicalize_name - - OM_uint32 gss_canonicalize_name ( - OM_uint32 * minor_status, - const gss_name_t input_name, - const gss_OID mech_type, - gss_name_t * output_name) - - Purpose: - - Generate a canonical mechanism name (MN) from an arbitrary internal - name. 
The mechanism name is the name that would be returned to a - context acceptor on successful authentication of a context where the - initiator used the input_name in a successful call to gss_acquire_cred, - specifying an OID set containing as its only member, - followed by a call to gss_init_sec_context, specifying as - the authentication mechanism. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name gss_name_t, read - The name for which a canonical form is - desired - - mech_type Object ID, read - The authentication mechanism for which the - canonical form of the name is desired. The - desired mechanism must be specified explicitly; - no default is provided. - - output_name gss_name_t, modify - The resultant canonical name. Storage - associated with this name must be freed by - the application after use with a call to - gss_release_name(). - - Function value: GSS status code - - - - - Wray Document Expiration: 1 September 1997 [Page 38] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_COMPLETE Successful completion. - - GSS_S_BAD_MECH The identified mechanism is not supported. - - GSS_S_BAD_NAMETYPE The provided internal name contains no elements that - could be processed by the sepcified mechanism. - - GSS_S_BAD_NAME The provided internal name was ill-formed. - - - - - - - - 7.6. gss_compare_name - - OM_uint32 gss_compare_name ( - OM_uint32 * minor_status, - const gss_name_t name1, - const gss_name_t name2, - int * name_equal) - - Purpose: - - Allows an application to compare two internal-form names to determine - whether they refer to the same entity. - - If either name presented to gss_compare_name denotes an anonymous - principal, the routines should indicate that the two names do not refer - to the same identity. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. 
- - name1 gss_name_t, read - internal-form name - - name2 gss_name_t, read - internal-form name - - name_equal boolean, modify - non-zero - names refer to same entity - zero - names refer to different entities - (strictly, the names are not known - to refer to the same identity). - - Function value: GSS status code - - - - - Wray Document Expiration: 1 September 1997 [Page 39] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The two names were of incomparable types. - - GSS_S_BAD_NAME One or both of name1 or name2 was ill-formed - - - - - - - - 7.7. gss_context_time - - OM_uint32 gss_context_time ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - OM_uint32 * time_rec) - - Purpose: - - Determines the number of seconds for which the specified context will - remain valid. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context to be interrogated. - - time_rec Integer, modify - Number of seconds that the context will remain - valid. If the context has already expired, - zero will be returned. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a valid - context - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 40] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.8. gss_create_empty_oid_set - - OM_uint32 gss_create_empty_oid_set ( - OM_uint32 * minor_status, - gss_OID_set * oid_set) - - Purpose: - - Create an object-identifier set containing no object identifiers, to - which members may be subsequently added using the - gss_add_oid_set_member() routine. These routines are intended to be - used to construct sets of mechanism object identifiers, for input to - gss_acquire_cred. 
- - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - oid_set Set of Object IDs, modify - The empty object identifier set. - The routine will allocate the - gss_OID_set_desc object, which the - application must free after use with - a call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - 7.9. gss_delete_sec_context - - OM_uint32 gss_delete_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t output_token) - - Purpose: - - Delete a security context. gss_delete_sec_context will delete the local - data structures associated with the specified security context, and may - generate an output_token, which when passed to the peer - gss_process_context_token will instruct it to do likewise. If no token - is required by the mechanism, the GSS-API should set the length field of - the output_token (if provided) to zero. No further security services - - - - Wray Document Expiration: 1 September 1997 [Page 41] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - may be obtained using the context specified by context_handle. - - In addition to deleting established security contexts, - gss_delete_sec_context must also be able to delete "half-built" security - contexts resulting from an incomplete sequence of - gss_init_sec_context()/gss_accept_sec_context() calls. - - The output_token parameter is retained for compatibility with version 1 - of the GSS-API. It is recommended that both peer applications invoke - gss_delete_sec_context passing the value GSS_C_NO_BUFFER for the - output_token parameter, indicating that no token is required, and that - gss_delete_sec_context should simply delete local context data - structures. 
If the application does pass a valid buffer to - gss_delete_sec_context, mechanisms are encouraged to return a zero- - length token, indicating that no peer action is necessary, and that no - token should be transferred by the application. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, modify - context handle identifying context to delete. - After deleting the context, the GSSAPI will set - this context handle to GSS_C_NO_CONTEXT. - - output_token buffer, opaque, modify, optional - token to be sent to remote application to - instruct it to also delete the context. It - is recommended that applications specify - GSS_C_NO_BUFFER for this parameter, requesting - local deletion only. If a buffer parameter is - provided by the application, the mechanism may - return a token in it; mechanisms that implement - only local deletion should set the length field of - this token to zero to indicate to the application - that no token is to be sent to the peer. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT No valid context was supplied - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 42] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.10. gss_display_name - - OM_uint32 gss_display_name ( - OM_uint32 * minor_status, - const gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID * output_name_type) - - Purpose: - - Allows an application to obtain a textual representation of an opaque - internal-form name for display purposes. The syntax of a printable - name is defined by the GSS-API implementation. - - If input_name denotes an anonymous principal, the implementation should - return the gss_OID value GSS_C_NT_ANONYMOUS as the output_name_type, and - a textual name that is syntactically distinct from all valid supported - printable names in output_name_buffer. 
- - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - input_name gss_name_t, read - name to be displayed - - output_name_buffer buffer, character-string, modify - buffer to receive textual name string. - The application must free storage associated - with this name after use with a call to - gss_release_buffer(). - - output_name_type Object ID, modify, optional - The type of the returned name. The returned - gss_OID will be a pointer into static storage, - and should be treated as read-only by the caller - (in particular, it does not need to be freed). - Specify NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME input_name was ill-formed - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 43] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.11. gss_display_status - - OM_uint32 gss_display_status ( - OM_uint32 * minor_status, - OM_uint32 status_value, - int status_type, - const gss_OID mech_type, - OM_uint32 * message_context, - gss_buffer_t status_string) - - Purpose: - - Allows an application to obtain a textual representation of a GSS-API - status code, for display to the user or for logging purposes. Since - some status values may indicate multiple conditions, applications may - need to call gss_display_status multiple times, each call generating a - single text string. The message_context parameter is used by - gss_acquire_cred to store state information about which error messages - have already been extracted from a given status_value; message_context - must be initialized to 0 by the application prior to the first call, and - gss_display_status will return a non-zero value in this parameter if - there are further messages to extract. 
The message_context parameter - contains all state information required by gss_display_status in order - to extract further messages from the status_value; even when a non-zero - value is returned in this parameter, the application is not required to - call gss_display_status again unless subsequent messages are desired. - The following code extracts all messages from a given status code and - prints them to stderr: - - - OM_uint32 message_context; - OM_uint32 status_code; - OM_uint32 maj_status; - OM_uint32 min_status; - gss_buffer_desc status_string; - - ... - - message_context = 0; - - do { - - maj_status = gss_display_status (&min_status, - status_code, - GSS_C_GSS_CODE, - GSS_C_NO_OID, - &message_context, - &status_string) - - fprintf(stderr, - "%.*s\n", - - - - Wray Document Expiration: 1 September 1997 [Page 44] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - status_string.length, - status_string.value); - - gss_release_buffer(&min_status, - &status_string); - - } while (message_context != 0); - - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - status_value Integer, read - Status value to be converted - - status_type Integer, read - GSS_C_GSS_CODE - status_value is a GSS status - code - GSS_C_MECH_CODE - status_value is a mechanism - status code - - mech_type Object ID, read, optional - Underlying mechanism (used to interpret a - minor status value) Supply GSS_C_NO_OID to - obtain the system default. - - message_context Integer, read/modify - Should be initialized to zero by the - application prior to the first call. - On return from gss_display_status(), - a non-zero status_value parameter indicates - that additional messages may be extracted - from the status code via subsequent calls - to gss_display_status(), passing the same - status_value, status_type, mech_type, and - message_context parameters. 
- - status_string buffer, character string, modify - textual interpretation of the status_value. - Storage associated with this parameter must - be freed by the application after use with - a call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - Wray Document Expiration: 1 September 1997 [Page 45] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_BAD_MECH Indicates that translation in accordance with an - unsupported mechanism type was requested - - GSS_S_BAD_STATUS The status value was not recognized, or the status - type was neither GSS_C_GSS_CODE nor GSS_C_MECH_CODE. - - - - - - - - 7.12. gss_duplicate_name - - OM_uint32 gss_duplicate_name ( - OM_uint32 * minor_status, - const gss_name_t src_name, - gss_name_t * dest_name) - - Purpose: - - Create an exact duplicate of the existing internal name src_name. The - new dest_name will be independent of src_name (i.e. src_name and - dest_name must both be released, and the release of one shall not affect - the validity of the other). - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - src_name gss_name_t, read - internal name to be duplicated. - - dest_name gss_name_t, modify - The resultant copy of . - Storage associated with this name must - be freed by the application after use - with a call to gss_release_name(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The src_name parameter was ill-formed. - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 46] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.13. gss_export_name - - OM_uint32 gss_export_name ( - OM_uint32 * minor_status, - const gss_name_t input_name, - gss_buffer_t exported_name) - - Purpose: - - To produce a canonical contiguous string representation of a mechanism - name (MN), suitable for direct comparison (e.g. 
with memcmp) for use in - authorization functions (e.g. matching entries in an access-control - list). - - The parameter must specify a valid MN (i.e. an internal - name generated by gss_accept_sec_context or by gss_canonicalize_name). - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name gss_name_t, read - The MN to be exported - - exported_name gss_buffer_t, octet-string, modify - The canonical contiguous string form of - . Storage associated with - this string must freed by the application - after use with gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NAME_NOT_MN The provided internal name was not a mechanism name. - - GSS_S_BAD_NAME The provide internal name was ill-formed. - - GSS_S_BAD_NAMETYPE The internal name was of a type not supported by the - GSSAPI implementation. - - - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 47] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.14. gss_export_sec_context - - OM_uint32 gss_export_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t interprocess_token) - - Purpose: - - Provided to support the sharing of work between multiple processes. - This routine will typically be used by the context-acceptor, in an - application where a single process receives incoming connection requests - and accepts security contexts over them, then passes the established - context to one or more other processes for message exchange. - gss_export_sec_context() deactivates the security context for the - calling process and creates an interprocess token which, when passed to - gss_import_sec_context in another process, will re-activate the context - in the second process. Only a single instantiation of a given context - may be active at any one time; a subsequent attempt by a context - exporter to access the exported security context will fail. 
- - The implementation may constrain the set of processes by which the - interprocess token may be imported, either as a function of local - security policy, or as a result of implementation decisions. For - example, some implementations may constrain contexts to be passed only - between processes that run under the same account, or which are part of - the same process group. - - The interprocess token may contain security-sensitive information (for - example cryptographic keys). While mechanisms are encouraged to either - avoid placing such sensitive information within interprocess tokens, or - to encrypt the token before returning it to the application, in a - typical object-library GSSAPI implementation this may not be possible. - Thus the application must take care to protect the interprocess token, - and ensure that any process to which the token is transferred is - trustworthy. - - If creation of the interprocess token is succesful, the implementation - shall deallocate all process-wide resources associated with the security - context, and set the context_handle to GSS_C_NO_CONTEXT. In the event - of an error that makes it impossible to complete the export of the - security context, the implementation must not return an interprocess - token, and should strive to leave the security context referenced by the - context_handle parameter untouched. If this is impossible, it is - permissible for the implementation to delete the security context, - providing it also sets the context_handle parameter to GSS_C_NO_CONTEXT. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - - - Wray Document Expiration: 1 September 1997 [Page 48] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - context_handle gss_ctx_id_t, modify - context handle identifying the context to transfer. - - interprocess_token buffer, opaque, modify - token to be transferred to target process. 
- Storage associated with this token must be - freed by the application after use with a - call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has expired - - GSS_S_NO_CONTEXT The context was invalid - - GSS_S_UNAVAILABLE The operation is not supported. - - - - - - - - 7.15. gss_get_mic - - OM_uint32 gss_get_mic ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t msg_token) - - Purpose: - - Generates a cryptographic MIC for the supplied message, and places the - MIC in a token for transfer to the peer application. The qop_req - parameter allows a choice between several cryptographic algorithms, if - supported by the chosen mechanism. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - identifies the context on which the message - will be sent - - - - - Wray Document Expiration: 1 September 1997 [Page 49] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - qop_req gss_qop_t, read, optional - Specifies requested quality of protection. - Callers are encouraged, on portability grounds, - to accept the default quality of protection - offered by the chosen mechanism, which may be - requested by specifying GSS_C_QOP_DEFAULT for - this parameter. If an unsupported protection - strength is requested, gss_get_mic will return a - major_status of GSS_S_BAD_QOP. - - message_buffer buffer, opaque, read - message to be protected - - msg_token buffer, opaque, modify - buffer to receive token. The application must - free storage associated with this buffer after - use with a call to gss_release_buffer(). 
- - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a valid - context - - GSS_S_BAD_QOP The specified QOP is not supported by the mechanism. - - - - - - - - 7.16. gss_import_name - - OM_uint32 gss_import_name ( - OM_uint32 * minor_status, - const gss_buffer_t input_name_buffer, - const gss_OID input_name_type, - gss_name_t * output_name) - - Purpose: - - Convert a contiguous string name to internal form. In general, the - internal name returned (via the parameter) will not be an - MN; the exception to this is if the indicates that the - contiguous string provided via the parameter is of - type GSS_C_NT_EXPORT_NAME, in which case the returned internal name will - be an MN for the mechanism that exported the name. - - - - - Wray Document Expiration: 1 September 1997 [Page 50] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name_buffer buffer, octet-string, read - buffer containing contiguous string name to convert - - input_name_type Object ID, read, optional - Object ID specifying type of printable - name. Applications may specify either - GSS_C_NO_OID to use a mechanism-specific - default printable syntax, or an OID registered - by the GSS-API implementation to name a - specific namespace. - - output_name gss_name_t, modify - returned name in internal form. Storage - associated with this name must be freed - by the application after use with a call - to gss_release_name(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The input_name_type was unrecognized - - GSS_S_BAD_NAME The input_name parameter could not be interpreted as a - name of the specified type - - - - - - - - - 7.17. 
gss_import_sec_context - - OM_uint32 gss_import_sec_context ( - OM_uint32 * minor_status, - const gss_buffer_t interprocess_token, - gss_ctx_id_t * context_handle) - - Purpose: - - Allows a process to import a security context established by another - process. A given interprocess token may be imported only once. See - gss_export_sec_context. - - - - - Wray Document Expiration: 1 September 1997 [Page 51] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - interprocess_token buffer, opaque, modify - token received from exporting process - - context_handle gss_ctx_id_t, modify - context handle of newly reactivated context. - Resources associated with this context handle - must be released by the application after use - with a call to gss_delete_sec_context(). - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion. - - GSS_S_NO_CONTEXT The token did not contain a valid context reference. - - GSS_S_DEFECTIVE_TOKEN The token was invalid. - - GSS_S_UNAVAILABLE The operation is unavailable. - - GSS_S_UNAUTHORIZED Local policy prevents the import of this context by - the current process.. - - - - - - - - 7.18. gss_indicate_mechs - - OM_uint32 gss_indicate_mechs ( - OM_uint32 * minor_status, - gss_OID_set * mech_set) - - Purpose: - - Allows an application to determine which underlying security mechanisms - are available. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - - - - Wray Document Expiration: 1 September 1997 [Page 52] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - mech_set set of Object IDs, modify - set of implementation-supported mechanisms. - The returned gss_OID_set value will be a - dynamically-allocated OID set, that should - be released by the caller after use with a - call to gss_release_oid_set(). 
- - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - 7.19. gss_init_sec_context - - OM_uint32 gss_init_sec_context ( - OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t - input_chan_bindings, - const gss_buffer_t input_token - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec ) - - Purpose: - - Initiates the establishment of a security context between the - application and a remote peer. Initially, the input_token parameter - should be specified either as GSS_C_NO_BUFFER, or as a pointer to a - gss_buffer_desc object whose length field contains the value zero. The - routine may return a output_token which should be transferred to the - peer application, where the peer application will present it to - gss_accept_sec_context. If no token need be sent, gss_init_sec_context - will indicate this by setting the length field of the output_token - argument to zero. To complete the context establishment, one or more - reply tokens may be required from the peer application; if so, - gss_init_sec_context will return a status containing the supplementary - information bit GSS_S_CONTINUE_NEEDED. In this case, - gss_init_sec_context should be called again when the reply token is - received from the peer application, passing the reply token to - gss_init_sec_context via the input_token parameters. - - - - Wray Document Expiration: 1 September 1997 [Page 53] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Portable applications should be constructed to use the token length and - return status to determine whether a token needs to be sent or waited - for. 
Thus a typical portable caller should always invoke - gss_init_sec_context within a loop: - - int context_established = 0; - gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; - ... - input_token->length = 0; - - while (!context_established) { - maj_stat = gss_init_sec_context(&min_stat, - cred_hdl, - &context_hdl, - target_name, - desired_mech, - desired_services, - desired_time, - input_bindings, - input_token, - &actual_mech, - output_token, - &actual_services, - &actual_time); - if (GSS_ERROR(maj_stat)) { - report_error(maj_stat, min_stat); - }; - if (output_token->length != 0) { - send_token_to_peer(output_token); - gss_release_buffer(&min_stat, - output_token) - }; - if (GSS_ERROR(maj_stat)) { - if (context_hdl != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, - &context_hdl, - GSS_C_NO_BUFFER); - break; - }; - if (maj_stat & GSS_S_CONTINUE_NEEDED) { - receive_token_from_peer(input_token); - } else { - context_established = 1; - }; - }; - - Whenever the routine returns a major status that includes the value - GSS_S_CONTINUE_NEEDED, the context is not fully established and the - following restrictions apply to the output parameters: - - - - - - Wray Document Expiration: 1 September 1997 [Page 54] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - (a) The value returned via the time_rec parameter is undefined - - (b) Unless the accompanying ret_flags parameter contains the bit - GSS_C_PROT_READY_FLAG, indicating that per-message services may be - applied in advance of a successful completion status, the value - returned via the actual_mech_type parameter is undefined until the - routine returns a major status value of GSS_S_COMPLETE. 
-
- (c) The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
- GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
- GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
- ret_flags parameter should contain the values that the
- implementation expects would be valid if context establishment
- were to succeed. In particular, if the application has requested
- a service such as delegation or anonymous authentication via the
- req_flags argument, and such a service is unavailable from the
- underlying mechanism, gss_init_sec_context should generate a token
- that will not provide the service, and indicate via the ret_flags
- argument that the service will not be supported. The application
- may choose to abort the context establishment by calling
- gss_delete_sec_context (if it cannot continue in the absence of
- the service), or it may choose to transmit the token and continue
- context establishment (if the service was merely desired but not
- mandatory).
-
- The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
- within ret_flags should indicate the actual state at the time
- gss_init_sec_context returns, whether or not the context is fully
- established.
-
- Although this requires that GSSAPI implementations set the
- GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
- (i.e. when accompanied by a GSS_S_COMPLETE status code),
- applications should not rely on this behavior as the flag was not
- defined in Version 1 of the GSSAPI. Instead, applications should
- be prepared to use per-message services after a successful context
- establishment, according to the GSS_C_INTEG_FLAG and
- GSS_C_CONF_FLAG values.
-
- All other bits within the ret_flags argument should be set to
- zero.
-
- If the initial call of gss_init_sec_context() fails, the implementation
- should not create a context object, and should leave the value of the
- context_handle parameter set to GSS_C_NO_CONTEXT to indicate this.
In - the event of a failure on a subsequent call, the implementation is - permitted to delete the "half-built" security context (in which case it - should set the context_handle parameter to GSS_C_NO_CONTEXT), but the - preferred behavior is to leave the security context untouched for the - application to delete (using gss_delete_sec_context). - - - - - Wray Document Expiration: 1 September 1997 [Page 55] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - initiator_cred_handle gss_cred_id_t, read, optional - handle for credentials claimed. Supply - GSS_C_NO_CREDENTIAL to act as a default - initiator principal. If no default - initiator is defined, the function will - return GSS_S_NO_CRED. - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned by first call in continuation calls. - Resources associated with this context-handle - must be released by the application after use - with a call to gee_delete_sec_context(). - - target_name gss_name_t, read - Name of target - - mech_type OID, read, optional - Object ID of desired mechanism. Supply - GSS_C_NO_OID to obtain an implementation - specific default - - req_flags bit-mask, read - Contains various independent flags, each of - which requests that the context support a - specific service option. Symbolic - names are provided for each flag, and the - symbolic names corresponding to the required - flags should be logically-ORed - together to form the bit-mask value. 
The - flags are: - - GSS_C_DELEG_FLAG - True - Delegate credentials to remote peer - False - Don't delegate - GSS_C_MUTUAL_FLAG - True - Request that remote peer - authenticate itself - False - Authenticate self to remote peer - only - GSS_C_REPLAY_FLAG - True - Enable replay detection for - messages protected with gss_wrap - or gss_get_mic - False - Don't attempt to detect - replayed messages - - - Wray Document Expiration: 1 September 1997 [Page 56] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_C_SEQUENCE_FLAG - True - Enable detection of out-of-sequence - protected messages - False - Don't attempt to detect - out-of-sequence messages - GSS_C_ANON_FLAG - True - Do not reveal the initiator's - identity to the acceptor. - False - Authenticate normally. - - time_req Integer, read, optional - Desired number of seconds for which context - should remain valid. Supply 0 to request a - default validity period. - - input_chan_bindings channel bindings, read, optional - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. Specify GSS_C_NO_CHANNEL_BINDINGS - if channel bindings are not used. - - input_token buffer, opaque, read, optional (see text) - Token received from peer application. - Supply GSS_C_NO_BUFFER, or a pointer to - a buffer containing the value GSS_C_EMPTY_BUFFER - on initial call. - - actual_mech_type OID, modify, optional - Actual mechanism used. The OID returned via - this parameter will be a pointer to static - storage that should be treated as read-only; - In particular the application should not attempt - to free it. Specify NULL if not required. - - output_token buffer, opaque, modify - token to be sent to peer application. If - the length field of the returned buffer is - zero, no token need be sent to the peer - application. 
Storage associated with this - buffer must be freed by the application - after use with a call to gss_release_buffer(). - - ret_flags bit-mask, modify, optional - Contains various independent flags, each of which - indicates that the context supports a specific - service option. Specify NULL if not - required. Symbolic names are provided - for each flag, and the symbolic names - corresponding to the required flags should be - - - - Wray Document Expiration: 1 September 1997 [Page 57] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - logically-ANDed with the ret_flags value to test - whether a given option is supported by the - context. The flags are: - - GSS_C_DELEG_FLAG - True - Credentials were delegated to - the remote peer - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer has been asked to - authenticated itself - False - Remote peer has not been asked to - authenticate itself - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will - not be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling gss_wrap routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or gss_wrap - routines. - False - Per-message integrity service - unavailable. - GSS_C_ANON_FLAG - True - The initiator's identity has not been - revealed, and will not be revealed if - any emitted token is passed to the - acceptor. - False - The initiator's identity has been or - will be authenticated normally. 
- GSS_C_PROT_READY_FLAG - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available for - use if the accompanying major status - return value is either GSS_S_COMPLETE or - GSS_S_CONTINUE_NEEDED. - - - - Wray Document Expiration: 1 September 1997 [Page 58] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the accompanying major status - return value is GSS_S_COMPLETE. - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferrable. - All other bits should be set to zero. - - time_rec Integer, modify, optional - number of seconds for which the context - will remain valid. If the implementation does - not support context expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer application - is required to complete the context, and that - gss_init_sec_context must be called again with that - token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the - input_token failed - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks performed - on the credential failed. - - GSS_S_NO_CRED The supplied credentials were not valid for context - initiation, or the credential handle did not reference - any credentials. 
- - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired - - GSS_S_BAD_BINDINGS The input_token contains different channel bindings - to those specified via the input_chan_bindings - parameter - - GSS_S_BAD_SIG The input_token contains an invalid MIC, or a MIC that - could not be verified - - GSS_S_OLD_TOKEN The input_token was too old. This is a fatal error - during context establishment - - - - - Wray Document Expiration: 1 September 1997 [Page 59] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of a - token already processed. This is a fatal error during - context establishment. - - GSS_S_NO_CONTEXT Indicates that the supplied context handle did not - refer to a valid context - - GSS_S_BAD_NAMETYPE The provided target_name parameter contained an - invalid or unsupported type of name - - GSS_S_BAD_NAME The provided target_name parameter was ill-formed. - - GSS_S_BAD_MECH The specified mechanism is not supported by the - provided credential, or is unrecognized by the - implementation. - - - - - - - - 7.20. gss_inquire_context - - OM_uint32 gss_inquire_context ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_name_t * src_name, - gss_name_t * targ_name, - OM_uint32 * lifetime_rec, - gss_OID * mech_type, - OM_uint32 * ctx_flags, - int * locally_initiated, - int * open ) - - Purpose: - - Obtains information about a security context. The caller must already - have obtained a handle that refers to the context, although the context - need not be fully established. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - context_handle gss_ctx_id_t, read - A handle that refers to the security context. - - src_name gss_name_t, modify, optional - The name of the context initiator. 
- - - - Wray Document Expiration: 1 September 1997 [Page 60] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - If the context was established using anonymous - authentication, and if the application invoking - gss_inquire_context is the context acceptor, - an anonymous name will be returned. Storage - associated with this name must be freed by the - application after use with a call to - gss_release_name(). Specify NULL if not - required. - - targ_name gss_name_t, modify, optional - The name of the context acceptor. - Storage associated with this name must be - freed by the application after use with a call - to gss_release_name(). Specify NULL if not - Specify NULL if not required. - - lifetime_rec Integer, modify, optional - The number of seconds for which the context - will remain valid. If the context has - expired, this parameter will be set to zero. - If the implementation does not support - context expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - mech_type gss_OID, modify, optional - The security mechanism providing the - context. The returned OID will be a - pointer to static storage that should - be treated as read-only by the application; - in particular the application should not - attempt to free it. Specify NULL if not - required. - - ctx_flags bit-mask, modify, optional - Contains various independent flags, each of - which indicates that the context supports - (or is expected to support, if ctx_open is - false) a specific service option. If not - needed, specify NULL. Symbolic names are - provided for each flag, and the symbolic names - corresponding to the required flags - should be logically-ANDed with the ret_flags - value to test whether a given option is - supported by the context. The flags are: - - GSS_C_DELEG_FLAG - True - Credentials were delegated from - the initiator to the acceptor. 
- False - No credentials were delegated - - - - Wray Document Expiration: 1 September 1997 [Page 61] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - GSS_C_MUTUAL_FLAG - True - The acceptor was authenticated - to the initiator - False - The acceptor did not authenticate - itself. - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will not - be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be invoked - by calling gss_wrap routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or gss_wrap - routines. - False - Per-message integrity service - unavailable. - GSS_C_ANON_FLAG - True - The initiator's identity will not - be revealed to the acceptor. - The src_name parameter (if - requested) contains an anonymous - internal name. - False - The initiator has been - authenticated normally. - GSS_C_PROT_READY_FLAG - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - for use. - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the context is fully - established (i.e. if the open parameter - is non-zero). - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferrable. 
- - Wray Document Expiration: 1 September 1997 [Page 62] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - - - locally_initiated Boolean, modify - Non-zero if the invoking application is the - context initiator. - Specify NULL if not required. - - open Boolean, modify - Non-zero if the context is fully established; - Zero if a context-establishment token - is expected from the peer application. - Specify NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT The referenced context could not be accessed. - - GSS_S_CONTEXT_EXPIRED The context has expired. If the lifetime_rec - parameter was requested, it will be set to 0. - - - - - - - - 7.21. gss_inquire_cred - - OM_uint32 gss_inquire_cred ( - OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - gss_name_t * name, - OM_uint32 * lifetime, - gss_cred_usage_t * cred_usage, - gss_OID_set * mechanisms ) - - Purpose: - - Obtains information about a credential. The caller must already have - obtained a handle that refers to the credential. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - cred_handle gss_cred_id_t, read - A handle that refers to the target credential. - Specify GSS_C_NO_CREDENTIAL to inquire about - the default initiator principal. - - - Wray Document Expiration: 1 September 1997 [Page 63] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - - name gss_name_t, modify, optional - The name whose identity the credential asserts. - Storage associated with this name should be freed - by the application after use with a call to - gss_release_name(). Specify NULL if not required. - - lifetime Integer, modify, optional - The number of seconds for which the credential - will remain valid. If the credential has - expired, this parameter will be set to zero. 
- If the implementation does not support - credential expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - cred_usage gss_cred_usage_t, modify, optional - How the credential may be used. One of the - following: - GSS_C_INITIATE - GSS_C_ACCEPT - GSS_C_BOTH - Specify NULL if not required. - - mechanisms gss_OID_set, modify, optional - Set of mechanisms supported by the credential. - Storage associated with this OID set must be - freed by the application after use with a call - to gss_release_oid_set(). Specify NULL if not - required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. If - the lifetime parameter was not passed as NULL, it will - be set to 0. - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 64] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.22. gss_inquire_cred_by_mech - - OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * minor_status, - const gss_cred_id_t cred_handle, - const gss_OID mech_type, - gss_name_t * name, - OM_uint32 * initiator_lifetime, - OM_uint32 * acceptor_lifetime, - gss_cred_usage_t * cred_usage ) - - Purpose: - - Obtains per-mechanism information about a credential. The caller must - already have obtained a handle that refers to the credential. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - cred_handle gss_cred_id_t, read - A handle that refers to the target credential. - Specify GSS_C_NO_CREDENTIAL to inquire about - the default initiator principal. - - mech_type gss_OID, read - The mechanism for which information should be - returned. - - name gss_name_t, modify, optional - The name whose identity the credential asserts. 
- Storage associated with this name must be - freed by the application after use with a call - to gss_release_name(). Specify NULL if not - required. - - initiator_lifetime Integer, modify, optional - The number of seconds for which the credential - will remain capable of initiating security contexts - under the specified mechanism. If the credential - can no longer be used to initiate contexts, or if - the credential usage for this mechanism is - GSS_C_ACCEPT, - this parameter will be set to zero. If the - implementation does not support expiration of - initiator credentials, the value GSS_C_INDEFINITE - will be returned. Specify NULL if not required. - - acceptor_lifetime Integer, modify, optional - The number of seconds for which the credential - - - - Wray Document Expiration: 1 September 1997 [Page 65] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - will remain capable of accepting security contexts - under the specified mechanism. If the credential - can no longer be used to accept contexts, or if - the credential usage for this mechanism is - GSS_C_INITIATE, this parameter will be set to zero. - If the implementation does not support expiration - of acceptor credentials, the value GSS_C_INDEFINITE - will be returned. Specify NULL if not required. - - cred_usage gss_cred_usage_t, modify, optional - How the credential may be used with the specified - mechanism. One of the following: - GSS_C_INITIATE - GSS_C_ACCEPT - GSS_C_BOTH - Specify NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. If - the lifetime parameter was not passed as NULL, it will - be set to 0. - - - - - - - - 7.23. 
gss_inquire_mechs_for_name - - OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * minor_status, - const gss_name_t input_name, - gss_OID_set * mech_types ) - - Purpose: - - Returns the set of mechanisms supported by the GSSAPI implementation - that may be able to process the specified name. - - Each mechanism returned will recognize at least one element within the - name. It is permissible for this routine to be implemented within a - mechanism-independent GSSAPI layer, using the type information contained - within the presented name, and based on registration information - - - - Wray Document Expiration: 1 September 1997 [Page 66] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - provided by individual mechanism implementations. This means that the - returned mech_types set may indicate that a particular mechanism will - understand the name when in fact it would refuse to accept the name as - input to gss_canonicalize_name, gss_init_sec_context, gss_acquire_cred - or gss_add_cred (due to some property of the specific name, as opposed - to the name type). Thus this routine should be used only as a pre- - filter for a call to a subsequent mechanism-specific routine. - - - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - input_name gss_name_t, read - The name to which the inquiry relates. - - mech_types gss_OID_set, modify - Set of mechanisms that may support the - specified name. The returned OID set - must be freed by the caller after use - with a call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The input_name parameter was ill-formed. - - GSS_S_BAD_NAMETYPE The input_name parameter contained an invalid or - unsupported type of name - - - - - - - 7.24. 
gss_inquire_names_for_mech - - OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * minor_status, - const gss_OID mechanism, - gss_OID_set * name_types) - - Purpose: - - Returns the set of nametypes supported by the specified mechanism. - - - - - - - Wray Document Expiration: 1 September 1997 [Page 67] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - mechanism gss_OID, read - The mechanism to be interrogated. - - name_types gss_OID_set, modify - Set of name-types supported by the specified - mechanism. The returned OID set must be - freed by the application after use with a - call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - 7.25. gss_process_context_token - - OM_uint32 gss_process_context_token ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t token_buffer) - - Purpose: - - Provides a way to pass a token to the security service. Used with - tokens emitted by gss_delete_sec_context. Note that mechanisms are - encouraged to perform local deletion, and not emit tokens from - gss_delete_sec_context. This routine, therefore, is primarily for - backwards compatibility with V1 applications. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - context handle of context on which token is to - be processed - - token_buffer buffer, opaque, read - token to process - - - - - Wray Document Expiration: 1 September 1997 [Page 68] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the - token failed - - GSS_S_NO_CONTEXT The context_handle did not refer to a valid context - - - - - - - - 7.26. 
gss_release_buffer - - OM_uint32 gss_release_buffer ( - OM_uint32 * minor_status, - gss_buffer_t buffer) - - Purpose: - - Free storage associated with a buffer. The storage must have been - allocated by a GSS-API routine. In addition to freeing the associated - storage, the routine will zero the length field in the descriptor to - which the buffer parameter refers. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - buffer buffer, modify - The storage associated with the buffer will be - deleted. The gss_buffer_desc object will not - be freed, but its length field will be zeroed. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 69] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.27. gss_release_cred - - OM_uint32 gss_release_cred ( - OM_uint32 * minor_status, - gss_cred_id_t * cred_handle) - - Purpose: - - Informs GSS-API that the specified credential handle is no longer - required by the application, and frees associated resources. - - Parameters: - - cred_handle gss_cred_id_t, modify, optional - Opaque handle identifying credential - to be released. If GSS_C_NO_CREDENTIAL - is supplied, the routine will complete - successfully, but will do nothing. - - minor_status Integer, modify - Mechanism specific status code. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED Credentials could not be accessed. - - - - - - - - 7.28. gss_release_name - - OM_uint32 gss_release_name ( - OM_uint32 * minor_status, - gss_name_t * name) - - Purpose: - - Free GSSAPI-allocated storage by associated with an internal-form name. 
- - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - name gss_name_t, modify - The name to be deleted - - - - Wray Document Expiration: 1 September 1997 [Page 70] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The name parameter did not contain a valid name - - - - - - - - 7.29. gss_release_oid_set - - OM_uint32 gss_release_oid_set ( - OM_uint32 * minor_status, - gss_OID_set * set) - - Purpose: - - Free storage associated with a GSSAPI-generated gss_OID_set object. The - set parameter must refer to an OID-set that was returned from a GSSAPI - routine. gss_release_oid_set() will free the storage associated with - each individual member OID, the OID set's elements array, and the - gss_OID_set_desc. - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - set Set of Object IDs, modify - The storage associated with the gss_OID_set - will be deleted. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 71] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - 7.30. gss_test_oid_set_member - - OM_uint32 gss_test_oid_set_member ( - OM_uint32 * minor_status, - const gss_OID member, - const gss_OID_set set, - int * present) - - Purpose: - - Interrogate an Object Identifier set to determine whether a specified - Object Identifier is a member. This routine is intended to be used with - OID sets returned by gss_indicate_mechs(), gss_acquire_cred(), and - gss_inquire_cred(), but will also work with user-generated sets. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - member Object ID, read - The object identifier whose presence - is to be tested. - - set Set of Object ID, read - The Object Identifier set. 
- - present Boolean, modify - non-zero if the specified OID is a member - of the set, zero if not. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - 7.31. gss_unwrap - - OM_uint32 gss_unwrap ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state) - - - - - Wray Document Expiration: 1 September 1997 [Page 72] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Purpose: - - Converts a message previously protected by gss_wrap back to a usable - form, verifying the embedded MIC. The conf_state parameter indicates - whether the message was encrypted; the qop_state parameter indicates the - strength of protection that was used to provide the confidentiality and - integrity services. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context on which the message - arrived - - input_message_buffer buffer, opaque, read - protected message - - output_message_buffer buffer, opaque, modify - Buffer to receive unwrapped message. - Storage associated with this buffer must - be freed by the application after use use - with a call to gss_release_buffer(). - - conf_state boolean, modify, optional - Non-zero - Confidentiality and integrity protection - were used - Zero - Integrity service only was used - Specify NULL if not required - - qop_state gss_qop_t, modify, optional - Quality of protection gained from MIC. 
- Specify NULL if not required - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The MIC was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct MIC - for the message, but it had already been processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct MIC for - the message, but it is too old to check for - duplication. - - - - - Wray Document Expiration: 1 September 1997 [Page 73] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC for - the message, but has been verified out of sequence; a - later token has already been received. - - GSS_S_GAP_TOKEN The token was valid, and contained a correct MIC for - the message, but has been verified out of sequence; - an earlier expected token has not yet been received. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a valid - context - - - - - - - - 7.32. gss_verify_mic - - OM_uint32 gss_verify_mic ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state) - - Purpose: - - Verifies that a cryptographic MIC, contained in the token parameter, - fits the supplied message. The qop_state parameter allows a message - recipient to determine the strength of protection that was applied to - the message. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. 
- - context_handle gss_ctx_id_t, read - Identifies the context on which the message - arrived - - message_buffer buffer, opaque, read - Message to be verified - - token_buffer buffer, opaque, read - Token associated with message - - - - - Wray Document Expiration: 1 September 1997 [Page 74] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - qop_state gss_qop_t, modify, optional - quality of protection gained from MIC - Specify NULL if not required - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The MIC was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct MIC - for the message, but it had already been processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct MIC for - the message, but it is too old to check for - duplication. - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC for - the message, but has been verified out of sequence; a - later token has already been received. - - GSS_S_GAP_TOKEN The token was valid, and contained a correct MIC for - the message, but has been verified out of sequence; - an earlier expected token has not yet been received. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a valid - context - - - - - - - - 7.33. gss_wrap - - OM_uint32 gss_wrap ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer ) - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 75] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - Purpose: - - Attaches a cryptographic MIC and optionally encrypts the specified - input_message. The output_message contains both the MIC and the - message. 
The qop_req parameter allows a choice between several - cryptographic algorithms, if supported by the chosen mechanism. - - Since some application-level protocols may wish to use tokens emitted by - gss_wrap() to provide "secure framing", implementations should support - the wrapping of zero-length messages. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context on which the message - will be sent - - conf_req_flag boolean, read - Non-zero - Both confidentiality and integrity - services are requested - Zero - Only integrity service is requested - - qop_req gss_qop_t, read, optional - Specifies required quality of protection. A - mechanism-specific default may be requested by - setting qop_req to GSS_C_QOP_DEFAULT. If an - unsupported protection strength is requested, - gss_wrap will return a major_status of - GSS_S_BAD_QOP. - - input_message_buffer buffer, opaque, read - Message to be protected - - conf_state boolean, modify, optional - Non-zero - Confidentiality, data origin - authentication and integrity - services have been applied - Zero - Integrity and data origin services only - has been applied. - Specify NULL if not required - - output_message_buffer buffer, opaque, modify - Buffer to receive protected message. - Storage associated with this message must - be freed by the application after use with - a call to gss_release_buffer(). - - Function value: GSS status code - - - - Wray Document Expiration: 1 September 1997 [Page 76] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a valid - context - - GSS_S_BAD_QOP The specified QOP is not supported by the mechanism. - - - - - - - - 7.34. 
gss_wrap_size_limit - - OM_uint32 gss_wrap_size_limit ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 * max_input_size) - - Purpose: - - Allows an application to determine the maximum message size that, if - presented to gss_wrap with the same conf_req_flag and qop_req - parameters, will result in an output token containing no more than - req_output_size bytes. - - This call is intended for use by applications that communicate over - protocols that impose a maximum message size. It enables the - application to fragment messages prior to applying protection. - - Successful completion of this call does not guarantee that gss_wrap will - be able to protect a message of length max_input_size bytes, since this - ability may depend on the availability of system resources at the time - that gss_wrap is called. However, if the implementation itself imposes - an upper limit on the length of messages that may be processed by - gss_wrap, the implementation should not return a value via - max_input_bytes that is greater than this length. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - context_handle gss_ctx_id_t, read - A handle that refers to the security over - - - - Wray Document Expiration: 1 September 1997 [Page 77] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - which the messages will be sent. - - conf_req_flag Boolean, read - Indicates whether gss_wrap will be asked - to apply confidentiality protection in - addition to integrity protection. See - the routine description for gss_wrap - for more details. - - qop_req gss_qop_t, read - Indicates the level of protection that - gss_wrap will be asked to provide. See - the routine description for gss_wrap for - more details. - - req_output_size Integer, read - The desired maximum size for tokens emitted - by gss_wrap. 
- - max_input_size Integer, modify - The maximum input message size that may - be presented to gss_wrap in order to - guarantee that the emitted token shall - be no larger than req_output_size bytes. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT The referenced context could not be accessed. - - GSS_S_CONTEXT_EXPIRED The context has expired. - - GSS_S_BAD_QOP The specified QOP is not supported by the mechanism. - - - - - - - - - - - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 78] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - APPENDIX A. GSS-API C header file gssapi.h - - C-language GSS-API implementations should include a copy of the - following header-file. - - #ifndef GSSAPI_H_ - #define GSSAPI_H_ - - - - /* - * First, include stddef.h to get size_t defined. - */ - #include - - /* - * If the platform supports the xom.h header file, it should be - * included here. - */ - #include - - - - /* - * Now define the three implementation-dependent types. - */ - typedef gss_ctx_id_t; - typedef gss_cred_id_t; - typedef gss_name_t; - - /* - * The following type must be defined as the smallest natural - * unsigned integer supported by the platform that has at least - * 32 bits of precision. - */ - typedef gss_uint32; - - - #ifdef OM_STRING - /* - * We have included the xom.h header file. Verify that OM_uint32 - * is defined correctly. - */ - - #if sizeof(gss_uint32) != sizeof(OM_uint32) - #error Incompatible definition of OM_uint32 from xom.h - #endif - - typedef OM_object_identifier gss_OID_desc, *gss_OID; - - #else - - - - Wray Document Expiration: 1 September 1997 [Page 79] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - /* - * We can't use X/Open definitions, so roll our own. 
- */ - - typedef gss_uint32 OM_uint32; - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - #endif - - typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - - /* - * For now, define a QOP-type as an OM_uint32 - */ - typedef OM_uint32 gss_qop_t; - - typedef int gss_cred_usage_t; - - /* - * Flag bits for context-level services. - */ - #define GSS_C_DELEG_FLAG 1 - #define GSS_C_MUTUAL_FLAG 2 - #define GSS_C_REPLAY_FLAG 4 - #define GSS_C_SEQUENCE_FLAG 8 - #define GSS_C_CONF_FLAG 16 - #define GSS_C_INTEG_FLAG 32 - #define GSS_C_ANON_FLAG 64 - #define GSS_C_PROT_READY_FLAG 128 - #define GSS_C_TRANS_FLAG 256 - - - - Wray Document Expiration: 1 September 1997 [Page 80] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - /* - * Credential usage options - */ - #define GSS_C_BOTH 0 - #define GSS_C_INITIATE 1 - #define GSS_C_ACCEPT 2 - - /* - * Status code types for gss_display_status - */ - #define GSS_C_GSS_CODE 1 - #define GSS_C_MECH_CODE 2 - - /* - * The constant definitions for channel-bindings address families - */ - #define GSS_C_AF_UNSPEC 0 - #define GSS_C_AF_LOCAL 1 - #define GSS_C_AF_INET 2 - #define GSS_C_AF_IMPLINK 3 - #define GSS_C_AF_PUP 4 - #define GSS_C_AF_CHAOS 5 - #define GSS_C_AF_NS 6 - #define GSS_C_AF_NBS 7 - #define GSS_C_AF_ECMA 8 - #define GSS_C_AF_DATAKIT 9 - #define GSS_C_AF_CCITT 10 - #define GSS_C_AF_SNA 11 - #define GSS_C_AF_DECnet 12 - #define GSS_C_AF_DLI 13 - #define GSS_C_AF_LAT 14 - #define GSS_C_AF_HYLINK 15 - #define GSS_C_AF_APPLETALK 16 - 
#define GSS_C_AF_BSC 17 - #define GSS_C_AF_DSS 18 - #define GSS_C_AF_OSI 19 - #define GSS_C_AF_X25 21 - - #define GSS_C_AF_NULLADDR 255 - - /* - * Various Null values - */ - #define GSS_C_NO_NAME ((gss_name_t) 0) - #define GSS_C_NO_BUFFER ((gss_buffer_t) 0) - #define GSS_C_NO_OID ((gss_OID) 0) - #define GSS_C_NO_OID_SET ((gss_OID_set) 0) - #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) - #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) - #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) - #define GSS_C_EMPTY_BUFFER {0, NULL} - - - - Wray Document Expiration: 1 September 1997 [Page 81] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - /* - * Some alternate names for a couple of the above - * values. These are defined for V1 compatibility. - */ - #define GSS_C_NULL_OID GSS_C_NO_OID - #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET - - /* - * Define the default Quality of Protection for per-message - * services. Note that an implementation that offers multiple - * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero - * (as done here) to mean "default protection", or to a specific - * explicit QOP value. However, a value of 0 should always be - * interpreted by a GSSAPI implementation as a request for the - * default protection level. - */ - #define GSS_C_QOP_DEFAULT 0 - - /* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ - #define GSS_C_INDEFINITE 0xfffffffful - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. 
- */ - extern gss_OID GSS_C_NT_USER_NAME; - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_MACHINE_UID_NAME; - - /* - - - - Wray Document Expiration: 1 September 1997 [Page 82] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. - * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_STRING_UID_NAME; - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 2(gss-host-based-services)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point - * to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. 
The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_ANONYMOUS; - - - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_EXPORT_NAME; - - - - - - Wray Document Expiration: 1 September 1997 [Page 83] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - /* Major status codes */ - - #define GSS_S_COMPLETE 0 - - /* - * Some "helper" definitions to make the status code macros obvious. - */ - #define GSS_C_CALLING_ERROR_OFFSET 24 - #define GSS_C_ROUTINE_ERROR_OFFSET 16 - #define GSS_C_SUPPLEMENTARY_OFFSET 0 - #define GSS_C_CALLING_ERROR_MASK 0377ul - #define GSS_C_ROUTINE_ERROR_MASK 0377ul - #define GSS_C_SUPPLEMENTARY_MASK 0177777ul - - /* - * The macros that test status codes for error conditions. - * Note that the GSS_ERROR() macro has changed slightly from - * the V1 GSSAPI so that it now evaluates its argument - * only once. 
- */ - #define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) - #define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) - #define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) - #define GSS_ERROR(x) \ - (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ - (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) - - - /* - * Now the actual status code definitions - */ - - /* - * Calling errors: - */ - #define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - - /* - * Routine errors: - */ - #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) - - - - Wray Document Expiration: 1 September 1997 [Page 84] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_MIC GSS_S_BAD_SIG - #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_UNAVAILABLE (16ul << 
GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) - - /* - * Supplementary info bits: - */ - #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) - #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) - #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) - #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) - #define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - - - /* - * Finally, function prototypes for the GSS-API routines. - */ - - OM_uint32 gss_acquire_cred - (OM_uint32 *, /* minor_status */ - const gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - const gss_OID_set, /* desired_mechs */ - gss_cred_usage_t, /* cred_usage */ - gss_cred_id_t *, /* output_cred_handle */ - gss_OID_set *, /* actual_mechs */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_release_cred - (OM_uint32 *, /* minor_status */ - gss_cred_id_t * /* cred_handle */ - ); - - OM_uint32 gss_init_sec_context - (OM_uint32 *, /* minor_status */ - const gss_cred_id_t, /* initiator_cred_handle */ - gss_ctx_id_t *, /* context_handle */ - - - - Wray Document Expiration: 1 September 1997 [Page 85] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - const gss_name_t, /* target_name */ - const gss_OID, /* mech_type */ - OM_uint32, /* req_flags */ - OM_uint32, /* time_req */ - const gss_channel_bindings_t, - /* input_chan_bindings */ - const gss_buffer_t, /* input_token */ - gss_OID *, /* actual_mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32 *, /* ret_flags */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_accept_sec_context - (OM_uint32 *, /* minor_status */ - gss_ctx_id_t *, /* context_handle */ - const gss_cred_id_t, /* acceptor_cred_handle */ - const gss_buffer_t, /* input_token_buffer */ - const gss_channel_bindings_t, - /* input_chan_bindings */ - 
gss_name_t *, /* src_name */ - gss_OID *, /* mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32 *, /* ret_flags */ - OM_uint32 *, /* time_rec */ - gss_cred_id_t * /* delegated_cred_handle */ - ); - - OM_uint32 gss_process_context_token - (OM_uint32 *, /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t /* token_buffer */ - ); - - OM_uint32 gss_delete_sec_context - (OM_uint32 *, /* minor_status */ - gss_ctx_id_t *, /* context_handle */ - gss_buffer_t /* output_token */ - ); - - OM_uint32 gss_context_time - (OM_uint32 *, /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_get_mic - (OM_uint32 *, /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - gss_qop_t, /* qop_req */ - const gss_buffer_t, /* message_buffer */ - - - - Wray Document Expiration: 1 September 1997 [Page 86] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - gss_buffer_t /* message_token */ - ); - - - OM_uint32 gss_verify_mic - (OM_uint32 *, /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t, /* message_buffer */ - const gss_buffer_t, /* token_buffer */ - gss_qop_t * /* qop_state */ - ); - - OM_uint32 gss_wrap - (OM_uint32 *, /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - const gss_buffer_t, /* input_message_buffer */ - int *, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - - OM_uint32 gss_unwrap - (OM_uint32 *, /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int *, /* conf_state */ - gss_qop_t * /* qop_state */ - ); - - - - OM_uint32 gss_display_status - (OM_uint32 *, /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type */ - const gss_OID, /* mech_type */ - OM_uint32 *, /* message_context */ - gss_buffer_t /* 
status_string */ - ); - - OM_uint32 gss_indicate_mechs - (OM_uint32 *, /* minor_status */ - gss_OID_set * /* mech_set */ - ); - - OM_uint32 gss_compare_name - (OM_uint32 *, /* minor_status */ - const gss_name_t, /* name1 */ - - - - Wray Document Expiration: 1 September 1997 [Page 87] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - const gss_name_t, /* name2 */ - int * /* name_equal */ - ); - - OM_uint32 gss_display_name - (OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID * /* output_name_type */ - ); - - OM_uint32 gss_import_name - (OM_uint32 *, /* minor_status */ - const gss_buffer_t, /* input_name_buffer */ - const gss_OID, /* input_name_type */ - gss_name_t * /* output_name */ - ); - - OM_uint32 gss_export_name - (OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t /* exported_name */ - ); - - OM_uint32 gss_release_name - (OM_uint32 *, /* minor_status */ - gss_name_t * /* input_name */ - ); - - OM_uint32 gss_release_buffer - (OM_uint32 *, /* minor_status */ - gss_buffer_t /* buffer */ - ); - - OM_uint32 gss_release_oid_set - (OM_uint32 *, /* minor_status */ - gss_OID_set * /* set */ - ); - - OM_uint32 gss_inquire_cred - (OM_uint32 *, /* minor_status */ - const gss_cred_id_t, /* cred_handle */ - gss_name_t *, /* name */ - OM_uint32 *, /* lifetime */ - gss_cred_usage_t *, /* cred_usage */ - gss_OID_set * /* mechanisms */ - ); - - OM_uint32 gss_inquire_context ( - OM_uint32 *, /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - - - - Wray Document Expiration: 1 September 1997 [Page 88] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - gss_name_t *, /* src_name */ - gss_name_t *, /* targ_name */ - OM_uint32 *, /* lifetime_rec */ - gss_OID *, /* mech_type */ - OM_uint32 *, /* ctx_flags */ - int *, /* locally_initiated */ - int * /* open */ - ); - - OM_uint32 gss_wrap_size_limit ( - OM_uint32 *, /* 
minor_status */ - const gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - OM_uint32, /* req_output_size */ - OM_uint32 * /* max_input_size */ - ); - - - OM_uint32 gss_add_cred ( - OM_uint32 *, /* minor_status */ - const gss_cred_id_t, /* input_cred_handle */ - const gss_name_t, /* desired_name */ - const gss_OID, /* desired_mech */ - gss_cred_usage_t, /* cred_usage */ - OM_uint32, /* initiator_time_req */ - OM_uint32, /* acceptor_time_req */ - gss_cred_id_t *, /* output_cred_handle */ - gss_OID_set *, /* actual_mechs */ - OM_uint32 *, /* initiator_time_rec */ - OM_uint32 * /* acceptor_time_rec */ - ); - - - OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 *, /* minor_status */ - const gss_cred_id_t, /* cred_handle */ - const gss_OID, /* mech_type */ - gss_name_t *, /* name */ - OM_uint32 *, /* initiator_lifetime */ - OM_uint32 *, /* acceptor_lifetime */ - gss_cred_usage_t * /* cred_usage */ - ); - - OM_uint32 gss_export_sec_context ( - OM_uint32 *, /* minor_status */ - gss_ctx_id_t *, /* context_handle */ - gss_buffer_t /* interprocess_token */ - ); - - OM_uint32 gss_import_sec_context ( - - - - Wray Document Expiration: 1 September 1997 [Page 89] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - OM_uint32 *, /* minor_status */ - const gss_buffer_t, /* interprocess_token */ - gss_ctx_id_t * /* context_handle */ - ); - - OM_uint32 gss_create_empty_oid_set ( - OM_uint32 *, /* minor_status */ - gss_OID_set * /* oid_set */ - ); - - OM_uint32 gss_add_oid_set_member ( - OM_uint32 *, /* minor_status */ - const gss_OID, /* member_oid */ - gss_OID_set * /* oid_set */ - ); - - OM_uint32 gss_test_oid_set_member ( - OM_uint32 *, /* minor_status */ - const gss_OID, /* member */ - const gss_OID_set, /* set */ - int * /* present */ - ); - - OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 *, /* minor_status */ - const gss_OID, /* mechanism */ - gss_OID_set * /* name_types */ - ); - - OM_uint32 
gss_inquire_mechs_for_name ( - OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - gss_OID_set * /* mech_types */ - ); - - OM_uint32 gss_canonicalize_name ( - OM_uint32 *, /* minor_status */ - const gss_name_t, /* input_name */ - const gss_OID, /* mech_type */ - gss_name_t * /* output_name */ - ); - - OM_uint32 gss_duplicate_name ( - OM_uint32 *, /* minor_status */ - const gss_name_t, /* src_name */ - gss_name_t * /* dest_name */ - ); - - /* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - - - - Wray Document Expiration: 1 September 1997 [Page 90] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - * provided by GSSAPI V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - * (as opposed to #defines) should be provided, both to allow - * GSSAPI V1 applications to link against GSSAPI V2 implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. 
- */ - - OM_uint32 gss_sign - (OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - - - OM_uint32 gss_verify - (OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int * /* qop_state */ - ); - - OM_uint32 gss_seal - (OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int *, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - - OM_uint32 gss_unseal - (OM_uint32 *, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int *, /* conf_state */ - int * /* qop_state */ - ); - - - - - #endif /* GSSAPI_H_ */ - - - - - - Wray Document Expiration: 1 September 1997 [Page 91] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - APPENDIX B. Additional constraints for application binary portability - - The purpose of this C-bindings document is to encourage source-level - portability of applications across GSS-API implementations on different - platforms and atop different mechanisms. Additional goals that have not - been explicitly addressed by this document are link-time and run-time - portability. - - Link-time portability provides the ability to compile an application - against one implementation of GSS-API, and then link it against a - different implementation on the same platform. It is a stricter - requirement than source-level portability. - - Run-time portability differs from link-time portability only on those - platforms that implement dynamically loadable GSS-API implementations, - but do not offer load-time symbol resolution. 
On such platforms, run- - time portability is a stricter requirement than link-time portability, - and will typically include the precise placement of the various GSS-API - routines within library entrypoint vectors. - - Individual platforms will impose their own rules that must be followed - to achieve link-time (and run-time, if different) portability. In order - to ensure either form of binary portability, an ABI specification must - be written for GSS-API implementations on that platform. However, it is - recognized that there are some issues that are likely to be common to - all such ABI specifications. This appendix is intended to be a - repository for such common issues, and contains some suggestions that - individual ABI specifications may choose to reference. Since machine - architectures vary greatly, it may not be possible or desirable to - follow these suggestions on all platforms. - - B.1. Pointers - - While ANSI-C provides a single pointer type for each declared type, plus - a single (void *) type, some platforms (notably those using segmented - memory architectures) augment this with various modified pointer types - (e.g. far pointers, near pointers). These language bindings assume - ANSI-C, and thus do not address such non-standard implementations. - GSS-API implementations for such platforms must choose an appropriate - memory model, and should use it consistently throughout. For example, - if a memory model is chosen that requires the use of far pointers when - passing routine parameters, then far pointers should also be used within - the structures defined by GSS-API. - - B.2. Internal structure alignment - - GSS-API defines several data-structures containing differently-sized - fields. An ABI specification should include a detailed description of - how the fields of such structures are aligned, and if there is any - internal padding in these data structures. The use of compiler defaults - for the platform is recommended. 
- - - - Wray Document Expiration: 1 September 1997 [Page 92] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - B.3. Handle types - - The C bindings specify that the gss_cred_id_t and gss_ctx_id_t types - should be implemented as either pointer or arithmetic types, and that if - pointer types are used, care should be taken to ensure that two handles - may be compared with the == operator. Note that ANSI-C does not - guarantee that two pointer values may be compared with the == operator - unless either the two pointers point to members of a single array, or at - least one of the pointers contains a NULL value. - - For binary portability, additional constraints are required. The - following is an attempt at defining platform-independent constraints. - - (a) The size of the handle type must be the same as sizeof(void *), - using the appropriate memory model. - - (b) The == operator for the chosen type must be a simple bit-wise - comparison. That is, for two in-memory handle objects h1 and h2, - the boolean value of the expression - - (h1 == h2) - - should always be the same as the boolean value of the expression - - (memcmp(&h1, &h2, sizeof(h1)) == 0) - - (c) The actual use of the type (void *) for handle types is - discouraged, not for binary portability reasons, but since it - effectively disables much of the compile-time type-checking that - the compiler can otherwise perform, and is therefore not - "programmer-friendly". If a pointer implementation is desired, - and if the platform's implementation of pointers permits, the - handles should be implemented as pointers to distinct - implementation-defined types. - - B.4. The gss_name_t type - - The gss_name_t type, representing the internal name object, should be - implemented as a pointer type. The use of the (void *) type is - discouraged as it does not allow the compiler to perform strong type- - checking. However, the pointer type chosen should be of the same size - as the (void *) type. 
Provided this rule is obeyed, ABI specifications - need not further constrain the implementation of gss_name_t objects. - - B.5. The int and size_t types - - Some platforms may support differently sized implementations of the - "int" and "size_t" types, perhaps chosen through compiler switches, and - perhaps dependent on memory model. An ABI specification for such a - platform should include required implementations for these types. It is - recommended that the default implementation (for the chosen memory - - - - Wray Document Expiration: 1 September 1997 [Page 93] - - - - - - - - INTERNET-DRAFT GSS-API V2 - C bindings March 1997 - - - - model, if appropriate) is chosen. - - B.6. Procedure-calling conventions - - Some platforms support a variety of different binary conventions for - calling procedures. Such conventions cover things like the format of - the stack frame, the order in which the routine parameters are pushed - onto the stack, whether or not a parameter count is pushed onto the - stack, whether some argument(s) or return values are to be passed in - registers, and whether the called routine or the caller is responsible - for removing the stack frame on return. For such platforms, an ABI - specification should specify which calling convention is to be used for - GSSAPI implementations. - - - REFERENCES - - [GSSAPI] J. Linn, "Generic Security Service Application Program - Interface, Version 2", Internet-Draft draft-ietf-cat-gssv2- - 08, 26 August 1996. (This Internet-Draft, like all other - Internet-Drafts, is not an archival document and is subject - to change or deletion. It is available at the time of this - writing by anonymous ftp from ds.internic.net, directory - internet-drafts. Would-be readers should check for successor - Internet-Draft versions or Internet RFCs before relying on - this document.) - - [XOM] OSI Object Management API Specification, Version 2.0 t", - X.400 API Association & X/Open Company Limited, August 24, - 1990. 
Specification of datatypes and routines for - manipulating information objects. - - - AUTHOR'S ADDRESS - - John Wray Internet email: Wray@tuxedo.enet.dec.com - Digital Equipment Corporation Telephone: +1-508-486-5210 - 550 King Street, LKG2-2/Z7 - Littleton, MA 01460 - USA - - - - - - - - - - - - - - - Wray Document Expiration: 1 September 1997 [Page 94] - - -
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt
deleted file mode 100644
index 208d057f24c8..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt
+++ /dev/null
@@ -1,301 +0,0 @@
-INTERNET-DRAFT Mike Swift -draft-ietf-cat-iakerb-04.txt Microsoft -Updates: RFC 1510 Jonathan Trostle -July 2000 Cisco Systems - - - Initial Authentication and Pass Through Authentication - Using Kerberos V5 and the GSS-API (IAKERB) - - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance - with all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- - Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This draft expires on January 31st, 2001. - - -1. Abstract - - This document defines an extension to the Kerberos protocol - specification (RFC 1510 [1]) and GSSAPI Kerberos mechanism (RFC - 1964 [2]) that enables a client to obtain Kerberos tickets for - services where: - - (1) The client knows its principal name and password, but not - its realm name (applicable in the situation where a user is already - on the network but needs to authenticate to an ISP, and the user - does not know his ISP realm name). - (2) The client is able to obtain the IP address of the service in - a realm which it wants to send a request to, but is otherwise unable - to locate or communicate with a KDC in the service realm or one of - the intermediate realms. (One example would be a dial up user who - does not have direct IP connectivity). - (3) The client does not know the realm name of the service. - - -2. 
Motivation - - When authenticating using Kerberos V5, clients obtain tickets from - a KDC and present them to services. This method of operation works - - well in many situations, but is not always applicable since it - requires the client to know its own realm, the realm of the target - service, the names of the KDC's, and to be able to connect to the - KDC's. - - This document defines an extension to the Kerberos protocol - specification (RFC 1510) [1] that enables a client to obtain - Kerberos tickets for services where: - - (1) The client knows its principal name and password, but not - its realm name (applicable in the situation where a user is already - on the network but needs to authenticate to an ISP, and the user - does not know his ISP realm name). - (2) The client is able to obtain the IP address of the service in - a realm which it wants to send a request to, but is otherwise unable - to locate or communicate with a KDC in the service realm or one of - the intermediate realms. (One example would be a dial up user who - does not have direct IP connectivity). - (3) The client does not know the realm name of the service. - - In this proposal, the client sends KDC request messages directly - to application servers if one of the above failure cases develops. - The application server acts as a proxy, forwarding messages back - and forth between the client and various KDC's (see Figure 1). - - - Client <---------> App Server <----------> KDC - proxies - - - Figure 1: IAKERB proxying - - - In the case where the client has sent a TGS_REQ message to the - application server without a realm name in the request, the - application server will forward an error message to the client - with its realm name in the e-data field of the error message. - The client will attempt to proceed using conventional Kerberos. - -3. When Clients Should Use IAKERB - - We list several, but possibly not all, cases where the client - should use IAKERB. 
In general, the existing Kerberos paradigm - where clients contact the KDC to obtain service tickets should - be preserved where possible. - - (a) AS_REQ cases: - - (i) The client is unable to locate the user's KDC or the KDC's - in the user's realm are not responding, or - (ii) The user has not entered a name which can be converted - into a realm name (and the realm name cannot be derived from - a certificate). - - (b) TGS_REQ cases: - - (i) the client determines that the KDC(s) in either an - intermediate realm or the service realm are not responding or - - the client is unable to locate a KDC, - - (ii) the client is not able to generate the application server - realm name. - - -4. GSSAPI Encapsulation - - The mechanism ID for IAKERB GSS-API Kerberos, in accordance with the - mechanism proposed by SPNEGO for negotiating protocol variations, is: - {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - gssapi(2) krb5(2) initialauth(4)} - - The AS request, AS reply, TGS request, and TGS reply messages are all - encapsulated using the format defined by RFC1964 [2]. This consists - of the GSS-API token framing defined in appendix B of RFC1508 [3]: - - InitialContextToken ::= - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType - -- MechType is OBJECT IDENTIFIER - -- representing "Kerberos V5" - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific; - -- ASN.1 usage within innerContextToken - -- is not required - } - - The innerContextToken consists of a 2-byte TOK_ID field (defined - below), followed by the Kerberos V5 KRB-AS-REQ, KRB-AS-REP, - KRB-TGS-REQ, or KRB-TGS-REP messages, as appropriate. The TOK_ID field - shall be one of the following values, to denote that the message is - either a request to the KDC or a response from the KDC. - - Message TOK_ID - KRB-KDC-REQ 00 03 - KRB-KDC-REP 01 03 - - -5. The Protocol - - a. 
The user supplies a password (AS_REQ): Here the Kerberos client - will send an AS_REQ message to the application server if it cannot - locate a KDC for the user's realm, or such KDC's do not respond, - or the user does not enter a name from which the client can derive - the user's realm name. The client sets the realm field of the - request equal to its own realm if the realm name is known, - otherwise the realm length is set to 0. Upon receipt of the AS_REQ - message, the application server checks if the client has included - a realm. - - If the realm was not included in the original request, the - application server must determine the realm and add it to the - AS_REQ message before forwarding it. If the application server - cannot determine the client realm, it returns the - KRB_AP_ERR_REALM_REQUIRED error-code in an error message to - the client: - - KRB_AP_ERR_REALM_REQUIRED 77 - - The error message can be sent in response to either an AS_REQ - message, or in response to a TGS_REQ message, in which case the - realm and principal name of the application server are placed - into the realm and sname fields respectively, of the KRB-ERROR - message. In the AS_REQ case, once the realm is filled in, the - application server forwards the request to a KDC in the user's - realm. It will retry the request if necessary, and forward the - KDC response back to the client. - - At the time the user enters a username and password, the client - should create a new credential with an INTERNAL NAME [3] that can - be used as an input into the GSS_Acquire_cred function call. - - This functionality is useful when there is no trust relationship - between the user's logon realm and the target realm (Figure 2). 
- - - User Realm KDC - / - / - / - / 2,3 - 1,4 / - Client<-------------->App Server - - - 1 Client sends AS_REQ to App Server - 2 App server forwards AS_REQ to User Realm KDC - 3 App server receives AS_REP from User Realm KDC - 4 App server sends AS_REP back to Client - - - Figure 2: IAKERB AS_REQ - - - - b. The user does not supply a password (TGS_REQ): The user includes a - TGT targetted at the user's realm, or an intermediate realm, in a - TGS_REQ message. The TGS_REQ message is sent to the application - server. - - If the client has included the realm name in the TGS request, then - the application server will forward the request to a KDC in the - request TGT srealm. It will forward the response back to the client. - - If the client has not included the realm name in the TGS request, - then the application server will return its realm name and principal - name to the client using the KRB_AP_ERR_REALM_REQUIRED error - described above. Sending a TGS_REQ message to the application server - without a realm name in the request, followed by a TGS request using - the returned realm name and then sending an AP request with a mutual - authentication flag should be subject to a local policy decision - (see security considerations below). Using the returned server - principal name in a TGS request followed by sending an AP request - message using the received ticket MUST NOT set any mutual - authentication flags. - - -6. Addresses in Tickets - - In IAKERB, the machine sending requests to the KDC is the server and - not the client. As a result, the client should not include its - addresses in any KDC requests for two reasons. First, the KDC may - reject the forwarded request as being from the wrong client. Second, - in the case of initial authentication for a dial-up client, the client - machine may not yet possess a network address. 
Hence, as allowed by - RFC1510 [1], the addresses field of the AS and TGS requests should be - blank and the caddr field of the ticket should similarly be left blank. - - -7. Combining IAKERB with Other Kerberos Extensions - - This protocol is usable with other proposed Kerberos extensions such as - PKINIT (Public Key Cryptography for Initial Authentication in Kerberos - [4]). In such cases, the messages which would normally be sent to the - KDC by the GSS runtime are instead sent by the client application to the - server, which then forwards them to a KDC. - - -8. Security Considerations - - A principal is identified by its principal name and realm. A client - that sends a TGS request to an application server without the request - realm name will only be able to mutually authenticate the server - up to its principal name. Thus when requesting mutual authentication, - it is preferable if clients can either determine the server realm name - beforehand, or apply some policy checks to the realm name obtained from - the returned error message. - - -9. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments 1510. - - [2] J. Linn. The Kerberos Version 5 GSS-API Mechanism. Request - for Comments 1964 - - [3] J. Linn. Generic Security Service Application Program Interface. - Request for Comments 1508 - - [4] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray, - J. Trostle, Public Key Cryptography for Initial Authentication in - Kerberos, http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos- - pkinit-10.txt. - - -10. This draft expires on January 31st, 2001. - - -11. Authors' Addresses - - Michael Swift - Microsoft - One Microsoft Way - Redmond, Washington, 98052, U.S.A. - Email: mikesw@microsoft.com - - Jonathan Trostle - 170 W. Tasman Dr. - San Jose, CA 95134, U.S.A. - Email: jtrostle@cisco.com - Phone: (408) 527-6201 
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
deleted file mode 100644
index e235bec58c02..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
+++ /dev/null
@@ -1,311 +0,0 @@
-
-
-
-
-Network Working Group M. Horowitz
- Stonecast, Inc.
-Internet-Draft August, 1998
-
- Kerberos Change Password Protocol
-
-Status of this Memo
-
- This document is an Internet-Draft. Internet-Drafts are working
- documents of the Internet Engineering Task Force (IETF), its areas,
- and its working groups. Note that other groups may also distribute
- working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as ``work in progress.''
-
- To learn the current status of any Internet-Draft, please check the
- ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
- Directories on ftp.ietf.org (US East Coast), nic.nordu.net
- (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
- Rim).
-
- Distribution of this memo is unlimited. Please send comments to the
- mailing list.
-
-Abstract
-
- The Kerberos V5 protocol [RFC1510] does not describe any mechanism
- for users to change their own passwords. In order to promote
- interoperability between workstations, personal computers, terminal
- servers, routers, and KDC's from multiple vendors, a common password
- changing protocol is required.
-
-
-
-Overview
-
- When a user wishes to change his own password, or is required to by
- local policy, a simple request of a password changing service is
- necessary. This service must be implemented on at least one host for
- each Kerberos realm, probably on one of the kdc's for that realm.
- The service must accept requests on UDP port 464 (kpasswd), and may
- accept requests on TCP port 464 as well.
-
- The protocol itself consists of a single request message followed by
- a single reply message. For UDP transport, each message must be
- fully contained in a single UDP packet.
- - - - - - - - -Horowitz [Page 1] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP-REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - message length (16 bits) - Contains the length of the message, including this field, in bytes - (big-endian integer) - protocol version number (16 bits) - Contains the hex constant 0x0001 (big-endian integer) - AP-REQ length (16 bits) - length (big-endian integer) of AP-REQ data, in bytes. - AP-REQ data, as described in RFC1510 (variable length) - This AP-REQ must be for the service principal - kadmin/changepw@REALM, where REALM is the REALM of the user who - wishes to change his password. The Ticket in the AP-REQ must be - derived from an AS request (thus having the INITIAL flag set), and - must include a subkey in the Authenticator. - KRB-PRIV message, as described in RFC1510 (variable length) - This KRB-PRIV message must be generated using the subkey in the - Authenticator in the AP-REQ data. The user-data component of the - message must consist of the user's new password. - - The server must verify the AP-REQ message, decrypt the new password, - perform any local policy checks (such as password quality, history, - authorization, etc.) required, then set the password to the new value - specified. - - The principal whose password is to be changed is the principal which - authenticated to the password changing service. This protocol does - not address administrators who want to change passwords of principal - besides their own. 
- - -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV or KRB-ERROR message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - message length (16 bits) - - - -Horowitz [Page 2] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - - Contains the length of the message, including this field, in bytes - (big-endian integer), - protocol version number (16 bits) - Contains the hex constant 0x0001 (big-endian integer) - AP-REP length (16 bits) - length of AP-REP data, in bytes. If the the length is zero, then - the last field will contain a KRB-ERROR message instead of a KRB- - PRIV message. - AP-REP data, as described in RFC1510 (variable length) - The AP-REP corresponding to the AP-REQ in the request packet. - KRB-PRIV or KRB-ERROR message, as described in RFC1510 (variable - length) - If the AP-REP length is zero, then this field contains a KRB-ERROR - message. Otherwise, it contains a KRB-PRIV message. This KRB- - PRIV message must be generated using the subkey in the - Authenticator in the AP-REQ data. - - The user-data component of the KRB-PRIV message, or e-data - component of the KRB-ERROR message, must consist of the following - data: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) - The result code must have one of the following values (big- - endian integer): - 0x0000 if the request succeeds. (This value is not permitted - in a KRB-ERROR message.) 
- 0x0001 if the request fails due to being malformed - 0x0002 if the request fails due to a "hard" error processing - the request (for example, there is a resource or other - problem causing the request to fail) - 0x0003 if the request fails due to an error in authentication - processing - 0x0004 if the request fails due to a "soft" error processing - the request (for example, some policy or other similar - consideration is causing the request to be rejected). - 0xFFFF if the request fails for some other reason. - Although only a few non-zero result codes are specified here, - the client should accept any non-zero result code as indicating - failure. - result string (variable length) - This field should contain information which the server thinks - might be useful to the user, such as feedback about policy - failures. The string must be encoded in UTF-8. It may be - omitted if the server does not wish to include it. If it is - present, the client should display the string to the user. - This field is analogous to the string which follows the numeric - code in SMTP, FTP, and similar protocols. - - - - -Horowitz [Page 3] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - -Dropped and Modified Messages - - An attacker (or simply a lossy network) could cause either the - request or reply to be dropped, or modified by substituting a KRB- - ERROR message in the reply. - - If a request is dropped, no modification of the password/key database - will take place. If a reply is dropped, the server will (assuming a - valid request) make the password change. However, the client cannot - distinguish between these two cases. - - In this situation, the client should construct a new authenticator, - re-encrypt the request, and retransmit. If the original request was - lost, the server will treat this as a valid request, and the password - will be changed normally. 
If the reply was lost, then the server - should take care to notice that the request was a duplicate of the - prior request, because the "new" password is the current password, - and the password change time is within some implementation-defined - replay time window. The server should then return a success reply - (an AP-REP message with result code == 0x0000) without actually - changing the password or any other information (such as modification - timestamps). - - If a success reply was replaced with an error reply, then the - application performing the request would return an error to the user. - In this state, the user's password has been changed, but the user - believes that it has not. If the user attempts to change the - password again, this will probably fail, because the user cannot - successfully provide the old password to get an INITIAL ticket to - make the request. This situation requires administrative - intervention as if a password was lost. This situation is, - unfortunately, impossible to prevent. - - -Security Considerations - - This document deals with changing passwords for Kerberos. Because - Kerberos is used for authentication and key distribution, it is - important that this protocol use the highest level of security - services available to a particular installation. Mutual - authentication is performed, so that the server knows the request is - valid, and the client knows that the request has been received and - processed by the server. - - There are also security issues relating to dropped or modified - messages which are addressed explicitly. - - -References - - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - - - - -Horowitz [Page 4] - -Internet Draft Kerberos Change Password Protocol August, 1998 - - -Author's Address - - Marc Horowitz - Stonecast, Inc. 
- 108 Stow Road - Harvard, MA 01451 - - Phone: +1 978 456 9103 - Email: marc@stonecast.net - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz [Page 5] - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt deleted file mode 100644 index 2583a84da0a4..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt +++ /dev/null 
@@ -1,127 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Horowitz
- Cygnus Solutions
-Internet-Draft November, 1996
-
-
- Triple DES with HMAC-SHA1 Kerberos Encryption Type
-
-Status of this Memo
-
- This document is an Internet-Draft. Internet-Drafts are working
- documents of the Internet Engineering Task Force (IETF), its areas,
- and its working groups. Note that other groups may also distribute
- working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as ``work in progress.''
-
- To learn the current status of any Internet-Draft, please check the
- ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
- Directories on ds.internic.net (US East Coast), nic.nordu.net
- (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
- Rim).
-
- Distribution of this memo is unlimited. Please send comments to the
- mailing list.
-
-Abstract
-
- This document defines a new encryption type and a new checksum type
- for use with Kerberos V5 [RFC1510]. This encryption type is based on
- the Triple DES cryptosystem and the HMAC-SHA1 [Krawczyk96] message
- authentication algorithm.
-
- The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
- The hmac-sha1-des3 checksum type has been assigned the value 12.
-
-
-Encryption Type des3-cbc-hmac-sha1
-
- EncryptedData using this type must be generated as described in
- [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC
- mode. The keyed hash algorithm is HMAC-SHA1. Unless otherwise
- specified, a zero IV must be used. If the length of the input data
- is not a multiple of the block size, zero octets must be used to pad
- the plaintext to the next eight-octet boundary. The counfounder must
- be eight random octets (one block).
- - -Checksum Type hmac-sha1-des3 - - Checksums using this type must be generated as described in - [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. - - - -Horowitz [Page 1] - -Internet Draft Kerberos Triple DES with HMAC-SHA1 November, 1996 - - -Common Requirements - - Where the Triple DES key is represented as an EncryptionKey, it shall - be represented as three DES keys, with parity bits, concatenated - together. The key shall be represented with the most significant bit - first. - - When keys are generated by the derivation function, a key length of - 168 bits shall be used. The output bit string will be converted to a - valid Triple DES key by inserting DES parity bits after every seventh - bit. - - Any implementation which implements either of the encryption or - checksum types in this document must support both. - - -Security Considerations - - This entire document defines encryption and checksum types for use - with Kerberos V5. - - -References - - [Horowitz96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-00.txt, November 1996. - [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network - Authentication Service (V5)", RFC 1510, September 1993. - - -Author's Address - - Marc Horowitz - Cygnus Solutions - 955 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 354 7688 - Email: marc@cygnus.com - - - - - - - - - - - - - - - -Horowitz [Page 2] - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt deleted file mode 100644 index 46a415852706..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt +++ /dev/null 
@@ -1,250 +0,0 @@ - - - - - -Network Working Group M. Horowitz - Cygnus Solutions -Internet-Draft November, 1996 - - - Key Derivation for Kerberos V5 - -Status of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as ``work in progress.'' - - To learn the current status of any Internet-Draft, please check the - ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow - Directories on ds.internic.net (US East Coast), nic.nordu.net - (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific - Rim). - - Distribution of this memo is unlimited. Please send comments to the - mailing list. - -Abstract - - In the Kerberos protocol [RFC1510], cryptographic keys are used in a - number of places. In order to minimize the effect of compromising a - key, it is desirable to use a different key for each of these places. - Key derivation [Horowitz96] can be used to construct different keys - for each operation from the keys transported on the network. For - this to be possible, a small change to the specification is - necessary. - - -Overview - - Under RFC1510 as stated, key derivation could be specified as a set - of encryption types which share the same key type. The constant for - each derivation would be a function of the encryption type. However, - it is generally accepted that, for interoperability, key types and - encryption types must map one-to-one onto each other. (RFC 1510 is - being revised to address this issue.) 
Therefore, to use key - derivcation with Kerberos V5 requires a small change to the - specification. - - For each place where a key is used in Kerberos, a ``key usage'' must - be specified for that purpose. The key, key usage, and - encryption/checksum type together describe the transformation from - plaintext to ciphertext, or plaintext to checksum. For backward - - - -Horowitz [Page 1] - -Internet Draft Key Derivation for Kerberos V5 November, 1996 - - - compatibility, old encryption types would be defined independently of - the key usage. - - -Key Usage Values - - This is a complete list of places keys are used in the kerberos - protocol, with key usage values and RFC 1510 section numbers: - - 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) - 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the service key - (section 5.4.2) - 3. AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) - - 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) - 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) - 8. TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) - 9. TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) - - 10. AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) - 11. 
AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) - 12. AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) - - 13. KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) - 14. KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.6.1) - 15. KRB-SAVE cksum, keyed with a key chosen by the application - (section 5.8.1) - - 16. Data which is defined in some specification outside of - Kerberos to be encrypted using an RFC1510 encryption type. - 17. Data which is defined in some specification outside of - Kerberos to be checksummed using an RFC1510 checksum type. - - A few of these key usages need a little clarification. A service - which receives an AP-REQ has no way to know if the enclosed Ticket - was part of an AS-REP or TGS-REP. Therefore, key usage 2 must always - - - -Horowitz [Page 2] - -Internet Draft Key Derivation for Kerberos V5 November, 1996 - - - be used for generating a Ticket, whether it is in response to an AS- - REQ or TGS-REQ. - - There might exist other documents which define protocols in terms of - the RFC1510 encryption types or checksum types. Such documents would - not know about key usages. In order that these documents continue to - be meaningful until they are updated, key usages 16 and 17 must be - used to derive keys for encryption and checksums, respectively. New - protocols defined in terms of the Kerberos encryption and checksum - types should use their own key usages. Key usages may be registered - with IANA to avoid conflicts. Key usages shall be unsigned 32 bit - integers. Zero is not permitted. - - -Defining Cryptosystems Using Key Derivation - - Kerberos requires that the ciphertext component of EncryptedData be - tamper-resistant as well as confidential. 
This implies encryption - and integrity functions, which must each use their own separate keys. - So, for each key usage, two keys must be generated, one for - encryption (Ke), and one for integrity (Ki): - - Ke = DK(protocol key, key usage | 0xAA) - Ki = DK(protocol key, key usage | 0x55) - - where the key usage is represented as a 32 bit integer in network - byte order. The ciphertest must be generated from the plaintext as - follows: - - ciphertext = E(Ke, confounder | length | plaintext | padding) | - H(Ki, confounder | length | plaintext | padding) - - The confounder and padding are specific to the encryption algorithm - E. - - When generating a checksum only, there is no need for a confounder or - padding. Again, a new key (Kc) must be used. Checksums must be - generated from the plaintext as follows: - - Kc = DK(protocol key, key usage | 0x99) - - MAC = H(Kc, length | plaintext) - - Note that each enctype is described by an encryption algorithm E and - a keyed hash algorithm H, and each checksum type is described by a - keyed hash algorithm H. HMAC, with an appropriate hash, is - recommended for use as H. - - -Security Considerations - - This entire document addresses shortcomings in the use of - cryptographic keys in Kerberos V5. - - - - -Horowitz [Page 3] - -Internet Draft Key Derivation for Kerberos V5 November, 1996 - - -Acknowledgements - - I would like to thank Uri Blumenthal, Sam Hartman, and Bill - Sommerfeld for their contributions to this document. - - -References - - [Horowitz96] Horowitz, M., "Key Derivation for Authentication, - Integrity, and Privacy", draft-horowitz-key-derivation-00.txt, - November 1996. [RFC1510] Kohl, J. and Neuman, C., "The Kerberos - Network Authentication Service (V5)", RFC 1510, September 1993. 
- - -Author's Address - - Marc Horowitz - Cygnus Solutions - 955 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 354 7688 - Email: marc@cygnus.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz [Page 4] - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt deleted file mode 100644 index c5e4d05e7e3e..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt +++ /dev/null 
@@ -1,252 +0,0 @@ - -INTERNET-DRAFT Ari Medvinsky -draft-ietf-cat-kerberos-err-msg-00.txt Matt Hur -Updates: RFC 1510 Dominique Brezinski -expires September 30, 1997 CyberSafe Corporation - Gene Tsudik - Brian Tung - ISI - -Integrity Protection for the Kerberos Error Message - -0. Status Of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - To learn the current status of any Internet-Draft, please check - the "1id-abstracts.txt" listing contained in the Internet-Drafts - Shadow Directories on ds.internic.net (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-init-03.txt, and expires June xx, 1997. - Please send comments to the authors. - -1. Abstract - - The Kerberos error message, as defined in RFC 1510, is transmitted - to the client without any integrity assurance. Therefore, the - client has no means to distinguish between a valid error message - sent from the KDC and one sent by an attacker. This draft describes - a method for assuring the integrity of Kerberos error messages, and - proposes a consistent format for the e-data field in the KRB_ERROR - message. This e-data format enables the storage of cryptographic - checksums by providing an extensible mechanism for specifying e-data - types. - - -2. 
Motivation - - In the Kerberos protocol [1], if an error occurs for AS_REQ, - TGS_REQ, or AP_REQ, a clear text error message is returned to the - client. An attacker may exploit this vulnerability by sending a - false error message as a reply to any of the above requests. For - example, an attacker may send the KDC_ERR_KEY_EXPIRED error message - in order to force a user to change their password in hope that the - new key will not be as strong as the current key, and thus, easier - to break. - - Since false error messages may be utilized by an attacker, a - Kerberos client should have a means for determining how much trust - to place in a given error message. The rest of this draft - describes a method for assuring the integrity of Kerberos error - messages. - - -3. Approach - - We propose taking a cryptographic checksum over the entire KRB-ERROR - message. This checksum would be returned as part of the error - message and would enable the client to verify the integrity of the - error message. For interoperability reasons, no new fields are - added to the KRB-ERROR message. Instead, the e-data field (see - figure 1) is utilized to carry the cryptographic checksum. - - -3.1 Cryptographic checksums in error messages for AS_REQ, - TGS_REQ & AP_REQ - - If an error occurs for the AS request, the only key that is - available to the KDC is the shared secret (the key derived from the - clients password) registered in the KDCs database. The KDC will - use this key to sign the error message, if and only if, the client - already proved knowledge of the shared secret in the AS request - (e.g. via PA-ENC-TIMESTAMP in preauth data). This policy is needed - to prevent an attacker from getting the KDC to send a signed error - message and then launching an off-line attack in order to obtain a - key of a given principal. 
- - If an error occurs for a TGS or an AP request, the server will use - the session key sealed in the clients ticket granting ticket to - compute the checksum over the error message. If the checksum could - not be computed (e.g. error while decrypting the ticket) the error - message is returned to the client without the checksum. The client - then has the option to treat unprotected error messages differently. - - - KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno [0] integer, - msg-type [1] integer, - ctime [2] KerberosTime OPTIONAL, - cusec [3] INTEGER OPTIONAL, - stime [4] KerberosTime, - susec [5] INTEGER, - error-code [6] INTEGER, - crealm [7] Realm OPTIONAL, - cname [8] PrincipalName OPTIONAL, - realm [9] Realm, --Correct realm - sname [10] PrincipalName, --Correct name - e-text [11] GeneralString OPTIONAL, - e-data [12] OCTET STRING OPTIONAL - } - Figure 1 - - -3.2 Format of the e-data field - - We propose to place the cryptographic checksum in the e-data field. - First, we review the format of the e-data field, as specified in - RFC 1510. The format of e-data is specified only in two cases [2]. - "If the error code is KDC_ERR_PREAUTH_REQUIRED, then the e-data - field will contain an encoding of a sequence of padata fields": - - METHOD-DATA ::= SEQUENCE of PA-DATA - PA-DATA ::= SEQUENCE { - padata-type [1] INTEGER, - padata-value [2] OCTET STRING - } - - The second case deals with the KRB_AP_ERR_METHOD error code. The - e-data field will contain an encoding of the following sequence: - - METHOD-DATA ::= SEQUENCE { - method-type [0] INTEGER, - method-data [1] OCTET STRING OPTIONAL - } - - method-type indicates the required alternate authentication method. - - It should be noted that, in the case of KRB_AP_ERR_METHOD, a signed - checksum is not returned as part of the error message, since the - error code indicates that the Kerberos credentials provided in the - AP_REQ message are unacceptable. 
- - We propose that the e-data field have the following format for all - error-codes (except KRB_AP_ERR_METHOD): - - E-DATA ::= SEQUENCE { - data-type [1] INTEGER, - data-value [2] OCTET STRING, - } - - The data-type field specifies the type of information that is - carried in the data-value field. Thus, to send a cryptographic - checksum back to the client, the data-type is set to CHECKSUM, the - data-value is set to the ASN.1 encoding of the following sequence: - - Checksum ::= SEQUENCE { - cksumtype [0] INTEGER, - checksum [1] OCTET STRING - } - - -3.3 Computing the checksum - - After the error message is filled out, the error structure is - converted into ASN.1 representation. A cryptographic checksum is - then taken over the encoded error message; the result is placed in - the error message structure, as the last item in the e-data field. - To send the error message, ASN.1 encoding is again performed over - the error message, which now includes the cryptographic checksum. - - -3.4 Verifying the integrity of the error message - - In addition to verifying the cryptographic checksum for the error - message, the client must verify that the error message is bound to - its request. This is done by comparing the ctime field in the - error message to its counterpart in the request message. - - -4. E-DATA types - - Since the e-data types must not conflict with preauthentication data - types, we propose that the preauthentication data types in the range - of 2048 and above be reserved for use as e-data types. - - We define the following e-data type in support of integrity checking - for the Kerberos error message: - - CHECKSUM = 2048 -- the keyed checksum described above - - -5. Discussion - - -5.1 e-data types - - The extension for Kerberos error messages, as outlined above, is - extensible to allow for definition of other error data types. 
- We propose that the following e-data types be reserved:
-
- KDCTIME = 2049
- The error data would consist of the KDCs time in KerberosTime.
- This data would be used by the client to adjust for clock skew.
-
- REDIRECT = 2050
- The error data would consist of a hostname. The hostname would
- indicate the authoritative KDC from which to obtain a TGT.
-
-
-5.2 e-data types vs. error code specific data formats
-
- Since RFC 1510 does not define an error data type, the data format
- must be explicitly specified for each error code. This draft has
- proposed an extension to RFC 1510 that would introduce the concept
- of error data types. This would allow for a manageable set of data
- types to be used for any error message. The authors assume that
- the introduction of this e-data structure will not break any
- existing Kerberos implementations.
-
-
-6. Bibliography
-
- [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
- Service (V5). Request for Comments: 1510
- [2] J. Kohl, C. Neuman. The Kerberos Network Authentication
- Service (V5). Request for Comments: 1510 p.67
-
-
-7. Authors
-
- Ari Medvinsky
- Matthew Hur
- Dominique Brezinski
-
- CyberSafe Corporation
- 1605 NW Sammamish Road
- Suite 310
- Issaquah, WA 98027-5378
- Phone: (206) 391-6000
- Fax: (206) 391-0508
- http:/www.cybersafe.com
-
-
- Brian Tung
- Gene Tsudik
-
- USC Information Sciences Institute
- 4676 Admiralty Way Suite 1001
- Marina del Rey CA 90292-6695
- Phone: (310) 822-1511
-
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt
deleted file mode 100644
index b3ec336b6513..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt
+++ /dev/null
@@ -1,174 +0,0 @@
-INTERNET-DRAFT Jonathan Trostle
-draft-ietf-cat-kerberos-extra-tgt-02.txt Cisco Systems
-Updates: RFC 1510 Michael M. Swift
-expires January 30, 2000 University of WA
-
-
- Extension to Kerberos V5 For Additional Initial Encryption
-
-0. Status Of This Memo
-
- This document is an Internet-Draft and is in full conformance
- with all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-
- Drafts as reference material or to cite them other than as
- "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-1. Abstract
-
- This document defines an extension to the Kerberos protocol
- specification (RFC 1510) [1] to enable a preauthentication field in
- the AS_REQ message to carry a ticket granting ticket. The session
- key from this ticket granting ticket will be used to
- cryptographically strengthen the initial exchange in either the
- conventional Kerberos V5 case or in the case the user stores their
- encrypted private key on the KDC [2].
-
-
-2. Motivation
-
- In Kerberos V5, the initial exchange with the KDC consists of the
- AS_REQ and AS_REP messages. For users, the encrypted part of the
- AS_REP message is encrypted in a key derived from a password.
- Although a password policy may be in place to prevent dictionary
- attacks, brute force attacks may still be a concern due to
- insufficient key length.
-
- This draft specifies an extension to the Kerberos V5 protocol to
- allow a ticket granting ticket to be included in an AS_REQ message
- preauthentication field. The session key from this ticket granting
- ticket will be used to cryptographically strengthen the initial
-
- exchange in either the conventional Kerberos V5 case or in the case
- the user stores their encrypted private key on the KDC [2]. The
- session key from the ticket granting ticket is combined with the
- user password key (key K2 in the encrypted private key on KDC
- option) using HMAC to obtain a new triple des key that is used in
- place of the user key in the initial exchange. The ticket granting
- ticket could be obtained by the workstation using its host key.
-
-3. The Extension
-
- The following new preauthentication type is proposed:
-
- PA-EXTRA-TGT 22
-
- The preauthentication-data field contains a ticket granting ticket
- encoded as an ASN.1 octet string. The server realm of the ticket
- granting ticket must be equal to the realm in the KDC-REQ-BODY of
- the AS_REQ message. In the absence of a trust relationship, the
- local Kerberos client should send the AS_REQ message without this
- extension.
-
- In the conventional (non-pkinit) case, we require the RFC 1510
- PA-ENC-TIMESTAMP preauthentication field in the AS_REQ message.
- If neither it or the PA-PK-KEY-REQ preauthentication field is
- included in the AS_REQ message, the KDC will reply with a
- KDC_ERR_PREAUTH_FAILED error message.
-
- We propose the following new etypes:
-
- des3-cbc-md5-xor 16
- des3-cbc-sha1-xor 17
-
- The encryption key is obtained by:
-
- (1) Obtaining an output M from the HMAC-SHA1 function [3] using
- the user password key (the key K2 in the encrypted private
- key on KDC option of pkinit) as the text and the triple des
- session key as the K input in HMAC:
-
- M = H(K XOR opad, H(K XOR ipad, text)) where H = SHA1.
-
- The session key from the accompanying ticket granting ticket
- must be a triple des key when one of the triple des xor
- encryption types is used.
- (2) Concatenate the output M (20 bytes) with the first 8 non-parity
- bits of the triple-des ticket granting ticket session key to
- get 168 bits that will be used for the new triple-des encryption
- key.
- (3) Set the parity bits of the resulting key.
-
- The resulting triple des key is used to encrypt the timestamp
- for the PA-ENC-TIMESTAMP preauthentication value (or in the
- encrypted private key on KDC option of pkinit, it is used in
- place of the key K2 to both sign in the PA-PK-KEY-REQ and for
- encryption in the PA-PK-KEY-REP preauthentication types).
-
- If the KDC decrypts the encrypted timestamp and it is not within
- the appropriate clock skew period, the KDC will reply with the
- KDC_ERR_PREAUTH_FAILED error. The same error will also be sent if
- the above ticket granting ticket fails to decrypt properly, or if
- it is not a valid ticket.
-
- The KDC will create the shared triple des key from the ticket
- granting ticket session key and the user password key (the key K2
- in the encrypted private key on KDC case) using HMAC as specified
- above and use it to validate the AS_REQ message and then to
- encrypt the encrypted part of the AS_REP message (use it in place
- of the key K2 for encryption in the PA-PK-KEY-REP preauthentication
- field).
-
- Local workstation policy will determine the exact behaviour of
- the Kerberos client with respect to the extension protocol. For
- example, the client should consult policy to decide when to use
- use the extension. This policy could be dependent on the user
- identity, or whether the workstation is in the same realm as the
- user. One possibility is for the workstation logon to fail if
- the extension is not used. Another possibility is for the KDC
- to set a flag in tickets issued when this extension is used.
-
- A similar idea was proposed in OSF DCE RFC 26.0 [4]; there a
- preauthentication field containing a ticket granting ticket,
- a randomly generated subkey encrypted in the session key from
- the ticket, and a timestamp structure encrypted in the user
- password and then the randomly generated subkey was proposed.
- Some advantages of the current proposal are that the KDC has two
- fewer decryptions to perform per request and the client does not
- have to generate a random key.
-
-4. Bibliography
-
- [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
- Service (V5). Request for Comments 1510.
-
- [2] B. Tung, C. Neuman, J. Wray, A. Medvinsky, M. Hur, J. Trostle.
- Public Key Cryptography for Initial Authentication in Kerberos.
- ftp://ds.internic.net/internet-drafts/
- draft-ietf-cat-kerberos-pkinit-08.txt
-
- [3] H. Krawczyk, M. Bellare, R. Canetti. HMAC: Keyed-Hashing for
- Message Authentication. Request for Comments 2104.
-
- [4] J. Pato. Using Pre-authentication to Avoid Password Guessing
- Attacks. OSF DCE SIG Request for Comments 26.0.
-
-5. Acknowledgement: We thank Ken Hornstein for some helpful comments.
-
-6. Expires January 30, 2000.
-
-7. Authors' Addresses
-
- Jonathan Trostle
- 170 W. Tasman Dr.
- San Jose, CA 95134, U.S.A.
-
- Email: jtrostle@cisco.com
- Phone: (408) 527-6201
-
- Michael Swift
- Email: mikesw@cs.washington.edu
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt
deleted file mode 100644
index d09a2ded5bc5..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-This Internet-Draft has expired and is no longer available.
-
-Unrevised documents placed in the Internet-Drafts directories have a
-maximum life of six months. After that time, they must be updated, or
-they will be deleted. This document was deleted on March 20, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
deleted file mode 100644
index 4b193c57390c..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
+++ /dev/null
@@ -1,282 +0,0 @@ -INTERNET-DRAFT Brian Tung -draft-ietf-cat-kerberos-pk-cross-01.txt Tatyana Ryutov -Updates: RFC 1510 Clifford Neuman -expires September 30, 1997 Gene Tsudik - ISI - Bill Sommerfeld - Hewlett-Packard - Ari Medvinsky - Matthew Hur - CyberSafe Corporation - - - Public Key Cryptography for Cross-Realm Authentication in Kerberos - - -0. Status Of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as ``work in - progress.'' - - To learn the current status of any Internet-Draft, please check - the ``1id-abstracts.txt'' listing contained in the Internet-Drafts - Shadow Directories on ds.internic.net (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-cross-01.txt, and expires September 30, - 1997. Please send comments to the authors. - - -1. Abstract - - This document defines extensions to the Kerberos protocol - specification (RFC 1510, "The Kerberos Network Authentication - Service (V5)", September 1993) to provide a method for using - public key cryptography during cross-realm authentication. The - methods defined here specify the way in which message exchanges - are to be used to transport cross-realm secret keys protected by - encryption under public keys certified as belonging to KDCs. - - -2. 
Motivation - - The advantages provided by public key cryptography--ease of - recoverability in the event of a compromise, the possibility of - an autonomous authentication infrastructure, to name a few--have - produced a demand for use by Kerberos authentication protocol. A - draft describing the use of public key cryptography in the initial - authentication exchange in Kerberos has already been submitted. - This draft describes its use in cross-realm authentication. - - The principal advantage provided by public key cryptography in - cross-realm authentication lies in the ability to leverage the - existing public key infrastructure. It frees the Kerberos realm - administrator from having to maintain separate keys for each other - realm with which it wishes to exchange authentication information, - or to utilize a hierarchical arrangement, which may pose problems - of trust. - - Even with the multi-hop cross-realm authentication, there must be - some way to locate the path by which separate realms are to be - transited. The current method, which makes use of the DNS-like - realm names typical to Kerberos, requires trust of the intermediate - KDCs. - - The methods described in this draft allow a realm to specify, at - the time of authentication, which certification paths it will - trust. A shared key for cross-realm authentication can be - established, for a period of time. Furthermore, these methods are - transparent to the client, so that only the KDC's need to be - modified to use them. - - It is not necessary to implement the changes described in the - "Public Key Cryptography for Initial Authentication" draft to make - use of the changes in this draft. We solicit comments about the - interaction between the two protocol changes, but as of this - writing, the authors do not perceive any obstacles to using both. - - -3. Protocol Amendments - - We assume that the user has already obtained a TGT. 
To perform - cross-realm authentication, the user sends a request to the local - KDC as per RFC 1510. If the two realms share a secret key, then - cross-realm authentication proceeds as usual. Otherwise, the - local KDC may attempt to establish a shared key with the remote - KDC using public key cryptography, and exchange this key through - the cross-realm ticket granting ticket. - - We will consider the specific channel on which the message - exchanges take place in Section 5 below. - - -3.1. Changes to the Cross-Realm Ticket Granting Ticket - - In order to avoid the need for changes to the "installed base" of - Kerberos application clients and servers, the only protocol change - is to the way in which cross-realm ticket granting tickets (TGTs) - are encrypted; as these tickets are opaque to clients and servers, - the only change visible to them will be the increased size of the - tickets. - - Cross-realm TGTs are granted by a local KDC to authenticate a user - to a remote KDC's ticket granting service. In standard Kerberos, - they are encrypted using a shared secret key manually configured - into each KDC. - - In order to incorporate public key cryptography, we define a new - encryption type, "ENCTYPE_PK_CROSS". 
Operationally, this encryption - type transforms an OCTET STRING of plaintext (normally an EncTktPart) - into the following SEQUENCE: - - PKCrossOutput ::= SEQUENCE { - certificate [0] OCTET STRING OPTIONAL, - -- public key certificate - -- of local KDC - encSharedKey [1] EncryptedData, - -- of type EncryptionKey - -- containing random symmetric key - -- encrypted using public key - -- of remote KDC - sigSharedKey [2] Signature, - -- of encSharedKey - -- using signature key - -- of local KDC - pkEncData [3] EncryptedData, - -- (normally) of type EncTktPart - -- encrypted using encryption key - -- found in encSharedKey - } - - PKCROSS operates as follows: when a client submits a request for - cross-realm authentication, the local KDC checks to see if it has - a long-term shared key established for that realm. If so, it uses - this key as per RFC 1510. - - If not, it sends a request for information to the remote KDC. The - content of this message is immaterial, as it does not need to be - processed by the remote KDC; for the sake of consistency, we define - it as follows: - - RemoteRequest ::= [APPLICATION 41] SEQUENCE { - nonce [0] INTEGER - } - - The remote KDC replies with a list of all trusted certifiers and - all its (the remote KDC's) certificates. 
We note that this response - is universal and does not depend on which KDC makes the request: - - RemoteReply ::= [APPLICATION 42] SEQUENCE { - trustedCertifiers [0] SEQUENCE OF PrincipalName, - certificates[1] SEQUENCE OF Certificate, - encTypeToUse [1] SEQUENCE OF INTEGER - -- encryption types usable - -- for encrypting pkEncData - } - - Certificate ::= SEQUENCE { - CertType [0] INTEGER, - -- type of certificate - -- 1 = X.509v3 (DER encoding) - -- 2 = PGP (per PGP draft) - CertData [1] OCTET STRING - -- actual certificate - -- type determined by CertType - } -- from pk-init draft - - Upon receiving this reply, the local KDC determines whether it has - a certificate the remote KDC trusts, and whether the remote KDC has - a certificate the local KDC trusts. If so, it issues a ticket - encrypted using the ENCTYPE_PK_CROSS encryption type defined above. - - -3.2. Profile Caches - - We observe that using PKCROSS as specified above requires two - private key operations: a signature generation by the local KDC and - a decryption by the remote KDC. This cost can be reduced in the - long term by judicious caching of the encSharedKey and the - sigSharedKey. - - Let us define a "profile" as the encSharedKey and sigSharedKey, in - conjunction with the associated remote realm name and decrypted - shared key (the key encrypted in the encSharedKey). - - To optimize these interactions, each KDC maintains two caches, one - for outbound profiles and one for inbound profiles. When generating - an outbound TGT for another realm, the local KDC first checks to see - if the corresponding entry exists in the outbound profile cache; if - so, it uses its contents to form the first three fields of the - PKCrossOutput; the shared key is used to encrypt the data for the - fourth field. If not, the components are generated fresh and stored - in the outbound profile cache. - - Upon receipt of the TGT, the remote realm checks its inbound profile - cache for the corresponding entry. 
If it exists, then it uses the - contents of the entry to decrypt the data encrypted in the pkEncData. - If not, then it goes through the full process of verifying and - extracting the shared key; if this is successful, then a new entry - is created in the inbound profile cache. - - The inbound profile cache should support multiple entries per realm, - in the event that the initiating realm is replicated. - - -4. Finding Realms Supporting PKCROSS - - If either the local realm or the destination realm does not support - PKCROSS, or both do not, the mechanism specified in Section 3 can - still be used in obtaining the desired remote TGT. - - In the reference Kerberos implementations, the default behavior is - to traverse a path up and down the realm name hierarchy, if the - two realms do not share a key. There is, however, the possibility - of using cross links--i.e., keys shared between two realms that - are non-contiguous in the realm name hierarchy--to shorten the - path, both to minimize delay and the number of intermediate realms - that need to be trusted. - - PKCROSS can be used as a way to provide cross-links even in the - absence of shared keys. If the client is aware that one or two - intermediate realms support PKCROSS, then a combination of - PKCROSS and conventional cross-realm authentication can be used - to reach the final destination realm. - - We solicit discussion on the best methods for clients and KDCs to - determine or advertise support for PKCROSS. - - -5. Message Ports - - We have not specified the port on which KDCs supporting PKCROSS - should listen to receive the request for information messages noted - above. We solicit discussion on which port should be used. We - propose to use the standard Kerberos ports (well-known 88 or 750), - but another possibility is to use a completely different port. 
- - We also solicit discussion on what other approaches can be taken to - obtain the information in the RemoteReply (e.g., secure DNS or some - other repository). - - -6. Expiration Date - - This Internet-Draft will expire on September 30, 1997. - - -7. Authors' Addresses - - Brian Tung - Tatyana Ryutov - Clifford Neuman - Gene Tsudik - USC/Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey, CA 90292-6695 - Phone: +1 310 822 1511 - E-Mail: {brian, tryutov, bcn, gts}@isi.edu - - Bill Sommerfeld - Hewlett Packard - 300 Apollo Drive - Chelmsford MA 01824 - Phone: +1 508 436 4352 - E-Mail: sommerfeld@apollo.hp.com - - Ari Medvinsky - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road Suite 310 - Issaquah WA 98027-5378 - Phone: +1 206 391 6000 - E-mail: {ari.medvinsky, matt.hur}@cybersafe.com diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt deleted file mode 100644 index 1ab2b03e079d..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt +++ /dev/null 
@@ -1,523 +0,0 @@ - -INTERNET-DRAFT Matthew Hur -draft-ietf-cat-kerberos-pk-cross-06.txt CyberSafe Corporation -Updates: RFC 1510 Brian Tung -expires October 10, 2000 Tatyana Ryutov - Clifford Neuman - Gene Tsudik - ISI - Ari Medvinsky - Keen.com - Bill Sommerfeld - Hewlett-Packard - - - Public Key Cryptography for Cross-Realm Authentication in Kerberos - - -0. Status Of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC 2026. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), - its areas, and its working groups. Note that other groups may - also distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as ``work in - progress.'' - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - - - To learn the current status of any Internet-Draft, please check - the ``1id-abstracts.txt'' listing contained in the Internet-Drafts - Shadow Directories on ftp.ietf.org (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-cross-06.txt, and expires May 15, 1999. - Please send comments to the authors. - - -1. Abstract - - This document defines extensions to the Kerberos protocol - specification [1] to provide a method for using public key - cryptography to enable cross-realm authentication. 
The methods - defined here specify the way in which message exchanges are to be - used to transport cross-realm secret keys protected by encryption - under public keys certified as belonging to KDCs. - - -2. Introduction - - The Kerberos authentication protocol [2] can leverage the - advantages provided by public key cryptography. PKINIT [3] - describes the use of public key cryptography in the initial - authentication exchange in Kerberos. PKTAPP [4] describes how an - application service can essentially issue a kerberos ticket to - itself after utilizing public key cryptography for authentication. - Another informational document species the use of public key - crypography for anonymous authentication in Kerberos [5]. This - specification describes the use of public key crpytography in cross- - realm authentication. - - Without the use of public key cryptography, administrators must - maintain separate keys for every realm which wishes to exchange - authentication information with another realm (which implies n(n-1) - keys), or they must utilize a hierachichal arrangement of realms, - which may complicate the trust model by requiring evaluation of - transited realms. - - Even with the multi-hop cross-realm authentication, there must be - some way to locate the path by which separate realms are to be - transited. The current method, which makes use of the DNS-like - realm names typical to Kerberos, requires trust of the intermediate - KDCs. - - PKCROSS utilizes a public key infrastructure (PKI) [6] to simplify - the administrative burden of maintaining cross-realm keys. Such - usage leverages a PKI for a non-centrally-administratable environment - (namely, inter-realm). Thus, a shared key for cross-realm - authentication can be established for a set period of time, and a - remote realm is able to issue policy information that is returned to - itself when a client requests cross-realm authentication. Such policy - information may be in the form of restrictions [7]. 
Furthermore, - these methods are transparent to the client; therefore, only the KDCs - need to be modified to use them. In this way, we take advantage of - the the distributed trust management capabilities of public key - crypography while maintaining the advantages of localized trust - management provided by Kerberos. - - - Although this specification utilizes the protocol specfied in the - PKINIT specification, it is not necessary to implement client - changes in order to make use of the changes in this document. - - -3. Objectives - - The objectives of this specification are as follows: - - 1. Simplify the administration required to establish Kerberos - cross-realm keys. - - 2. Avoid modification of clients and application servers. - - 3. Allow remote KDC to control its policy on cross-realm - keys shared between KDCs, and on cross-realm tickets - presented by clients. - - 4. Remove any need for KDCs to maintain state about keys - shared with other KDCs. - - 5. Leverage the work done for PKINIT to provide the public key - protocol for establishing symmetric cross realm keys. - - -4. Definitions - - The following notation is used throughout this specification: - KDC_l ........... local KDC - KDC_r ........... remote KDC - XTKT_(l,r) ...... PKCROSS ticket that the remote KDC issues to the - local KDC - TGT_(c,r) ....... 
cross-realm TGT that the local KDC issues to the - client for presentation to the remote KDC - - This specification defines the following new types to be added to the - Kerberos specification: - PKCROSS kdc-options field in the AS_REQ is bit 9 - TE-TYPE-PKCROSS-KDC 2 - TE-TYPE-PKCROSS-CLIENT 3 - - This specification defines the following ASN.1 type for conveying - policy information: - CrossRealmTktData ::= SEQUENCE OF TypedData - - This specification defines the following types for policy information - conveyed in CrossRealmTktData: - PLC_LIFETIME 1 - PLC_SET_TKT_FLAGS 2 - PLC_NOSET_TKT_FLAGS 3 - - TicketExtensions are defined per the Kerberos specification [8]: - TicketExtensions ::= SEQUENCE OF TypedData - Where - TypedData ::= SEQUENCE { - data-type[0] INTEGER, - data-value[1] OCTET STRING OPTIONAL - } - - -5. Protocol Specification - - We assume that the client has already obtained a TGT. To perform - cross-realm authentication, the client does exactly what it does - with ordinary (i.e. non-public-key-enabled) Kerberos; the only - changes are in the KDC; although the ticket which the client - forwards to the remote realm may be changed. This is acceptable - since the client treats the ticket as opaque. - - -5.1. Overview of Protocol - - The basic operation of the PKCROSS protocol is as follows: - - 1. The client submits a request to the local KDC for - credentials for the remote realm. This is just a typical - cross realm request that may occur with or without PKCROSS. - - 2. The local KDC submits a PKINIT request to the remote KDC to - obtain a "special" PKCROSS ticket. This is a standard - PKINIT request, except that PKCROSS flag (bit 9) is set in - the kdc-options field in the AS_REQ. - - 3. The remote KDC responds as per PKINIT, except that - the ticket contains a TicketExtension, which contains - policy information such as lifetime of cross realm tickets - issued by KDC_l to a client. 
The local KDC must reflect - this policy information in the credentials it forwards to - the client. Call this ticket XTKT_(l,r) to indicate that - this ticket is used to authenticate the local KDC to the - remote KDC. - - 4. The local KDC passes a ticket, TGT_(c,r) (the cross realm - TGT between the client and remote KDC), to the client. - This ticket contains in its TicketExtension field the - ticket, XTKT_(l,r), which contains the cross-realm key. - The TGT_(c,r) ticket is encrypted using the key sealed in - XTKT_(l,r). (The TicketExtension field is not encrypted.) - The local KDC may optionally include another TicketExtension - type that indicates the hostname and/or IP address for the - remote KDC. - - 5. The client submits the request directly to the remote - KDC, as before. - - 6. The remote KDC extracts XTKT_(l,r) from the TicketExtension - in order to decrypt the encrypted part of TGT_(c,r). - - -------------------------------------------------------------------- - - Client Local KDC (KDC_l) Remote KDC (KDC_r) - ------ ----------------- ------------------ - Normal Kerberos - request for - cross-realm - ticket for KDC_r - ----------------------> - - PKINIT request for - XTKT(l,r) - PKCROSS flag - set in the AS-REQ - * -------------------------> - - PKINIT reply with - XTKT_(l,r) and - policy info in - ticket extension - <-------------------------- * - - Normal Kerberos reply - with TGT_(c,r) and - XTKT(l,r) in ticket - extension - <--------------------------------- - - Normal Kerberos - cross-realm TGS-REQ - for remote - application - service with - TGT_(c,r) and - XTKT(l,r) in ticket - extension - -------------------------------------------------> - - Normal Kerberos - cross-realm - TGS-REP - <--------------------------------------------------------------- - - * Note that the KDC to KDC messages occur only periodically, since - the local KDC caches the XTKT_(l,r). 
- -------------------------------------------------------------------- - - - Sections 5.2 through 5.4 describe in detail steps 2 through 4 - above. Section 5.6 describes the conditions under which steps - 2 and 3 may be skipped. - - Note that the mechanism presented above requires infrequent KDC to - KDC communication (as dictated by policy - this is discussed - later). Without such an exchange, there are the following issues: - 1) KDC_l would have to issue a ticket with the expectation that - KDC_r will accept it. - 2) In the message that the client sends to KDC_r, KDC_l would have - to authenticate KDC_r with credentials that KDC_r trusts. - 3) There is no way for KDC_r to convey policy information to KDC_l. - 4) If, based on local policy, KDC_r does not accept a ticket from - KDC_l, then the client gets stuck in the middle. To address such - an issue would require modifications to standard client - processing behavior. - Therefore, the infreqeunt use of KDC to KDC communication assures - that inter-realm KDC keys may be established in accordance with local - policies and that clients may continue to operate without - modification. - - -5.2. Local KDC's Request to Remote KDC - - When the local KDC receives a request for cross-realm authentication, - it first checks its ticket cache to see if it has a valid PKCROSS - ticket, XTKT_(l,r). If it has a valid XTKT_(l,r), then it does not - need to send a request to the remote KDC (see section 5.5). - - If the local KDC does not have a valid XTKT_(l,r), it sends a - request to the remote KDC in order to establish a cross realm key and - obtain the XTKT_(l,r). This request is in fact a PKINIT request as - described in the PKINIT specification; i.e., it consists of an AS-REQ - with a PA-PK-AS-REQ included as a preauthentication field. Note, - that the AS-REQ MUST have the PKCROSS flag (bit 9) set in the - kdc_options field of the AS-REQ. 
Otherwise, this exchange exactly - follows the description given in the PKINIT specification. In - addition, the naming - - -5.3. Remote KDC's Response to Local KDC - - When the remote KDC receives the PKINIT/PKCROSS request from the - local KDC, it sends back a PKINIT response as described in - the PKINIT specification with the following exception: the encrypted - part of the Kerberos ticket is not encrypted with the krbtgt key; - instead, it is encrypted with the ticket granting server's PKCROSS - key. This key, rather than the krbtgt key, is used because it - encrypts a ticket used for verifying a cross realm request rather - than for issuing an application service ticket. Note that, as a - matter of policy, the session key for the XTKT_(l,r) MAY be of - greater strength than that of a session key for a normal PKINIT - reply, since the XTKT_(l,r) SHOULD be much longer lived than a - normal application service ticket. - - In addition, the remote KDC SHOULD include policy information in the - XTKT_(l,r). This policy information would then be reflected in the - cross-realm TGT, TGT_(c,r). Otherwise, the policy for TGT_(c,r) - would be dictated by KDC_l rather than by KDC_r. The local KDC MAY - enforce a more restrictive local policy when creating a cross-realm - ticket, TGT_(c,r). For example, KDC_r may dictate a lifetime - policy of eight hours, but KDC_l may create TKT_(c,r) with a - lifetime of four hours, as dictated by local policy. Also, the - remote KDC MAY include other information about itself along with the - PKCROSS ticket. These items are further discussed in section 6 - below. - - -5.4. Local KDC's Response to Client - - Upon receipt of the PKINIT/CROSS response from the remote KDC, - the local KDC formulates a response to the client. 
This reply - is constructed exactly as in the Kerberos specification, except - for the following: - - A) The local KDC places XTKT_(l,r) in the TicketExtension field of - the client's cross-realm, ticket, TGT_(c,r), for the remote realm. - Where - data-type equals 3 for TE-TYPE-PKCROSS-CLIENT - data-value is ASN.1 encoding of XTKT_(l,r) - - B) The local KDC adds the name of its CA to the transited field of - TGT_(c,r). - - -5.5 Remote KDC's Processing of Client Request - - When the remote KDC, KDC_r, receives a cross-realm ticket, - TGT_(c,r), and it detects that the ticket contains a ticket - extension of type TE-TYPE-PKCROSS-CLIENT, KDC_r must first decrypt - the ticket, XTKT_(l,r), that is encoded in the ticket extension. - KDC_r uses its PKCROSS key in order to decrypt XTKT_(l,r). KDC_r - then uses the key obtained from XTKT_(l,r) in order to decrypt the - cross-realm ticket, TGT_(c,r). - - KDC_r MUST verify that the cross-realm ticket, TGT_(c,r) is in - compliance with any policy information contained in XTKT_(l,r) (see - section 6). If the TGT_(c,r) is not in compliance with policy, then - the KDC_r responds to the client with a KRB-ERROR message of type - KDC_ERR_POLICY. - - -5.6. Short-Circuiting the KDC-to-KDC Exchange - - As we described earlier, the KDC to KDC exchange is required only - for establishing a symmetric, inter-realm key. Once this key is - established (via the PKINIT exchange), no KDC to KDC communication - is required until that key needs to be renewed. This section - describes the circumstances under which the KDC to KDC exchange - described in Sections 5.2 and 5.3 may be skipped. - - The local KDC has a known lifetime for TGT_(c,r). This lifetime may - be determined by policy information included in XTKT_(l,r), and/or - it may be determined by local KDC policy. 
If the local KDC already - has a ticket XTKT(l,r), and the start time plus the lifetime for - TGT_(c,r) does not exceed the expiration time for XTGT_(l,r), then - the local KDC may skip the exchange with the remote KDC, and issue a - cross-realm ticket to the client as described in Section 5.4. - - Since the remote KDC may change its PKCROSS key (referred to in - Section 5.2) while there are PKCROSS tickets still active, it SHOULD - cache the old PKCROSS keys until the last issued PKCROSS ticket - expires. Otherwise, the remote KDC will respond to a client with a - KRB-ERROR message of type KDC_ERR_TGT_REVOKED. - - -6. Extensions for the PKCROSS Ticket - - As stated in section 5.3, the remote KDC SHOULD include policy - information in XTKT_(l,r). This policy information is contained in - a TicketExtension, as defined by the Kerberos specification, and the - authorization data of the ticket will contain an authorization - record of type AD-IN-Ticket-Extensions. The TicketExtension defined - for use by PKCROSS is TE-TYPE-PKCROSS-KDC. - Where - data-type equals 2 for TE-TYPE-PKCROSS-KDC - data-value is ASN.1 encoding of CrossRealmTktData - - CrossRealmTktData ::= SEQUENCE OF TypedData - - - ------------------------------------------------------------------ - CrossRealmTktData types and the corresponding data are interpreted - as follows: - - ASN.1 data - type value interpretation encoding - ---------------- ----- -------------- ---------- - PLC_LIFETIME 1 lifetime (in seconds) INTEGER - for TGT_(c,r) - - cross-realm tickets - issued for clients by - TGT_l - - PLC_SET_TKT_FLAGS 2 TicketFlags that must BITSTRING - be set - - format defined by - Kerberos specification - - PLC_NOSET_TKT_FLAGS 3 TicketFlags that must BITSTRING - not be set - - format defined by - Kerberos specification - - Further types may be added to this table. - ------------------------------------------------------------------ - - -7. 
Usage of Certificates - - In the cases of PKINIT and PKCROSS, the trust in a certification - authority is equivalent to Kerberos cross realm trust. For this - reason, an implementation MAY choose to use the same KDC certificate - when the KDC is acting in any of the following three roles: - 1) KDC is authenticating clients via PKINIT - 2) KDC is authenticating another KDC for PKCROSS - 3) KDC is the client in a PKCROSS exchange with another KDC - - Note that per PKINIT, the KDC X.509 certificate (the server in a - PKINIT exchange) MUST contain the principal name of the KDC in the - subjectAltName field. - - -8. Transport Issues - - Because the messages between the KDCs involve PKINIT exchanges, and - PKINIT recommends TCP as a transport mechanism (due to the length of - the messages and the likelihood that they will fragment), the same - recommendation for TCP applies to PKCROSS as well. - - -9. Security Considerations - - Since PKCROSS utilizes PKINIT, it is subject to the same security - considerations as PKINIT. Administrators should assure adherence - to security policy - for example, this affects the PKCROSS policies - for cross realm key lifetime and for policy propogation from the - PKCROSS ticket, issued from a remote KDC to a local KDC, to - cross realm tickets that are issued by a local KDC to a client. - - -10. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service - (V5). Request for Comments 1510. - - [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service - for Computer Networks, IEEE Communications, 32(9):33-38. September - 1994. - - [3] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S.Medvinsky, J. Wray - J. Trostle. Public Key Cryptography for Initial Authentication - in Kerberos. - draft-ietf-cat-kerberos-pk-init-11.txt - - [4] A. Medvinsky, M. Hur, S. Medvinsky, B. Clifford Neuman. Public - Key Utilizing Tickets for Application Servers (PKTAPP). draft-ietf- - cat-pktapp-02.txt - - [5] A. Medvinsky, J. 
Cargille, M. Hur. Anonymous Credentials in - Kerberos. draft-ietf-cat-kerberos-anoncred-01.txt - - [6] ITU-T (formerly CCITT) Information technology - Open Systems - Interconnection - The Directory: Authentication Framework - Recommendation X.509 ISO/IEC 9594-8 - - [7] B.C. Neuman, Proxy-Based Authorization and Accounting for - Distributed Systems. In Proceedings of the 13th International - Conference on Distributed Computing Systems, May 1993. - - [8] C.Neuman, J. Kohl, T. Ts'o. The Kerberos Network Authentication - Service (V5). draft-ietf-cat-kerberos-revisions-05.txt - - -11. Authors' Addresses - - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road - Issaquah WA 98027-5378 - Phone: +1 425 391 6000 - E-mail: matt.hur@cybersafe.com - - Brian Tung - Tatyana Ryutov - Clifford Neuman - Gene Tsudik - USC/Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey, CA 90292-6695 - Phone: +1 310 822 1511 - E-Mail: {brian, tryutov, bcn, gts}@isi.edu - - Ari Medvinsky - Keen.com - 2480 Sand Hill Road, Suite 200 - Menlo Park, CA 94025 - Phone +1 650 289 3134 - E-mail: ari@keen.com - - Bill Sommerfeld - Hewlett Packard - 300 Apollo Drive - Chelmsford MA 01824 - Phone: +1 508 436 4352 - E-Mail: sommerfeld@apollo.hp.com -
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt
deleted file mode 100644
index d91c087dddf9..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt
+++ /dev/null
@@ -1,589 +0,0 @@ - -INTERNET-DRAFT Clifford Neuman -draft-ietf-cat-kerberos-pk-init-03.txt Brian Tung -Updates: RFC 1510 ISI -expires September 30, 1997 John Wray - Digital Equipment Corporation - Ari Medvinsky - Matthew Hur - CyberSafe Corporation - Jonathan Trostle - Novell - - - Public Key Cryptography for Initial Authentication in Kerberos - - -0. Status Of this Memo - - This document is an Internet-Draft. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - To learn the current status of any Internet-Draft, please check - the "1id-abstracts.txt" listing contained in the Internet-Drafts - Shadow Directories on ds.internic.net (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-init-03.txt, and expires September 30, - 1997. Please send comments to the authors. - - -1. Abstract - - This document defines extensions (PKINIT) to the Kerberos protocol - specification (RFC 1510 [1]) to provide a method for using public - key cryptography during initial authentication. The methods - defined specify the ways in which preauthentication data fields and - error data fields in Kerberos messages are to be used to transport - public key data. - - -2. Introduction - - The popularity of public key cryptography has produced a desire for - its support in Kerberos [2]. 
The advantages provided by public key - cryptography include simplified key management (from the Kerberos - perspective) and the ability to leverage existing and developing - public key certification infrastructures. - - Public key cryptography can be integrated into Kerberos in a number - of ways. One is to to associate a key pair with each realm, which - can then be used to facilitate cross-realm authentication; this is - the topic of another draft proposal. Another way is to allow users - with public key certificates to use them in initial authentication. - This is the concern of the current document. - - One of the guiding principles in the design of PKINIT is that - changes should be as minimal as possible. As a result, the basic - mechanism of PKINIT is as follows: The user sends a request to the - KDC as before, except that if that user is to use public key - cryptography in the initial authentication step, his certificate - accompanies the initial request, in the preauthentication fields. - - Upon receipt of this request, the KDC verifies the certificate and - issues a ticket granting ticket (TGT) as before, except that instead - of being encrypted in the user's long-term key (which is derived - from a password), it is encrypted in a randomly-generated key. This - random key is in turn encrypted using the public key certificate - that came with the request and signed using the KDC's signature key, - and accompanies the reply, in the preauthentication fields. - - PKINIT also allows for users with only digital signature keys to - authenticate using those keys, and for users to store and retrieve - private keys on the KDC. - - The PKINIT specification may also be used for direct peer to peer - authentication without contacting a central KDC. This application - of PKINIT is described in PKTAPP [4] and is based on concepts - introduced in [5, 6]. 
For direct client-to-server authentication, - the client uses PKINIT to authenticate to the end server (instead - of a central KDC), which then issues a ticket for itself. This - approach has an advantage over SSL [7] in that the server does not - need to save state (cache session keys). Furthermore, an - additional benefit is that Kerberos tickets can facilitate - delegation (see [8]). - - -3. Proposed Extensions - - This section describes extensions to RFC 1510 for supporting the - use of public key cryptography in the initial request for a ticket - granting ticket (TGT). - - In summary, the following changes to RFC 1510 are proposed: - - --> Users may authenticate using either a public key pair or a - conventional (symmetric) key. If public key cryptography is - used, public key data is transported in preauthentication - data fields to help establish identity. - --> Users may store private keys on the KDC for retrieval during - Kerberos initial authentication. - - This proposal addresses two ways that users may use public key - cryptography for initial authentication. Users may present public - key certificates, or they may generate their own session key, - signed by their digital signature key. In either case, the end - result is that the user obtains an ordinary TGT that may be used for - subsequent authentication, with such authentication using only - conventional cryptography. - - Section 3.1 provides definitions to help specify message formats. - Section 3.2 and 3.3 describe the extensions for the two initial - authentication methods. Section 3.3 describes a way for the user to - store and retrieve his private key on the KDC. - - -3.1. 
Definitions - - Hash and encryption types will be specified using ENCTYPE tags; we - propose the addition of the following types: - - #define ENCTYPE_SIGN_DSA_GENERATE 0x0011 - #define ENCTYPE_SIGN_DSA_VERIFY 0x0012 - #define ENCTYPE_ENCRYPT_RSA_PRIV 0x0021 - #define ENCTYPE_ENCRYPT_RSA_PUB 0x0022 - - allowing further signature types to be defined in the range 0x0011 - through 0x001f, and further encryption types to be defined in the - range 0x0021 through 0x002f. - - The extensions involve new preauthentication fields. The - preauthentication data types are in the range 17 through 21. - These values are also specified along with their corresponding - ASN.1 definition. - - #define PA-PK-AS-REQ 17 - #define PA-PK-AS-REP 18 - #define PA-PK-AS-SIGN 19 - #define PA-PK-KEY-REQ 20 - #define PA-PK-KEY-REP 21 - - The extensions also involve new error types. The new error types - are in the range 227 through 229. They are: - - #define KDC_ERROR_CLIENT_NOT_TRUSTED 227 - #define KDC_ERROR_KDC_NOT_TRUSTED 228 - #define KDC_ERROR_INVALID_SIG 229 - - In the exposition below, we use the following terms: encryption key, - decryption key, signature key, verification key. It should be - understood that encryption and verification keys are essentially - public keys, and decryption and signature keys are essentially - private keys. The fact that they are logically distinct does - not preclude the assignment of bitwise identical keys. - - -3.2. Standard Public Key Authentication - - Implementation of the changes in this section is REQUIRED for - compliance with pk-init. - - It is assumed that all public keys are signed by some certification - authority (CA). 
The initial authentication request is sent as per - RFC 1510, except that a preauthentication field containing data - signed by the user's signature key accompanies the request: - - PA-PK-AS-REQ ::- SEQUENCE { - -- PA TYPE 17 - signedPKAuth [0] SignedPKAuthenticator, - userCert [1] SEQUENCE OF Certificate OPTIONAL, - -- the user's certificate - -- optionally followed by that - -- certificate's certifier chain - trustedCertifiers [2] SEQUENCE OF PrincipalName OPTIONAL - -- CAs that the client trusts - } - - SignedPKAuthenticator ::= SEQUENCE { - pkAuth [0] PKAuthenticator, - pkAuthSig [1] Signature, - -- of pkAuth - -- using user's signature key - } - - PKAuthenticator ::= SEQUENCE { - cusec [0] INTEGER, - -- for replay prevention - ctime [1] KerberosTime, - -- for replay prevention - nonce [2] INTEGER, - -- binds response to this request - kdcName [3] PrincipalName, - clientPubValue [4] SubjectPublicKeyInfo OPTIONAL, - -- for Diffie-Hellman algorithm - } - - Signature ::= SEQUENCE { - signedHash [0] EncryptedData - -- of type Checksum - -- encrypted under signature key - } - - Checksum ::= SEQUENCE { - cksumtype [0] INTEGER, - checksum [1] OCTET STRING - } -- as specified by RFC 1510 - - SubjectPublicKeyInfo ::= SEQUENCE { - algorithm [0] algorithmIdentifier, - subjectPublicKey [1] BIT STRING - } -- as specified by the X.509 recommendation [9] - - Certificate ::= SEQUENCE { - CertType [0] INTEGER, - -- type of certificate - -- 1 = X.509v3 (DER encoding) - -- 2 = PGP (per PGP draft) - CertData [1] OCTET STRING - -- actual certificate - -- type determined by CertType - } - - Note: If the signature uses RSA keys, then it is to be performed - as per PKCS #1. - - The PKAuthenticator carries information to foil replay attacks, - to bind the request and response, and to optionally pass the - client's Diffie-Hellman public value (i.e. for using DSA in - combination with Diffie-Hellman). 
The PKAuthenticator is signed - with the private key corresponding to the public key in the - certificate found in userCert (or cached by the KDC). - - In the PKAuthenticator, the client may specify the KDC name in one - of two ways: 1) a Kerberos principal name, or 2) the name in the - KDC's certificate (e.g., an X.500 name, or a PGP name). Note that - case #1 requires that the certificate name and the Kerberos principal - name be bound together (e.g., via an X.509v3 extension). - - The userCert field is a sequence of certificates, the first of which - must be the user's public key certificate. Any subsequent - certificates will be certificates of the certifiers of the user's - certificate. These cerificates may be used by the KDC to verify the - user's public key. This field is empty if the KDC already has the - user's certifcate. - - The trustedCertifiers field contains a list of certification - authorities trusted by the client, in the case that the client does - not possess the KDC's public key certificate. - - Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication - type, the KDC attempts to verify the user's certificate chain - (userCert), if one is provided in the request. This is done by - verifying the certification path against the KDC's policy of - legitimate certifiers. This may be based on a certification - hierarchy, or it may be simply a list of recognized certifiers in a - system like PGP. If the certification path does not match one of - the KDC's trusted certifiers, the KDC sends back an error message of - type KDC_ERROR_CLIENT_NOT_TRUSTED, and it includes in the error data - field a list of its own trusted certifiers, upon which the client - resends the request. - - If trustedCertifiers is provided in the PA-PK-AS-REQ, the KDC - verifies that it has a certificate issued by one of the certifiers - trusted by the client. 
If it does not have a suitable certificate, - the KDC returns an error message of type KDC_ERROR_KDC_NOT_TRUSTED - to the client. - - If a trust relationship exists, the KDC then verifies the client's - signature on PKAuthenticator. If that fails, the KDC returns an - error message of type KDC_ERROR_INVALID_SIG. Otherwise, the KDC - uses the timestamp in the PKAuthenticator to assure that the request - is not a replay. The KDC also verifies that its name is specified - in PKAuthenticator. - - Assuming no errors, the KDC replies as per RFC 1510, except that it - encrypts the reply not with the user's key, but with a random key - generated only for this particular response. This random key - is sealed in the preauthentication field: - - PA-PK-AS-REP ::= SEQUENCE { - -- PA TYPE 18 - kdcCert [0] SEQUENCE OF Certificate OPTIONAL, - -- the KDC's certificate - -- optionally followed by that - -- certificate's certifier chain - encPaReply [1] EncryptedData, - -- of type PaReply - -- using either the client public - -- key or the Diffie-Hellman key - -- specified by SignedDHPublicValue - signedDHPublicValue [2] SignedDHPublicValue OPTIONAL - } - - - PaReply ::= SEQUENCE { - replyEncKeyPack [0] ReplyEncKeyPack, - replyEncKeyPackSig [1] Signature, - -- of replyEncKeyPack - -- using KDC's signature key - } - - ReplyEncKeyPack ::= SEQUENCE { - replyEncKey [0] EncryptionKey, - -- used to encrypt main reply - nonce [1] INTEGER - -- binds response to the request - -- passed in the PKAuthenticator - } - - SignedDHPublicValue ::= SEQUENCE { - dhPublicValue [0] SubjectPublicKeyInfo, - dhPublicValueSig [1] Signature - -- of dhPublicValue - -- using KDC's signature key - } - - The kdcCert field is a sequence of certificates, the first of which - must have as its root certifier one of the certifiers sent to the - KDC in the PA-PK-AS-REQ. Any subsequent certificates will be - certificates of the certifiers of the KDC's certificate. 
These - cerificates may be used by the client to verify the KDC's public - key. This field is empty if the client did not send to the KDC a - list of trusted certifiers (the trustedCertifiers field was empty). - - Since each certifier in the certification path of a user's - certificate is essentially a separate realm, the name of each - certifier shall be added to the transited field of the ticket. The - format of these realm names shall follow the naming constraints set - forth in RFC 1510 (sections 7.1 and 3.3.3.1). Note that this will - require new nametypes to be defined for PGP certifiers and other - types of realms as they arise. - - The KDC's certificate must bind the public key to a name derivable - from the name of the realm for that KDC. The client then extracts - the random key used to encrypt the main reply. This random key (in - encPaReply) is encrypted with either the client's public key or - with a key derived from the DH values exchanged between the client - and the KDC. - - -3.3. Digital Signature - - Implementation of the changes in this section are OPTIONAL for - compliance with pk-init. - - We offer this option with the warning that it requires the client to - generate a random key; the client may not be able to guarantee the - same level of randomness as the KDC. - - If the user registered a digital signature key with the KDC instead - of an encryption key, then a separate exchange must be used. The - client sends a request for a TGT as usual, except that it (rather - than the KDC) generates the random key that will be used to encrypt - the KDC response. 
This key is sent to the KDC along with the - request in a preauthentication field: - - PA-PK-AS-SIGN ::= SEQUENCE { - -- PA TYPE 19 - encSignedKeyPack [0] EncryptedData - -- of SignedKeyPack - -- using the KDC's public key - } - - SignedKeyPack ::= SEQUENCE { - signedKey [0] KeyPack, - signedKeyAuth [1] PKAuthenticator, - signedKeySig [2] Signature - -- of signedKey.signedKeyAuth - -- using user's signature key - } - - KeyPack ::= SEQUENCE { - randomKey [0] EncryptionKey, - -- will be used to encrypt reply - nonce [1] INTEGER - } - - where the nonce is copied from the request. - - Upon receipt of the PA-PK-AS-SIGN, the KDC decrypts then verifies - the randomKey. It then replies as per RFC 1510, except that the - reply is encrypted not with a password-derived user key, but with - the randomKey sent in the request. Since the client already knows - this key, there is no need to accompany the reply with an extra - preauthentication field. The transited field of the ticket should - specify the certification path as described in Section 3.2. - - -3.4. Retrieving the Private Key From the KDC - - Implementation of the changes in this section is RECOMMENDED for - compliance with pk-init. - - When the user's private key is not stored local to the user, he may - choose to store the private key (normally encrypted using a - password-derived key) on the KDC. We provide this option to present - the user with an alternative to storing the private key on local - disk at each machine where he expects to authenticate himself using - pk-init. It should be noted that it replaces the added risk of - long-term storage of the private key on possibly many workstations - with the added risk of storing the private key on the KDC in a - form vulnerable to brute-force attack. 
- - In order to obtain a private key, the client includes a - preauthentication field with the AS-REQ message: - - PA-PK-KEY-REQ ::= SEQUENCE { - -- PA TYPE 20 - patimestamp [0] KerberosTime OPTIONAL, - -- used to address replay attacks. - pausec [1] INTEGER OPTIONAL, - -- used to address replay attacks. - nonce [2] INTEGER, - -- binds the reply to this request - privkeyID [3] SEQUENCE OF KeyID OPTIONAL - -- constructed as a hash of - -- public key corresponding to - -- desired private key - } - - KeyID ::= SEQUENCE { - KeyIdentifier [0] OCTET STRING - } - - The client may request a specific private key by sending the - corresponding ID. If this field is left empty, then all - private keys are returned. - - If all checks out, the KDC responds as described in the above - sections, except that an additional preauthentication field, - containing the user's private key, accompanies the reply: - - PA-PK-KEY-REP ::= SEQUENCE { - -- PA TYPE 21 - nonce [0] INTEGER, - -- binds the reply to the request - KeyData [1] SEQUENCE OF KeyPair - } - - KeyPair ::= SEQUENCE { - privKeyID [0] OCTET STRING, - -- corresponding to encPrivKey - encPrivKey [1] OCTET STRING - } - - -3.4.1. Additional Protection of Retrieved Private Keys - - We solicit discussion on the following proposal: that the client may - optionally include in its request additional data to encrypt the - private key, which is currently only protected by the user's - password. One possibility is that the client might generate a - random string of bits, encrypt it with the public key of the KDC (as - in the SignedKeyPack, but with an ordinary OCTET STRING in place of - an EncryptionKey), and include this with the request. The KDC then - XORs each returned key with this random bit string. (If the bit - string is too short, the KDC could either return an error, or XOR - the returned key with a repetition of the bit string.) 
- - In order to make this work, additional means of preauthentication - need to be devised in order to prevent attackers from simply - inserting their own bit string. One way to do this is to store - a hash of the password-derived key (the one used to encrypt the - private key). This hash is then used in turn to derive a second - key (called the hash-key); the hash-key is used to encrypt an ASN.1 - structure containing the generated bit string and a nonce value - that binds it to the request. - - Since the KDC possesses the hash, it can generate the hash-key and - verify this (weaker) preauthentication, and yet cannot reproduce - the private key itself, since the hash is a one-way function. - - -4. Logistics and Policy Issues - - We solicit discussion on how clients and KDCs should be configured - in order to determine which of the options described above (if any) - should be used. One possibility is to set the user's database - record to indicate that authentication is to use public key - cryptography; this will not work, however, in the event that the - client needs to know before making the initial request. - -5. Compatibility with One-Time Passcodes - - We solicit discussion on how the protocol changes proposed in this - draft will interact with the proposed use of one-time passcodes - discussed in draft-ietf-cat-kerberos-passwords-00.txt. - - -6. Strength of Cryptographic Schemes - - In light of recent findings on the strength of MD5 and DES, - we solicit discussion on which encryption types to incorporate - into the protocol changes. - - -7. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments: 1510 - - [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service - for Computer Networks, IEEE Communications, 32(9):33-38. - September 1994. - - [3] A. Medvinsky, M. Hur. Addition of Kerberos Cipher Suites to - Transport Layer Security (TLS). - draft-ietf-tls-kerb-cipher-suites-00.txt - - [4] A. 
Medvinsky, M. Hur, B. Clifford Neuman. Public Key Utilizing - Tickets for Application Servers (PKTAPP). - draft-ietf-cat-pktapp-00.txt - - [5] M. Sirbu, J. Chuang. Distributed Authentication in Kerberos Using - Public Key Cryptography. Symposium On Network and Distributed System - Security, 1997. - - [6] B. Cox, J.D. Tygar, M. Sirbu. NetBill Security and Transaction - Protocol. In Proceedings of the USENIX Workshop on Electronic Commerce, - July 1995. - - [7] Alan O. Freier, Philip Karlton and Paul C. Kocher. - The SSL Protocol, Version 3.0 - IETF Draft. - - [8] B.C. Neuman, Proxy-Based Authorization and Accounting for - Distributed Systems. In Proceedings of the 13th International - Conference on Distributed Computing Systems, May 1993 - - [9] ITU-T (formerly CCITT) - Information technology - Open Systems Interconnection - - The Directory: Authentication Framework Recommendation X.509 - ISO/IEC 9594-8 - - -8. Acknowledgements - - Some of the ideas on which this proposal is based arose during - discussions over several years between members of the SAAG, the IETF - CAT working group, and the PSRG, regarding integration of Kerberos - and SPX. Some ideas have also been drawn from the DASS system. - These changes are by no means endorsed by these groups. This is an - attempt to revive some of the goals of those groups, and this - proposal approaches those goals primarily from the Kerberos - perspective. Lastly, comments from groups working on similar ideas - in DCE have been invaluable. - - -9. Expiration Date - - This draft expires September 30, 1997. - - -10. 
Authors - - Clifford Neuman - Brian Tung - USC Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey CA 90292-6695 - Phone: +1 310 822 1511 - E-mail: {bcn, brian}@isi.edu - - John Wray - Digital Equipment Corporation - 550 King Street, LKG2-2/Z7 - Littleton, MA 01460 - Phone: +1 508 486 5210 - E-mail: wray@tuxedo.enet.dec.com - - Ari Medvinsky - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road Suite 310 - Issaquah WA 98027-5378 - Phone: +1 206 391 6000 - E-mail: {ari.medvinsky, matt.hur}@cybersafe.com - - Jonathan Trostle - Novell - E-mail: jonathan.trostle@novell.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt
deleted file mode 100644
index 9b0e76adad98..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt
+++ /dev/null
@@ -1,1059 +0,0 @@
-INTERNET-DRAFT Brian Tung
-draft-ietf-cat-kerberos-pk-init-11.txt Clifford Neuman
-Updates: RFC 1510 USC/ISI
-expires September 15, 2000 Matthew Hur
- CyberSafe Corporation
- Ari Medvinsky
- Keen.com, Inc.
- Sasha Medvinsky
- Motorola
- John Wray
- Iris Associates, Inc.
- Jonathan Trostle
- Cisco
-
- Public Key Cryptography for Initial Authentication in Kerberos
-
-0. Status Of This Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC 2026. Internet-Drafts are
- working documents of the Internet Engineering Task Force (IETF),
- its areas, and its working groups. Note that other groups may also
- distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- To learn the current status of any Internet-Draft, please check
- the "1id-abstracts.txt" listing contained in the Internet-Drafts
- Shadow Directories on ftp.ietf.org (US East Coast),
- nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
- munnari.oz.au (Pacific Rim).
-
- The distribution of this memo is unlimited. It is filed as
- draft-ietf-cat-kerberos-pk-init-11.txt, and expires September 15,
- 2000. Please send comments to the authors.
-
-1. Abstract
-
- This document defines extensions (PKINIT) to the Kerberos protocol
- specification (RFC 1510 [1]) to provide a method for using public
- key cryptography during initial authentication.
The methods
- defined specify the ways in which preauthentication data fields and
- error data fields in Kerberos messages are to be used to transport
- public key data.
-
-2. Introduction
-
- The popularity of public key cryptography has produced a desire for
- its support in Kerberos [2]. The advantages provided by public key
- cryptography include simplified key management (from the Kerberos
- perspective) and the ability to leverage existing and developing
- public key certification infrastructures.
-
- Public key cryptography can be integrated into Kerberos in a number
- of ways. One is to associate a key pair with each realm, which can
- then be used to facilitate cross-realm authentication; this is the
- topic of another draft proposal. Another way is to allow users with
- public key certificates to use them in initial authentication. This
- is the concern of the current document.
-
- PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in
- combination with digital signature keys as the primary, required
- mechanism. It also allows for the use of RSA keys and/or (static)
- Diffie-Hellman certificates. Note in particular that PKINIT supports
- the use of separate signature and encryption keys.
-
- PKINIT enables access to Kerberos-secured services based on initial
- authentication utilizing public key cryptography. PKINIT utilizes
- standard public key signature and encryption data formats within the
- standard Kerberos messages. The basic mechanism is as follows: The
- user sends an AS-REQ message to the KDC as before, except that if that
- user is to use public key cryptography in the initial authentication
- step, his certificate and a signature accompany the initial request
- in the preauthentication fields.
Upon receipt of this request, the
- KDC verifies the certificate and issues a ticket granting ticket
- (TGT) as before, except that the encPart from the AS-REP message
- carrying the TGT is now encrypted utilizing either a Diffie-Hellman
- derived key or the user's public key. This message is authenticated
- utilizing the public key signature of the KDC.
-
- Note that PKINIT does not require the use of certificates. A KDC
- may store the public key of a principal as part of that principal's
- record. In this scenario, the KDC is the trusted party that vouches
- for the principal (as in a standard, non-cross realm, Kerberos
- environment). Thus, for any principal, the KDC may maintain a
- secret key, a public key, or both.
-
- The PKINIT specification may also be used as a building block for
- other specifications. PKCROSS [3] utilizes PKINIT for establishing
- the inter-realm key and associated inter-realm policy to be applied
- in issuing cross realm service tickets. As specified in [4],
- anonymous Kerberos tickets can be issued by applying a NULL
- signature in combination with Diffie-Hellman in the PKINIT exchange.
- Additionally, the PKINIT specification may be used for direct peer
- to peer authentication without contacting a central KDC. This
- application of PKINIT is described in PKTAPP [5] and is based on
- concepts introduced in [6, 7]. For direct client-to-server
- authentication, the client uses PKINIT to authenticate to the end
- server (instead of a central KDC), which then issues a ticket for
- itself. This approach has an advantage over TLS [8] in that the
- server does not need to save state (cache session keys).
- Furthermore, an additional benefit is that Kerberos tickets can
- facilitate delegation (see [9]).
-
-3. Proposed Extensions
-
- This section describes extensions to RFC 1510 for supporting the
- use of public key cryptography in the initial request for a ticket
- granting ticket (TGT).
-
- In summary, the following change to RFC 1510 is proposed:
-
- * Users may authenticate using either a public key pair or a
- conventional (symmetric) key. If public key cryptography is
- used, public key data is transported in preauthentication
- data fields to help establish identity. The user presents
- a public key certificate and obtains an ordinary TGT that may
- be used for subsequent authentication, with such
- authentication using only conventional cryptography.
-
- Section 3.1 provides definitions to help specify message formats.
- Section 3.2 describes the extensions for the initial authentication
- method.
-
-3.1. Definitions
-
- The extensions involve new preauthentication fields; we introduce
- the following preauthentication types:
-
- PA-PK-AS-REQ 14
- PA-PK-AS-REP 15
-
- The extensions also involve new error types; we introduce the
- following types:
-
- KDC_ERR_CLIENT_NOT_TRUSTED 62
- KDC_ERR_KDC_NOT_TRUSTED 63
- KDC_ERR_INVALID_SIG 64
- KDC_ERR_KEY_TOO_WEAK 65
- KDC_ERR_CERTIFICATE_MISMATCH 66
- KDC_ERR_CANT_VERIFY_CERTIFICATE 70
- KDC_ERR_INVALID_CERTIFICATE 71
- KDC_ERR_REVOKED_CERTIFICATE 72
- KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
- KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
- KDC_ERR_CLIENT_NAME_MISMATCH 75
- KDC_ERR_KDC_NAME_MISMATCH 76
-
- We utilize the following typed data for errors:
-
- TD-PKINIT-CMS-CERTIFICATES 101
- TD-KRB-PRINCIPAL 102
- TD-KRB-REALM 103
- TD-TRUSTED-CERTIFIERS 104
- TD-CERTIFICATE-INDEX 105
-
- We utilize the following encryption types (which map directly to
- OIDs):
-
- dsaWithSHA1-CmsOID 9
- md5WithRSAEncryption-CmsOID 10
- sha1WithRSAEncryption-CmsOID 11
- rc2CBC-EnvOID 12
- rsaEncryption-EnvOID (PKCS#1 v1.5) 13
- rsaES-OAEP-ENV-OID (PKCS#1 v2.0) 14
- des-ede3-cbc-Env-OID 15
-
- These mappings are provided so that a client may send the
- appropriate enctypes in the AS-REQ message in order to indicate
- support for the corresponding OIDs (for performing PKINIT).
- - In many cases, PKINIT requires the encoding of the X.500 name of a - certificate authority as a Realm. When such a name appears as - a realm it will be represented using the "other" form of the realm - name as specified in the naming constraints section of RFC1510. - For a realm derived from an X.500 name, NAMETYPE will have the value - X500-RFC2253. The full realm name will appear as follows: - - + ":" + - - where nametype is "X500-RFC2253" and string is the result of doing - an RFC2253 encoding of the distinguished name, i.e. - - "X500-RFC2253:" + RFC2253Encode(DistinguishedName) - - where DistinguishedName is an X.500 name, and RFC2253Encode is a - function returing a readable UTF encoding of an X.500 name, as - defined by RFC 2253 [14] (part of LDAPv3 [18]). - - To ensure that this encoding is unique, we add the following rule - to those specified by RFC 2253: - - The order in which the attributes appear in the RFC 2253 - encoding must be the reverse of the order in the ASN.1 - encoding of the X.500 name that appears in the public key - certificate. The order of the relative distinguished names - (RDNs), as well as the order of the AttributeTypeAndValues - within each RDN, will be reversed. (This is despite the fact - that an RDN is defined as a SET of AttributeTypeAndValues, where - an order is normally not important.) - - Similarly, in cases where the KDC does not provide a specific - policy based mapping from the X.500 name or X.509 Version 3 - SubjectAltName extension in the user's certificate to a Kerberos - principal name, PKINIT requires the direct encoding of the X.500 - name as a PrincipalName. In this case, the name-type of the - principal name shall be set to KRB_NT-X500-PRINCIPAL. This new - name type is defined in RFC 1510 as: - - KRB_NT_X500_PRINCIPAL 6 - - The name-string shall be set as follows: - - RFC2253Encode(DistinguishedName) - - as described above. 
When this name type is used, the principal's
- realm shall be set to the certificate authority's distinguished
- name using the X500-RFC2253 realm name format described earlier in
- this section
-
- RFC 1510 specifies the ASN.1 structure for PrincipalName as follows:
-
- PrincipalName ::= SEQUENCE {
- name-type[0] INTEGER,
- name-string[1] SEQUENCE OF GeneralString
- }
-
- For the purposes of encoding an X.500 name as a Kerberos name for
- use in Kerberos structures, the name-string shall be encoded as a
- single GeneralString. The name-type should be KRB_NT_X500_PRINCIPAL,
- as noted above. All Kerberos names must conform to validity
- requirements as given in RFC 1510. Note that name mapping may be
- required or optional, based on policy.
-
- We also define the following similar ASN.1 structure:
-
- CertPrincipalName ::= SEQUENCE {
- name-type[0] INTEGER,
- name-string[1] SEQUENCE OF UTF8String
- }
-
- When a Kerberos PrincipalName is to be placed within an X.509 data
- structure, the CertPrincipalName structure is to be used, with the
- name-string encoded as a single UTF8String. The name-type should be
- as identified in the original PrincipalName structure. The mapping
- between the GeneralString and UTF8String formats can be found in
- [19].
-
- The following rules relate to the the matching of PrincipalNames (or
- corresponding CertPrincipalNames) with regard to the PKI name
- constraints for CAs as laid out in RFC 2459 [15]. In order to be
- regarded as a match (for permitted and excluded name trees), the
- following must be satisfied.
-
- 1. If the constraint is given as a user plus realm name, or
- as a user plus instance plus realm name (as specified in
- RFC 1510), the realm name must be valid (see 2.a-d below)
- and the match must be exact, byte for byte.
-
- 2. If the constraint is given only as a realm name, matching
- depends on the type of the realm:
-
- a.
If the realm contains a colon (':') before any equal
- sign ('='), it is treated as a realm of type Other,
- and must match exactly, byte for byte.
-
- b. Otherwise, if the realm contains an equal sign, it
- is treated as an X.500 name. In order to match, every
- component in the constraint MUST be in the principal
- name, and have the same value. For example, 'C=US'
- matches 'C=US/O=ISI' but not 'C=UK'.
-
- c. Otherwise, if the realm name conforms to rules regarding
- the format of DNS names, it is considered a realm name of
- type Domain. The constraint may be given as a realm
- name 'FOO.BAR', which matches any PrincipalName within
- the realm 'FOO.BAR' but not those in subrealms such as
- 'CAR.FOO.BAR'. A constraint of the form '.FOO.BAR'
- matches PrincipalNames in subrealms of the form
- 'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself.
-
- d. Otherwise, the realm name is invalid and does not match
- under any conditions.
-
-3.1.1. Encryption and Key Formats
-
- In the exposition below, we use the terms public key and private
- key generically. It should be understood that the term "public
- key" may be used to refer to either a public encryption key or a
- signature verification key, and that the term "private key" may be
- used to refer to either a private decryption key or a signature
- generation key. The fact that these are logically distinct does
- not preclude the assignment of bitwise identical keys for RSA
- keys.
-
- In the case of Diffie-Hellman, the key shall be produced from the
- agreed bit string as follows:
-
- * Truncate the bit string to the appropriate length.
- * Rectify parity in each byte (if necessary) to obtain the key.
-
- For instance, in the case of a DES key, we take the first eight
- bytes of the bit stream, and then adjust the least significant bit
- of each byte to ensure that each byte has odd parity.
-
-3.1.2. Algorithm Identifiers
-
- PKINIT does not define, but does permit, the algorithm identifiers
- listed below.
-
-3.1.2.1. Signature Algorithm Identifiers
-
- The following signature algorithm identifiers specified in [11] and
- in [15] shall be used with PKINIT:
-
- id-dsa-with-sha1 (DSA with SHA1)
- md5WithRSAEncryption (RSA with MD5)
- sha-1WithRSAEncryption (RSA with SHA1)
-
-3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier
-
- The following algorithm identifier shall be used within the
- SubjectPublicKeyInfo data structure: dhpublicnumber
-
- This identifier and the associated algorithm parameters are
- specified in RFC 2459 [15].
-
-3.1.2.3. Algorithm Identifiers for RSA Encryption
-
- These algorithm identifiers are used inside the EnvelopedData data
- structure, for encrypting the temporary key with a public key:
-
- rsaEncryption (RSA encryption, PKCS#1 v1.5)
- id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0)
-
- Both of the above RSA encryption schemes are specified in [16].
- Currently, only PKCS#1 v1.5 is specified by CMS [11], although the
- CMS specification says that it will likely include PKCS#1 v2.0 in
- the future. (PKCS#1 v2.0 addresses adaptive chosen ciphertext
- vulnerability discovered in PKCS#1 v1.5.)
-
-3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys
-
- These algorithm identifiers are used inside the EnvelopedData data
- structure in the PKINIT Reply, for encrypting the reply key with the
- temporary key:
- des-ede3-cbc (3-key 3-DES, CBC mode)
- rc2-cbc (RC2, CBC mode)
-
- The full definition of the above algorithm identifiers and their
- corresponding parameters (an IV for block chaining) is provided in
- the CMS specification [11].
-
-3.2. Public Key Authentication
-
- Implementation of the changes in this section is REQUIRED for
- compliance with PKINIT.
-
-3.2.1. Client Request
-
- Public keys may be signed by some certification authority (CA), or
- they may be maintained by the KDC in which case the KDC is the
- trusted authority. Note that the latter mode does not require the
- use of certificates.
- - The initial authentication request is sent as per RFC 1510, except - that a preauthentication field containing data signed by the user's - private key accompanies the request: - - PA-PK-AS-REQ ::= SEQUENCE { - -- PA TYPE 14 - signedAuthPack [0] SignedData - -- Defined in CMS [11]; - -- AuthPack (below) defines the - -- data that is signed. - trustedCertifiers [1] SEQUENCE OF TrustedCas OPTIONAL, - -- This is a list of CAs that the - -- client trusts and that certify - -- KDCs. - kdcCert [2] IssuerAndSerialNumber OPTIONAL - -- As defined in CMS [11]; - -- specifies a particular KDC - -- certificate if the client - -- already has it. - encryptionCert [3] IssuerAndSerialNumber OPTIONAL - -- For example, this may be the - -- client's Diffie-Hellman - -- certificate, or it may be the - -- client's RSA encryption - -- certificate. - } - - TrustedCas ::= CHOICE { - principalName [0] KerberosName, - -- as defined below - caName [1] Name - -- fully qualified X.500 name - -- as defined by X.509 - issuerAndSerial [2] IssuerAndSerialNumber - -- Since a CA may have a number of - -- certificates, only one of which - -- a client trusts - } - - Usage of SignedData: - - The SignedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. The following describes how to fill in the fields of - this data: - - 1. The encapContentInfo field must contain the PKAuthenticator - and, optionally, the client's Diffie Hellman public value. - - a. The eContentType field shall contain the OID value for - pkdata: iso (1) org (3) dod (6) internet (1) security (5) - kerberosv5 (2) pkinit (3) pkdata (1) - - b. The eContent field is data of the type AuthPack (below). - - 2. The signerInfos field contains the signature of AuthPack. - - 3. The Certificates field, when non-empty, contains the client's - certificate chain. If present, the KDC uses the public key - from the client's certificate to verify the signature in the - request. 
Note that the client may pass different certificate - chains that are used for signing or for encrypting. Thus, - the KDC may utilize a different client certificate for - signature verification than the one it uses to encrypt the - reply to the client. For example, the client may place a - Diffie-Hellman certificate in this field in order to convey - its static Diffie Hellman certificate to the KDC to enable - static-ephemeral Diffie-Hellman mode for the reply; in this - case, the client does NOT place its public value in the - AuthPack (defined below). As another example, the client may - place an RSA encryption certificate in this field. However, - there must always be (at least) a signature certificate. - - AuthPack ::= SEQUENCE { - pkAuthenticator [0] PKAuthenticator, - clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL - -- if client is using Diffie-Hellman - -- (ephemeral-ephemeral only) - } - - PKAuthenticator ::= SEQUENCE { - kdcName [0] PrincipalName, - kdcRealm [1] Realm, - cusec [2] INTEGER, - -- for replay prevention as in RFC1510 - ctime [3] KerberosTime, - -- for replay prevention as in RFC1510 - nonce [4] INTEGER - } - - SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - -- dhKeyAgreement - subjectPublicKey BIT STRING - -- for DH, equals - -- public exponent (INTEGER encoded - -- as payload of BIT STRING) - } -- as specified by the X.509 recommendation [10] - - AlgorithmIdentifier ::= SEQUENCE { - algorithm ALGORITHM.&id, - parameters ALGORITHM.&type - } -- as specified by the X.509 recommendation [10] - - If the client passes an issuer and serial number in the request, - the KDC is requested to use the referred-to certificate. If none - exists, then the KDC returns an error of type - KDC_ERR_CERTIFICATE_MISMATCH. It also returns this error if, on the - other hand, the client does not pass any trustedCertifiers, - believing that it has the KDC's certificate, but the KDC has more - than one certificate. 
The KDC should include information in the - KRB-ERROR message that indicates the KDC certificate(s) that a - client may utilize. This data is specified in the e-data, which - is defined in RFC 1510 revisions as a SEQUENCE of TypedData: - - TypedData ::= SEQUENCE { - data-type [0] INTEGER, - data-value [1] OCTET STRING, - } -- per Kerberos RFC 1510 revisions - - where: - data-type = TD-PKINIT-CMS-CERTIFICATES = 101 - data-value = CertificateSet // as specified by CMS [11] - - The PKAuthenticator carries information to foil replay attacks, and - to bind the request and response. The PKAuthenticator is signed - with the client's signature key. - -3.2.2. KDC Response - - Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication - type, the KDC attempts to verify the user's certificate chain - (userCert), if one is provided in the request. This is done by - verifying the certification path against the KDC's policy of - legitimate certifiers. This may be based on a certification - hierarchy, or it may be simply a list of recognized certifiers in a - system like PGP. - - If the client's certificate chain contains no certificate signed by - a CA trusted by the KDC, then the KDC sends back an error message - of type KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data - is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104) - whose data-value is an OCTET STRING which is the DER encoding of - - TrustedCertifiers ::= SEQUENCE OF PrincipalName - -- X.500 name encoded as a principal name - -- see Section 3.1 - - If while verifying a certificate chain the KDC determines that the - signature on one of the certificates in the CertificateSet from - the signedAuthPack fails verification, then the KDC returns an - error of type KDC_ERR_INVALID_CERTIFICATE. 
The accompanying - e-data is a SEQUENCE of one TypedData (with type - TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING - which is the DER encoding of the index into the CertificateSet - ordered as sent by the client. - - CertificateIndex ::= INTEGER - -- 0 = 1st certificate, - -- (in order of encoding) - -- 1 = 2nd certificate, etc - - The KDC may also check whether any of the certificates in the - client's chain has been revoked. If one of the certificates has - been revoked, then the KDC returns an error of type - KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that - the certificate's revocation status is unknown or not - available, then if required by policy, the KDC returns the - appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE. In any of these three - cases, the affected certificate is identified by the accompanying - e-data, which contains a CertificateIndex as described for - KDC_ERR_INVALID_CERTIFICATE. - - If the certificate chain can be verified, but the name of the - client in the certificate does not match the client's name in the - request, then the KDC returns an error of type - KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data - field in this case. - - Finally, if the certificate chain is verified, but the KDC's name - or realm as given in the PKAuthenticator does not match the KDC's - actual principal name, then the KDC returns an error of type - KDC_ERR_KDC_NAME_MISMATCH. The accompanying e-data field is again - a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or - TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET - STRING whose data-value is the DER encoding of a PrincipalName or - Realm as defined in RFC 1510 revisions. - - Even if all succeeds, the KDC may--for policy reasons--decide not - to trust the client. In this case, the KDC returns an error message - of type KDC_ERR_CLIENT_NOT_TRUSTED. 
One specific case of this is
- the presence or absence of an Enhanced Key Usage (EKU) OID within
- the certificate extensions. The rules regarding acceptability of
- an EKU sequence (or the absence of any sequence) are a matter of
- local policy. For the benefit of implementers, we define a PKINIT
- EKU OID as the following: iso (1) org (3) dod (6) internet (1)
- security (5) kerberosv5 (2) pkinit (3) pkekuoid (2).
-
- If a trust relationship exists, the KDC then verifies the client's
- signature on AuthPack. If that fails, the KDC returns an error
- message of type KDC_ERR_INVALID_SIG. Otherwise, the KDC uses the
- timestamp (ctime and cusec) in the PKAuthenticator to assure that
- the request is not a replay. The KDC also verifies that its name
- is specified in the PKAuthenticator.
-
- If the clientPublicValue field is filled in, indicating that the
- client wishes to use Diffie-Hellman key agreement, then the KDC
- checks to see that the parameters satisfy its policy. If they do
- not (e.g., the prime size is insufficient for the expected
- encryption type), then the KDC sends back an error message of type
- KDC_ERR_KEY_TOO_WEAK. Otherwise, it generates its own public and
- private values for the response.
-
- The KDC also checks that the timestamp in the PKAuthenticator is
- within the allowable window and that the principal name and realm
- are correct. If the local (server) time and the client time in the
- authenticator differ by more than the allowable clock skew, then the
- KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510.
-
- Assuming no errors, the KDC replies as per RFC 1510, except as
- follows. The user's name in the ticket is determined by the
- following decision algorithm:
-
- 1. If the KDC has a mapping from the name in the certificate
- to a Kerberos name, then use that name.
- Else
- 2.
If the certificate contains the SubjectAltName extention
- and the local KDC policy defines a mapping from the
- SubjectAltName to a Kerberos name, then use that name.
- Else
- 3. Use the name as represented in the certificate, mapping
- mapping as necessary (e.g., as per RFC 2253 for X.500
- names). In this case the realm in the ticket shall be the
- name of the certifier that issued the user's certificate.
-
- Note that a principal name may be carried in the subject alt name
- field of a certificate. This name may be mapped to a principal
- record in a security database based on local policy, for example
- the subject alt name may be kerberos/principal@realm format. In
- this case the realm name is not that of the CA but that of the
- local realm doing the mapping (or some realm name chosen by that
- realm).
-
- If a non-KDC X.509 certificate contains the principal name within
- the subjectAltName version 3 extension , that name may utilize
- KerberosName as defined below, or, in the case of an S/MIME
- certificate [17], may utilize the email address. If the KDC
- is presented with an S/MIME certificate, then the email address
- within subjectAltName will be interpreted as a principal and realm
- separated by the "@" sign, or as a name that needs to be
- canonicalized. If the resulting name does not correspond to a
- registered principal name, then the principal name is formed as
- defined in section 3.1.
-
- The trustedCertifiers field contains a list of certification
- authorities trusted by the client, in the case that the client does
- not possess the KDC's public key certificate. If the KDC has no
- certificate signed by any of the trustedCertifiers, then it returns
- an error of type KDC_ERR_KDC_NOT_TRUSTED.
-
- KDCs should try to (in order of preference):
- 1. Use the KDC certificate identified by the serialNumber included
- in the client's request.
- 2.
Use a certificate issued to the KDC by the client's CA (if in the - middle of a CA key roll-over, use the KDC cert issued under same - CA key as user cert used to verify request). - 3. Use a certificate issued to the KDC by one of the client's - trustedCertifier(s); - If the KDC is unable to comply with any of these options, then the - KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the - client. - - The KDC encrypts the reply not with the user's long-term key, but - with the Diffie Hellman derived key or a random key generated - for this particular response which is carried in the padata field of - the TGS-REP message. - - PA-PK-AS-REP ::= CHOICE { - -- PA TYPE 15 - dhSignedData [0] SignedData, - -- Defined in CMS and used only with - -- Diffie-Hellman key exchange (if the - -- client public value was present in the - -- request). - -- This choice MUST be supported - -- by compliant implementations. - encKeyPack [1] EnvelopedData, - -- Defined in CMS - -- The temporary key is encrypted - -- using the client public key - -- key - -- SignedReplyKeyPack, encrypted - -- with the temporary key, is also - -- included. - } - - Usage of SignedData: - - When the Diffie-Hellman option is used, dhSignedData in - PA-PK-AS-REP provides authenticated Diffie-Hellman parameters - of the KDC. The reply key used to encrypt part of the KDC reply - message is derived from the Diffie-Hellman exchange: - - 1. Both the KDC and the client calculate a secret value - (g^ab mod p), where a is the client's private exponent and - b is the KDC's private exponent. - - 2. Both the KDC and the client take the first N bits of this - secret value and convert it into a reply key. N depends on - the reply key type. - - 3. If the reply key is DES, N=64 bits, where some of the bits - are replaced with parity bits, according to FIPS PUB 74. - - 4. If the reply key is (3-key) 3-DES, N=192 bits, where some - of the bits are replaced with parity bits, according to - FIPS PUB 74. - - 5. 
The encapContentInfo field must contain the KdcDHKeyInfo as - defined below. - - a. The eContentType field shall contain the OID value for - pkdata: iso (1) org (3) dod (6) internet (1) security (5) - kerberosv5 (2) pkinit (3) pkdata (1) - - b. The eContent field is data of the type KdcDHKeyInfo - (below). - - 6. The certificates field must contain the certificates - necessary for the client to establish trust in the KDC's - certificate based on the list of trusted certifiers sent by - the client in the PA-PK-AS-REQ. This field may be empty if - the client did not send to the KDC a list of trusted - certifiers (the trustedCertifiers field was empty, meaning - that the client already possesses the KDC's certificate). - - 7. The signerInfos field is a SET that must contain at least - one member, since it contains the actual signature. - - KdcDHKeyInfo ::= SEQUENCE { - -- used only when utilizing Diffie-Hellman - nonce [0] INTEGER, - -- binds responce to the request - subjectPublicKey [2] BIT STRING - -- Equals public exponent (g^a mod p) - -- INTEGER encoded as payload of - -- BIT STRING - } - - Usage of EnvelopedData: - - The EnvelopedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. It contains a temporary key encrypted with the PKINIT - client's public key. It also contains a signed and encrypted - reply key. - - 1. The originatorInfo field is not required, since that - information may be presented in the signedData structure - that is encrypted within the encryptedContentInfo field. - - 2. The optional unprotectedAttrs field is not required for - PKINIT. - - 3. The recipientInfos field is a SET which must contain exactly - one member of the KeyTransRecipientInfo type for encryption - with an RSA public key. - - a. The encryptedKey field (in KeyTransRecipientInfo) - contains the temporary key which is encrypted with the - PKINIT client's public key. - - 4. 
The encryptedContentInfo field contains the signed and - encrypted reply key. - - a. The contentType field shall contain the OID value for - id-signedData: iso (1) member-body (2) us (840) - rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2) - - b. The encryptedContent field is encrypted data of the CMS - type signedData as specified below. - - i. The encapContentInfo field must contains the - ReplyKeyPack. - - * The eContentType field shall contain the OID value - for pkdata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkdata (1) - - * The eContent field is data of the type ReplyKeyPack - (below). - - ii. The certificates field must contain the certificates - necessary for the client to establish trust in the - KDC's certificate based on the list of trusted - certifiers sent by the client in the PA-PK-AS-REQ. - This field may be empty if the client did not send - to the KDC a list of trusted certifiers (the - trustedCertifiers field was empty, meaning that the - client already possesses the KDC's certificate). - - iii. The signerInfos field is a SET that must contain at - least one member, since it contains the actual - signature. - - ReplyKeyPack ::= SEQUENCE { - -- not used for Diffie-Hellman - replyKey [0] EncryptionKey, - -- used to encrypt main reply - -- ENCTYPE is at least as strong as - -- ENCTYPE of session key - nonce [1] INTEGER, - -- binds response to the request - -- must be same as the nonce - -- passed in the PKAuthenticator - } - - Since each certifier in the certification path of a user's - certificate is equivalent to a separate Kerberos realm, the name - of each certifier in the certificate chain must be added to the - transited field of the ticket. The format of these realm names is - defined in Section 3.1 of this document. If applicable, the - transit-policy-checked flag should be set in the issued ticket. 
- - The KDC's certificate(s) must bind the public key(s) of the KDC to - a name derivable from the name of the realm for that KDC. X.509 - certificates shall contain the principal name of the KDC - (defined in section 8.2 of RFC 1510) as the SubjectAltName version - 3 extension. Below is the definition of this version 3 extension, - as specified by the X.509 standard: - - subjectAltName EXTENSION ::= { - SYNTAX GeneralNames - IDENTIFIED BY id-ce-subjectAltName - } - - GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName - - GeneralName ::= CHOICE { - otherName [0] OtherName, - ... - } - - OtherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value [0] EXPLICIT ANY DEFINED BY type-id - } - - For the purpose of specifying a Kerberos principal name, the value - in OtherName shall be a KerberosName as defined in RFC 1510, but with - the PrincipalName replaced by CertPrincipalName as mentioned in - Section 3.1: - - KerberosName ::= SEQUENCE { - realm [0] Realm, - principalName [1] CertPrincipalName -- defined above - } - - This specific syntax is identified within subjectAltName by setting - the type-id in OtherName to krb5PrincipalName, where (from the - Kerberos specification) we have - - krb5 OBJECT IDENTIFIER ::= { iso (1) - org (3) - dod (6) - internet (1) - security (5) - kerberosv5 (2) } - - krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } - - (This specification may also be used to specify a Kerberos name - within the user's certificate.) The KDC's certificate may be signed - directly by a CA, or there may be intermediaries if the server resides - within a large organization, or it may be unsigned if the client - indicates possession (and trust) of the KDC's certificate. - - The client then extracts the random key used to encrypt the main - reply. This random key (in encPaReply) is encrypted with either the - client's public key or with a key derived from the DH values - exchanged between the client and the KDC. 
The client uses this - random key to decrypt the main reply, and subsequently proceeds as - described in RFC 1510. - -3.2.3. Required Algorithms - - Not all of the algorithms in the PKINIT protocol specification have - to be implemented in order to comply with the proposed standard. - Below is a list of the required algorithms: - - * Diffie-Hellman public/private key pairs - * utilizing Diffie-Hellman ephemeral-ephemeral mode - * SHA1 digest and DSA for signatures - * 3-key triple DES keys derived from the Diffie-Hellman Exchange - * 3-key triple DES Temporary and Reply keys - -4. Logistics and Policy - - This section describes a way to define the policy on the use of - PKINIT for each principal and request. - - The KDC is not required to contain a database record for users - who use public key authentication. However, if these users are - registered with the KDC, it is recommended that the database record - for these users be modified to an additional flag in the attributes - field to indicate that the user should authenticate using PKINIT. - If this flag is set and a request message does not contain the - PKINIT preauthentication field, then the KDC sends back as error of - type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication - field of type PA-PK-AS-REQ must be included in the request. - -5. Security Considerations - - PKINIT raises a few security considerations, which we will address - in this section. - - First of all, PKINIT introduces a new trust model, where KDCs do not - (necessarily) certify the identity of those for whom they issue - tickets. PKINIT does allow KDCs to act as their own CAs, in the - limited capacity of self-signing their certificates, but one of the - additional benefits is to align Kerberos authentication with a global - public key infrastructure. Anyone using PKINIT in this way must be - aware of how the certification infrastructure they are linking to - works. 
- - Secondly, PKINIT also introduces the possibility of interactions - between different cryptosystems, which may be of widely varying - strengths. Many systems, for instance, allow the use of 512-bit - public keys. Using such keys to wrap data encrypted under strong - conventional cryptosystems, such as triple-DES, is inappropriate; - it adds a weak link to a strong one at extra cost. Implementors - and administrators should take care to avoid such wasteful and - deceptive interactions. - - Lastly, PKINIT calls for randomly generated keys for conventional - cryptosystems. Many such systems contain systematically "weak" - keys. PKINIT implementations MUST avoid use of these keys, either - by discarding those keys when they are generated, or by fixing them - in some way (e.g., by XORing them with a given mask). These - precautions vary from system to system; it is not our intention to - give an explicit recipe for them here. - -6. Transport Issues - - Certificate chains can potentially grow quite large and span several - UDP packets; this in turn increases the probability that a Kerberos - message involving PKINIT extensions will be broken in transit. In - light of the possibility that the Kerberos specification will - require KDCs to accept requests using TCP as a transport mechanism, - we make the same recommendation with respect to the PKINIT - extensions as well. - -7. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service - (V5). Request for Comments 1510. - - [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service - for Computer Networks, IEEE Communications, 32(9):33-38. September - 1994. - - [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld, - A. Medvinsky, M. Hur. Public Key Cryptography for Cross-Realm - Authentication in Kerberos. draft-ietf-cat-kerberos-pk-cross-04.txt - - [4] A. Medvinsky, J. Cargille, M. Hur. Anonymous Credentials in - Kerberos. 
draft-ietf-cat-kerberos-anoncred-00.txt - - [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman. - Public Key Utilizing Tickets for Application Servers (PKTAPP). - draft-ietf-cat-pktapp-02.txt - - [6] M. Sirbu, J. Chuang. Distributed Authentication in Kerberos - Using Public Key Cryptography. Symposium On Network and Distributed - System Security, 1997. - - [7] B. Cox, J.D. Tygar, M. Sirbu. NetBill Security and Transaction - Protocol. In Proceedings of the USENIX Workshop on Electronic - Commerce, July 1995. - - [8] T. Dierks, C. Allen. The TLS Protocol, Version 1.0 - Request for Comments 2246, January 1999. - - [9] B.C. Neuman, Proxy-Based Authorization and Accounting for - Distributed Systems. In Proceedings of the 13th International - Conference on Distributed Computing Systems, May 1993. - - [10] ITU-T (formerly CCITT) Information technology - Open Systems - Interconnection - The Directory: Authentication Framework - Recommendation X.509 ISO/IEC 9594-8 - - [11] R. Housley. Cryptographic Message Syntax. - draft-ietf-smime-cms-13.txt, April 1999, approved for publication - as RFC. - - [12] PKCS #7: Cryptographic Message Syntax Standard, - An RSA Laboratories Technical Note Version 1.5 - Revised November 1, 1993 - - [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data - Security, Inc. A Description of the RC2(r) Encryption Algorithm - March 1998. - Request for Comments 2268. - - [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access - Protocol (v3): UTF-8 String Representation of Distinguished Names. - Request for Comments 2253. - - [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public - Key Infrastructure, Certificate and CRL Profile, January 1999. - Request for Comments 2459. - - [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography - Specifications, October 1998. Request for Comments 2437. - - [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein. S/MIME - Version 2 Certificate Handling, March 1998. 
Request for - Comments 2312. - - [18] M. Wahl, T. Howes, S. Kille. Lightweight Directory Access - Protocol (v3), December 1997. Request for Comments 2251. - - [19] ITU-T (formerly CCITT) Information Processing Systems - Open - Systems Interconnection - Specification of Abstract Syntax Notation - One (ASN.1) Rec. X.680 ISO/IEC 8824-1 - -8. Acknowledgements - - Some of the ideas on which this proposal is based arose during - discussions over several years between members of the SAAG, the IETF - CAT working group, and the PSRG, regarding integration of Kerberos - and SPX. Some ideas have also been drawn from the DASS system. - These changes are by no means endorsed by these groups. This is an - attempt to revive some of the goals of those groups, and this - proposal approaches those goals primarily from the Kerberos - perspective. Lastly, comments from groups working on similar ideas - in DCE have been invaluable. - -9. Expiration Date - - This draft expires September 15, 2000. - -10. Authors - - Brian Tung - Clifford Neuman - USC Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey CA 90292-6695 - Phone: +1 310 822 1511 - E-mail: {brian, bcn}@isi.edu - - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road - Issaquah WA 98027-5378 - Phone: +1 425 391 6000 - E-mail: matt.hur@cybersafe.com - - Ari Medvinsky - Keen.com, Inc. - 150 Independence Drive - Menlo Park CA 94025 - Phone: +1 650 289 3134 - E-mail: ari@keen.com - - Sasha Medvinsky - Motorola - 6450 Sequence Drive - San Diego, CA 92121 - Phone +1 619 404 2825 - E-mail: smedvinsky@gi.com - - John Wray - Iris Associates, Inc. - 5 Technology Park Dr. - Westford, MA 01886 - E-mail: John_Wray@iris.com - - Jonathan Trostle - 170 W. Tasman Dr. - San Jose, CA 95134 - E-mail: jtrostle@cisco.com 
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
deleted file mode 100644
index b1e596836eb8..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
+++ /dev/null
@@ -1,1080 +0,0 @@ -INTERNET-DRAFT Brian Tung -draft-ietf-cat-kerberos-pk-init-12.txt Clifford Neuman -Updates: RFC 1510 USC/ISI -expires January 15, 2001 Matthew Hur - CyberSafe Corporation - Ari Medvinsky - Keen.com, Inc. - Sasha Medvinsky - Motorola - John Wray - Iris Associates, Inc. - Jonathan Trostle - Cisco - - Public Key Cryptography for Initial Authentication in Kerberos - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC 2026. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), - its areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - To learn the current status of any Internet-Draft, please check - the "1id-abstracts.txt" listing contained in the Internet-Drafts - Shadow Directories on ftp.ietf.org (US East Coast), - nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or - munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is filed as - draft-ietf-cat-kerberos-pk-init-11.txt, and expires January 15, - 2001. Please send comments to the authors. - -1. Abstract - - This document defines extensions (PKINIT) to the Kerberos protocol - specification (RFC 1510 [1]) to provide a method for using public - key cryptography during initial authentication. 
The methods - defined specify the ways in which preauthentication data fields and - error data fields in Kerberos messages are to be used to transport - public key data. - -2. Introduction - - The popularity of public key cryptography has produced a desire for - its support in Kerberos [2]. The advantages provided by public key - cryptography include simplified key management (from the Kerberos - perspective) and the ability to leverage existing and developing - public key certification infrastructures. - - Public key cryptography can be integrated into Kerberos in a number - of ways. One is to associate a key pair with each realm, which can - then be used to facilitate cross-realm authentication; this is the - topic of another draft proposal. Another way is to allow users with - public key certificates to use them in initial authentication. This - is the concern of the current document. - - PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in - combination with digital signature keys as the primary, required - mechanism. It also allows for the use of RSA keys and/or (static) - Diffie-Hellman certificates. Note in particular that PKINIT supports - the use of separate signature and encryption keys. - - PKINIT enables access to Kerberos-secured services based on initial - authentication utilizing public key cryptography. PKINIT utilizes - standard public key signature and encryption data formats within the - standard Kerberos messages. The basic mechanism is as follows: The - user sends an AS-REQ message to the KDC as before, except that if that - user is to use public key cryptography in the initial authentication - step, his certificate and a signature accompany the initial request - in the preauthentication fields. 
Upon receipt of this request, the - KDC verifies the certificate and issues a ticket granting ticket - (TGT) as before, except that the encPart from the AS-REP message - carrying the TGT is now encrypted utilizing either a Diffie-Hellman - derived key or the user's public key. This message is authenticated - utilizing the public key signature of the KDC. - - Note that PKINIT does not require the use of certificates. A KDC - may store the public key of a principal as part of that principal's - record. In this scenario, the KDC is the trusted party that vouches - for the principal (as in a standard, non-cross realm, Kerberos - environment). Thus, for any principal, the KDC may maintain a - secret key, a public key, or both. - - The PKINIT specification may also be used as a building block for - other specifications. PKCROSS [3] utilizes PKINIT for establishing - the inter-realm key and associated inter-realm policy to be applied - in issuing cross realm service tickets. As specified in [4], - anonymous Kerberos tickets can be issued by applying a NULL - signature in combination with Diffie-Hellman in the PKINIT exchange. - Additionally, the PKINIT specification may be used for direct peer - to peer authentication without contacting a central KDC. This - application of PKINIT is described in PKTAPP [5] and is based on - concepts introduced in [6, 7]. For direct client-to-server - authentication, the client uses PKINIT to authenticate to the end - server (instead of a central KDC), which then issues a ticket for - itself. This approach has an advantage over TLS [8] in that the - server does not need to save state (cache session keys). - Furthermore, an additional benefit is that Kerberos tickets can - facilitate delegation (see [9]). - -3. Proposed Extensions - - This section describes extensions to RFC 1510 for supporting the - use of public key cryptography in the initial request for a ticket - granting ticket (TGT). 
- - In summary, the following change to RFC 1510 is proposed: - - * Users may authenticate using either a public key pair or a - conventional (symmetric) key. If public key cryptography is - used, public key data is transported in preauthentication - data fields to help establish identity. The user presents - a public key certificate and obtains an ordinary TGT that may - be used for subsequent authentication, with such - authentication using only conventional cryptography. - - Section 3.1 provides definitions to help specify message formats. - Section 3.2 describes the extensions for the initial authentication - method. - -3.1. Definitions - - The extensions involve new preauthentication fields; we introduce - the following preauthentication types: - - PA-PK-AS-REQ 14 - PA-PK-AS-REP 15 - - The extensions also involve new error types; we introduce the - following types: - - KDC_ERR_CLIENT_NOT_TRUSTED 62 - KDC_ERR_KDC_NOT_TRUSTED 63 - KDC_ERR_INVALID_SIG 64 - KDC_ERR_KEY_TOO_WEAK 65 - KDC_ERR_CERTIFICATE_MISMATCH 66 - KDC_ERR_CANT_VERIFY_CERTIFICATE 70 - KDC_ERR_INVALID_CERTIFICATE 71 - KDC_ERR_REVOKED_CERTIFICATE 72 - KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 - KDC_ERR_CLIENT_NAME_MISMATCH 75 - KDC_ERR_KDC_NAME_MISMATCH 76 - - We utilize the following typed data for errors: - - TD-PKINIT-CMS-CERTIFICATES 101 - TD-KRB-PRINCIPAL 102 - TD-KRB-REALM 103 - TD-TRUSTED-CERTIFIERS 104 - TD-CERTIFICATE-INDEX 105 - - We utilize the following encryption types (which map directly to - OIDs): - - dsaWithSHA1-CmsOID 9 - md5WithRSAEncryption-CmsOID 10 - sha1WithRSAEncryption-CmsOID 11 - rc2CBC-EnvOID 12 - rsaEncryption-EnvOID (PKCS#1 v1.5) 13 - rsaES-OAEP-ENV-OID (PKCS#1 v2.0) 14 - des-ede3-cbc-Env-OID 15 - - These mappings are provided so that a client may send the - appropriate enctypes in the AS-REQ message in order to indicate - support for the corresponding OIDs (for performing PKINIT). 
- - In many cases, PKINIT requires the encoding of the X.500 name of a - certificate authority as a Realm. When such a name appears as - a realm it will be represented using the "other" form of the realm - name as specified in the naming constraints section of RFC1510. - For a realm derived from an X.500 name, NAMETYPE will have the value - X500-RFC2253. The full realm name will appear as follows: - - + ":" + - - where nametype is "X500-RFC2253" and string is the result of doing - an RFC2253 encoding of the distinguished name, i.e. - - "X500-RFC2253:" + RFC2253Encode(DistinguishedName) - - where DistinguishedName is an X.500 name, and RFC2253Encode is a - function returing a readable UTF encoding of an X.500 name, as - defined by RFC 2253 [14] (part of LDAPv3 [18]). - - To ensure that this encoding is unique, we add the following rule - to those specified by RFC 2253: - - The order in which the attributes appear in the RFC 2253 - encoding must be the reverse of the order in the ASN.1 - encoding of the X.500 name that appears in the public key - certificate. The order of the relative distinguished names - (RDNs), as well as the order of the AttributeTypeAndValues - within each RDN, will be reversed. (This is despite the fact - that an RDN is defined as a SET of AttributeTypeAndValues, where - an order is normally not important.) - - Similarly, in cases where the KDC does not provide a specific - policy based mapping from the X.500 name or X.509 Version 3 - SubjectAltName extension in the user's certificate to a Kerberos - principal name, PKINIT requires the direct encoding of the X.500 - name as a PrincipalName. In this case, the name-type of the - principal name shall be set to KRB_NT-X500-PRINCIPAL. This new - name type is defined in RFC 1510 as: - - KRB_NT_X500_PRINCIPAL 6 - - The name-string shall be set as follows: - - RFC2253Encode(DistinguishedName) - - as described above. 
When this name type is used, the principal's - realm shall be set to the certificate authority's distinguished - name using the X500-RFC2253 realm name format described earlier in - this section - - RFC 1510 specifies the ASN.1 structure for PrincipalName as follows: - - PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString - } - - For the purposes of encoding an X.500 name as a Kerberos name for - use in Kerberos structures, the name-string shall be encoded as a - single GeneralString. The name-type should be KRB_NT_X500_PRINCIPAL, - as noted above. All Kerberos names must conform to validity - requirements as given in RFC 1510. Note that name mapping may be - required or optional, based on policy. - - We also define the following similar ASN.1 structure: - - CertPrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF UTF8String - } - - When a Kerberos PrincipalName is to be placed within an X.509 data - structure, the CertPrincipalName structure is to be used, with the - name-string encoded as a single UTF8String. The name-type should be - as identified in the original PrincipalName structure. The mapping - between the GeneralString and UTF8String formats can be found in - [19]. - - The following rules relate to the the matching of PrincipalNames (or - corresponding CertPrincipalNames) with regard to the PKI name - constraints for CAs as laid out in RFC 2459 [15]. In order to be - regarded as a match (for permitted and excluded name trees), the - following must be satisfied. - - 1. If the constraint is given as a user plus realm name, or - as a user plus instance plus realm name (as specified in - RFC 1510), the realm name must be valid (see 2.a-d below) - and the match must be exact, byte for byte. - - 2. If the constraint is given only as a realm name, matching - depends on the type of the realm: - - a. 
If the realm contains a colon (':') before any equal - sign ('='), it is treated as a realm of type Other, - and must match exactly, byte for byte. - - b. Otherwise, if the realm contains an equal sign, it - is treated as an X.500 name. In order to match, every - component in the constraint MUST be in the principal - name, and have the same value. For example, 'C=US' - matches 'C=US/O=ISI' but not 'C=UK'. - - c. Otherwise, if the realm name conforms to rules regarding - the format of DNS names, it is considered a realm name of - type Domain. The constraint may be given as a realm - name 'FOO.BAR', which matches any PrincipalName within - the realm 'FOO.BAR' but not those in subrealms such as - 'CAR.FOO.BAR'. A constraint of the form '.FOO.BAR' - matches PrincipalNames in subrealms of the form - 'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself. - - d. Otherwise, the realm name is invalid and does not match - under any conditions. - -3.1.1. Encryption and Key Formats - - In the exposition below, we use the terms public key and private - key generically. It should be understood that the term "public - key" may be used to refer to either a public encryption key or a - signature verification key, and that the term "private key" may be - used to refer to either a private decryption key or a signature - generation key. The fact that these are logically distinct does - not preclude the assignment of bitwise identical keys for RSA - keys. - - In the case of Diffie-Hellman, the key shall be produced from the - agreed bit string as follows: - - * Truncate the bit string to the appropriate length. - * Rectify parity in each byte (if necessary) to obtain the key. - - For instance, in the case of a DES key, we take the first eight - bytes of the bit stream, and then adjust the least significant bit - of each byte to ensure that each byte has odd parity. - -3.1.2. Algorithm Identifiers - - PKINIT does not define, but does permit, the algorithm identifiers - listed below. 
- -3.1.2.1. Signature Algorithm Identifiers - - The following signature algorithm identifiers specified in [11] and - in [15] shall be used with PKINIT: - - id-dsa-with-sha1 (DSA with SHA1) - md5WithRSAEncryption (RSA with MD5) - sha-1WithRSAEncryption (RSA with SHA1) - -3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier - - The following algorithm identifier shall be used within the - SubjectPublicKeyInfo data structure: dhpublicnumber - - This identifier and the associated algorithm parameters are - specified in RFC 2459 [15]. - -3.1.2.3. Algorithm Identifiers for RSA Encryption - - These algorithm identifiers are used inside the EnvelopedData data - structure, for encrypting the temporary key with a public key: - - rsaEncryption (RSA encryption, PKCS#1 v1.5) - id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0) - - Both of the above RSA encryption schemes are specified in [16]. - Currently, only PKCS#1 v1.5 is specified by CMS [11], although the - CMS specification says that it will likely include PKCS#1 v2.0 in - the future. (PKCS#1 v2.0 addresses adaptive chosen ciphertext - vulnerability discovered in PKCS#1 v1.5.) - -3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys - - These algorithm identifiers are used inside the EnvelopedData data - structure in the PKINIT Reply, for encrypting the reply key with the - temporary key: - des-ede3-cbc (3-key 3-DES, CBC mode) - rc2-cbc (RC2, CBC mode) - - The full definition of the above algorithm identifiers and their - corresponding parameters (an IV for block chaining) is provided in - the CMS specification [11]. - -3.2. Public Key Authentication - - Implementation of the changes in this section is REQUIRED for - compliance with PKINIT. - -3.2.1. Client Request - - Public keys may be signed by some certification authority (CA), or - they may be maintained by the KDC in which case the KDC is the - trusted authority. Note that the latter mode does not require the - use of certificates. 
- - The initial authentication request is sent as per RFC 1510, except - that a preauthentication field containing data signed by the user's - private key accompanies the request: - - PA-PK-AS-REQ ::= SEQUENCE { - -- PA TYPE 14 - signedAuthPack [0] SignedData - -- Defined in CMS [11]; - -- AuthPack (below) defines the - -- data that is signed. - trustedCertifiers [1] SEQUENCE OF TrustedCas OPTIONAL, - -- This is a list of CAs that the - -- client trusts and that certify - -- KDCs. - kdcCert [2] IssuerAndSerialNumber OPTIONAL - -- As defined in CMS [11]; - -- specifies a particular KDC - -- certificate if the client - -- already has it. - encryptionCert [3] IssuerAndSerialNumber OPTIONAL - -- For example, this may be the - -- client's Diffie-Hellman - -- certificate, or it may be the - -- client's RSA encryption - -- certificate. - } - - TrustedCas ::= CHOICE { - principalName [0] KerberosName, - -- as defined below - caName [1] Name - -- fully qualified X.500 name - -- as defined by X.509 - issuerAndSerial [2] IssuerAndSerialNumber - -- Since a CA may have a number of - -- certificates, only one of which - -- a client trusts - } - - Usage of SignedData: - - The SignedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. The following describes how to fill in the fields of - this data: - - 1. The encapContentInfo field must contain the PKAuthenticator - and, optionally, the client's Diffie Hellman public value. - - a. The eContentType field shall contain the OID value for - pkauthdata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkauthdata (1) - - b. The eContent field is data of the type AuthPack (below). - - 2. The signerInfos field contains the signature of AuthPack. - - 3. The Certificates field, when non-empty, contains the client's - certificate chain. 
If present, the KDC uses the public key - from the client's certificate to verify the signature in the - request. Note that the client may pass different certificate - chains that are used for signing or for encrypting. Thus, - the KDC may utilize a different client certificate for - signature verification than the one it uses to encrypt the - reply to the client. For example, the client may place a - Diffie-Hellman certificate in this field in order to convey - its static Diffie Hellman certificate to the KDC to enable - static-ephemeral Diffie-Hellman mode for the reply; in this - case, the client does NOT place its public value in the - AuthPack (defined below). As another example, the client may - place an RSA encryption certificate in this field. However, - there must always be (at least) a signature certificate. - - AuthPack ::= SEQUENCE { - pkAuthenticator [0] PKAuthenticator, - clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL - -- if client is using Diffie-Hellman - -- (ephemeral-ephemeral only) - } - - PKAuthenticator ::= SEQUENCE { - cusec [0] INTEGER, - -- for replay prevention as in RFC1510 - ctime [1] KerberosTime, - -- for replay prevention as in RFC1510 - nonce [2] INTEGER, - pachecksum [3] Checksum - -- Checksum over KDC-REQ-BODY - -- Defined by Kerberos spec - } - - SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - -- dhKeyAgreement - subjectPublicKey BIT STRING - -- for DH, equals - -- public exponent (INTEGER encoded - -- as payload of BIT STRING) - } -- as specified by the X.509 recommendation [10] - - AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - -- for dhKeyAgreement, this is - -- { iso (1) member-body (2) US (840) - -- rsadsi (113459) pkcs (1) 3 1 } - -- from PKCS #3 [20] - parameters ANY DEFINED by algorithm OPTIONAL - -- for dhKeyAgreement, this is - -- DHParameter - } -- as specified by the X.509 recommendation [10] - - DHParameter ::= SEQUENCE { - prime INTEGER, - -- p - base INTEGER, - -- g - 
privateValueLength INTEGER OPTIONAL - -- l - } -- as defined in PKCS #3 [20] - - If the client passes an issuer and serial number in the request, - the KDC is requested to use the referred-to certificate. If none - exists, then the KDC returns an error of type - KDC_ERR_CERTIFICATE_MISMATCH. It also returns this error if, on the - other hand, the client does not pass any trustedCertifiers, - believing that it has the KDC's certificate, but the KDC has more - than one certificate. The KDC should include information in the - KRB-ERROR message that indicates the KDC certificate(s) that a - client may utilize. This data is specified in the e-data, which - is defined in RFC 1510 revisions as a SEQUENCE of TypedData: - - TypedData ::= SEQUENCE { - data-type [0] INTEGER, - data-value [1] OCTET STRING, - } -- per Kerberos RFC 1510 revisions - - where: - data-type = TD-PKINIT-CMS-CERTIFICATES = 101 - data-value = CertificateSet // as specified by CMS [11] - - The PKAuthenticator carries information to foil replay attacks, to - bind the pre-authentication data to the KDC-REQ-BODY, and to bind the - request and response. The PKAuthenticator is signed with the client's - signature key. - -3.2.2. KDC Response - - Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication - type, the KDC attempts to verify the user's certificate chain - (userCert), if one is provided in the request. This is done by - verifying the certification path against the KDC's policy of - legitimate certifiers. This may be based on a certification - hierarchy, or it may be simply a list of recognized certifiers in a - system like PGP. - - If the client's certificate chain contains no certificate signed by - a CA trusted by the KDC, then the KDC sends back an error message - of type KDC_ERR_CANT_VERIFY_CERTIFICATE. 
The accompanying e-data - is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104) - whose data-value is an OCTET STRING which is the DER encoding of - - TrustedCertifiers ::= SEQUENCE OF PrincipalName - -- X.500 name encoded as a principal name - -- see Section 3.1 - - If while verifying a certificate chain the KDC determines that the - signature on one of the certificates in the CertificateSet from - the signedAuthPack fails verification, then the KDC returns an - error of type KDC_ERR_INVALID_CERTIFICATE. The accompanying - e-data is a SEQUENCE of one TypedData (with type - TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING - which is the DER encoding of the index into the CertificateSet - ordered as sent by the client. - - CertificateIndex ::= INTEGER - -- 0 = 1st certificate, - -- (in order of encoding) - -- 1 = 2nd certificate, etc - - The KDC may also check whether any of the certificates in the - client's chain has been revoked. If one of the certificates has - been revoked, then the KDC returns an error of type - KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that - the certificate's revocation status is unknown or not - available, then if required by policy, the KDC returns the - appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or - KDC_ERR_REVOCATION_STATUS_UNAVAILABLE. In any of these three - cases, the affected certificate is identified by the accompanying - e-data, which contains a CertificateIndex as described for - KDC_ERR_INVALID_CERTIFICATE. - - If the certificate chain can be verified, but the name of the - client in the certificate does not match the client's name in the - request, then the KDC returns an error of type - KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data - field in this case. 
- - Finally, if the certificate chain is verified, but the KDC's name - or realm as given in the PKAuthenticator does not match the KDC's - actual principal name, then the KDC returns an error of type - KDC_ERR_KDC_NAME_MISMATCH. The accompanying e-data field is again - a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or - TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET - STRING whose data-value is the DER encoding of a PrincipalName or - Realm as defined in RFC 1510 revisions. - - Even if all succeeds, the KDC may--for policy reasons--decide not - to trust the client. In this case, the KDC returns an error message - of type KDC_ERR_CLIENT_NOT_TRUSTED. One specific case of this is - the presence or absence of an Enhanced Key Usage (EKU) OID within - the certificate extensions. The rules regarding acceptability of - an EKU sequence (or the absence of any sequence) are a matter of - local policy. For the benefit of implementers, we define a PKINIT - EKU OID as the following: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkekuoid (2). - - If a trust relationship exists, the KDC then verifies the client's - signature on AuthPack. If that fails, the KDC returns an error - message of type KDC_ERR_INVALID_SIG. Otherwise, the KDC uses the - timestamp (ctime and cusec) in the PKAuthenticator to assure that - the request is not a replay. The KDC also verifies that its name - is specified in the PKAuthenticator. - - If the clientPublicValue field is filled in, indicating that the - client wishes to use Diffie-Hellman key agreement, then the KDC - checks to see that the parameters satisfy its policy. If they do - not (e.g., the prime size is insufficient for the expected - encryption type), then the KDC sends back an error message of type - KDC_ERR_KEY_TOO_WEAK. Otherwise, it generates its own public and - private values for the response. 
- - The KDC also checks that the timestamp in the PKAuthenticator is - within the allowable window and that the principal name and realm - are correct. If the local (server) time and the client time in the - authenticator differ by more than the allowable clock skew, then the - KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510. - - Assuming no errors, the KDC replies as per RFC 1510, except as - follows. The user's name in the ticket is determined by the - following decision algorithm: - - 1. If the KDC has a mapping from the name in the certificate - to a Kerberos name, then use that name. - Else - 2. If the certificate contains the SubjectAltName extention - and the local KDC policy defines a mapping from the - SubjectAltName to a Kerberos name, then use that name. - Else - 3. Use the name as represented in the certificate, mapping - mapping as necessary (e.g., as per RFC 2253 for X.500 - names). In this case the realm in the ticket shall be the - name of the certifier that issued the user's certificate. - - Note that a principal name may be carried in the subject alt name - field of a certificate. This name may be mapped to a principal - record in a security database based on local policy, for example - the subject alt name may be kerberos/principal@realm format. In - this case the realm name is not that of the CA but that of the - local realm doing the mapping (or some realm name chosen by that - realm). - - If a non-KDC X.509 certificate contains the principal name within - the subjectAltName version 3 extension , that name may utilize - KerberosName as defined below, or, in the case of an S/MIME - certificate [17], may utilize the email address. If the KDC - is presented with an S/MIME certificate, then the email address - within subjectAltName will be interpreted as a principal and realm - separated by the "@" sign, or as a name that needs to be - canonicalized. 
If the resulting name does not correspond to a - registered principal name, then the principal name is formed as - defined in section 3.1. - - The trustedCertifiers field contains a list of certification - authorities trusted by the client, in the case that the client does - not possess the KDC's public key certificate. If the KDC has no - certificate signed by any of the trustedCertifiers, then it returns - an error of type KDC_ERR_KDC_NOT_TRUSTED. - - KDCs should try to (in order of preference): - 1. Use the KDC certificate identified by the serialNumber included - in the client's request. - 2. Use a certificate issued to the KDC by the client's CA (if in the - middle of a CA key roll-over, use the KDC cert issued under same - CA key as user cert used to verify request). - 3. Use a certificate issued to the KDC by one of the client's - trustedCertifier(s); - If the KDC is unable to comply with any of these options, then the - KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the - client. - - The KDC encrypts the reply not with the user's long-term key, but - with the Diffie Hellman derived key or a random key generated - for this particular response which is carried in the padata field of - the TGS-REP message. - - PA-PK-AS-REP ::= CHOICE { - -- PA TYPE 15 - dhSignedData [0] SignedData, - -- Defined in CMS and used only with - -- Diffie-Hellman key exchange (if the - -- client public value was present in the - -- request). - -- This choice MUST be supported - -- by compliant implementations. - encKeyPack [1] EnvelopedData, - -- Defined in CMS - -- The temporary key is encrypted - -- using the client public key - -- key - -- SignedReplyKeyPack, encrypted - -- with the temporary key, is also - -- included. - } - - Usage of SignedData: - - When the Diffie-Hellman option is used, dhSignedData in - PA-PK-AS-REP provides authenticated Diffie-Hellman parameters - of the KDC. 
The reply key used to encrypt part of the KDC reply - message is derived from the Diffie-Hellman exchange: - - 1. Both the KDC and the client calculate a secret value - (g^ab mod p), where a is the client's private exponent and - b is the KDC's private exponent. - - 2. Both the KDC and the client take the first N bits of this - secret value and convert it into a reply key. N depends on - the reply key type. - - 3. If the reply key is DES, N=64 bits, where some of the bits - are replaced with parity bits, according to FIPS PUB 74. - - 4. If the reply key is (3-key) 3-DES, N=192 bits, where some - of the bits are replaced with parity bits, according to - FIPS PUB 74. - - 5. The encapContentInfo field must contain the KdcDHKeyInfo as - defined below. - - a. The eContentType field shall contain the OID value for - pkdhkeydata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkdhkeydata (2) - - b. The eContent field is data of the type KdcDHKeyInfo - (below). - - 6. The certificates field must contain the certificates - necessary for the client to establish trust in the KDC's - certificate based on the list of trusted certifiers sent by - the client in the PA-PK-AS-REQ. This field may be empty if - the client did not send to the KDC a list of trusted - certifiers (the trustedCertifiers field was empty, meaning - that the client already possesses the KDC's certificate). - - 7. The signerInfos field is a SET that must contain at least - one member, since it contains the actual signature. - - KdcDHKeyInfo ::= SEQUENCE { - -- used only when utilizing Diffie-Hellman - nonce [0] INTEGER, - -- binds responce to the request - subjectPublicKey [2] BIT STRING - -- Equals public exponent (g^a mod p) - -- INTEGER encoded as payload of - -- BIT STRING - } - - Usage of EnvelopedData: - - The EnvelopedData data type is specified in the Cryptographic - Message Syntax, a product of the S/MIME working group of the - IETF. 
It contains a temporary key encrypted with the PKINIT - client's public key. It also contains a signed and encrypted - reply key. - - 1. The originatorInfo field is not required, since that - information may be presented in the signedData structure - that is encrypted within the encryptedContentInfo field. - - 2. The optional unprotectedAttrs field is not required for - PKINIT. - - 3. The recipientInfos field is a SET which must contain exactly - one member of the KeyTransRecipientInfo type for encryption - with an RSA public key. - - a. The encryptedKey field (in KeyTransRecipientInfo) - contains the temporary key which is encrypted with the - PKINIT client's public key. - - 4. The encryptedContentInfo field contains the signed and - encrypted reply key. - - a. The contentType field shall contain the OID value for - id-signedData: iso (1) member-body (2) us (840) - rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2) - - b. The encryptedContent field is encrypted data of the CMS - type signedData as specified below. - - i. The encapContentInfo field must contains the - ReplyKeyPack. - - * The eContentType field shall contain the OID value - for pkrkeydata: iso (1) org (3) dod (6) internet (1) - security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3) - - * The eContent field is data of the type ReplyKeyPack - (below). - - ii. The certificates field must contain the certificates - necessary for the client to establish trust in the - KDC's certificate based on the list of trusted - certifiers sent by the client in the PA-PK-AS-REQ. - This field may be empty if the client did not send - to the KDC a list of trusted certifiers (the - trustedCertifiers field was empty, meaning that the - client already possesses the KDC's certificate). - - iii. The signerInfos field is a SET that must contain at - least one member, since it contains the actual - signature. 
- - ReplyKeyPack ::= SEQUENCE { - -- not used for Diffie-Hellman - replyKey [0] EncryptionKey, - -- used to encrypt main reply - -- ENCTYPE is at least as strong as - -- ENCTYPE of session key - nonce [1] INTEGER, - -- binds response to the request - -- must be same as the nonce - -- passed in the PKAuthenticator - } - - Since each certifier in the certification path of a user's - certificate is equivalent to a separate Kerberos realm, the name - of each certifier in the certificate chain must be added to the - transited field of the ticket. The format of these realm names is - defined in Section 3.1 of this document. If applicable, the - transit-policy-checked flag should be set in the issued ticket. - - The KDC's certificate(s) must bind the public key(s) of the KDC to - a name derivable from the name of the realm for that KDC. X.509 - certificates shall contain the principal name of the KDC - (defined in section 8.2 of RFC 1510) as the SubjectAltName version - 3 extension. Below is the definition of this version 3 extension, - as specified by the X.509 standard: - - subjectAltName EXTENSION ::= { - SYNTAX GeneralNames - IDENTIFIED BY id-ce-subjectAltName - } - - GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName - - GeneralName ::= CHOICE { - otherName [0] OtherName, - ... 
- } - - OtherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value [0] EXPLICIT ANY DEFINED BY type-id - } - - For the purpose of specifying a Kerberos principal name, the value - in OtherName shall be a KerberosName as defined in RFC 1510, but with - the PrincipalName replaced by CertPrincipalName as mentioned in - Section 3.1: - - KerberosName ::= SEQUENCE { - realm [0] Realm, - principalName [1] CertPrincipalName -- defined above - } - - This specific syntax is identified within subjectAltName by setting - the type-id in OtherName to krb5PrincipalName, where (from the - Kerberos specification) we have - - krb5 OBJECT IDENTIFIER ::= { iso (1) - org (3) - dod (6) - internet (1) - security (5) - kerberosv5 (2) } - - krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } - - (This specification may also be used to specify a Kerberos name - within the user's certificate.) The KDC's certificate may be signed - directly by a CA, or there may be intermediaries if the server resides - within a large organization, or it may be unsigned if the client - indicates possession (and trust) of the KDC's certificate. - - The client then extracts the random key used to encrypt the main - reply. This random key (in encPaReply) is encrypted with either the - client's public key or with a key derived from the DH values - exchanged between the client and the KDC. The client uses this - random key to decrypt the main reply, and subsequently proceeds as - described in RFC 1510. - -3.2.3. Required Algorithms - - Not all of the algorithms in the PKINIT protocol specification have - to be implemented in order to comply with the proposed standard. 
- Below is a list of the required algorithms: - - * Diffie-Hellman public/private key pairs - * utilizing Diffie-Hellman ephemeral-ephemeral mode - * SHA1 digest and DSA for signatures - * SHA1 digest also for the Checksum in the PKAuthenticator - * 3-key triple DES keys derived from the Diffie-Hellman Exchange - * 3-key triple DES Temporary and Reply keys - -4. Logistics and Policy - - This section describes a way to define the policy on the use of - PKINIT for each principal and request. - - The KDC is not required to contain a database record for users - who use public key authentication. However, if these users are - registered with the KDC, it is recommended that the database record - for these users be modified to an additional flag in the attributes - field to indicate that the user should authenticate using PKINIT. - If this flag is set and a request message does not contain the - PKINIT preauthentication field, then the KDC sends back as error of - type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication - field of type PA-PK-AS-REQ must be included in the request. - -5. Security Considerations - - PKINIT raises a few security considerations, which we will address - in this section. - - First of all, PKINIT introduces a new trust model, where KDCs do not - (necessarily) certify the identity of those for whom they issue - tickets. PKINIT does allow KDCs to act as their own CAs, in the - limited capacity of self-signing their certificates, but one of the - additional benefits is to align Kerberos authentication with a global - public key infrastructure. Anyone using PKINIT in this way must be - aware of how the certification infrastructure they are linking to - works. - - Secondly, PKINIT also introduces the possibility of interactions - between different cryptosystems, which may be of widely varying - strengths. Many systems, for instance, allow the use of 512-bit - public keys. 
Using such keys to wrap data encrypted under strong - conventional cryptosystems, such as triple-DES, is inappropriate; - it adds a weak link to a strong one at extra cost. Implementors - and administrators should take care to avoid such wasteful and - deceptive interactions. - - Lastly, PKINIT calls for randomly generated keys for conventional - cryptosystems. Many such systems contain systematically "weak" - keys. PKINIT implementations MUST avoid use of these keys, either - by discarding those keys when they are generated, or by fixing them - in some way (e.g., by XORing them with a given mask). These - precautions vary from system to system; it is not our intention to - give an explicit recipe for them here. - -6. Transport Issues - - Certificate chains can potentially grow quite large and span several - UDP packets; this in turn increases the probability that a Kerberos - message involving PKINIT extensions will be broken in transit. In - light of the possibility that the Kerberos specification will - require KDCs to accept requests using TCP as a transport mechanism, - we make the same recommendation with respect to the PKINIT - extensions as well. - -7. Bibliography - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service - (V5). Request for Comments 1510. - - [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service - for Computer Networks, IEEE Communications, 32(9):33-38. September - 1994. - - [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld, - A. Medvinsky, M. Hur. Public Key Cryptography for Cross-Realm - Authentication in Kerberos. draft-ietf-cat-kerberos-pk-cross-04.txt - - [4] A. Medvinsky, J. Cargille, M. Hur. Anonymous Credentials in - Kerberos. draft-ietf-cat-kerberos-anoncred-00.txt - - [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman. - Public Key Utilizing Tickets for Application Servers (PKTAPP). - draft-ietf-cat-pktapp-02.txt - - [6] M. Sirbu, J. Chuang. 
Distributed Authentication in Kerberos - Using Public Key Cryptography. Symposium On Network and Distributed - System Security, 1997. - - [7] B. Cox, J.D. Tygar, M. Sirbu. NetBill Security and Transaction - Protocol. In Proceedings of the USENIX Workshop on Electronic - Commerce, July 1995. - - [8] T. Dierks, C. Allen. The TLS Protocol, Version 1.0 - Request for Comments 2246, January 1999. - - [9] B.C. Neuman, Proxy-Based Authorization and Accounting for - Distributed Systems. In Proceedings of the 13th International - Conference on Distributed Computing Systems, May 1993. - - [10] ITU-T (formerly CCITT) Information technology - Open Systems - Interconnection - The Directory: Authentication Framework - Recommendation X.509 ISO/IEC 9594-8 - - [11] R. Housley. Cryptographic Message Syntax. - draft-ietf-smime-cms-13.txt, April 1999, approved for publication - as RFC. - - [12] PKCS #7: Cryptographic Message Syntax Standard, - An RSA Laboratories Technical Note Version 1.5 - Revised November 1, 1993 - - [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data - Security, Inc. A Description of the RC2(r) Encryption Algorithm - March 1998. - Request for Comments 2268. - - [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access - Protocol (v3): UTF-8 String Representation of Distinguished Names. - Request for Comments 2253. - - [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public - Key Infrastructure, Certificate and CRL Profile, January 1999. - Request for Comments 2459. - - [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography - Specifications, October 1998. Request for Comments 2437. - - [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein. S/MIME - Version 2 Certificate Handling, March 1998. Request for - Comments 2312. - - [18] M. Wahl, T. Howes, S. Kille. Lightweight Directory Access - Protocol (v3), December 1997. Request for Comments 2251. 
- - [19] ITU-T (formerly CCITT) Information Processing Systems - Open - Systems Interconnection - Specification of Abstract Syntax Notation - One (ASN.1) Rec. X.680 ISO/IEC 8824-1 - - [20] PKCS #3: Diffie-Hellman Key-Agreement Standard, An RSA - Laboratories Technical Note, Version 1.4, Revised November 1, 1993. - -8. Acknowledgements - - Some of the ideas on which this proposal is based arose during - discussions over several years between members of the SAAG, the IETF - CAT working group, and the PSRG, regarding integration of Kerberos - and SPX. Some ideas have also been drawn from the DASS system. - These changes are by no means endorsed by these groups. This is an - attempt to revive some of the goals of those groups, and this - proposal approaches those goals primarily from the Kerberos - perspective. Lastly, comments from groups working on similar ideas - in DCE have been invaluable. - -9. Expiration Date - - This draft expires January 15, 2001. - -10. Authors - - Brian Tung - Clifford Neuman - USC Information Sciences Institute - 4676 Admiralty Way Suite 1001 - Marina del Rey CA 90292-6695 - Phone: +1 310 822 1511 - E-mail: {brian, bcn}@isi.edu - - Matthew Hur - CyberSafe Corporation - 1605 NW Sammamish Road - Issaquah WA 98027-5378 - Phone: +1 425 391 6000 - E-mail: matt.hur@cybersafe.com - - Ari Medvinsky - Keen.com, Inc. - 150 Independence Drive - Menlo Park CA 94025 - Phone: +1 650 289 3134 - E-mail: ari@keen.com - - Sasha Medvinsky - Motorola - 6450 Sequence Drive - San Diego, CA 92121 - +1 858 404 2367 - E-mail: smedvinsky@gi.com - - John Wray - Iris Associates, Inc. - 5 Technology Park Dr. - Westford, MA 01886 - E-mail: John_Wray@iris.com - - Jonathan Trostle - 170 W. Tasman Dr. - San Jose, CA 95134 - E-mail: jtrostle@cisco.com diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt deleted file mode 100644 index 6581dd5810a5..000000000000 
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt
+++ /dev/null
@@ -1,378 +0,0 @@ -INTERNET-DRAFT Ari Medvinsky -draft-ietf-cat-kerberos-pk-tapp-03.txt Keen.com, Inc. -Expires January 14, 2001 Matthew Hur -Informational CyberSafe Corporation - Sasha Medvinsky - Motorola - Clifford Neuman - USC/ISI - -Public Key Utilizing Tickets for Application Servers (PKTAPP) - - -0. Status Of this Memo - -This document is an Internet-Draft and is in full conformance with -all provisions of Section 10 of RFC 2026. Internet-Drafts are -working documents of the Internet Engineering Task Force (IETF), -its areas, and its working groups. Note that other groups may also -distribute working documents as Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six -months and may be updated, replaced, or obsoleted by other -documents at any time. It is inappropriate to use Internet-Drafts -as reference material or to cite them other than as "work in -progress." - -The list of current Internet-Drafts can be accessed at -http://www.ietf.org/ietf/1id-abstracts.txt - -The list of Internet-Draft Shadow Directories can be accessed at -http://www.ietf.org/shadow.html. - -To learn the current status of any Internet-Draft, please check -the "1id-abstracts.txt" listing contained in the Internet-Drafts -Shadow Directories on ftp.ietf.org (US East Coast), -nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or -munnari.oz.au (Pacific Rim). - -The distribution of this memo is unlimited. It is filed as -draft-ietf-cat-kerberos-pk-init-10.txt, and expires April 30, -2000. Please send comments to the authors. - -1. Abstract - -Public key based Kerberos for Distributed Authentication[1], (PKDA) -proposed by Sirbu & Chuang, describes PK based authentication that -eliminates the use of a centralized key distribution center while -retaining the advantages of Kerberos tickets. This draft describes how, -without any modification, the PKINIT specification[2] may be used to -implement the ideas introduced in PKDA. 
The benefit is that only a -single PK Kerberos extension is needed to address the goals of PKINIT & -PKDA. - - - -2. Introduction - -With the proliferation of public key cryptography, a number of public -key extensions to Kerberos have been proposed to provide -interoperability with the PK infrastructure and to improve the Kerberos -authentication system [4]. Among these are PKINIT[2] (under development -in the CAT working group) and more recently PKDA [1] proposed by Sirbu & -Chuang of CMU. One of the principal goals of PKINIT is to provide for -interoperability between a PK infrastructure and Kerberos. Using -PKINIT, a user can authenticate to the KDC via a public key certificate. -A ticket granting ticket (TGT), returned by the KDC, enables a PK user -to obtain tickets and authenticate to kerberized services. The PKDA -proposal goes a step further. It supports direct client to server -authentication, eliminating the need for an online key distribution -center. In this draft, we describe how, without any modification, the -PKINIT protocol may be applied to achieve the goals of PKDA. For direct -client to server authentication, the client will use PKINIT to -authenticate to the end server (instead of a central KDC), which then, -will issue a ticket for itself. The benefit of this proposal, is that a -single PK extension to Kerberos can addresses the goals of PKINIT and -PKDA. - - -3. PKDA background - -The PKDA proposal provides direct client to server authentication, thus -eliminating the need for an online key distribution center. A client -and server take part in an initial PK based authentication exchange, -with an added caveat that the server acts as a Kerberos ticket granting -service and issues a traditional Kerberos ticket for itself. In -subsequent communication, the client makes use of the Kerberos ticket, -thus eliminating the need for public key operations on the server. 
This -approach has an advantage over SSL in that the server does not need to -save state (cache session keys). Furthermore, an additional benefit, is -that Kerberos tickets can facilitate delegation (see Neuman[3]). - -Below is a brief overview of the PKDA protocol. For a more detailed -description see [1]. - -SCERT_REQ: Client to Server -The client requests a certificate from the server. If the serverÆs -certificate is cached locally, SCERT_REQ and SCERT_REP are omitted. - -SCERT_REP: Server to Client -The server returns its certificate to the client. - -PKTGS_REQ: Client to Server -The client sends a request for a service ticket to the server. To -authenticate the request, the client signs, among other fields, a time -stamp and a newly generated symmetric key . The time stamp is used to -foil replay attacks; the symmetric key is used by the server to secure -the PKTGS_REP message. -The client provides a certificate in the request (the certificate -enables the server to verify the validity of the clientÆs signature) and -seals it along with the signed information using the serverÆs public -key. - - -PKTGS_REP: Server to Client -The server returns a service ticket (which it issued for itself) along -with the session key for the ticket. The session key is protected by -the client-generated key from the PKTGS_REQ message. - -AP_REQ: Client to Server -After the above exchange, the client can proceed in a normal fashion, -using the conventional Kerberos ticket in an AP_REQ message. - - -4. PKINIT background - -One of the principal goals of PKINIT is to provide for interoperability -between a public key infrastructure and Kerberos. Using a public key -certificate, a client can authenticate to the KDC and receive a TGT -which enables the client to obtain service tickets to kerberized -services.. In PKINIT, the AS-REQ and AS-REP messages remain the same; -new preauthentication data types are used to conduct the PK exchange. 
-Client and server certificates are exchanged via the preauthentication -data. Thus, the exchange of certificates , PK authentication, and -delivery of a TGT can occur in two messages. - -Below is a brief overview of the PKINIT protocol. For a more detailed -description see [2]. - -PreAuthentication data of AS-REQ: Client to Server -The client sends a list of trusted certifiers, a signed PK -authenticator, and its certificate. The PK authenticator, based on the -Kerberos authenticator, contains the name of the KDC, a timestamp, and a -nonce. - -PreAuthentication data of AS-REP: Server to Client -The server responds with its certificate and the key used for decrypting -the encrypted part of the AS-REQ. This key is encrypted with the -clientÆs public key. - -AP_REQ: Client to Server -After the above exchange, the client can proceed in a normal fashion, -using the conventional Kerberos ticket in an AP_REQ message. - - -5. Application of PKINIT to achieve equivalence to PKDA - -While PKINIT is normally used to retrieve a ticket granting ticket -(TGT), it may also be used to request an end service ticket. When used -in this fashion, PKINIT is functionally equivalent to PKDA. We -introduce the concept of a local ticket granting server (LTGS) to -illustrate how PKINIT may be used for issuing end service tickets based -on public key authentication. It is important to note that the LTGS may -be built into an application server, or it may be a stand-alone server -used for issuing tickets within a well-defined realm, such as a single -machine. We will discuss both of these options. - - -5.1. The LTGS - -The LTGS processes the Kerberos AS-REQ and AS-REP messages with PKINIT -preauthentication data. When a client submits an AS-REQ to the LTGS, it -specifies an application server, in order to receive an end service -ticket instead of a TGT. - - -5.1.1. 
The LTGS as a standalone server - -The LTGS may run as a separate process that serves applications which -reside on the same machine. This serves to consolidate administrative -functions and provide an easier migration path for a heterogeneous -environment consisting of both public key and Kerberos. The LTGS would -use one well-known port (port #88 - same as the KDC) for all message -traffic and would share a symmetric with each service. After the client -receives a service ticket, it then contacts the application server -directly. This approach is similar to the one suggested by Sirbu , et -al [1]. - -5.1.1.1. Ticket Policy for PKTAPP Clients - -It is desirable for the LTGS to have access to a PKTAPP client ticket -policy. This policy will contain information for each client, such as -the maximum lifetime of a ticket, whether or not a ticket can be -forwardable, etc. PKTAPP clients, however, use the PKINIT protocol for -authentication and are not required to be registered as Kerberos -principals. - -As one possible solution, each public key Certification Authority could -be registered in a secure database, along with the ticket policy -information for all PKTAPP clients that are certified by this -Certification Authority. - -5.1.1.2. LTGS as a Kerberos Principal - -Since the LTGS serves only PKTAPP clients and returns only end service -tickets for other services, it does not require a Kerberos service key -or a Kerberos principal identity. It is therefore not necessary for the -LTGS to even be registered as a Kerberos principal. - -The LTGS still requires public key credentials for the PKINIT exchange, -and it may be desired to have some global restrictions on the Kerberos -tickets that it can issue. It is recommended (but not required) that -this information be associated with a Kerberos principal entry for the -LTGS. - - -5.1.1.3. 
Kerberos Principal Database - -Since the LTGS issues tickets for Kerberos services, it will require -access to a Kerberos principal database containing entries for at least -the end services. Each entry must contain a service key and may also -contain restrictions on the service tickets that are issued to clients. -It is recommended that (for ease of administration) this principal -database be centrally administered and distributed (replicated) to all -hosts where an LTGS may be running. - -In the case that there are other clients that do not support PKINIT -protocol, but still need access to the same Kerberos services, this -principal database will also require entries for Kerberos clients and -for the TGS entries. - -5.1.2. The LTGS as part of an application server - -The LTGS may be combined with an application server. This accomplishes -direct client to application server authentication; however, it requires -that applications be modified to process AS-REQ and AS-REP messages. -The LTGS would communicate over the port assigned to the application -server or over the well known Kerberos port for that particular -application. - -5.1.2.2. Ticket Policy for PKTAPP Clients - -Application servers normally do not have access to a distributed -principal database. Therefore, they will have to find another means of -keeping track of the ticket policy information for PKTAPP clients. It is -recommended that this ticket policy be kept in a directory service (such -as LDAP). - -It is critical, however, that both read and write access to this ticket -policy is restricted with strong authentication and encryption to only -the correct application server. An unauthorized party should not have -the authority to modify the ticket policy. Disclosing the ticket policy -to a 3rd party may aid an adversary in determining the best way to -compromise the network. - -It is just as critical for the application server to authenticate the -directory service. 
Otherwise an adversary could use a man-in-the-middle -attack to substitute a false ticket policy with a false directory -service. - -5.1.2.3. LTGS Credentials - -Each LTGS (combined with an application service) will require public key -credentials in order to use the PKINIT protocol. These credentials can -be stored in a single file that is both encrypted with a password- -derived symmetric key and also secured by an operating system. This -symmetric key may be stashed somewhere on the machine for convenience, -although such practice potentially weakens the overall system security -and is strongly discouraged. - -For added security, it is recommended that the LTGS private keys are -stored inside a temper-resistant hardware module that requires a pin -code for access. - - -5.1.2.4. Compatibility With Standard Kerberos - -Even though an application server is combined with the LTGS, for -backward compatibility it should still accept service tickets that have -been issued by the KDC. This will allow Kerberos clients that do not -support PKTAPP to authenticate to the same application server (with the -help of a KDC). - -5.1.3. Cross-Realm Authentication - -According to the PKINIT draft, the client's realm is the X.500 name of -the Certification Authority that issued the client certificate. A -Kerberos application service will be in a standard Kerberos realm, which -implies that the LTGS will need to issue cross-realm end service -tickets. This is the only case, where cross-realm end service tickets -are issued. In a standard Kerberos model, a client first acquires a -cross-realm TGT, and then gets an end service ticket from the KDC that -is in the same realm as the application service. - -6. Protocol differences between PKINIT and PKDA - -Both PKINIT and PKDA will accomplish the same goal of issuing end -service tickets, based on initial public key authentication. A PKINIT- -based implementation and a PKDA implementation would be functionally -equivalent. 
The primary differences are that 1)PKDA requires the client
-to create the symmetric key while PKINIT requires the server to create
-the key and 2)PKINIT accomplishes in two messages what PKDA accomplishes
-in four messages.
-
-7. Summary
-
-The PKINIT protocol can be used, without modification to facilitate
-client to server authentication without the use of a central KDC. The
-approach described in this draft (and originally proposed in PKDA[1])
-is essentially a public key authentication protocol that retains the
-advantages of Kerberos tickets.
-
-Given that PKINIT has progressed through the CAT working group of the
-IETF, with plans for non-commercial distribution (via MITÆs v5 Kerberos)
-as well as commercial support, it is worthwhile to provide PKDA
-functionality, under the PKINIT umbrella.
-
-8. Security Considerations
-
-PKTAPP is based on the PKINIT protocol and all security considerations
-already listed in [2] apply here.
-
-When the LTGS is implemented as part of each application server, the
-secure storage of its public key credentials and of its ticket policy
-are both a concern. The respective security considerations are already
-covered in sections 5.1.2.3 and 5.1.2.2 of this document.
-
-
-9. Bibliography
-
-[1] M. Sirbu, J. Chuang. Distributed Authentication in Kerberos Using
-Public Key Cryptography. Symposium On Network and Distributed System
-Security, 1997.
-
-[2] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray,
-J. Trostle. Public Key Cryptography for Initial Authentication in
-Kerberos. Internet Draft, October 1999.
-(ftp://ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-10.txt)
-
-[3] C. Neuman, Proxy-Based Authorization and Accounting for
-Distributed Systems. In Proceedings of the 13th International
-Conference on Distributed Computing Systems, May 1993.
-
-[4] J. Kohl, C. Neuman. The Kerberos Network Authentication Service
-(V5). Request for Comments 1510.
-
-10.
Expiration Date
-
-This draft expires April 24, 2000.
-
-11. Authors
-
-Ari Medvinsky
-Keen.com, Inc.
-150 Independence Dr.
-Menlo Park, CA 94025
-Phone +1 650 289 3134
-E-mail: ari@keen.com
-
-Matthew Hur
-CyberSafe Corporation
-1605 NW Sammamish Road
-Issaquah, WA 98027-5378
-Phone: +1 425 391 6000
-E-mail: matt.hur@cybersafe.com
-
-Alexander Medvinsky
-Motorola
-6450 Sequence Dr.
-San Diego, CA 92121
-Phone: +1 858 404 2367
-E-mail: smedvinsky@gi.com
-
-Clifford Neuman
-USC Information Sciences Institute
-4676 Admiralty Way Suite 1001
-Marina del Rey CA 90292-6695
-Phone: +1 310 822 1511
-E-mail: bcn@isi.edu
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
deleted file mode 100644
index 2284c3c6b57b..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
+++ /dev/null
@@ -1,8277 +0,0 @@ - -INTERNET-DRAFT Clifford Neuman - John Kohl - Theodore Ts'o - 11 July 1997 - - - - The Kerberos Network Authentication Service (V5) - - -STATUS OF THIS MEMO - - This document is an Internet-Draft. Internet-Drafts -are working documents of the Internet Engineering Task Force -(IETF), its areas, and its working groups. Note that other -groups may also distribute working documents as Internet- -Drafts. - - Internet-Drafts are draft documents valid for a maximum -of six months and may be updated, replaced, or obsoleted by -other documents at any time. It is inappropriate to use -Internet-Drafts as reference material or to cite them other -than as "work in progress." - - To learn the current status of any Internet-Draft, -please check the "1id-abstracts.txt" listing contained in -the Internet-Drafts Shadow Directories on ds.internic.net -(US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US -West Coast), or munnari.oz.au (Pacific Rim). - - The distribution of this memo is unlimited. It is -filed as draft-ietf-cat-kerberos-revisions-00.txt, and expires -11 January 1998. Please send comments to: - - krb-protocol@MIT.EDU - -ABSTRACT - - - This document provides an overview and specification of -Version 5 of the Kerberos protocol, and updates RFC1510 to -clarify aspects of the protocol and its intended use that -require more detailed or clearer explanation than was pro- -vided in RFC1510. This document is intended to provide a -detailed description of the protocol, suitable for implemen- -tation, together with descriptions of the appropriate use of -protocol messages and fields within those messages. - - This document is not intended to describe Kerberos to -__________________________ -Project Athena, Athena, and Kerberos are trademarks of -the Massachusetts Institute of Technology (MIT). No -commercial use of these trademarks may be made without -prior written permission of MIT. 
- - - -Overview - 1 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -the end user, system administrator, or application -developer. Higher level papers describing Version 5 of the -Kerberos system [1] and documenting version 4 [23], are -available elsewhere. - -OVERVIEW - - This INTERNET-DRAFT describes the concepts and model -upon which the Kerberos network authentication system is -based. It also specifies Version 5 of the Kerberos proto- -col. - - The motivations, goals, assumptions, and rationale -behind most design decisions are treated cursorily; they are -more fully described in a paper available in IEEE communica- -tions [1] and earlier in the Kerberos portion of the Athena -Technical Plan [2]. The protocols have been a proposed -standard and are being considered for advancement for draft -standard through the IETF standard process. Comments are -encouraged on the presentation, but only minor refinements -to the protocol as implemented or extensions that fit within -current protocol framework will be considered at this time. - - Requests for addition to an electronic mailing list for -discussion of Kerberos, kerberos@MIT.EDU, may be addressed -to kerberos-request@MIT.EDU. This mailing list is gatewayed -onto the Usenet as the group comp.protocols.kerberos. -Requests for further information, including documents and -code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - - The Kerberos model is based in part on Needham and -Schroeder's trusted third-party authentication protocol [4] -and on modifications suggested by Denning and Sacco [5]. 
-The original design and implementation of Kerberos Versions -1 through 4 was the work of two former Project Athena staff -members, Steve Miller of Digital Equipment Corporation and -Clifford Neuman (now at the Information Sciences Institute -of the University of Southern California), along with Jerome -Saltzer, Technical Director of Project Athena, and Jeffrey -Schiller, MIT Campus Network Manager. Many other members of -Project Athena have also contributed to the work on Ker- -beros. - - Version 5 of the Kerberos protocol (described in this -document) has evolved from Version 4 based on new require- -ments and desires for features not available in Version 4. -The design of Version 5 of the Kerberos protocol was led by -Clifford Neuman and John Kohl with much input from the com- -munity. The development of the MIT reference implementation -was led at MIT by John Kohl and Theodore T'so, with help and -contributed code from many others. Reference implementa- -tions of both version 4 and version 5 of Kerberos are pub- -licly available and commercial implementations have been - -Overview - 2 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -developed and are widely used. - - Details on the differences between Kerberos Versions 4 -and 5 can be found in [6]. - -1. Introduction - - Kerberos provides a means of verifying the identities -of principals, (e.g. a workstation user or a network server) -on an open (unprotected) network. This is accomplished -without relying on assertions by the host operating system, -without basing trust on host addresses, without requiring -physical security of all the hosts on the network, and under -the assumption that packets traveling along the network can -be read, modified, and inserted at will[1]. Kerberos per- -forms authentication under these conditions as a trusted -third-party authentication service by using conventional -(shared secret key[2]) cryptography. 
Kerberos extensions -have been proposed and implemented that provide for the use -of public key cryptography during certain phases of the -authentication protocol. These extensions provide for -authentication of users registered with public key certifi- -cation authorities, and allow the system to provide certain -benefits of public key cryptography in situations where they -are needed. - - The basic Kerberos authentication process proceeds as -follows: A client sends a request to the authentication -server (AS) requesting "credentials" for a given server. -The AS responds with these credentials, encrypted in the -client's key. The credentials consist of 1) a "ticket" for -the server and 2) a temporary encryption key (often called a -"session key"). The client transmits the ticket (which con- -tains the client's identity and a copy of the session key, -all encrypted in the server's key) to the server. The ses- -sion key (now shared by the client and server) is used to -authenticate the client, and may optionally be used to -__________________________ -[1] Note, however, that many applications use Kerberos' -functions only upon the initiation of a stream-based -network connection. Unless an application subsequently -provides integrity protection for the data stream, the -identity verification applies only to the initiation of -the connection, and does not guarantee that subsequent -messages on the connection originate from the same -principal. -[2] Secret and private are often used interchangeably -in the literature. In our usage, it takes two (or -more) to share a secret, thus a shared DES key is a -secret key. Something is only private when no one but -its owner knows it. Thus, in public key cryptosystems, -one has a public and a private key. - - - -Section 1. - 3 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authenticate the server. 
It may also be used to encrypt -further communication between the two parties or to exchange -a separate sub-session key to be used to encrypt further -communication. - - Implementation of the basic protocol consists of one or -more authentication servers running on physically secure -hosts. The authentication servers maintain a database of -principals (i.e., users and servers) and their secret keys. -Code libraries provide encryption and implement the Kerberos -protocol. In order to add authentication to its transac- -tions, a typical network application adds one or two calls -to the Kerberos library directly or through the Generic -Security Services Application Programming Interface, GSSAPI, -described in separate document. These calls result in the -transmission of the necessary messages to achieve authenti- -cation. - - The Kerberos protocol consists of several sub-protocols -(or exchanges). There are two basic methods by which a -client can ask a Kerberos server for credentials. In the -first approach, the client sends a cleartext request for a -ticket for the desired server to the AS. The reply is sent -encrypted in the client's secret key. Usually this request -is for a ticket-granting ticket (TGT) which can later be -used with the ticket-granting server (TGS). In the second -method, the client sends a request to the TGS. The client -uses the TGT to authenticate itself to the TGS in the same -manner as if it were contacting any other application server -that requires Kerberos authentication. The reply is -encrypted in the session key from the TGT. Though the pro- -tocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different pro- -tocol entry points within a single Kerberos server. - - Once obtained, credentials may be used to verify the -identity of the principals in a transaction, to ensure the -integrity of messages exchanged between them, or to preserve -privacy of the messages. 
The application is free to choose -whatever protection may be necessary. - - To verify the identities of the principals in a tran- -saction, the client transmits the ticket to the application -server. Since the ticket is sent "in the clear" (parts of -it are encrypted, but this encryption doesn't thwart replay) -and might be intercepted and reused by an attacker, addi- -tional information is sent to prove that the message ori- -ginated with the principal to whom the ticket was issued. -This information (called the authenticator) is encrypted in -the session key, and includes a timestamp. The timestamp -proves that the message was recently generated and is not a -replay. Encrypting the authenticator in the session key -proves that it was generated by a party possessing the ses- -sion key. Since no one except the requesting principal and - - -Section 1. - 4 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -the server know the session key (it is never sent over the -network in the clear) this guarantees the identity of the -client. - - The integrity of the messages exchanged between princi- -pals can also be guaranteed using the session key (passed in -the ticket and contained in the credentials). This approach -provides detection of both replay attacks and message stream -modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a -hash or digest function) of the client's message, keyed with -the session key. Privacy and integrity of the messages -exchanged between principals can be secured by encrypting -the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - - The authentication exchanges mentioned above require -read-only access to the Kerberos database. Sometimes, how- -ever, the entries in the database must be modified, such as -when adding new principals or changing a principal's key. 
-This is done using a protocol between a client and a third -Kerberos server, the Kerberos Administration Server (KADM). -There is also a protocol for maintaining multiple copies of -the Kerberos database. Neither of these protocols are -described in this document. - -1.1. Cross-Realm Operation - - The Kerberos protocol is designed to operate across -organizational boundaries. A client in one organization can -be authenticated to a server in another. Each organization -wishing to run a Kerberos server establishes its own -"realm". The name of the realm in which a client is -registered is part of the client's name, and can be used by -the end-service to decide whether to honor a request. - - By establishing "inter-realm" keys, the administrators -of two realms can allow a client authenticated in the local -realm to prove its identity to servers in other realms[3]. -The exchange of inter-realm keys (a separate key may be used -for each direction) registers the ticket-granting service of -each realm as a principal in the other realm. A client is -then able to obtain a ticket-granting ticket for the remote -realm's ticket-granting service from its local realm. When -that ticket-granting ticket is used, the remote ticket- -granting service uses the inter-realm key (which usually -__________________________ -[3] Of course, with appropriate permission the client -could arrange registration of a separately-named prin- -cipal in a remote realm, and engage in normal exchanges -with that realm's services. However, for even small -numbers of clients this becomes cumbersome, and more -automatic methods as described here are necessary. - - -Section 1.1. - 5 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -differs from its own normal TGS key) to decrypt the ticket- -granting ticket, and is thus certain that it was issued by -the client's own TGS. 
Tickets issued by the remote ticket- -granting service will indicate to the end-service that the -client was authenticated from another realm. - - A realm is said to communicate with another realm if -the two realms share an inter-realm key, or if the local -realm shares an inter-realm key with an intermediate realm -that communicates with the remote realm. An authentication -path is the sequence of intermediate realms that are tran- -sited in communicating from one realm to another. - - Realms are typically organized hierarchically. Each -realm shares a key with its parent and a different key with -each child. If an inter-realm key is not directly shared by -two realms, the hierarchical organization allows an authen- -tication path to be easily constructed. If a hierarchical -organization is not used, it may be necessary to consult a -database in order to construct an authentication path -between realms. - - Although realms are typically hierarchical, intermedi- -ate realms may be bypassed to achieve cross-realm authenti- -cation through alternate authentication paths (these might -be established to make communication between two realms more -efficient). It is important for the end-service to know -which realms were transited when deciding how much faith to -place in the authentication process. To facilitate this -decision, a field in each ticket contains the names of the -realms that were involved in authenticating the client. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of -verifying the identity of principals on a network. Authen- -tication is usually useful primarily as a first step in the -process of authorization, determining whether a client may -use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos -does not, by itself, provide authorization. 
Possession of a -client ticket for a service provides only for authentication -of the client to that service, and in the absence of a -separate authorization procedure, it should not be con- -sidered by an application as authorizing the use of that -service. - - Such separate authorization methods may be implemented -as application specific access control functions and may be -based on files such as the application server, or on -separately issued authorization credentials such as those -based on proxies [7] , or on other authorization services. - - Applications should not be modified to accept the -issuance of a service ticket by the Kerberos server (even by - -Section 1.2. - 6 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -an modified Kerberos server) as granting authority to use -the service, since such applications may become vulnerable -to the bypass of this authorization check in an environment -where they interoperate with other KDCs or where other -options for application authentication (e.g. the PKTAPP pro- -posal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in -which it can properly function: - -+ "Denial of service" attacks are not solved with Ker- - beros. There are places in these protocols where an - intruder can prevent an application from participating - in the proper authentication steps. Detection and - solution of such attacks (some of which can appear to - be not-uncommon "normal" failure modes for the system) - is usually best left to the human administrators and - users. - -+ Principals must keep their secret keys secret. If an - intruder somehow steals a principal's key, it will be - able to masquerade as that principal or impersonate any - server to the legitimate principal. - -+ "Password guessing" attacks are not solved by Kerberos. 
- If a user chooses a poor password, it is possible for - an attacker to successfully mount an offline dictionary - attack by repeatedly attempting to decrypt, with suc- - cessive entries from a dictionary, messages obtained - which are encrypted under a key derived from the user's - password. - -+ Each host on the network must have a clock which is - "loosely synchronized" to the time of the other hosts; - this synchronization is used to reduce the bookkeeping - needs of application servers when they do replay detec- - tion. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 - minutes. If the clocks are synchronized over the net- - work, the clock synchronization protocol must itself be - secured from network attackers. - -+ Principal identifiers are not recycled on a short-term - basis. A typical mode of access control will use - access control lists (ACLs) to grant permissions to - particular principals. If a stale ACL entry remains - for a deleted principal and the principal identifier is - reused, the new principal will inherit rights specified - in the stale ACL entry. By not re-using principal - identifiers, the danger of inadvertent access is - removed. - - - -Section 1.3. - 7 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - - -Authentication Verifying the claimed identity of a - principal. - - -Authentication headerA record containing a Ticket and an - Authenticator to be presented to a - server as part of the authentication - process. - - -Authentication path A sequence of intermediate realms tran- - sited in the authentication process when - communicating from one realm to another. - - -Authenticator A record containing information that can - be shown to have been recently generated - using the session key known only by the - client and server. 
- - -Authorization The process of determining whether a - client may use a service, which objects - the client is allowed to access, and the - type of access allowed for each. - - -Capability A token that grants the bearer permis- - sion to access an object or service. In - Kerberos, this might be a ticket whose - use is restricted by the contents of the - authorization data field, but which - lists no network addresses, together - with the session key necessary to use - the ticket. - - -Ciphertext The output of an encryption function. - Encryption transforms plaintext into - ciphertext. - - -Client A process that makes use of a network - service on behalf of a user. Note that - in some cases a Server may itself be a - client of some other server (e.g. a - print server may be a client of a file - server). - - - -Section 1.4. - 8 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -Credentials A ticket plus the secret session key - necessary to successfully use that - ticket in an authentication exchange. - - -KDC Key Distribution Center, a network ser- - vice that supplies tickets and temporary - session keys; or an instance of that - service or the host on which it runs. - The KDC services both initial ticket and - ticket-granting ticket requests. The - initial ticket portion is sometimes - referred to as the Authentication Server - (or service). The ticket-granting - ticket portion is sometimes referred to - as the ticket-granting server (or ser- - vice). - - -Kerberos Aside from the 3-headed dog guarding - Hades, the name given to Project - Athena's authentication service, the - protocol used by that service, or the - code used to implement the authentica- - tion service. - - -Plaintext The input to an encryption function or - the output of a decryption function. - Decryption transforms ciphertext into - plaintext. - - -Principal A uniquely named client or server - instance that participates in a network - communication. 
- - -Principal identifierThe name used to uniquely identify each - different principal. - - -Seal To encipher a record containing several - fields in such a way that the fields - cannot be individually replaced without - either knowledge of the encryption key - or leaving evidence of tampering. - - -Secret key An encryption key shared by a principal - and the KDC, distributed outside the - bounds of the system, with a long life- - time. In the case of a human user's - principal, the secret key is derived - - -Section 1.4. - 9 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - from a password. - - -Server A particular Principal which provides a - resource to network clients. The server - is sometimes refered to as the Applica- - tion Server. - - -Service A resource provided to network clients; - often provided by more than one server - (for example, remote file service). - - -Session key A temporary encryption key used between - two principals, with a lifetime limited - to the duration of a single login "ses- - sion". - - -Sub-session key A temporary encryption key used between - two principals, selected and exchanged - by the principals using the session key, - and with a lifetime limited to the dura- - tion of a single association. - - -Ticket A record that helps a client authenti- - cate itself to a server; it contains the - client's identity, a session key, a - timestamp, and other information, all - sealed using the server's secret key. - It only serves to authenticate a client - when presented along with a fresh - Authenticator. - -2. Ticket flag uses and requests - -Each Kerberos ticket contains a set of flags which are used -to indicate various attributes of that ticket. Most flags -may be requested by a client when the ticket is obtained; -some are automatically turned on and off by a Kerberos -server as required. The following sections explain what the -various flags mean, and gives examples of reasons to use -such a flag. 
- -2.1. Initial and pre-authenticated tickets - - The INITIAL flag indicates that a ticket was issued -using the AS protocol and not issued based on a ticket- -granting ticket. Application servers that want to require -the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set -in any tickets they accept, and thus be assured that the - - -Section 2.1. - 10 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -client's key was recently presented to the application -client. - - The PRE-AUTHENT and HW-AUTHENT flags provide addition -information about the initial authentication, regardless of -whether the current ticket was issued directly (in which -case INITIAL will also be set) or issued on the basis of a -ticket-granting ticket (in which case the INITIAL flag is -clear, but the PRE-AUTHENT and HW-AUTHENT flags are carried -forward from the ticket-granting ticket). - -2.2. Invalid tickets - - The INVALID flag indicates that a ticket is invalid. -Application servers must reject tickets which have this flag -set. A postdated ticket will usually be issued in this -form. Invalid tickets must be validated by the KDC before -use, by presenting them to the KDC in a TGS request with the -VALIDATE option specified. The KDC will only validate tick- -ets after their starttime has passed. The validation is -required so that postdated tickets which have been stolen -before their starttime can be rendered permanently invalid -(through a hot-list mechanism) (see section 3.3.3.1). - -2.3. Renewable tickets - - Applications may desire to hold tickets which can be -valid for long periods of time. However, this can expose -their credentials to potential theft for equally long -periods, and those stolen credentials would be valid until -the expiration time of the ticket(s). 
Simply using short- -lived tickets and obtaining new ones periodically would -require the client to have long-term access to its secret -key, an even greater risk. Renewable tickets can be used to -mitigate the consequences of theft. Renewable tickets have -two "expiration times": the first is when the current -instance of the ticket expires, and the second is the latest -permissible value for an individual expiration time. An -application client must periodically (i.e. before it -expires) present a renewable ticket to the KDC, with the -RENEW option set in the KDC request. The KDC will issue a -new ticket with a new session key and a later expiration -time. All other fields of the ticket are left unmodified by -the renewal process. When the latest permissible expiration -time arrives, the ticket expires permanently. At each -renewal, the KDC may consult a hot-list to determine if the -ticket had been reported stolen since its last renewal; it -will refuse to renew such stolen tickets, and thus the -usable lifetime of stolen tickets is reduced. - - The RENEWABLE flag in a ticket is normally only inter- -preted by the ticket-granting service (discussed below in -section 3.3). It can usually be ignored by application -servers. However, some particularly careful application - - -Section 2.3. - 11 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -servers may wish to disallow renewable tickets. - - If a renewable ticket is not renewed by its expiration -time, the KDC will not renew the ticket. The RENEWABLE flag -is reset by default, but a client may request it be set by -setting the RENEWABLE option in the KRB_AS_REQ message. If -it is set, then the renew-till field in the ticket contains -the time after which the ticket may not be renewed. - -2.4. Postdated tickets - - Applications may occasionally need to obtain tickets -for use much later, e.g. 
a batch submission system would -need tickets to be valid at the time the batch job is ser- -viced. However, it is dangerous to hold valid tickets in a -batch queue, since they will be on-line longer and more -prone to theft. Postdated tickets provide a way to obtain -these tickets from the KDC at job submission time, but to -leave them "dormant" until they are activated and validated -by a further request of the KDC. If a ticket theft were -reported in the interim, the KDC would refuse to validate -the ticket, and the thief would be foiled. - - The MAY-POSTDATE flag in a ticket is normally only -interpreted by the ticket-granting service. It can be -ignored by application servers. This flag must be set in a -ticket-granting ticket in order to issue a postdated ticket -based on the presented ticket. It is reset by default; it -may be requested by a client by setting the ALLOW-POSTDATE -option in the KRB_AS_REQ message. This flag does not allow -a client to obtain a postdated ticket-granting ticket; post- -dated ticket-granting tickets can only by obtained by -requesting the postdating in the KRB_AS_REQ message. The -life (endtime-starttime) of a postdated ticket will be the -remaining life of the ticket-granting ticket at the time of -the request, unless the RENEWABLE option is also set, in -which case it can be the full life (endtime-starttime) of -the ticket-granting ticket. The KDC may limit how far in -the future a ticket may be postdated. - - The POSTDATED flag indicates that a ticket has been -postdated. The application server can check the authtime -field in the ticket to see when the original authentication -occurred. Some services may choose to reject postdated -tickets, or they may only accept them within a certain -period after the original authentication. When the KDC -issues a POSTDATED ticket, it will also be marked as -INVALID, so that the application client must present the -ticket to the KDC to be validated before use. - -2.5. 
Proxiable and proxy tickets - - At times it may be necessary for a principal to allow a -service to perform an operation on its behalf. The service - - -Section 2.5. - 12 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -must be able to take on the identity of the client, but only -for a particular purpose. A principal can allow a service -to take on the principal's identity for a particular purpose -by granting it a proxy. - - The process of granting a proxy using the proxy and -proxiable flags is used to provide credentials for use with -specific services. Though conceptually also a proxy, user's -wishing to delegate their identity for ANY purpose must use -the ticket forwarding mechanism described in the next sec- -tion to forward a ticket granting ticket. - - The PROXIABLE flag in a ticket is normally only inter- -preted by the ticket-granting service. It can be ignored by -application servers. When set, this flag tells the ticket- -granting server that it is OK to issue a new ticket (but not -a ticket-granting ticket) with a different network address -based on this ticket. This flag is set if requested by the -client on initial authentication. By default, the client -will request that it be set when requesting a ticket grant- -ing ticket, and reset when requesting any other ticket. - - This flag allows a client to pass a proxy to a server -to perform a remote request on its behalf, e.g. a print ser- -vice client can give the print server a proxy to access the -client's files on a particular file server in order to -satisfy a print request. - - In order to complicate the use of stolen credentials, -Kerberos tickets are usually valid from only those network -addresses specifically included in the ticket[4]. When -granting a proxy, the client must specify the new network -address from which the proxy is to be used, or indicate that -the proxy is to be issued for use from any address. 
- - The PROXY flag is set in a ticket by the TGS when it -issues a proxy ticket. Application servers may check this -flag and at their option they may require additional authen- -tication from the agent presenting the proxy in order to -provide an audit trail. - -2.6. Forwardable tickets - - Authentication forwarding is an instance of a proxy -where the service is granted complete use of the client's -identity. An example where it might be used is when a user -logs in to a remote system and wants authentication to work -from that system as if the login were local. - - The FORWARDABLE flag in a ticket is normally only -__________________________ -[4] Though it is permissible to request or issue tick- -ets with no network addresses specified. - - -Section 2.6. - 13 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -interpreted by the ticket-granting service. It can be -ignored by application servers. The FORWARDABLE flag has an -interpretation similar to that of the PROXIABLE flag, except -ticket-granting tickets may also be issued with different -network addresses. This flag is reset by default, but users -may request that it be set by setting the FORWARDABLE option -in the AS request when they request their initial ticket- -granting ticket. - - This flag allows for authentication forwarding without -requiring the user to enter a password again. If the flag -is not set, then authentication forwarding is not permitted, -but the same result can still be achieved if the user -engages in the AS exchange specifying the requested network -addresses and supplies a password. - - The FORWARDED flag is set by the TGS when a client -presents a ticket with the FORWARDABLE flag set and requests -a forwarded ticket by specifying the FORWARDED KDC option -and supplying a set of addresses for the new ticket. It is -also set in all tickets issued based on tickets with the -FORWARDED flag set. 
Application servers may choose to pro- -cess FORWARDED tickets differently than non-FORWARDED tick- -ets. - -2.7. Other KDC options - - There are two additional options which may be set in a -client's request of the KDC. The RENEWABLE-OK option indi- -cates that the client will accept a renewable ticket if a -ticket with the requested life cannot otherwise be provided. -If a ticket with the requested life cannot be provided, then -the KDC may issue a renewable ticket with a renew-till equal -to the the requested endtime. The value of the renew-till -field may still be adjusted by site-determined limits or -limits imposed by the individual principal or server. - - The ENC-TKT-IN-SKEY option is honored only by the -ticket-granting service. It indicates that the ticket to be -issued for the end server is to be encrypted in the session -key from the a additional second ticket-granting ticket pro- -vided with the request. See section 3.3.3 for specific -details. - -__________________________ -[5] The password-changing request must not be honored -unless the requester can provide the old password (the -user's current secret key). Otherwise, it would be -possible for someone to walk up to an unattended ses- -sion and change another user's password. -[6] To authenticate a user logging on to a local sys- -tem, the credentials obtained in the AS exchange may -first be used in a TGS exchange to obtain credentials - - -Section 3.1. - 14 - Expires 11 January 1998 - - - - - - - Version 5 - Specification Revision 6 - - - -3. Message Exchanges - -The following sections describe the interactions between -network clients and servers and the messages involved in -those exchanges. - -3.1. The Authentication Service Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. 
Kerberos to client KRB_AS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-
- The Authentication Service (AS) Exchange between the
-client and the Kerberos Authentication Server is initiated
-by a client when it wishes to obtain authentication creden-
-tials for a given server but currently holds no credentials.
-In its basic form, the client's secret key is used for en-
-cryption and decryption. This exchange is typically used at
-the initiation of a login session to obtain credentials for
-a Ticket-Granting Server which will subsequently be used to
-obtain credentials for other servers (see section 3.3)
-without requiring further use of the client's secret key.
-This exchange is also used to request credentials for ser-
-vices which must not be mediated through the Ticket-Granting
-Service, but rather require a principal's secret key, such
-as the password-changing service[5]. This exchange does not
-by itself provide any assurance of the the identity of the
-user[6].
-
- The exchange consists of two messages: KRB_AS_REQ from
-the client to Kerberos, and KRB_AS_REP or KRB_ERROR in
-reply. The formats for these messages are described in sec-
-tions 5.4.1, 5.4.2, and 5.9.1.
-
- In the request, the client sends (in cleartext) its own
-identity and the identity of the server for which it is
-requesting credentials. The response, KRB_AS_REP, contains
-a ticket for the client to present to the server, and a ses-
-sion key that will be shared by the client and the server.
-The session key and additional information are encrypted in
-the client's secret key. The KRB_AS_REP message contains
-information which can be used to detect replays, and to
-associate it with the message to which it replies. Various
-errors can occur; these are indicated by an error response
-(KRB_ERROR) instead of the KRB_AS_REP response. The error
-__________________________
-for a local server.
Those credentials must then be -verified by a local server through successful comple- -tion of the Client/Server exchange. - - - -Section 3.1. - 15 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -message is not encrypted. The KRB_ERROR message contains -information which can be used to associate it with the mes- -sage to which it replies. The lack of encryption in the -KRB_ERROR message precludes the ability to detect replays, -fabrications, or modifications of such messages. - - Without preautentication, the authentication server -does not know whether the client is actually the principal -named in the request. It simply sends a reply without know- -ing or caring whether they are the same. This is acceptable -because nobody but the principal whose identity was given in -the request will be able to use the reply. Its critical -information is encrypted in that principal's key. The ini- -tial request supports an optional field that can be used to -pass additional information that might be needed for the -initial exchange. This field may be used for pre- -authentication as described in section <>. - -3.1.1. Generation of KRB_AS_REQ message - - The client may specify a number of options in the ini- -tial request. Among these options are whether pre- -authentication is to be performed; whether the requested -ticket is to be renewable, proxiable, or forwardable; -whether it should be postdated or allow postdating of -derivative tickets; and whether a renewable ticket will be -accepted in lieu of a non-renewable ticket if the requested -ticket expiration date cannot be satisfied by a non- -renewable ticket (due to configuration constraints; see sec- -tion 4). See section A.1 for pseudocode. - - The client prepares the KRB_AS_REQ message and sends it -to the KDC. - -3.1.2. 
Receipt of KRB_AS_REQ message - - If all goes well, processing the KRB_AS_REQ message -will result in the creation of a ticket for the client to -present to the server. The format for the ticket is -described in section 5.3.1. The contents of the ticket are -determined as follows. - -3.1.3. Generation of KRB_AS_REP message - - The authentication server looks up the client and -server principals named in the KRB_AS_REQ in its database, -extracting their respective keys. If required, the server -pre-authenticates the request, and if the pre-authentication -check fails, an error message with the code -KDC_ERR_PREAUTH_FAILED is returned. If the server cannot -accommodate the requested encryption type, an error message -with code KDC_ERR_ETYPE_NOSUPP is returned. Otherwise it -generates a "random" session key[7]. -__________________________ - - -Section 3.1.3. - 16 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - If there are multiple encryption keys registered for a -client in the Kerberos database (or if the key registered -supports multiple encryption types; e.g. DES-CBC-CRC and -DES-CBC-MD5), then the etype field from the AS request is -used by the KDC to select the encryption method to be used -for encrypting the response to the client. If there is more -than one supported, strong encryption type in the etype -list, the first valid etype for which an encryption key is -available is used. The encryption method used to respond to -a TGS request is taken from the keytype of the session key -found in the ticket granting ticket. - - When the etype field is present in a KDC request, -whether an AS or TGS request, the KDC will attempt to assign -the type of the random session key from the list of methods -in the etype field. The KDC will select the appropriate -type using the list of methods provided together with infor- -mation from the Kerberos database indicating acceptable -encryption methods for the application server. 
The KDC will -not issue tickets with a weak session key encryption type. - - If the requested start time is absent, indicates a time -in the past, or is within the window of acceptable clock -skew for the KDC and the POSTDATE option has not been speci- -fied, then the start time of the ticket is set to the -authentication server's current time. If it indicates a -time in the future beyond the acceptable clock skew, but the -POSTDATED option has not been specified then the error -KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the -requested start time is checked against the policy of the -local realm (the administrator might decide to prohibit cer- -tain types or ranges of postdated tickets), and if accept- -able, the ticket's start time is set as requested and the -INVALID flag is set in the new ticket. The postdated ticket -must be validated before use by presenting it to the KDC -after the start time has been reached. - - - - - - - - - -__________________________ -[7] "Random" means that, among other things, it should -be impossible to guess the next session key based on -knowledge of past session keys. This can only be -achieved in a pseudo-random number generator if it is -based on cryptographic principles. It is more desir- -able to use a truly random number generator, such as -one based on measurements of random physical phenomena. - - - -Section 3.1.3. - 17 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -The expiration time of the ticket will be set to the minimum -of the following: - -+The expiration time (endtime) requested in the KRB_AS_REQ - message. - -+The ticket's start time plus the maximum allowable lifetime - associated with the client principal (the authentication - server's database includes a maximum ticket lifetime field - in each principal's record; see section 4). - -+The ticket's start time plus the maximum allowable lifetime - associated with the server principal. 
- -+The ticket's start time plus the maximum lifetime set by - the policy of the local realm. - - If the requested expiration time minus the start time -(as determined above) is less than a site-determined minimum -lifetime, an error message with code KDC_ERR_NEVER_VALID is -returned. If the requested expiration time for the ticket -exceeds what was determined as above, and if the -"RENEWABLE-OK" option was requested, then the "RENEWABLE" -flag is set in the new ticket, and the renew-till value is -set as if the "RENEWABLE" option were requested (the field -and option names are described fully in section 5.4.1). - -If the RENEWABLE option has been requested or if the -RENEWABLE-OK option has been set and a renewable ticket is -to be issued, then the renew-till field is set to the -minimum of: - -+Its requested value. - -+The start time of the ticket plus the minimum of the two - maximum renewable lifetimes associated with the principals' - database entries. - -+The start time of the ticket plus the maximum renewable - lifetime set by the policy of the local realm. - - The flags field of the new ticket will have the follow- -ing options set if they have been requested and if the pol- -icy of the local realm allows: FORWARDABLE, MAY-POSTDATE, -POSTDATED, PROXIABLE, RENEWABLE. If the new ticket is post- -dated (the start time is in the future), its INVALID flag -will also be set. - - If all of the above succeed, the server formats a -KRB_AS_REP message (see section 5.4.2), copying the -addresses in the request into the caddr of the response, -placing any required pre-authentication data into the padata -of the response, and encrypts the ciphertext part in the -client's key using the requested encryption method, and - - -Section 3.1.3. - 18 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -sends it to the client. See section A.2 for pseudocode. - -3.1.4. 
Generation of KRB_ERROR message
-
- Several errors can occur, and the Authentication Server
-responds by returning an error message, KRB_ERROR, to the
-client, with the error-code and e-text fields set to
-appropriate values. The error message contents and details
-are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
- If the reply message type is KRB_AS_REP, then the
-client verifies that the cname and crealm fields in the
-cleartext portion of the reply match what it requested. If
-any padata fields are present, they may be used to derive
-the proper secret key to decrypt the message. The client
-decrypts the encrypted part of the response using its secret
-key, verifies that the nonce in the encrypted part matches
-the nonce it supplied in its request (to detect replays).
-It also verifies that the sname and srealm in the response
-match those in the request (or are otherwise expected
-values), and that the host address field is also correct.
-It then stores the ticket, session key, start and expiration
-times, and other information for later use. The key-
-expiration field from the encrypted part of the response may
-be checked to notify the user of impending key expiration
-(the client program could then suggest remedial action, such
-as a password change). See section A.3 for pseudocode.
-
- Proper decryption of the KRB_AS_REP message is not suf-
-ficient to verify the identity of the user; the user and an
-attacker could cooperate to generate a KRB_AS_REP format
-message which decrypts properly but is not from the proper
-KDC. If the host wishes to verify the identity of the user,
-it must require the user to present application credentials
-which can be verified using a securely-stored secret key for
-the host. If those credentials can be verified, then the
-identity of the user can be assured.
-
-3.1.6.
Receipt of KRB_ERROR message - - If the reply message type is KRB_ERROR, then the client -interprets it as an error and performs whatever -application-specific tasks are necessary to recover. - -3.2. The Client/Server Authentication Exchange - - Summary -Message direction Message type Section -Client to Application server KRB_AP_REQ 5.5.1 -[optional] Application server to client KRB_AP_REP or 5.5.2 - KRB_ERROR 5.9.1 - - - -Section 3.2. - 19 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - The client/server authentication (CS) exchange is used -by network applications to authenticate the client to the -server and vice versa. The client must have already -acquired credentials for the server using the AS or TGS -exchange. - -3.2.1. The KRB_AP_REQ message - - The KRB_AP_REQ contains authentication information -which should be part of the first message in an authenti- -cated transaction. It contains a ticket, an authenticator, -and some additional bookkeeping information (see section -5.5.1 for the exact format). The ticket by itself is insuf- -ficient to authenticate a client, since tickets are passed -across the network in cleartext[8], so the authenticator is -used to prevent invalid replay of tickets by proving to the -server that the client knows the session key of the ticket -and thus is entitled to use the ticket. The KRB_AP_REQ mes- -sage is referred to elsewhere as the "authentication -header." - -3.2.2. Generation of a KRB_AP_REQ message - - When a client wishes to initiate authentication to a -server, it obtains (either through a credentials cache, the -AS exchange, or the TGS exchange) a ticket and session key -for the desired service. The client may re-use any tickets -it holds until they expire. 
To use a ticket the client con- -structs a new Authenticator from the the system time, its -name, and optionally an application specific checksum, an -initial sequence number to be used in KRB_SAFE or KRB_PRIV -messages, and/or a session subkey to be used in negotiations -for a session key unique to this particular session. -Authenticators may not be re-used and will be rejected if -replayed to a server[9]. If a sequence number is to be -included, it should be randomly chosen so that even after -many messages have been exchanged it is not likely to col- -lide with other sequence numbers in use. - - The client may indicate a requirement of mutual -__________________________ -[8] Tickets contain both an encrypted and unencrypted -portion, so cleartext here refers to the entire unit, -which can be copied from one message and replayed in -another without any cryptographic skill. -[9] Note that this can make applications based on un- -reliable transports difficult to code correctly. If the -transport might deliver duplicated messages, either a -new authenticator must be generated for each retry, or -the application server must match requests and replies -and replay the first reply in response to a detected -duplicate. - - - -Section 3.2.2. - 20 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authentication or the use of a session-key based ticket by -setting the appropriate flag(s) in the ap-options field of -the message. - - The Authenticator is encrypted in the session key and -combined with the ticket to form the KRB_AP_REQ message -which is then sent to the end server along with any addi- -tional application-specific information. See section A.9 -for pseudocode. - -3.2.3. Receipt of KRB_AP_REQ message - - Authentication is based on the server's current time of -day (clocks must be loosely synchronized), the authentica- -tor, and the ticket. Several errors are possible. 
If an
-error occurs, the server is expected to reply to the client
-with a KRB_ERROR message. This message may be encapsulated
-in the application protocol if its "raw" form is not accept-
-able to the protocol. The format of error messages is
-described in section 5.9.1.
-
- The algorithm for verifying authentication information
-is as follows. If the message type is not KRB_AP_REQ, the
-server returns the KRB_AP_ERR_MSG_TYPE error. If the key
-version indicated by the Ticket in the KRB_AP_REQ is not one
-the server can use (e.g., it indicates an old key, and the
-server no longer possesses a copy of the old key), the
-KRB_AP_ERR_BADKEYVER error is returned. If the USE-
-SESSION-KEY flag is set in the ap-options field, it indi-
-cates to the server that the ticket is encrypted in the ses-
-sion key from the server's ticket-granting ticket rather
-than its secret key[10]. Since it is possible for the
-server to be registered in multiple realms, with different
-keys in each, the srealm field in the unencrypted portion of
-the ticket in the KRB_AP_REQ is used to specify which secret
-key the server should use to decrypt that ticket. The
-KRB_AP_ERR_NOKEY error code is returned if the server
-doesn't have the proper key to decipher the ticket.
-
- The ticket is decrypted using the version of the
-server's key specified by the ticket. If the decryption
-routines detect a modification of the ticket (each encryp-
-tion system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY
-error is returned (chances are good that different keys were
-used to encrypt and decrypt).
-
- The authenticator is decrypted using the session key
-extracted from the decrypted ticket. If decryption shows it
-to have been modified, the KRB_AP_ERR_BAD_INTEGRITY error is
-__________________________
-[10] This is used for user-to-user authentication as
-described in [8].
-
-
-Section 3.2.3.
- 21 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -returned. The name and realm of the client from the ticket -are compared against the same fields in the authenticator. -If they don't match, the KRB_AP_ERR_BADMATCH error is -returned (they might not match, for example, if the wrong -session key was used to encrypt the authenticator). The -addresses in the ticket (if any) are then searched for an -address matching the operating-system reported address of -the client. If no match is found or the server insists on -ticket addresses but none are present in the ticket, the -KRB_AP_ERR_BADADDR error is returned. - - If the local (server) time and the client time in the -authenticator differ by more than the allowable clock skew -(e.g., 5 minutes), the KRB_AP_ERR_SKEW error is returned. -If the server name, along with the client name, time and -microsecond fields from the Authenticator match any -recently-seen such tuples, the KRB_AP_ERR_REPEAT error is -returned[11]. The server must remember any authenticator -presented within the allowable clock skew, so that a replay -attempt is guaranteed to fail. If a server loses track of -any authenticator presented within the allowable clock skew, -it must reject all requests until the clock skew interval -has passed. This assures that any lost or re-played authen- -ticators will fall outside the allowable clock skew and can -no longer be successfully replayed (If this is not done, an -attacker could conceivably record the ticket and authentica- -tor sent over the network to a server, then disable the -client's host, pose as the disabled host, and replay the -ticket and authenticator to subvert the authentication.). -If a sequence number is provided in the authenticator, the -server saves it for later use in processing KRB_SAFE and/or -KRB_PRIV messages. 
If a subkey is present, the server -either saves it for later use or uses it to help generate -its own choice for a subkey to be returned in a KRB_AP_REP -message. - - The server computes the age of the ticket: local -(server) time minus the start time inside the Ticket. If -the start time is later than the current time by more than -the allowable clock skew or if the INVALID flag is set in -the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Oth- -erwise, if the current time is later than end time by more -than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED -error is returned. - - If all these checks succeed without an error, the -__________________________ -[11] Note that the rejection here is restricted to au- -thenticators from the same principal to the same -server. Other client principals communicating with the -same server principal should not be have their authen- -ticators rejected if the time and microsecond fields -happen to match some other client's authenticator. - - -Section 3.2.3. - 22 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -server is assured that the client possesses the credentials -of the principal named in the ticket and thus, the client -has been authenticated to the server. See section A.10 for -pseudocode. - - Passing these checks provides only authentication of -the named principal; it does not imply authorization to use -the named service. Applications must make a separate -authorization decisions based upon the authenticated name of -the user, the requested operation, local acces control -information such as that contained in a .k5login or .k5users -file, and possibly a separate distributed authorization ser- -vice. - -3.2.4. Generation of a KRB_AP_REP message - - Typically, a client's request will include both the -authentication information and its initial request in the -same message, and the server need not explicitly reply to -the KRB_AP_REQ. 
However, if mutual authentication (not only -authenticating the client to the server, but also the server -to the client) is being performed, the KRB_AP_REQ message -will have MUTUAL-REQUIRED set in its ap-options field, and a -KRB_AP_REP message is required in response. As with the -error message, this message may be encapsulated in the -application protocol if its "raw" form is not acceptable to -the application's protocol. The timestamp and microsecond -field used in the reply must be the client's timestamp and -microsecond field (as provided in the authenticator)[12]. -If a sequence number is to be included, it should be ran- -domly chosen as described above for the authenticator. A -subkey may be included if the server desires to negotiate a -different subkey. The KRB_AP_REP message is encrypted in -the session key extracted from the ticket. See section A.11 -for pseudocode. - -3.2.5. Receipt of KRB_AP_REP message - - - If a KRB_AP_REP message is returned, the client uses -the session key from the credentials obtained for the -server[13] to decrypt the message, and verifies that the -__________________________ -[12] In the Kerberos version 4 protocol, the timestamp -in the reply was the client's timestamp plus one. This -is not necessary in version 5 because version 5 mes- -sages are formatted in such a way that it is not possi- -ble to create the reply by judicious message surgery -(even in encrypted form) without knowledge of the ap- -propriate encryption keys. -[13] Note that for encrypting the KRB_AP_REP message, -the sub-session key is not used, even if present in the -Authenticator. - - -Section 3.2.5. - 23 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -timestamp and microsecond fields match those in the Authen- -ticator it sent to the server. If they match, then the -client is assured that the server is genuine. The sequence -number and subkey (if present) are retained for later use. -See section A.12 for pseudocode. 
-
-
-3.2.6. Using the encryption key
-
- After the KRB_AP_REQ/KRB_AP_REP exchange has occurred,
-the client and server share an encryption key which can be
-used by the application. The "true session key" to be used
-for KRB_PRIV, KRB_SAFE, or other application-specific uses
-may be chosen by the application based on the subkeys in the
-KRB_AP_REP message and the authenticator[14]. In some
-cases, the use of this session key will be implicit in the
-protocol; in others the method of use must be chosen from
-several alternatives. We leave the protocol negotiations of
-how to use the key (e.g. selecting an encryption or check-
-sum type) to the application programmer; the Kerberos proto-
-col does not constrain the implementation options, but an
-example of how this might be done follows.
-
- One way that an application may choose to negotiate a
-key to be used for subequent integrity and privacy protec-
-tion is for the client to propose a key in the subkey field
-of the authenticator. The server can then choose a key
-using the proposed key from the client as input, returning
-the new subkey in the subkey field of the application reply.
-This key could then be used for subsequent communication.
-To make this example more concrete, if the encryption method
-in use required a 56 bit key, and for whatever reason, one
-of the parties was prevented from using a key with more than
-40 unknown bits, this method would allow the the party which
-is prevented from using more than 40 bits to either propose
-(if the client) an initial key with a known quantity for 16
-of those bits, or to mask 16 of the bits (if the server)
-with the known quantity. The application implementor is
-warned, however, that this is only an example, and that an
-analysis of the particular crytosystem to be used, and the
-reasons for limiting the key length, must be made before
-deciding whether it is acceptable to mask bits of the key.
- - With both the one-way and mutual authentication -exchanges, the peers should take care not to send sensitive -information to each other without proper assurances. In -particular, applications that require privacy or integrity -should use the KRB_AP_REP response from the server to client -__________________________ -[14] Implementations of the protocol may wish to pro- -vide routines to choose subkeys based on session keys -and random numbers and to generate a negotiated key to -be returned in the KRB_AP_REP message. - - -Section 3.2.6. - 24 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -to assure both client and server of their peer's identity. -If an application protocol requires privacy of its messages, -it can use the KRB_PRIV message (section 3.5). The KRB_SAFE -message (section 3.4) can be used to assure integrity. - - -3.3. The Ticket-Granting Service (TGS) Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_TGS_REQ 5.4.1 - 2. Kerberos to client KRB_TGS_REP or 5.4.2 - KRB_ERROR 5.9.1 - - - The TGS exchange between a client and the Kerberos -Ticket-Granting Server is initiated by a client when it -wishes to obtain authentication credentials for a given -server (which might be registered in a remote realm), when -it wishes to renew or validate an existing ticket, or when -it wishes to obtain a proxy ticket. In the first case, the -client must already have acquired a ticket for the Ticket- -Granting Service using the AS exchange (the ticket-granting -ticket is usually obtained when a client initially authenti- -cates to the system, such as when a user logs in). The mes- -sage format for the TGS exchange is almost identical to that -for the AS exchange. The primary difference is that encryp- -tion and decryption in the TGS exchange does not take place -under the client's key. 
Instead, the session key from the -ticket-granting ticket or renewable ticket, or sub-session -key from an Authenticator is used. As is the case for all -application servers, expired tickets are not accepted by the -TGS, so once a renewable or ticket-granting ticket expires, -the client must use a separate exchange to obtain valid -tickets. - - The TGS exchange consists of two messages: A request -(KRB_TGS_REQ) from the client to the Kerberos Ticket- -Granting Server, and a reply (KRB_TGS_REP or KRB_ERROR). -The KRB_TGS_REQ message includes information authenticating -the client plus a request for credentials. The authentica- -tion information consists of the authentication header -(KRB_AP_REQ) which includes the client's previously obtained -ticket-granting, renewable, or invalid ticket. In the -ticket-granting ticket and proxy cases, the request may -include one or more of: a list of network addresses, a col- -lection of typed authorization data to be sealed in the -ticket for authorization use by the application server, or -additional tickets (the use of which are described later). -The TGS reply (KRB_TGS_REP) contains the requested creden- -tials, encrypted in the session key from the ticket-granting -ticket or renewable ticket, or if present, in the sub- -session key from the Authenticator (part of the authentica- -tion header). The KRB_ERROR message contains an error code - - -Section 3.3. - 25 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -and text explaining what went wrong. The KRB_ERROR message -is not encrypted. The KRB_TGS_REP message contains informa- -tion which can be used to detect replays, and to associate -it with the message to which it replies. The KRB_ERROR mes- -sage also contains information which can be used to associ- -ate it with the message to which it replies, but the lack of -encryption in the KRB_ERROR message precludes the ability to -detect replays or fabrications of such messages. - -3.3.1. 
Generation of KRB_TGS_REQ message
-
- Before sending a request to the ticket-granting ser-
-vice, the client must determine in which realm the applica-
-tion server is registered[15]. If the client does not
-already possess a ticket-granting ticket for the appropriate
-realm, then one must be obtained. This is first attempted
-by requesting a ticket-granting ticket for the destination
-realm from a Kerberos server for which the client does
-posess a ticket-granting ticket (using the KRB_TGS_REQ mes-
-sage recursively). The Kerberos server may return a TGT for
-the desired realm in which case one can proceed. Alterna-
-tively, the Kerberos server may return a TGT for a realm
-which is "closer" to the desired realm (further along the
-standard hierarchical path), in which case this step must be
-repeated with a Kerberos server in the realm specified in
-the returned TGT. If neither are returned, then the request
-must be retried with a Kerberos server for a realm higher in
-the hierarchy. This request will itself require a ticket-
-granting ticket for the higher realm which must be obtained
-by recursively applying these directions.
-
-
- Once the client obtains a ticket-granting ticket for
-the appropriate realm, it determines which Kerberos servers
-serve that realm, and contacts one. The list might be
-obtained through a configuration file or network service or
-it may be generated from the name of the realm; as long as
-the secret keys exchanged by realms are kept secret, only
-denial of service results from using a false Kerberos
-server.
-__________________________
-[15] This can be accomplished in several ways. It
-might be known beforehand (since the realm is part of
-the principal identifier), it might be stored in a
-nameserver, or it might be obtained from a configura-
-tion file. If the realm to be used is obtained from a
-nameserver, there is a danger of being spoofed if the
-nameservice providing the realm name is not authenti-
-cated.
This might result in the use of a realm which -has been compromised, and would result in an attacker's -ability to compromise the authentication of the appli- -cation server to the client. - - - -Section 3.3.1. - 26 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - As in the AS exchange, the client may specify a number -of options in the KRB_TGS_REQ message. The client prepares -the KRB_TGS_REQ message, providing an authentication header -as an element of the padata field, and including the same -fields as used in the KRB_AS_REQ message along with several -optional fields: the enc-authorization-data field for appli- -cation server use and additional tickets required by some -options. - - In preparing the authentication header, the client can -select a sub-session key under which the response from the -Kerberos server will be encrypted[16]. If the sub-session -key is not specified, the session key from the ticket- -granting ticket will be used. If the enc-authorization-data -is present, it must be encrypted in the sub-session key, if -present, from the authenticator portion of the authentica- -tion header, or if not present, using the session key from -the ticket-granting ticket. - - Once prepared, the message is sent to a Kerberos server -for the destination realm. See section A.5 for pseudocode. - -3.3.2. Receipt of KRB_TGS_REQ message - - The KRB_TGS_REQ message is processed in a manner simi- -lar to the KRB_AS_REQ message, but there are many additional -checks to be performed. First, the Kerberos server must -determine which server the accompanying ticket is for and it -must select the appropriate key to decrypt it. For a normal -KRB_TGS_REQ message, it will be for the ticket granting ser- -vice, and the TGS's key will be used. If the TGT was issued -by another realm, then the appropriate inter-realm key must -be used. 
If the accompanying ticket is not a ticket grant- -ing ticket for the current realm, but is for an application -server in the current realm, the RENEW, VALIDATE, or PROXY -options are specified in the request, and the server for -which a ticket is requested is the server named in the -accompanying ticket, then the KDC will decrypt the ticket in -the authentication header using the key of the server for -which it was issued. If no ticket can be found in the -padata field, the KDC_ERR_PADATA_TYPE_NOSUPP error is -returned. - - Once the accompanying ticket has been decrypted, the -user-supplied checksum in the Authenticator must be verified -against the contents of the request, and the message -rejected if the checksums do not match (with an error code -__________________________ -[16] If the client selects a sub-session key, care must -be taken to ensure the randomness of the selected sub- -session key. One approach would be to generate a ran- -dom number and XOR it with the session key from the -ticket-granting ticket. - - -Section 3.3.2. - 27 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or -not collision-proof (with an error code of -KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not sup- -ported, the KDC_ERR_SUMTYPE_NOSUPP error is returned. If -the authorization-data are present, they are decrypted using -the sub-session key from the Authenticator. - - If any of the decryptions indicate failed integrity -checks, the KRB_AP_ERR_BAD_INTEGRITY error is returned. - -3.3.3. Generation of KRB_TGS_REP message - - The KRB_TGS_REP message shares its format with the -KRB_AS_REP (KRB_KDC_REP), but with its type field set to -KRB_TGS_REP. The detailed specification is in section -5.4.2. - - The response will include a ticket for the requested -server. 
The Kerberos database is queried to retrieve the -record for the requested server (including the key with -which the ticket will be encrypted). If the request is for -a ticket granting ticket for a remote realm, and if no key -is shared with the requested realm, then the Kerberos server -will select the realm "closest" to the requested realm with -which it does share a key, and use that realm instead. This -is the only case where the response from the KDC will be for -a different server than that requested by the client. - - By default, the address field, the client's name and -realm, the list of transited realms, the time of initial -authentication, the expiration time, and the authorization -data of the newly-issued ticket will be copied from the -ticket-granting ticket (TGT) or renewable ticket. If the -transited field needs to be updated, but the transited type -is not supported, the KDC_ERR_TRTYPE_NOSUPP error is -returned. - - If the request specifies an endtime, then the endtime -of the new ticket is set to the minimum of (a) that request, -(b) the endtime from the TGT, and (c) the starttime of the -TGT plus the minimum of the maximum life for the application -server and the maximum life for the local realm (the maximum -life for the requesting principal was already applied when -the TGT was issued). If the new ticket is to be a renewal, -then the endtime above is replaced by the minimum of (a) the -value of the renew_till field of the ticket and (b) the -starttime for the new ticket plus the life (endtime- -starttime) of the old ticket. - - If the FORWARDED option has been requested, then the -resulting ticket will contain the addresses specified by the -client. This option will only be honored if the FORWARDABLE -flag is set in the TGT. The PROXY option is similar; the -resulting ticket will contain the addresses specified by the - - -Section 3.3.3. - 28 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -client. 
It will be honored only if the PROXIABLE flag in -the TGT is set. The PROXY option will not be honored on -requests for additional ticket-granting tickets. - - If the requested start time is absent, indicates a time -in the past, or is within the window of acceptable clock -skew for the KDC and the POSTDATE option has not been speci- -fied, then the start time of the ticket is set to the -authentication server's current time. If it indicates a -time in the future beyond the acceptable clock skew, but the -POSTDATED option has not been specified or the MAY-POSTDATE -flag is not set in the TGT, then the error -KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the -ticket-granting ticket has the MAY-POSTDATE flag set, then -the resulting ticket will be postdated and the requested -starttime is checked against the policy of the local realm. -If acceptable, the ticket's start time is set as requested, -and the INVALID flag is set. The postdated ticket must be -validated before use by presenting it to the KDC after the -starttime has been reached. However, in no case may the -starttime, endtime, or renew-till time of a newly-issued -postdated ticket extend beyond the renew-till time of the -ticket-granting ticket. - - If the ENC-TKT-IN-SKEY option has been specified and an -additional ticket has been included in the request, the KDC -will decrypt the additional ticket using the key for the -server to which the additional ticket was issued and verify -that it is a ticket-granting ticket. If the name of the -requested server is missing from the request, the name of -the client in the additional ticket will be used. Otherwise -the name of the requested server will be compared to the -name of the client in the additional ticket and if dif- -ferent, the request will be rejected. 
If the request -succeeds, the session key from the additional ticket will be -used to encrypt the new ticket that is issued instead of -using the key of the server for which the new ticket will be -used[17]. - - If the name of the server in the ticket that is -presented to the KDC as part of the authentication header is -not that of the ticket-granting server itself, the server is -registered in the realm of the KDC, and the RENEW option is -requested, then the KDC will verify that the RENEWABLE flag -is set in the ticket, that the INVALID flag is not set in -the ticket, and that the renew_till time is still in the -future. If the VALIDATE option is rqeuested, the KDC will -__________________________ -[17] This allows easy implementation of user-to-user -authentication [8], which uses ticket-granting ticket -session keys in lieu of secret server keys in situa- -tions where such secret keys could be easily comprom- -ised. - - -Section 3.3.3. - 29 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -check that the starttime has passed and the INVALID flag is -set. If the PROXY option is requested, then the KDC will -check that the PROXIABLE flag is set in the ticket. If the -tests succeed, and the ticket passes the hotlist check -described in the next paragraph, the KDC will issue the -appropriate new ticket. - - -3.3.3.1. Checking for revoked tickets - - Whenever a request is made to the ticket-granting -server, the presented ticket(s) is(are) checked against a -hot-list of tickets which have been canceled. This hot-list -might be implemented by storing a range of issue timestamps -for "suspect tickets"; if a presented ticket had an authtime -in that range, it would be rejected. In this way, a stolen -ticket-granting ticket or renewable ticket cannot be used to -gain additional tickets (renewals or otherwise) once the -theft has been reported. 
Any normal ticket obtained before -it was reported stolen will still be valid (because they -require no interaction with the KDC), but only until their -normal expiration time. - - The ciphertext part of the response in the KRB_TGS_REP -message is encrypted in the sub-session key from the Authen- -ticator, if present, or the session key key from the -ticket-granting ticket. It is not encrypted using the -client's secret key. Furthermore, the client's key's -expiration date and the key version number fields are left -out since these values are stored along with the client's -database record, and that record is not needed to satisfy a -request based on a ticket-granting ticket. See section A.6 -for pseudocode. - -3.3.3.2. Encoding the transited field - - If the identity of the server in the TGT that is -presented to the KDC as part of the authentication header is -that of the ticket-granting service, but the TGT was issued -from another realm, the KDC will look up the inter-realm key -shared with that realm and use that key to decrypt the -ticket. If the ticket is valid, then the KDC will honor the -request, subject to the constraints outlined above in the -section describing the AS exchange. The realm part of the -client's identity will be taken from the ticket-granting -ticket. The name of the realm that issued the ticket- -granting ticket will be added to the transited field of the -ticket to be issued. This is accomplished by reading the -transited field from the ticket-granting ticket (which is -treated as an unordered set of realm names), adding the new -realm to the set, then constructing and writing out its -encoded (shorthand) form (this may involve a rearrangement -of the existing encoding). - - - -Section 3.3.3.2. - 30 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - Note that the ticket-granting service does not add the -name of its own realm. Instead, its responsibility is to -add the name of the previous realm. 
This prevents a mali-
-cious Kerberos server from intentionally leaving out its own
-name (it could, however, omit other realms' names).
-
- The names of neither the local realm nor the
-principal's realm are to be included in the transited field.
-They appear elsewhere in the ticket and both are known to
-have taken part in authenticating the principal. Since the
-endpoints are not included, both local and single-hop
-inter-realm authentication result in a transited field that
-is empty.
-
- Because the name of each realm transited is added to
-this field, it might potentially be very long. To decrease
-the length of this field, its contents are encoded. The
-initially supported encoding is optimized for the normal
-case of inter-realm communication: a hierarchical arrange-
-ment of realms using either domain or X.500 style realm
-names. This encoding (called DOMAIN-X500-COMPRESS) is now
-described.
-
- Realm names in the transited field are separated by a
-",". The ",", "\", trailing "."s, and leading spaces (" ")
-are special characters, and if they are part of a realm
-name, they must be quoted in the transited field by preced-
-ing them with a "\".
-
- A realm name ending with a "." is interpreted as being
-prepended to the previous realm. For example, we can encode
-traversal of EDU, MIT.EDU, ATHENA.MIT.EDU, WASHINGTON.EDU,
-and CS.WASHINGTON.EDU as:
-
- "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
-
-Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-
-points, that they would not be included in this field, and
-we would have:
-
- "EDU,MIT.,WASHINGTON.EDU"
-
-A realm name beginning with a "/" is interpreted as being
-appended to the previous realm[18]. If it is to stand by
-itself, then it should be preceded by a space (" "). For
-example, we can encode traversal of /COM/HP/APOLLO, /COM/HP,
-/COM, and /COM/DEC as:
-
- "/COM,/HP,/APOLLO, /COM/DEC".
-__________________________ -[18] For the purpose of appending, the realm preceding -the first listed realm is considered to be the null -realm (""). - - -Section 3.3.3.2. - 31 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are -endpoints, they they would not be included in this field, -and we would have: - - "/COM,/HP" - - - A null subfield preceding or following a "," indicates -that all realms between the previous realm and the next -realm have been traversed[19]. Thus, "," means that all -realms along the path between the client and the server have -been traversed. ",EDU, /COM," means that that all realms -from the client's realm up to EDU (in a domain style hierar- -chy) have been traversed, and that everything from /COM down -to the server's realm in an X.500 style has also been -traversed. This could occur if the EDU realm in one hierar- -chy shares an inter-realm key directly with the /COM realm -in another hierarchy. - -3.3.4. Receipt of KRB_TGS_REP message - -When the KRB_TGS_REP is received by the client, it is pro- -cessed in the same manner as the KRB_AS_REP processing -described above. The primary difference is that the cipher- -text part of the response must be decrypted using the ses- -sion key from the ticket-granting ticket rather than the -client's secret key. See section A.7 for pseudocode. - - -3.4. The KRB_SAFE Exchange - - The KRB_SAFE message may be used by clients requiring -the ability to detect modifications of messages they -exchange. It achieves this by including a keyed collision- -proof checksum of the user data and some control informa- -tion. The checksum is keyed with an encryption key (usually -the last key negotiated via subkeys, or the session key if -no negotiation has occured). - -3.4.1. 
Generation of a KRB_SAFE message - -When an application wishes to send a KRB_SAFE message, it -collects its data and the appropriate control information -and computes a checksum over them. The checksum algorithm -should be a keyed one-way hash function (such as the RSA- -MD5-DES checksum algorithm specified in section 6.4.5, or -the DES MAC), generated using the sub-session key if -present, or the session key. Different algorithms may be -__________________________ -[19] For the purpose of interpreting null subfields, -the client's realm is considered to precede those in -the transited field, and the server's realm is con- -sidered to follow them. - - -Section 3.4.1. - 32 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -selected by changing the checksum type in the message. -Unkeyed or non-collision-proof checksums are not suitable -for this use. - - The control information for the KRB_SAFE message -includes both a timestamp and a sequence number. The -designer of an application using the KRB_SAFE message must -choose at least one of the two mechanisms. This choice -should be based on the needs of the application protocol. - - Sequence numbers are useful when all messages sent will -be received by one's peer. Connection state is presently -required to maintain the session key, so maintaining the -next sequence number should not present an additional prob- -lem. - - If the application protocol is expected to tolerate -lost messages without them being resent, the use of the -timestamp is the appropriate replay detection mechanism. -Using timestamps is also the appropriate mechanism for -multi-cast protocols where all of one's peers share a common -sub-session key, but some messages will be sent to a subset -of one's peers. - - After computing the checksum, the client then transmits -the information and checksum to the recipient in the message -format specified in section 5.6.1. - -3.4.2. 
Receipt of KRB_SAFE message - -When an application receives a KRB_SAFE message, it verifies -it as follows. If any error occurs, an error code is -reported for use by the application. - - The message is first checked by verifying that the pro- -tocol version and type fields match the current version and -KRB_SAFE, respectively. A mismatch generates a -KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application verifies that the checksum used is a collision- -proof keyed checksum, and if it is not, a -KRB_AP_ERR_INAPP_CKSUM error is generated. The recipient -verifies that the operating system's report of the sender's -address matches the sender's address in the message, and (if -a recipient address is specified or the recipient requires -an address) that one of the recipient's addresses appears as -the recipient's address in the message. A failed match for -either case generates a KRB_AP_ERR_BADADDR error. Then the -timestamp and usec and/or the sequence number fields are -checked. If timestamp and usec are expected and not -present, or they are present but not current, the -KRB_AP_ERR_SKEW error is generated. If the server name, -along with the client name, time and microsecond fields from -the Authenticator match any recently-seen (sent or -received[20] ) such tuples, the KRB_AP_ERR_REPEAT error is -__________________________ -[20] This means that a client and server running on the - - - - - - - Version 5 - Specification Revision 6 - - -generated. If an incorrect sequence number is included, or -a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time- -stamp and usec or a sequence number is present, a -KRB_AP_ERR_MODIFIED error is generated. Finally, the check- -sum is computed over the data and control information, and -if it doesn't match the received checksum, a -KRB_AP_ERR_MODIFIED error is generated. 
-
- If all the checks succeed, the application is assured
-that the message was generated by its peer and was not modi-
-fied in transit.
-
-3.5. The KRB_PRIV Exchange
-
- The KRB_PRIV message may be used by clients requiring
-confidentiality and the ability to detect modifications of
-exchanged messages. It achieves this by encrypting the mes-
-sages and adding control information.
-
-3.5.1. Generation of a KRB_PRIV message
-
-When an application wishes to send a KRB_PRIV message, it
-collects its data and the appropriate control information
-(specified in section 5.7.1) and encrypts them under an
-encryption key (usually the last key negotiated via subkeys,
-or the session key if no negotiation has occured). As part
-of the control information, the client must choose to use
-either a timestamp or a sequence number (or both); see the
-discussion in section 3.4.1 for guidelines on which to use.
-After the user data and control information are encrypted,
-the client transmits the ciphertext and some "envelope"
-information to the recipient.
-
-3.5.2. Receipt of KRB_PRIV message
-
-When an application receives a KRB_PRIV message, it verifies
-it as follows. If any error occurs, an error code is
-reported for use by the application.
-
- The message is first checked by verifying that the pro-
-tocol version and type fields match the current version and
-KRB_PRIV, respectively. A mismatch generates a
-KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
-application then decrypts the ciphertext and processes the
-resultant plaintext. If decryption shows the data to have
-been modified, a KRB_AP_ERR_BAD_INTEGRITY error is gen-
-erated. The recipient verifies that the operating system's
-report of the sender's address matches the sender's address
-__________________________
-same host and communicating with one another using the
-KRB_SAFE messages should not share a common replay
-cache to detect KRB_SAFE replays.
-
-
-
-Section 3.5.2.
- 34 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -in the message, and (if a recipient address is specified or -the recipient requires an address) that one of the -recipient's addresses appears as the recipient's address in -the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. Then the timestamp and usec -and/or the sequence number fields are checked. If timestamp -and usec are expected and not present, or they are present -but not current, the KRB_AP_ERR_SKEW error is generated. If -the server name, along with the client name, time and -microsecond fields from the Authenticator match any -recently-seen such tuples, the KRB_AP_ERR_REPEAT error is -generated. If an incorrect sequence number is included, or -a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time- -stamp and usec or a sequence number is present, a -KRB_AP_ERR_MODIFIED error is generated. - - If all the checks succeed, the application can assume -the message was generated by its peer, and was securely -transmitted (without intruders able to see the unencrypted -contents). - -3.6. The KRB_CRED Exchange - - The KRB_CRED message may be used by clients requiring -the ability to send Kerberos credentials from one host to -another. It achieves this by sending the tickets together -with encrypted data containing the session keys and other -information associated with the tickets. - -3.6.1. Generation of a KRB_CRED message - -When an application wishes to send a KRB_CRED message it -first (using the KRB_TGS exchange) obtains credentials to be -sent to the remote host. It then constructs a KRB_CRED mes- -sage using the ticket or tickets so obtained, placing the -session key needed to use each ticket in the key field of -the corresponding KrbCredInfo sequence of the encrypted part -of the the KRB_CRED message. 
- - Other information associated with each ticket and -obtained during the KRB_TGS exchange is also placed in the -corresponding KrbCredInfo sequence in the encrypted part of -the KRB_CRED message. The current time and, if specifically -required by the application the nonce, s-address, and r- -address fields, are placed in the encrypted part of the -KRB_CRED message which is then encrypted under an encryption -key previosuly exchanged in the KRB_AP exchange (usually the -last key negotiated via subkeys, or the session key if no -negotiation has occured). - -3.6.2. Receipt of KRB_CRED message - -When an application receives a KRB_CRED message, it verifies - - -Section 3.6.2. - 35 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -it. If any error occurs, an error code is reported for use -by the application. The message is verified by checking -that the protocol version and type fields match the current -version and KRB_CRED, respectively. A mismatch generates a -KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The -application then decrypts the ciphertext and processes the -resultant plaintext. If decryption shows the data to have -been modified, a KRB_AP_ERR_BAD_INTEGRITY error is gen- -erated. - - If present or required, the recipient verifies that the -operating system's report of the sender's address matches -the sender's address in the message, and that one of the -recipient's addresses appears as the recipient's address in -the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields -(and the nonce field if required) are checked next. If the -timestamp and usec are not present, or they are present but -not current, the KRB_AP_ERR_SKEW error is generated. 
- - If all the checks succeed, the application stores each -of the new tickets in its ticket cache together with the -session key and other information in the corresponding -KrbCredInfo sequence from the encrypted part of the KRB_CRED -message. - -4. The Kerberos Database - -The Kerberos server must have access to a database contain- -ing the principal identifiers and secret keys of principals -to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following -fields: - -Field Value - -name Principal's identif- -ier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -__________________________ -[21] The implementation of the Kerberos server need not -combine the database and the server on the same -machine; it is feasible to store the principal database -in, say, a network name service, as long as the entries -stored therein are protected from disclosure to and -modification by unauthorized parties. However, we -recommend against such strategies, as they can make -system management and threat analysis quite complex. - - -Section 4.1. - 36 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. -The key field contains an encryption key. This key is the -principal's secret key. (The key can be encrypted before -storage under a Kerberos "master key" to protect it in case -the database is compromised but the master key is not. In -that case, an extra field must be added to indicate the mas- -ter key version used, see below.) The p_kvno field is the -key version number of the principal's secret key. The -max_life field contains the maximum allowable lifetime (end- -time - starttime) for any Ticket issued for this principal. 
-The max_renewable_life field contains the maximum allowable -total lifetime for any renewable Ticket issued for this -principal. (See section 3.1 for a description of how these -lifetimes are used in determining the lifetime of a given -Ticket.) - - A server may provide KDC service to several realms, as -long as the database representation provides a mechanism to -distinguish between principal records with identifiers which -differ only in the realm name. - - When an application server's key changes, if the change -is routine (i.e. not the result of disclosure of the old -key), the old key should be retained by the server until all -tickets that had been issued using that key have expired. -Because of this, it is possible for several keys to be -active for a single principal. Ciphertext encrypted in a -principal's key is always tagged with the version of the key -that was used for encryption, to help the recipient find the -proper key for decryption. - - When more than one key is active for a particular prin- -cipal, the principal will have more than one record in the -Kerberos database. The keys and key version numbers will -differ between the records (the rest of the fields may or -may not be the same). Whenever Kerberos issues a ticket, or -responds to a request for initial authentication, the most -recent key (known by the Kerberos server) will be used for -encryption. This is the key with the highest key version -number. - -4.2. Additional fields - -Project Athena's KDC implementation uses additional fields -in its database: - -Field Value - -K_kvno Kerberos' key version -expiration Expiration date for entry -attributes Bit field of attributes -mod_date Timestamp of last modification - - -Section 4.2. - 37 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -mod_name Modifying principal's identifier - - -The K_kvno field indicates the key version of the Kerberos -master key under which the principal's secret key is -encrypted. 
-
- After an entry's expiration date has passed, the KDC
-will return an error to any client attempting to gain tick-
-ets as or for the principal. (A database may want to main-
-tain two expiration dates: one for the principal, and one
-for the principal's current key. This allows password aging
-to work independently of the principal's expiration date.
-However, due to the limited space in the responses, the KDC
-must combine the key expiration and principal expiration
-date into a single value called "key_exp", which is used as
-a hint to the user to take administrative action.)
-
- The attributes field is a bitfield used to govern the
-operations involving the principal. This field might be
-useful in conjunction with user registration procedures, for
-site-specific policy implementations (Project Athena
-currently uses it for their user registration process con-
-trolled by the system-wide database service, Moira [9]), to
-identify whether a principal can play the role of a client
-or server or both, to note whether a server is appropriate
-trusted to recieve credentials delegated by a client, or to
-identify the "string to key" conversion algorithm used for a
-principal's key[22]. Other bits are used to indicate that
-certain ticket options should not be allowed in tickets
-encrypted under a principal's key (one bit each): Disallow
-issuing postdated tickets, disallow issuing forwardable
-tickets, disallow issuing tickets based on TGT authentica-
-tion, disallow issuing renewable tickets, disallow issuing
-proxiable tickets, and disallow issuing tickets for which
-the principal is the server.
-
- The mod_date field contains the time of last modifica-
-tion of the entry, and the mod_name field contains the name
-of the principal which last modified the entry.
-
-4.3. Frequently Changing Fields
-
- Some KDC implementations may wish to maintain the last
-time that a request was made by a particular principal.
-Information that might be maintained includes the time of -the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a -ticket-granting ticket, or other times. This information -can then be returned to the user in the last-req field (see -__________________________ -[22] See the discussion of the padata field in section -5.4.2 for details on why this can be useful. - - -Section 4.3. - 38 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -section 5.2). - - Other frequently changing information that can be main- -tained is the latest expiration time for any tickets that -have been issued using each key. This field would be used -to indicate how long old keys must remain valid to allow the -continued use of outstanding tickets. - -4.4. Site Constants - - The KDC implementation should have the following confi- -gurable constants or options, to allow an administrator to -make and enforce policy decisions: - -+ The minimum supported lifetime (used to determine whether - the KDC_ERR_NEVER_VALID error should be returned). This - constant should reflect reasonable expectations of - round-trip time to the KDC, encryption/decryption time, - and processing time by the client and target server, and - it should allow for a minimum "useful" lifetime. - -+ The maximum allowable total (renewable) lifetime of a - ticket (renew_till - starttime). - -+ The maximum allowable lifetime of a ticket (endtime - - starttime). - -+ Whether to allow the issue of tickets with empty address - fields (including the ability to specify that such tick- - ets may only be issued if the request specifies some - authorization_data). - -+ Whether proxiable, forwardable, renewable or post-datable - tickets are to be issued. - - -5. Message Specifications - - The following sections describe the exact contents and -encoding of protocol messages and objects. The ASN.1 base -definitions are presented in the first subsection. 
The -remaining subsections specify the protocol objects (tickets -and authenticators) and messages. Specification of encryp- -tion and checksum techniques, and the fields related to -them, appear in section 6. - -5.1. ASN.1 Distinguished Encoding Representation - - All uses of ASN.1 in Kerberos shall use the Dis- -tinguished Encoding Representation of the data elements as -described in the X.509 specification, section 8.7 [10]. - - - - - -Section 5.1. - 39 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -5.2. ASN.1 Base Definitions - - The following ASN.1 base definitions are used in the -rest of this section. Note that since the underscore char- -acter (_) is not permitted in ASN.1 names, the hyphen (-) is -used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - - -Kerberos realms are encoded as GeneralStrings. Realms shall -not contain a character with the code 0 (the ASCII NUL). -Most realms will usually consist of several components -separated by periods (.), in the style of Internet Domain -Names, or separated by slashes (/) in the style of X.500 -names. Acceptable forms for realm names are specified in -section 7. A PrincipalName is a typed sequence of com- -ponents consisting of the following sub-fields: - -name-type This field specifies the type of name that fol- - lows. Pre-defined values for this field are - specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two - names can be the same (i.e. at least one of the - components, or the realm, must be different). - This constraint may be eliminated in the future. - -name-stringThis field encodes a sequence of components that - form a name, each component encoded as a General- - String. Taken together, a PrincipalName and a - Realm form a principal identifier. 
Most Princi- - palNames will have only a few components (typi- - cally one or two). - - - - KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - - - The timestamps used in Kerberos are encoded as General- -izedTimes. An encoding shall specify the UTC time zone (Z) -and shall not include any fractional portions of the -seconds. It further shall not include any separators. -Example: The only valid format for UTC time 6 minutes, 27 -seconds after 9 pm on 6 November 1985 is 19851106210627Z. - - HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING - - -Section 5.2. - 40 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - } - - HostAddresses ::= SEQUENCE OF SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING - } - - - The host adddress encodings consists of two fields: - -addr-type This field specifies the type of address that - follows. Pre-defined values for this field are - specified in section 8.1. - - -address This field encodes a single address of type addr- - type. - -The two forms differ slightly. HostAddress contains exactly -one address; HostAddresses contains a sequence of possibly -many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - - -ad-data This field contains authorization data to be - interpreted according to the value of the - corresponding ad-type field. - -ad-type This field specifies the format for the ad-data - subfield. All negative values are reserved for - local use. Non-negative values are reserved for - registered use. - - APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) - } - - - TicketFlags ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - may-postdate(5), - postdated(6), - invalid(7), - renewable(8), - initial(9), - - -Section 5.2. 
- 41 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - pre-authent(10), - hw-authent(11), - transited-policy-checked(12), - ok-as-delegate(13) - } - - - KDCOptions ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - unused12(12), - unused13(13), - disable-transited-check(26), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) - } - - ASN.1 Bit strings have a length and a value. When - used in Kerberos for the APOptions, TicketFlags, - and KDCOptions, the length of the bit string on - generated values should be the smallest multiple - of 32 bits needed to include the highest order bit - that is set (1), but in no case less than 32 bits. - Implementations should accept values of bit - strings of any length and treat the value of flags - cooresponding to bits beyond the end of the bit - string as if the bit were reset (0). Comparisonof - bit strings of different length should treat the - smaller string as if it were padded with zeros - beyond the high order bits to the length of the - longer string[23]. - -__________________________ -[23] Warning for implementations that unpack and repack -data structures during the generation and verification -of embedded checksums: Because any checksums applied to -data structures must be checked against the original -data the length of bit strings must be preserved within -a data structure between the time that a checksum is -generated through transmission to the time that the -checksum is verified. - - - -Section 5.2. - 42 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime - } - - -lr-type This field indicates how the following lr-value - field is to be interpreted. 
Negative values indi- - cate that the information pertains only to the - responding server. Non-negative values pertain to - all servers for the realm. - - If the lr-type field is zero (0), then no informa- - tion is conveyed by the lr-value subfield. If the - absolute value of the lr-type field is one (1), - then the lr-value subfield is the time of last - initial request for a TGT. If it is two (2), then - the lr-value subfield is the time of last initial - request. If it is three (3), then the lr-value - subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), - then the lr-value subfield is the time of the last - renewal. If it is five (5), then the lr-value - subfield is the time of last request (of any - type). - - -lr-value This field contains the time of the last request. - The time must be interpreted according to the con- - tents of the accompanying lr-type subfield. - - See section 6 for the definitions of Checksum, Check- -sumType, EncryptedData, EncryptionKey, EncryptionType, and -KeyType. - - -5.3. Tickets and Authenticators - - This section describes the format and encryption param- -eters for tickets and authenticators. When a ticket or -authenticator is included in a protocol message it is -treated as an opaque object. - -5.3.1. Tickets - - A ticket is a record that helps a client authenticate -to a service. A Ticket contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData -} - - -Section 5.3.1. 
- 43 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared -by Kerberos and the end server (the server's secret key). -See section 6 for the format of the ciphertext. - -tkt-vno This field specifies the version number for the - ticket format. This document describes version - number 5. - - -realm This field specifies the realm that issued a - ticket. It also serves to identify the realm part - of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers - within its realm, the two will always be identi- - cal. - - -sname This field specifies the name part of the server's - identity. - - -enc-part This field holds the encrypted encoding of the - EncTicketPart sequence. - - -flags This field indicates which of various options were - used or requested when the ticket was issued. It - is a bit-field, where the selected options are - indicated by the bit being set (1), and the - unselected options and reserved fields being reset - (0). Bit 0 is the most significant bit. The - encoding of the bits is specified in section 5.2. - The flags are described in more detail above in - section 2. The meanings of the flags are: - - -Section 5.3.1. 
- 44 - Expires 11 January 1998 - - - - - - Version 5 - Specification Revision 6 - - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. - - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - - - - - - - -Section 5.3.1. 
- 45 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. - - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. - The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - - - -Section 5.3.1. - 46 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - -Section 5.3.1. 
- 47 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - - - -Section 5.3.1. - 48 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. - - 15-31 RESERVED - Reserved for future use. - - - -key This field exists in the ticket and the KDC - response and is used to pass the session key from - Kerberos to the application server and the client. - The field's encoding is described in section 6.2. - -crealm This field contains the name of the realm in which - the client is registered and in which initial - authentication took place. - - -cname This field contains the name part of the client's - principal identifier. - - -transited This field lists the names of the Kerberos realms - that took part in authenticating the user to whom - this ticket was issued. 
It does not specify the - order in which the realms were transited. See - section 3.3.3.2 for details on how this field - encodes the traversed realms. - - -authtime This field indicates the time of initial authenti- - cation for the named principal. It is the time of - issue for the original ticket on which this ticket - is based. It is included in the ticket to provide - additional information to the end service, and to - provide the necessary information for implementa- - tion of a `hot list' service at the KDC. An end - service that is particularly paranoid could refuse - to accept tickets for which the initial authenti- - cation occurred "too far" in the past. - - This field is also returned as part of the - response from the KDC. When returned as part of - the response to initial authentication - - -Section 5.3.1. - 49 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - (KRB_AS_REP), this is the current time on the Ker- - beros server[24]. - - -starttime This field in the ticket specifies the time after - which the ticket is valid. Together with endtime, - this field specifies the life of the ticket. If - it is absent from the ticket, its value should be - treated as that of the authtime field. - - -endtime This field contains the time after which the - ticket will not be honored (its expiration time). - Note that individual services may place their own - limits on the life of a ticket and may reject - tickets which have not yet expired. As such, this - is really an upper bound on the expiration time - for the ticket. - - -renew-tillThis field is only present in tickets that have - the RENEWABLE flag set in the flags field. It - indicates the maximum endtime that may be included - in a renewal. It can be thought of as the abso- - lute expiration time for the ticket, including all - renewals. - - -caddr This field in a ticket contains zero (if omitted) - or more (if present) host addresses. 
These are - the addresses from which the ticket can be used. - If there are no addresses, the ticket can be used - from any location. The decision by the KDC to - issue or by the end server to accept zero-address - tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may - refuse to issue or accept such tickets. The sug- - gested and default policy, however, is that such - tickets will only be issued or accepted when addi- - tional information that can be used to restrict - the use of the ticket is included in the - authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to - make it harder for an attacker to use stolen - credentials. Because the session key is not sent - over the network in cleartext, credentials can't -__________________________ -[24] It is NOT recommended that this time value be used -to adjust the workstation's clock since the workstation -cannot reliably determine that such a KRB_AS_REP actu- -ally came from the proper KDC in a timely manner. - - -Section 5.3.1. - 50 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - be stolen simply by listening to the network; an - attacker has to gain access to the session key - (perhaps through operating system security - breaches or a careless user's unattended session) - to make use of stolen tickets. - - It is important to note that the network address - from which a connection is received cannot be - reliably determined. Even if it could be, an - attacker who has compromised the client's worksta- - tion could use the credentials from there. - Including the network addresses only makes it more - difficult, not impossible, for an attacker to walk - off with stolen credentials and then use them from - a "safe" location. 
- - -authorization-data - The authorization-data field is used to pass - authorization data from the principal on whose - behalf a ticket was issued to the application ser- - vice. If no authorization data is included, this - field will be left out. Experience has shown that - the name of this field is confusing, and that a - better name for this field would be restrictions. - Unfortunately, it is not possible to change the - name of this field at this time. - - This field contains restrictions on any authority - obtained on the bases of authentication using the - ticket. It is possible for any principal in - posession of credentials to add entries to the - authorization data field since these entries - further restrict what can be done with the ticket. - Such additions can be made by specifying the addi- - tional entries when a new ticket is obtained dur- - ing the TGS exchange, or they may be added during - chained delegation using the authorization data - field of the authenticator. - - Because entries may be added to this field by the - holder of credentials, it is not allowable for the - presence of an entry in the authorization data - field of a ticket to amplify the priveleges one - would obtain from using a ticket. - - The data in this field may be specific to the end - service; the field will contain the names of ser- - vice specific objects, and the rights to those - objects. The format for this field is described - in section 5.2. Although Kerberos is not con- - cerned with the format of the contents of the sub- - fields, it does carry type information (ad-type). - - - -Section 5.3.1. - 51 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - By using the authorization_data field, a principal - is able to issue a proxy that is valid for a - specific purpose. For example, a client wishing - to print a file can obtain a file server proxy to - be passed to the print server. 
By specifying the - name of the file in the authorization_data field, - the file server knows that the print server can - only use the client's rights when accessing the - particular file to be printed. - - A separate service providing providing authoriza- - tion or certifying group membership may be built - using the authorization-data field. In this case, - the entity granting authorization (not the author- - ized entity), obtains a ticket in its own name - (e.g. the ticket is issued in the name of a - privelege server), and this entity adds restric- - tions on its own authority and delegates the res- - tricted authority through a proxy to the client. - The client would then present this authorization - credential to the application server separately - from the authentication exchange. - - Similarly, if one specifies the authorization-data - field of a proxy and leaves the host addresses - blank, the resulting ticket and session key can be - treated as a capability. See [7] for some sug- - gested uses of this field. - - The authorization-data field is optional and does - not have to be included in a ticket. - - -5.3.2. Authenticators - - An authenticator is a record sent with a ticket to a -server to certify the client's knowledge of the encryption -key in the ticket, to help the server detect replays, and to -help choose a "true session key" to use with the particular -session. The encoding is encrypted in the ticket's session -key shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - - -Section 5.3.2. 
- 52 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authenticator-vno - This field specifies the version number for the - format of the authenticator. This document speci- - fies version 5. - - -crealm and cname - These fields are the same as those described for - the ticket in section 5.3.1. - - -cksum This field contains a checksum of the the applica- - tion data that accompanies the KRB_AP_REQ. - - -cusec This field contains the microsecond part of the - client's timestamp. Its value (before encryption) - ranges from 0 to 999999. It often appears along - with ctime. The two fields are used together to - specify a reasonably accurate timestamp. - - -ctime This field contains the current time on the - client's host. - - -subkey This field contains the client's choice for an - encryption key which is to be used to protect this - specific application session. Unless an applica- - tion specifies otherwise, if this field is left - out the session key from the ticket will be used. - -seq-numberThis optional field includes the initial sequence - number to be used by the KRB_PRIV or KRB_SAFE mes- - sages when sequence numbers are used to detect - replays (It may also be used by application - specific messages). When included in the authen- - ticator this field specifies the initial sequence - number for messages from the client to the server. - When included in the AP-REP message, the initial - sequence number is that for messages from the - server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after - each message is sent. - - For sequence numbers to adequately support the - detection of replays they should be non-repeating, - even across connection boundaries. 
The initial - sequence number should be random and uniformly - distributed across the full space of possible - sequence numbers, so that it cannot be guessed by - an attacker and so that it and the successive - sequence numbers do not repeat other sequences. - - - -Section 5.3.2. - 53 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -authorization-data - This field is the same as described for the ticket - in section 5.3.1. It is optional and will only - appear when additional restrictions are to be - placed on the use of a ticket, beyond those car- - ried in the ticket itself. - -5.4. Specifications for the AS and TGS exchanges - - This section specifies the format of the messages used -in the exchange between the client and the Kerberos server. -The format of possible error messages appears in section -5.9.1. - -5.4.1. KRB_KDC_REQ definition - - The KRB_KDC_REQ message has no type of its own. -Instead, its type is one of KRB_AS_REQ or KRB_TGS_REQ -depending on whether the request is for an initial ticket or -an additional ticket. In either case, the message is sent -from the client to the Authentication Server to request -credentials for a service. 
- - The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - - -Section 5.4.1. - 54 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -The fields in this message are: - - -pvno This field is included in each message, and speci- - fies the protocol version number. This document - specifies protocol version 5. - - -msg-type This field indicates the type of a protocol mes- - sage. It will almost always be the same as the - application identifier associated with a message. - It is included to make the identifier more readily - accessible to the application. For the KDC-REQ - message, this type will be KRB_AS_REQ or - KRB_TGS_REQ. - - -padata The padata (pre-authentication data) field con- - tains a sequence of authentication information - which may be needed before credentials can be - issued or decrypted. In the case of requests for - additional tickets (KRB_TGS_REQ), this field will - include an element with padata-type of PA-TGS-REQ - and data of an authentication header (ticket- - granting ticket and authenticator). 
The checksum - in the authenticator (which must be collision- - proof) is to be computed over the KDC-REQ-BODY - encoding. In most requests for initial authenti- - cation (KRB_AS_REQ) and most replies (KDC-REP), - the padata field will be left out. - - This field may also contain information needed by - certain extensions to the Kerberos protocol. For - example, it might be used to initially verify the - identity of a client before any response is - returned. This is accomplished with a padata - field with padata-type equal to PA-ENC-TIMESTAMP - and padata-value defined as follows: - -padata-type ::= PA-ENC-TIMESTAMP -padata-value ::= EncryptedData -- PA-ENC-TS-ENC - -PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL -} - - with patimestamp containing the client's time and - - -Section 5.4.1. - 55 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - pausec containing the microseconds which may be - omitted if a client will not generate more than - one request per second. The ciphertext (padata- - value) consists of the PA-ENC-TS-ENC sequence, - encrypted using the client's secret key. - - The padata field can also contain information - needed to help the KDC or the client select the - key needed for generating or decrypting the - response. This form of the padata is useful for - supporting the use of certain token cards with - Kerberos. The details of such extensions are - specified in separate documents. See [11] for - additional uses of this field. - -padata-type - The padata-type element of the padata field indi- - cates the way that the padata-value element is to - be interpreted. Negative values of padata-type - are reserved for unregistered use; non-negative - values are used for a registered interpretation of - the element type. - - -req-body This field is a placeholder delimiting the extent - of the remaining fields. 
If a checksum is to be - calculated over the request, it is calculated over - an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. - - -kdc-options - This field appears in the KRB_AS_REQ and - KRB_TGS_REQ requests to the KDC and indicates the - flags that the client wants set on the tickets as - well as other information that is to modify the - behavior of the KDC. Where appropriate, the name - of an option may be the same as the flag that is - set by that option. Although in most case, the - bit in the options field will be the same as that - in the flags field, this is not guaranteed, so it - is not acceptable to simply copy the options field - to the flags field. There are various checks that - must be made before honoring an option anyway. - - The kdc_options field is a bit-field, where the - selected options are indicated by the bit being - set (1), and the unselected options and reserved - fields being reset (0). The encoding of the bits - is specified in section 5.2. The options are - described in more detail above in section 2. The - meanings of the options are: - - - - -Section 5.4.1. - 56 - Expires 11 January 1998 - - - - - Version 5 - Specification Revision 6 - - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates that - the ticket to be issued is to have its - forwardable flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based is also for- - wardable. - - 2 FORWARDED - The FORWARDED option is only specified - in a request to the ticket-granting - server and will only be honored if the - ticket-granting ticket in the request - has its FORWARDABLE bit set. This - option indicates that this is a request - for forwarding. The address(es) of the - host from which the resulting ticket is - to be valid are included in the - addresses field of the request. 
- - 3 PROXIABLE - The PROXIABLE option indicates that the - ticket to be issued is to have its prox- - iable flag set. It may only be set on - the initial request, or in a subsequent - request if the ticket-granting ticket on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this is - a request for a proxy. This option will - only be honored if the ticket-granting - ticket in the request has its PROXIABLE - bit set. The address(es) of the host - from which the resulting ticket is to be - valid are included in the addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates that - the ticket to be issued is to have its - MAY-POSTDATE flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based also has its - MAY-POSTDATE flag set. - - - - - - - -Section 5.4.1. - 57 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 6 POSTDATED - The POSTDATED option indicates that this - is a request for a postdated ticket. - This option will only be honored if the - ticket-granting ticket on which it is - based has its MAY-POSTDATE flag set. - The resulting ticket will also have its - INVALID flag set, and that flag may be - reset by a subsequent request to the KDC - after the starttime in the ticket has - been reached. - - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that the - ticket to be issued is to have its - RENEWABLE flag set. It may only be set - on the initial request, or when the - ticket-granting ticket on which the - request is based is also renewable. If - this option is requested, then the rtime - field in the request contains the - desired absolute expiration time for the - ticket. - - 9-13 UNUSED - These options are presently unused. 
- - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option indicates - that the ticket to be issued is not to - identify the user to which it was - issued. Instead, the principal identif- - ier is to be generic, as specified by - the policy of the realm (e.g. usually - anonymous@realm). The purpose of the - ticket is only to securely distribute a - session key, and not to identify the - user. The ANONYMOUS flag on the ticket - to be returned should be set. If the - local realms policy does not permit - anonymous credentials, the request is to - be rejected. - - 15-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited field - is disabled. Tickets issued without the - performance of this check will be noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. - - - -Section 5.4.1. - 58 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that a - renewable ticket will be acceptable if a - ticket with the requested life cannot - otherwise be provided. If a ticket with - the requested life cannot be provided, - then a renewable ticket may be issued - with a renew-till equal to the the - requested endtime. The value of the - renew-till field may still be limited by - local limits, or limits selected by the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the ticket- - granting service. 
The ENC-TKT-IN-SKEY - option indicates that the ticket for the - end server is to be encrypted in the - session key from the additional ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the ticket- - granting service. The RENEW option - indicates that the present request is - for a renewal. The ticket provided is - encrypted in the secret key for the - server on which it is valid. This - option will only be honored if the - ticket to be renewed has its RENEWABLE - flag set and if the time in its renew- - till field has not passed. The ticket - to be renewed is passed in the padata - field as part of the authentication - header. - - 31 VALIDATE - This option is used only by the ticket- - granting service. The VALIDATE option - indicates that the request is to vali- - date a postdated ticket. It will only - be honored if the ticket presented is - postdated, presently has its INVALID - flag set, and would be otherwise usable - at this time. A ticket cannot be vali- - dated before its starttime. The ticket - presented for validation is encrypted in - the key of the server for which it is - valid and is passed in the padata field - as part of the authentication header. - -cname and sname - These fields are the same as those described for - the ticket in section 5.3.1. sname may only be - - -Section 5.4.1. - 59 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - absent when the ENC-TKT-IN-SKEY option is speci- - fied. If absent, the name of the server is taken - from the name of the client in the ticket passed - as additional-tickets. 
- - -enc-authorization-data - The enc-authorization-data, if present (and it can - only be present in the TGS_REQ form), is an encod- - ing of the desired authorization-data encrypted - under the sub-session key if present in the - Authenticator, or alternatively from the session - key in the ticket-granting ticket, both from the - padata field in the KRB_AP_REQ. - - -realm This field specifies the realm part of the - server's principal identifier. In the AS - exchange, this is also the realm part of the - client's principal identifier. - - -from This field is included in the KRB_AS_REQ and - KRB_TGS_REQ ticket requests when the requested - ticket is to be postdated. It specifies the - desired start time for the requested ticket. - - - -till This field contains the expiration date requested - by the client in a ticket request. It is option - and if omitted the requested ticket is to have the - maximum endtime permitted according to KDC policy - for the parties to the authentication exchange as - limited by expiration date of the ticket granting - ticket or other preauthentication credentials. - - -rtime This field is the requested renew-till time sent - from a client to the KDC in a ticket request. It - is optional. - - -nonce This field is part of the KDC request and - response. It it intended to hold a random number - generated by the client. If the same number is - included in the encrypted response from the KDC, - it provides evidence that the response is fresh - and has not been replayed by an attacker. Nonces - must never be re-used. Ideally, it should be gen- - erated randomly, but if the correct time is known, - it may suffice[25]. -__________________________ -[25] Note, however, that if the time is used as the - -Section 5.4.1. - 60 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -etype This field specifies the desired encryption algo- - rithm to be used in the response. 
-
-
-addresses This field is included in the initial request for
- tickets, and optionally included in requests for
- additional tickets from the ticket-granting
- server. It specifies the addresses from which the
- requested ticket is to be valid. Normally it
- includes the addresses for the client's host. If
- a proxy is requested, this field will contain
- other addresses. The contents of this field are
- usually copied by the KDC into the caddr field of
- the resulting ticket.
-
-
-additional-tickets
- Additional tickets may be optionally included in a
- request to the ticket-granting server. If the
- ENC-TKT-IN-SKEY option has been specified, then
- the session key from the additional ticket will be
- used in place of the server's key to encrypt the
- new ticket. If more than one option which
- requires additional tickets has been specified,
- then the additional tickets are used in the order
- specified by the ordering of the options bits (see
- kdc-options, above).
-
-
- The application code will be either ten (10) or twelve
-(12) depending on whether the request is for an initial
-ticket (AS-REQ) or for an additional ticket (TGS-REQ).
-
- The optional fields (addresses, authorization-data and
-additional-tickets) are only included if necessary to per-
-form the operation specified in the kdc-options field.
-
- It should be noted that in KRB_TGS_REQ, the protocol
-version number appears twice and two different message types
-appear: the KRB_TGS_REQ message contains these fields as
-does the authentication header (KRB_AP_REQ) that is passed
-in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
- The KRB_KDC_REP message format is used for the reply
-from the KDC for either an initial (AS) request or a subse-
-quent (TGS) request. There is no message type for
-__________________________
-nonce, one must make sure that the workstation time is
-monotonically increasing.
If the time is ever reset -backwards, there is a small, but finite, probability -that a nonce will be reused. - - - -Section 5.4.2. - 61 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or -KRB_TGS_REP. The key used to encrypt the ciphertext part of -the reply depends on the message type. For KRB_AS_REP, the -ciphertext is encrypted in the client's secret key, and the -client's key version number is included in the key version -number for the encrypted data. For KRB_TGS_REP, the cipher- -text is encrypted in the sub-session key from the Authenti- -cator, or if absent, the session key from the ticket- -granting ticket used in the request. In that case, no ver- -sion number will be present in the EncryptedData sequence. - - The KRB_KDC_REP message contains the following fields: - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -KDC-REP ::= SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - padata[2] SEQUENCE OF PA-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - - -EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - - - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] INTEGER, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL -} - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is either KRB_AS_REP or KRB_TGS_REP. -__________________________ -[27] An application code in the encrypted part of a -message provides an additional check that the message -was decrypted properly. - - -Section 5.4.2. 
- 62 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -padata This field is described in detail in section - 5.4.1. One possible use for this field is to - encode an alternate "mix-in" string to be used - with a string-to-key algorithm (such as is - described in section 6.3.2). This ability is use- - ful to ease transitions if a realm name needs to - change (e.g. when a company is acquired); in such - a case all existing password-derived entries in - the KDC database would be flagged as needing a - special mix-in string until the next password - change. - - -crealm, cname, srealm and sname - These fields are the same as those described for - the ticket in section 5.3.1. - - -ticket The newly-issued ticket, from section 5.3.1. - - -enc-part This field is a place holder for the ciphertext - and related information that forms the encrypted - part of a message. The description of the - encrypted part of the message follows each appear- - ance of this field. The encrypted part is encoded - as described in section 6.1. - - -key This field is the same as described for the ticket - in section 5.3.1. - - -last-req This field is returned by the KDC and specifies - the time(s) of the last request by a principal. - Depending on what information is available, this - might be the last time that a request for a - ticket-granting ticket was made, or the last time - that a request based on a ticket-granting ticket - was successful. It also might cover all servers - for a realm, or just the particular server. Some - implementations may display this information to - the user to aid in discovering unauthorized use of - one's identity. It is similar in spirit to the - last login time displayed when logging into - timesharing systems. - - -nonce This field is described above in section 5.4.1. - - -key-expiration - The key-expiration field is part of the response - from the KDC and specifies the time that the - - -Section 5.4.2. 
- 63 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - client's secret key is due to expire. The expira- - tion might be the result of password aging or an - account expiration. This field will usually be - left out of the TGS reply since the response to - the TGS request is encrypted in a session key and - no client information need be retrieved from the - KDC database. It is up to the application client - (usually the login program) to take appropriate - action (such as notifying the user) if the expira- - tion time is imminent. - - -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the - encrypted portion of the attached ticket (see sec- - tion 5.3.1), provided so the client may verify - they match the intended request and to assist in - proper ticket caching. If the message is of type - KRB_TGS_REP, the caddr field will only be filled - in if the request was for a proxy or forwarded - ticket, or if the user is substituting a subset of - the addresses from the ticket granting ticket. If - the client-requested addresses are not present or - not used, then the addresses contained in the - ticket will be the same as those included in the - ticket-granting ticket. - - -5.5. Client/Server (CS) message specifications - - This section specifies the format of the messages used -for the authentication of the client to the application -server. - -5.5.1. KRB_AP_REQ definition - - The KRB_AP_REQ message contains the Kerberos protocol -version number, the message type KRB_AP_REQ, an options -field to indicate any options in use, and the ticket and -authenticator themselves. The KRB_AP_REQ message is often -referred to as the "authentication header". 
- -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) - - -Section 5.5.1. - 64 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -} - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_AP_REQ. - - -ap-optionsThis field appears in the application request - (KRB_AP_REQ) and affects the way the request is - processed. It is a bit-field, where the selected - options are indicated by the bit being set (1), - and the unselected options and reserved fields - being reset (0). The encoding of the bits is - specified in section 5.2. The meanings of the - options are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 USE-SESSION-KEY - The USE-SESSION-KEY option indicates - that the ticket the client is presenting - to a server is encrypted in the session - key from the server's ticket-granting - ticket. When this option is not speci- - fied, the ticket is encrypted in the - server's secret key. - - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells the - server that the client requires mutual - authentication, and that it must respond - with a KRB_AP_REP message. - - 3-31 RESERVED - Reserved for future use. - - - -ticket This field is a ticket authenticating the client - to the server. - - -authenticator - This contains the authenticator, which includes - the client's choice of a subkey. Its encoding is - described in section 5.3.2. - -5.5.2. KRB_AP_REP definition - - The KRB_AP_REP message contains the Kerberos protocol -version number, the message type, and an encrypted time- -stamp. The message is sent in in response to an application -request (KRB_AP_REQ) where the mutual authentication option - - -Section 5.5.2. 
- 65 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -has been selected in the ap-options field. - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -The encoded EncAPRepPart is encrypted in the shared session -key of the ticket. The optional subkey field can be used in -an application-arranged negotiation to choose a per associa- -tion session key. - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_AP_REP. - - -enc-part This field is described above in section 5.4.2. - - -ctime This field contains the current time on the - client's host. - - -cusec This field contains the microsecond part of the - client's timestamp. - - -subkey This field contains an encryption key which is to - be used to protect this specific application ses- - sion. See section 3.2.6 for specifics on how this - field is used to negotiate a key. Unless an - application specifies otherwise, if this field is - left out, the sub-session key from the authentica- - tor, or if also left out, the session key from the - ticket will be used. - - - -__________________________ -[29] An application code in the encrypted part of a -message provides an additional check that the message -was decrypted properly. - - - -Section 5.5.2. - 66 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -5.5.3. Error message reply - - If an error occurs while processing the application -request, the KRB_ERROR message will be sent in response. -See section 5.9.1 for the format of the error message. The -cname and crealm fields may be left out if the server cannot -determine their appropriate values from the corresponding -KRB_AP_REQ message. 
If the authenticator was decipherable, -the ctime and cusec fields will contain the values from it. - -5.6. KRB_SAFE message specification - - This section specifies the format of a message that can -be used by either side (client or server) of an application -to send a tamper-proof message to its peer. It presumes -that a session key has previously been exchanged (for exam- -ple, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.6.1. KRB_SAFE definition - - The KRB_SAFE message contains user data along with a -collision-proof checksum keyed with the last encryption key -negotiated via subkeys, or the session key if no negotiation -has occured. The message fields are: - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - - - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_SAFE. - - -safe-body This field is a placeholder for the body of the - KRB-SAFE message. It is to be encoded separately - and then have the checksum computed over it, for - use in the cksum field. - - - -Section 5.6.1. - 67 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -cksum This field contains the checksum of the applica- - tion data. Checksum details are described in sec- - tion 6.4. The checksum is computed over the - encoding of the KRB-SAFE-BODY sequence. - - -user-data This field is part of the KRB_SAFE and KRB_PRIV - messages and contain the application specific data - that is being passed from the sender to the reci- - pient. - - -timestamp This field is part of the KRB_SAFE and KRB_PRIV - messages. Its contents are the current time as - known by the sender of the message. 
By checking - the timestamp, the recipient of the message is - able to make sure that it was recently generated, - and is not a replay. - - -usec This field is part of the KRB_SAFE and KRB_PRIV - headers. It contains the microsecond part of the - timestamp. - - -seq-number - This field is described above in section 5.3.2. - - -s-address This field specifies the address in use by the - sender of the message. - - -r-address This field specifies the address in use by the - recipient of the message. It may be omitted for - some uses (such as broadcast protocols), but the - recipient may arbitrarily reject such messages. - This field along with s-address can be used to - help detect messages which have been incorrectly - or maliciously delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - - This section specifies the format of a message that can -be used by either side (client or server) of an application -to securely and privately send a message to its peer. It -presumes that a session key has previously been exchanged -(for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - - The KRB_PRIV message contains user data encrypted in -the Session Key. The message fields are: - -__________________________ -[31] An application code in the encrypted part of a - - - - - - - Version 5 - Specification Revision 6 - - - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's addr - r-address[5] HostAddress OPTIONAL -- recip's addr -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_PRIV. 
- - -enc-part This field holds an encoding of the EncKrbPrivPart - sequence encrypted under the session key[32]. - This encrypted encoding is used for the enc-part - field of the KRB-PRIV message. See section 6 for - the format of the ciphertext. - - -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. - - -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - - This section specifies the format of a message that can -be used to send Kerberos credentials from one principal to -__________________________ -message provides an additional check that the message -was decrypted properly. -[32] If supported by the encryption method in use, an -initialization vector may be passed to the encryption -procedure, in order to achieve proper cipher chaining. -The initialization vector might come from the last -block of the ciphertext from the previous KRB_PRIV mes- -sage, but it is the application's choice whether or not -to use such an initialization vector. If left out, the -default initialization vector for the encryption algo- -rithm will be used. - - -Section 5.8. - 69 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -another. It is presented here to encourage a common mechan- -ism to be used by applications when forwarding tickets or -providing proxies to subordinate servers. It presumes that -a session key has already been exchanged perhaps by using -the KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - - The KRB_CRED message contains a sequence of tickets to -be sent and information needed to use the tickets, including -the session key from each. The information needed to use -the tickets is encrypted under an encryption key previously -exchanged or transferred alongside the KRB_CRED message. 
-The message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - - - - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_CRED. - - - - -Section 5.8.1. - 70 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -tickets - These are the tickets obtained from the KDC - specifically for use by the intended recipient. - Successive tickets are paired with the correspond- - ing KrbCredInfo sequence from the enc-part of the - KRB-CRED message. - - -enc-part This field holds an encoding of the EncKrbCredPart - sequence encrypted under the session key shared - between the sender and the intended recipient. - This encrypted encoding is used for the enc-part - field of the KRB-CRED message. See section 6 for - the format of the ciphertext. - - -nonce If practical, an application may require the - inclusion of a nonce generated by the recipient of - the message. If the same value is included as the - nonce in the message, it provides evidence that - the message is fresh and has not been replayed by - an attacker. 
A nonce must never be re-used; it - should be generated randomly by the recipient of - the message and provided to the sender of the mes- - sage in an application specific manner. - - -timestamp and usec - - These fields specify the time that the KRB-CRED - message was generated. The time is used to pro- - vide assurance that the message is fresh. - - -s-address and r-address - These fields are described above in section 5.6.1. - They are used optionally to provide additional - assurance of the integrity of the KRB-CRED mes- - sage. - - -key This field exists in the corresponding ticket - passed by the KRB-CRED message and is used to pass - the session key from the sender to the intended - recipient. The field's encoding is described in - section 6.2. - - The following fields are optional. If present, they -can be associated with the credentials in the remote ticket -file. If left out, then it is assumed that the recipient of -the credentials already knows their value. - - -prealm and pname - - -Section 5.8.1. - 71 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - The name and realm of the delegated principal - identity. - - -flags, authtime, starttime, endtime, renew-till, srealm, - sname, and caddr - These fields contain the values of the correspond- - ing fields from the ticket found in the ticket - field. Descriptions of the fields are identical - to the descriptions in the KDC-REP message. - -5.9. Error message specification - - This section specifies the format for the KRB_ERROR -message. The fields included in the message are intended to -return as much information as possible about an error. It -is not expected that all the information required by the -fields will be available for all types of errors. If the -appropriate information is not available when the message is -composed, the corresponding field will be left out of the -message. 
- - Note that since the KRB_ERROR message is not protected -by any encryption, it is quite possible for an intruder to -synthesize or modify such a message. In particular, this -means that the client should not use any fields in this mes- -sage for security-critical purposes, such as setting a sys- -tem clock or generating a fresh authenticator. The message -can be useful, however, for advising a user on the reason -for some failure. - -5.9.1. KRB_ERROR definition - - The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL -} - - - - - -Section 5.9.1. - 72 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -pvno and msg-type - These fields are described above in section 5.4.1. - msg-type is KRB_ERROR. - - -ctime This field is described above in section 5.4.1. - - - -cusec This field is described above in section 5.5.2. - - -stime This field contains the current time on the - server. It is of type KerberosTime. - - -susec This field contains the microsecond part of the - server's timestamp. Its value ranges from 0 to - 999999. It appears along with stime. The two - fields are used in conjunction to specify a rea- - sonably accurate timestamp. - - -error-codeThis field contains the error code returned by - Kerberos or the server when a request fails. To - interpret the value of this field see the list of - error codes in section 8. Implementations are - encouraged to provide for national language sup- - port in the display of error messages. 
- - -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. - - -e-text This field contains additional text to help - explain the error code associated with the failed - request (for example, it might include a principal - name which was unknown). - - -e-data This field contains additional data about the - error for use by the application to help it - recover from or handle the error. If the error- - code is KDC_ERR_PREAUTH_REQUIRED, then the e-data - field will contain an encoding of a sequence of - padata fields, each corresponding to an acceptable - pre-authentication method and optionally contain- - ing data for the method: - - -e-cksum This field contains an optional checksum for the - KRB-ERROR message. The checksum is calculated - over the Kerberos ASN.1 encoding of the KRB-ERROR - - -Section 5.9.1. - 73 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - message with the checksum absent. The checksum is - then added to the KRB-ERROR structure and the mes- - sage is re-encoded. The Checksum should be calcu- - lated using the session key from the ticket grant- - ing ticket or service ticket, where available. If - the error is in response to a TGS or AP request, - the checksum should be calculated uing the the - session key from the client's ticket. If the - error is in response to an AS request, then the - checksum should be calulated using the client's - secret key ONLY if there has been suitable preau- - thentication to prove knowledge of the secret key - by the client[33]. If a checksum can not be com- - puted because the key to be used is not available, - no checksum will be included. 
- - METHOD-DATA ::= SEQUENCE of PA-DATA - - - If the error-code is KRB_AP_ERR_METHOD, then the - e-data field will contain an encoding of the fol- - lowing sequence: - - METHOD-DATA ::= SEQUENCE { - method-type[0] INTEGER, - method-data[1] OCTET STRING OPTIONAL - } - - method-type will indicate the required alternate - method; method-data will contain any required - additional information. - - - -6. Encryption and Checksum Specifications - -The Kerberos protocols described in this document are -designed to use stream encryption ciphers, which can be -simulated using commonly available block encryption ciphers, -such as the Data Encryption Standard, [12] in conjunction -with block chaining and checksum methods [13]. Encryption -is used to prove the identities of the network entities par- -ticipating in message exchanges. The Key Distribution -Center for each realm is trusted by all principals -registered in that realm to store a secret key in confi- -dence. Proof of knowledge of this secret key is used to -verify the authenticity of a principal. - - The KDC uses the principal's secret key (in the AS -__________________________ -[33] This prevents an attacker who generates an in- -correct AS request from obtaining verifiable plaintext -for use in an off-line password guessing attack. - - -Section 6. - 74 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -exchange) or a shared session key (in the TGS exchange) to -encrypt responses to ticket requests; the ability to obtain -the secret key or session key implies the knowledge of the -appropriate keys and the identity of the KDC. 
 The ability
-of a principal to decrypt the KDC response and present a
-Ticket and a properly formed Authenticator (generated with
-the session key from the KDC response) to a service verifies
-the identity of the principal; likewise the ability of the
-service to extract the session key from the Ticket and prove
-its knowledge thereof in a response verifies the identity of
-the service.
-
- The Kerberos protocols generally assume that the
-encryption used is secure from cryptanalysis; however, in
-some cases, the order of fields in the encrypted portions of
-messages are arranged to minimize the effects of poorly
-chosen keys. It is still important to choose good keys. If
-keys are derived from user-typed passwords, those passwords
-need to be well chosen to make brute force attacks more dif-
-ficult. Poorly chosen keys still make easy targets for
-intruders.
-
- The following sections specify the encryption and
-checksum mechanisms currently defined for Kerberos. The
-encodings, chaining, and padding requirements for each are
-described. For encryption methods, it is often desirable to
-place random information (often referred to as a confounder)
-at the start of the message. The requirements for a con-
-founder are specified with each encryption mechanism.
-
- Some encryption systems use a block-chaining method to
-improve the the security characteristics of the ciphertext.
-However, these chaining methods often don't provide an
-integrity check upon decryption. Such systems (such as DES
-in CBC mode) must be augmented with a checksum of the plain-
-text which can be verified at decryption and used to detect
-any tampering or damage. Such checksums should be good at
-detecting burst errors in the input. If any damage is
-detected, the decryption routine is expected to return an
-error indicating the failure of an integrity check. Each
-encryption type is expected to provide and verify an
-appropriate checksum.
The specification of each encryption -method sets out its checksum requirements. - - Finally, where a key is to be derived from a user's -password, an algorithm for converting the password to a key -of the appropriate type is included. It is desirable for -the string to key function to be one-way, and for the map- -ping to be different in different realms. This is important -because users who are registered in more than one realm will -often use the same password in each, and it is desirable -that an attacker compromising the Kerberos server in one -realm not obtain or derive the user's key in another. - - - -Section 6. - 75 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - For an discussion of the integrity characteristics of -the candidate encryption and checksum methods considered for -Kerberos, the the reader is referred to [14]. - -6.1. Encryption Specifications - - The following ASN.1 definition describes all encrypted -messages. The enc-part field which appears in the unen- -crypted part of messages in section 5 is a sequence consist- -ing of an encryption type, an optional key version number, -and the ciphertext. - - -EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext -} - - -etype This field identifies which encryption algorithm - was used to encipher the cipher. Detailed specif- - ications for selected encryption types appear - later in this section. - - -kvno This field contains the version number of the key - under which data is encrypted. It is only present - in messages encrypted under long lasting keys, - such as principals' secret keys. - - -cipher This field contains the enciphered text, encoded - as an OCTET STRING. - - - The cipher field is generated by applying the specified -encryption algorithm to data composed of the message and -algorithm-specific inputs. 
Encryption mechanisms defined -for use with Kerberos must take sufficient measures to -guarantee the integrity of the plaintext, and we recommend -they also take measures to protect against precomputed dic- -tionary attacks. If the encryption algorithm is not itself -capable of doing so, the protections can often be enhanced -by adding a checksum and a confounder. - - The suggested format for the data to be encrypted -includes a confounder, a checksum, the encoded plaintext, -and any necessary padding. The msg-seq field contains the -part of the protocol message described in section 5 which is -to be encrypted. The confounder, checksum, and padding are -all untagged and untyped, and their length is exactly suffi- -cient to hold the appropriate item. The type and length is -implicit and specified by the particular encryption type - - -Section 6.1. - 76 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -being used (etype). The format for the data to be encrypted -is described in the following diagram: - - +-----------+----------+-------------+-----+ - |confounder | check | msg-seq | pad | - +-----------+----------+-------------+-----+ - -The format cannot be described in ASN.1, but for those who -prefer an ASN.1-like notation: - -CipherText ::= ENCRYPTED SEQUENCE { - confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL, - check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL, - msg-seq[2] MsgSequence, - pad UNTAGGED OCTET STRING(pad_length) OPTIONAL -} - - - One generates a random confounder of the appropriate -length, placing it in confounder; zeroes out check; calcu- -lates the appropriate checksum over confounder, check, and -msg-seq, placing the result in check; adds the necessary -padding; then encrypts using the specified encryption type -and the appropriate key. 
- - Unless otherwise specified, a definition of an encryp- -tion algorithm that specifies a checksum, a length for the -confounder field, or an octet boundary for padding uses this -ciphertext format[36]. Those fields which are not specified -will be omitted. - - In the interest of allowing all implementations using a -__________________________ -[35] In the above specification, UNTAGGED OCTET -STRING(length) is the notation for an octet string with -its tag and length removed. It is not a valid ASN.1 -type. The tag bits and length must be removed from the -confounder since the purpose of the confounder is so -that the message starts with random data, but the tag -and its length are fixed. For other fields, the length -and tag would be redundant if they were included be- -cause they are specified by the encryption type. -[36] The ordering of the fields in the CipherText is -important. Additionally, messages encoded in this for- -mat must include a length as part of the msg-seq field. -This allows the recipient to verify that the message -has not been truncated. Without a length, an attacker -could use a chosen plaintext attack to generate a mes- -sage which could be truncated, while leaving the check- -sum intact. Note that if the msg-seq is an encoding of -an ASN.1 SEQUENCE or OCTET STRING, then the length is -part of that encoding. - - - -Section 6.1. - 77 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -particular encryption type to communicate with all others -using that type, the specification of an encryption type -defines any checksum that is needed as part of the encryp- -tion process. If an alternative checksum is to be used, a -new encryption type must be defined. - - Some cryptosystems require additional information -beyond the key and the data to be encrypted. For example, -DES, when used in cipher-block-chaining mode, requires an -initialization vector. 
If required, the description for -each encryption type must specify the source of such addi- -tional information. - -6.2. Encryption Keys - - The sequence below shows the encoding of an encryption -key: - - EncryptionKey ::= SEQUENCE { - keytype[0] INTEGER, - keyvalue[1] OCTET STRING - } - - -keytype This field specifies the type of encryption key - that follows in the keyvalue field. It will - almost always correspond to the encryption algo- - rithm used to generate the EncryptedData, though - more than one algorithm may use the same type of - key (the mapping is many to one). This might hap- - pen, for example, if the encryption algorithm uses - an alternate checksum algorithm for an integrity - check, or a different chaining mechanism. - - -keyvalue This field contains the key itself, encoded as an - octet string. - - All negative values for the encryption key type are -reserved for local use. All non-negative values are -reserved for officially assigned type fields and interpreta- -tions. - -6.3. Encryption Systems - -6.3.1. The NULL Encryption System (null) - - If no encryption is in use, the encryption system is -said to be the NULL encryption system. In the NULL encryp- -tion system there is no checksum, confounder or padding. -The ciphertext is simply the plaintext. The NULL Key is -used by the null encryption system and is zero octets in -length, with keytype zero (0). - - - -Section 6.3.1. - 78 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc) - - The des-cbc-crc encryption mode encrypts information -under the Data Encryption Standard [12] using the cipher -block chaining mode [13]. A CRC-32 checksum (described in -ISO 3309 [15]) is applied to the confounder and message -sequence (msg-seq) and placed in the cksum field. DES -blocks are 8 bytes. 
 As a result, the data to be encrypted
-(the concatenation of confounder, checksum, and message)
-must be padded to an 8 byte boundary before encryption. The
-details of the encryption of this data are identical to
-those for the des-cbc-md5 encryption mode.
-
- Note that, since the CRC-32 checksum is not collision-
-proof, an attacker could use a probabilistic chosen-
-plaintext attack to generate a valid message even if a con-
-founder is used [14]. The use of collision-proof checksums
-is recommended for environments where such attacks represent
-a significant threat. The use of the CRC-32 as the checksum
-for ticket or authenticator is no longer mandated as an
-interoperability requirement for Kerberos Version 5 Specifi-
-cation 1 (See section 9.1 for specific details).
-
-
-6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
- The des-cbc-md4 encryption mode encrypts information
-under the Data Encryption Standard [12] using the cipher
-block chaining mode [13]. An MD4 checksum (described in
-[16]) is applied to the confounder and message sequence
-(msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concate-
-nation of confounder, checksum, and message) must be padded
-to an 8 byte boundary before encryption. The details of the
-encryption of this data are identical to those for the des-
-cbc-md5 encryption mode.
-
-
-6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
- The des-cbc-md5 encryption mode encrypts information
-under the Data Encryption Standard [12] using the cipher
-block chaining mode [13]. An MD5 checksum (described in
-[17].) is applied to the confounder and message sequence
-(msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concate-
-nation of confounder, checksum, and message) must be padded
-to an 8 byte boundary before encryption.
- - Plaintext and DES ciphtertext are encoded as 8-octet -blocks which are concatenated to make the 64-bit inputs for -the DES algorithms. The first octet supplies the 8 most -significant bits (with the octet's MSbit used as the DES -input block's MSbit, etc.), the second octet the next 8 - - -Section 6.3.4. - 79 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -bits, ..., and the eighth octet supplies the 8 least signi- -ficant bits. - - Encryption under DES using cipher block chaining -requires an additional input in the form of an initializa- -tion vector. Unless otherwise specified, zero should be -used as the initialization vector. Kerberos' use of DES -requires an 8-octet confounder. - - The DES specifications identify some "weak" and "semi- -weak" keys; those keys shall not be used for encrypting mes- -sages for use in Kerberos. Additionally, because of the way -that keys are derived for the encryption of checksums, keys -shall not be used that yield "weak" or "semi-weak" keys when -eXclusive-ORed with the constant F0F0F0F0F0F0F0F0. - - A DES key is 8 octets of data, with keytype one (1). -This consists of 56 bits of key, and 8 parity bits (one per -octet). The key is encoded as a series of 8 octets written -in MSB-first order. The bits within the key are also -encoded in MSB order. For example, if the encryption key is -(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) -where B1,B2,...,B56 are the key bits in MSB order, and -P1,P2,...,P8 are the parity bits, the first octet of the key -would be B1,B2,...,B7,P1 (with B1 as the MSbit). [See the -FIPS 81 introduction for reference.] - - To generate a DES key from a text string (password), -the text string normally must have the realm and each com- -ponent of the principal's name appended[37], then padded -with ASCII nulls to an 8 byte boundary. This string is then -fan-folded and eXclusive-ORed with itself to form an 8 byte -DES key. 
The parity is corrected on the key, and it is used -to generate a DES CBC checksum on the initial string (with -the realm and name appended). Next, parity is corrected on -the CBC checksum. If the result matches a "weak" or "semi- -weak" key as described in the DES specification, it is -eXclusive-ORed with the constant 00000000000000F0. Finally, -the result is returned as the key. Pseudocode follows: - - string_to_key(string,realm,name) { - odd = 1; - s = string + realm; - for(each component in name) { - s = s + component; - } - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { -__________________________ -[37] In some cases, it may be necessary to use a dif- -ferent "mix-in" string for compatibility reasons; see -the discussion of padata in section 5.4.2. - - -Section 6.3.4. - 80 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - tempkey = tempkey XOR 8byteblock; - } - fixparity(tempkey); - key = DES-CBC-check(s,tempkey); - fixparity(key); - if(is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - -6.3.5. Triple DES EDE in outer CBC mode with an SHA1 check- -sum (des3-cbc-sha1) - - The des3-cbc-sha1 encryption encodes information using -three Data Encryption Standard transformations with three -DES keys. The first key is used to perform a DES ECB -encryption on an eight-octet data block using the first DES -key, followed by a DES ECB decryption of the result using -the second DES key, and a DES ECB encryption of the result -using the third DES key. Because DES blocks are 8 bytes, -the data to be encrypted (the concatenation of confounder, -checksum, and message) must first be padded to an 8 byte -boundary before encryption. To support the outer CBC mode, -the input is padded an eight-octet boundary. 
The first 8 -octets of the data to be encrypted (the confounder) is -exclusive-ored with an initialization vector of zero and -then ECB encrypted using triple DES as described above. -Subsequent blocks of 8 octets are exclusive-ored with the -ciphertext produced by the encryption on the previous block -before ECB encryption. - - An HMAC-SHA1 checksum (described in [18].) is applied -to the confounder and message sequence (msg-seq) and placed -in the cksum field. - - Plaintext are encoded as 8-octet blocks which are con- -catenated to make the 64-bit inputs for the DES algorithms. -The first octet supplies the 8 most significant bits (with -the octet's MSbit used as the DES input block's MSbit, -etc.), the second octet the next 8 bits, ..., and the eighth -octet supplies the 8 least significant bits. - - Encryption under Triple DES using cipher block chaining -requires an additional input in the form of an initializa- -tion vector. Unless otherwise specified, zero should be -used as the initialization vector. Kerberos' use of DES -requires an 8-octet confounder. - - The DES specifications identify some "weak" and "semi- - - -Section 6.3.5. - 81 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -weak" keys; those keys shall not be used for encrypting mes- -sages for use in Kerberos. Additionally, because of the way -that keys are derived for the encryption of checksums, keys -shall not be used that yield "weak" or "semi-weak" keys when -eXclusive-ORed with the constant F0F0F0F0F0F0F0F0. - - A Triple DES key is 24 octets of data, with keytype -seven (7). This consists of 168 bits of key, and 24 parity -bits (one per octet). The key is encoded as a series of 24 -octets written in MSB-first order, with the first 8 octets -treated as the first DES key, the second 8 octets as the -second key, and the third 8 octets the third DES key. The -bits within each key are also encoded in MSB order. 
 For
-example, if the encryption key is
-(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
-where B1,B2,...,B56 are the key bits in MSB order, and
-P1,P2,...,P8 are the parity bits, the first octet of the key
-would be B1,B2,...,B7,P1 (with B1 as the MSbit). [See the
-FIPS 81 introduction for reference.]
-
- To generate a DES key from a text string (password),
-the text string normally must have the realm and each com-
-ponent of the principal's name appended[38],
-
- The input string (with any salt data appended to it) is
-n-folded into a 24 octet (192 bit) string. To n-fold a
-number X, replicate the input value to a length that is the
-least common multiple of n and the length of X. Before each
-repetition, the input X is rotated to the right by 13 bit
-positions. The successive n-bit chunks are added together
-using 1's-complement addition (addition with end-around
-carry) to yield a n-bit result. (This transformation was
-proposed by Richard Basch)
-
- Each successive set of 8 octets is taken as a DES key,
-and its parity is adjusted in the same manner as previously
-described. If any of the three sets of 8 octets match a
-"weak" or "semi-weak" key as described in the DES specifica-
-tion, that chunk is eXclusive-ORed with the constant
-00000000000000F0. The resulting DES keys are then used in
-sequence to perform a Triple-DES CBC encryption of the n-
-folded input string (appended with any salt data), using a
-zero initial vector. Parity, weak, and semi-weak keys are
-once again corrected and the result is returned as the 24
-octet key.
-
- Pseudocode follows:
-
- string_to_key(string,realm,name) {
-__________________________
-[38] In some cases, it may be necessary to use a dif-
-ferent "mix-in" string for compatibility reasons; see
-the discussion of padata in section 5.4.2.
-
-
-Section 6.3.5.
- 82 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - s = string + realm; - for(each component in name) { - s = s + component; - } - tkey[24] = fold(s); - fixparity(tkey); - if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0; - if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0; - if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0; - key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0); - fixparity(key); - if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0; - if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0; - if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0; - return(key); - } - -6.4. Checksums - - The following is the ASN.1 definition used for a check- -sum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - - -cksumtype This field indicates the algorithm used to gen- - erate the accompanying checksum. - -checksum This field contains the checksum itself, encoded - as an octet string. - - Detailed specification of selected checksum types -appear later in this section. Negative values for the -checksum type are reserved for local use. All non-negative -values are reserved for officially assigned type fields and -interpretations. - - Checksums used by Kerberos can be classified by two -properties: whether they are collision-proof, and whether -they are keyed. It is infeasible to find two plaintexts -which generate the same checksum value for a collision-proof -checksum. A key is required to perturb or initialize the -algorithm in a keyed checksum. To prevent message-stream -modification by an active attacker, unkeyed checksums should -only be used when the checksum and message will be subse- -quently encrypted (e.g. the checksums defined as part of the -encryption algorithms covered earlier in this section). - - Collision-proof checksums can be made tamper-proof if -the checksum value is encrypted before inclusion in a mes- -sage. 
In such cases, the composition of the checksum and - - -Section 6.4. - 83 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -the encryption algorithm must be considered a separate -checksum algorithm (e.g. RSA-MD5 encrypted using DES is a -new checksum algorithm of type RSA-MD5-DES). For most keyed -checksums, as well as for the encrypted forms of unkeyed -collision-proof checksums, Kerberos prepends a confounder -before the checksum is calculated. - -6.4.1. The CRC-32 Checksum (crc32) - - The CRC-32 checksum calculates a checksum based on a -cyclic redundancy check as described in ISO 3309 [15]. The -resulting checksum is four (4) octets in length. The CRC-32 -is neither keyed nor collision-proof. The use of this -checksum is not recommended. An attacker using a proba- -bilistic chosen-plaintext attack as described in [14] might -be able to generate an alternative message that satisfies -the checksum. The use of collision-proof checksums is -recommended for environments where such attacks represent a -significant threat. - -6.4.2. The RSA MD4 Checksum (rsa-md4) - - The RSA-MD4 checksum calculates a checksum using the -RSA MD4 algorithm [16]. The algorithm takes as input an -input message of arbitrary length and produces as output a -128-bit (16 octet) checksum. RSA-MD4 is believed to be -collision-proof. - -6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4- -des) - - The RSA-MD4-DES checksum calculates a keyed collision- -proof checksum by prepending an 8 octet confounder before -the text, applying the RSA MD4 checksum algorithm, and -encrypting the confounder and the checksum using DES in -cipher-block-chaining (CBC) mode using a variant of the key, -where the variant is computed by eXclusive-ORing the key -with the constant F0F0F0F0F0F0F0F0[39]. The initialization -vector should be zero. The resulting checksum is 24 octets -long (8 octets of which are redundant). 
This checksum is -tamper-proof and believed to be collision-proof. - - The DES specifications identify some "weak keys" and -__________________________ -[39] A variant of the key is used to limit the use of a -key to a particular function, separating the functions -of generating a checksum from other encryption per- -formed using the session key. The constant -F0F0F0F0F0F0F0F0 was chosen because it maintains key -parity. The properties of DES precluded the use of the -complement. The same constant is used for similar pur- -pose in the Message Integrity Check in the Privacy -Enhanced Mail standard. - - -Section 6.4.3. - 84 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -"semi-weak keys"; those keys shall not be used for generat- -ing RSA-MD4 checksums for use in Kerberos. - - The format for the checksum is described in the follow- -ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who -prefer an ASN.1-like notation: - -rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - - - -6.4.4. The RSA MD5 Checksum (rsa-md5) - - The RSA-MD5 checksum calculates a checksum using the -RSA MD5 algorithm. [17]. The algorithm takes as input an -input message of arbitrary length and produces as output a -128-bit (16 octet) checksum. RSA-MD5 is believed to be -collision-proof. - -6.4.5. 
RSA MD5 Cryptographic Checksum Using DES (rsa-md5- -des) - - The RSA-MD5-DES checksum calculates a keyed collision- -proof checksum by prepending an 8 octet confounder before -the text, applying the RSA MD5 checksum algorithm, and -encrypting the confounder and the checksum using DES in -cipher-block-chaining (CBC) mode using a variant of the key, -where the variant is computed by eXclusive-ORing the key -with the constant F0F0F0F0F0F0F0F0. The initialization vec- -tor should be zero. The resulting checksum is 24 octets -long (8 octets of which are redundant). This checksum is -tamper-proof and believed to be collision-proof. - - The DES specifications identify some "weak keys" and -"semi-weak keys"; those keys shall not be used for encrypt- -ing RSA-MD5 checksums for use in Kerberos. - - The format for the checksum is described in the follow- -ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who - - -Section 6.4.5. - 85 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -prefer an ASN.1-like notation: - -rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - - -6.4.6. DES cipher-block chained checksum (des-mac) - - The DES-MAC checksum is computed by prepending an 8 -octet confounder to the plaintext, performing a DES CBC-mode -encryption on the result using the key and an initialization -vector of zero, taking the last block of the ciphertext, -prepending the same confounder and encrypting the pair using -DES in cipher-block-chaining (CBC) mode using a a variant of -the key, where the variant is computed by eXclusive-ORing -the key with the constant F0F0F0F0F0F0F0F0. The initializa- -tion vector should be zero. 
The resulting checksum is 128 -bits (16 octets) long, 64 bits of which are redundant. This -checksum is tamper-proof and collision-proof. - - The format for the checksum is described in the follow- -ing diagram: - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ -| des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - -The format cannot be described in ASN.1, but for those who -prefer an ASN.1-like notation: - -des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) -} - - - The DES specifications identify some "weak" and "semi- -weak" keys; those keys shall not be used for generating -DES-MAC checksums for use in Kerberos, nor shall a key be -used whose variant is "weak" or "semi-weak". - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative -(rsa-md4-des-k) - - The RSA-MD4-DES-K checksum calculates a keyed -collision-proof checksum by applying the RSA MD4 checksum -algorithm and encrypting the results using DES in cipher- -block-chaining (CBC) mode using a DES key as both key and -initialization vector. The resulting checksum is 16 octets -long. This checksum is tamper-proof and believed to be -collision-proof. Note that this checksum type is the old -method for encoding the RSA-MD4-DES checksum and it is no - - -Section 6.4.7. - 86 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (des- -mac-k) - - The DES-MAC-K checksum is computed by performing a DES -CBC-mode encryption of the plaintext, and using the last -block of the ciphertext as the checksum value. It is keyed -with an encryption key and an initialization vector; any -uses which do not specify an additional initialization vec- -tor will use the key as both key and initialization vector. 
-The resulting checksum is 64 bits (8 octets) long. This -checksum is tamper-proof and collision-proof. Note that -this checksum type is the old method for encoding the DES- -MAC checksum and it is no longer recommended. - - The DES specifications identify some "weak keys" and -"semi-weak keys"; those keys shall not be used for generat- -ing DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - - -7.1. Realm Names - - Although realm names are encoded as GeneralStrings and -although a realm can technically select any name it chooses, -interoperability across realm boundaries requires agreement -on how realm names are to be assigned, and what information -they imply. - - To enforce these conventions, each realm must conform -to the conventions itself, and it must require that any -realms with which inter-realm keys are shared also conform -to the conventions and require the same from its neighbors. - - Kerberos realm names are case sensitive. Realm names -that differ only in the case of the characters are not -equivalent. There are presently four styles of realm names: -domain, X500, other, and reserved. Examples of each style -follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - - -Domain names must look like domain names: they consist of -components separated by periods (.) and they contain neither -colons (:) nor slashes (/). Domain names must be converted -to upper case when used as realm names. - - X.500 names contain an equal (=) and cannot contain a - - -Section 7.1. - 87 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -colon (:) before the equal. The realm names for X.500 names -will be string representations of the names with components -separated by slashes. Leading and trailing slashes will not -be included. 
- - Names that fall into the other category must begin with -a prefix that contains no equal (=) or period (.) and the -prefix must be followed by a colon (:) and the rest of the -name. All prefixes must be assigned before they may be -used. Presently none are assigned. - - The reserved category includes strings which do not -fall into the first three categories. All names in this -category are reserved. It is unlikely that names will be -assigned to this category unless there is a very strong -argument for not using the "other" category. - - These rules guarantee that there will be no conflicts -between the various name styles. The following additional -constraints apply to the assignment of realm names in the -domain and X.500 categories: the name of a realm for the -domain or X.500 formats must either be used by the organiza- -tion owning (to whom it was assigned) an Internet domain -name or X.500 name, or in the case that no such names are -registered, authority to use a realm name may be derived -from the authority of the parent realm. For example, if -there is no domain name for E40.MIT.EDU, then the adminis- -trator of the MIT.EDU realm can authorize the creation of a -realm with that name. - - This is acceptable because the organization to which -the parent is assigned is presumably the organization -authorized to assign names to its children in the X.500 and -domain name systems as well. If the parent assigns a realm -name without also registering it in the domain name or X.500 -hierarchy, it is the parent's responsibility to make sure -that there will not in the future exists a name identical to -the realm name of the child unless it is assigned to the -same entity as the realm name. - - -7.2. Principal Names - - As was the case for realm names, conventions are needed -to ensure that all agree on what information is implied by a -principal name. The name-type field that is part of the -principal name indicates the kind of information implied by -the name. 
The name-type should be treated as a hint. -Ignoring the name type, no two names can be the same (i.e. -at least one of the components, or the realm, must be dif- -ferent). This constraint may be eliminated in the future. -The following name types are defined: - - name-type value meaning - - -Section 7.2. - 88 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - - -When a name implies no information other than its uniqueness -at a particular time the name type PRINCIPAL should be used. -The principal name type should be used for users, and it -might also be used for a unique server. If the name is a -unique machine generated ID that is guaranteed never to be -reassigned then the name type of UID should be used (note -that it is generally a bad idea to reassign names of any -type since stale entries might remain in access control -lists). - - If the first component of a name identifies a service -and the remaining components identify an instance of the -service in a server specified manner, then the name type of -SRV-INST should be used. An example of this name type is -the Kerberos ticket-granting service whose name has a first -component of krbtgt and a second component identifying the -realm for which the ticket is valid. - - If instance is a single component following the service -name and the instance identifies the host on which the -server is running, then the name type SRV-HST should be -used. This type is typically used for Internet services -such as telnet and the Berkeley R commands. 
If the separate -components of the host name appear as successive components -following the name of the service, then the name type SRV- -XHST should be used. This type might be used to identify -servers on hosts with X.500 names where the slash (/) might -otherwise be ambiguous. - - A name type of UNKNOWN should be used when the form of -the name is not known. When comparing names, a name of type -UNKNOWN will match principals authenticated with names of -any type. A principal authenticated with a name of type -UNKNOWN, however, will only match other names of type UNK- -NOWN. - - Names of any type with an initial component of "krbtgt" -are reserved for the Kerberos ticket granting service. See -section 8.2.3 for the form of such names. - -7.2.1. Name of server principals - - The principal identifier for a server on a host will -generally be composed of two parts: (1) the realm of the KDC -with which the server is registered, and (2) a two-component - - -Section 7.2.1. - 89 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -name of type NT-SRV-HST if the host name is an Internet -domain name or a multi-component name of type NT-SRV-XHST if -the name of the host is of a form such as X.500 that allows -slash (/) separators. The first component of the two- or -multi-component name will identify the service and the -latter components will identify the host. Where the name of -the host is not case sensitive (for example, with Internet -domain names) the name of the host must be lower case. If -specified by the application protocol for services such as -telnet and the Berkeley R commands which run with system -privileges, the first component may be the string "host" -instead of a service specific identifier. When a host has -an official name and one or more aliases, the official name -of the host must be used when constructing the name of the -server principal. - -8. Constants and other defined values - - -8.1. 
Host address types - - All negative values for the host address type are -reserved for local use. All non-negative values are -reserved for officially assigned type fields and interpreta- -tions. - - The values of the types for the following addresses are -chosen to match the defined address family constants in the -Berkeley Standard Distributions of Unix. They can be found -in with symbolic names AF_xxx (where xxx is -an abbreviation of the address family name). - - -Internet addresses - - Internet addresses are 32-bit (4-octet) quantities, -encoded in MSB order. The type of internet addresses is two -(2). - -CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, -encoded in MSB order. The type of CHAOSnet addresses is -five (5). - -ISO addresses - - ISO addresses are variable-length. The type of ISO -addresses is seven (7). - -Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded -in MSB order. The type of XNS addresses is six (6). - - -Section 8.1. - 90 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -AppleTalk Datagram Delivery Protocol (DDP) addresses - - AppleTalk DDP addresses consist of an 8-bit node number -and a 16-bit network number. The first octet of the address -is the node number; the remaining two octets encode the net- -work number in MSB order. The type of AppleTalk DDP -addresses is sixteen (16). - -DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded -in LSB order. The type of DECnet Phase IV addresses is -twelve (12). - -8.2. KDC messages - -8.2.1. 
IP transport - - When contacting a Kerberos server (KDC) for a -KRB_KDC_REQ request using UDP IP transport, the client shall -send a UDP datagram containing only an encoding of the -request to port 88 (decimal) at the KDC's IP address; the -KDC will respond with a reply datagram containing only an -encoding of the reply message (either a KRB_ERROR or a -KRB_KDC_REP) to the sending port at the sender's IP address. - - Kerberos servers supporting IP transport must accept -UDP requests on port 88 (decimal). Servers may also accept -TCP requests on port 88 (decimal). When the KRB_KDC_REQ -message is sent to the KDC by TCP, a new connection will be -established for each authentication exchange and the -KRB_KDC_REP or KRB_ERROR message will be returned to the -client on the TCP stream that was established for the -request. The connection will be broken after the reply has -been received (or upon time-out). Care must be taken in -managing TCP/IP connections with the KDC to prevent denial -of service attacks based on the number of TCP/IP connections -with the KDC that remain open. - -8.2.2. OSI transport - - During authentication of an OSI client to an OSI -server, the mutual authentication of an OSI server to an OSI -client, the transfer of credentials from an OSI client to an -OSI server, or during exchange of private or integrity -checked messages, Kerberos protocol messages may be treated -as opaque objects and the type of the authentication mechan- -ism will be: - -OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5), - kerberosv5(2)} - -Depending on the situation, the opaque object will be an -authentication header (KRB_AP_REQ), an authentication reply -(KRB_AP_REP), a safe message (KRB_SAFE), a private message - - -Section 8.2.2. - 91 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -(KRB_PRIV), or a credentials message (KRB_CRED). 
The opaque -data contains an application code as specified in the ASN.1 -description for each message. The application code may be -used by Kerberos to determine the message type. - -8.2.3. Name of the TGS - - The principal identifier of the ticket-granting service -shall be composed of three parts: (1) the realm of the KDC -issuing the TGS ticket (2) a two-part name of type NT-SRV- -INST, with the first part "krbtgt" and the second part the -name of the realm which will accept the ticket-granting -ticket. For example, a ticket-granting ticket issued by the -ATHENA.MIT.EDU realm to be used to get tickets from the -ATHENA.MIT.EDU KDC has a principal identifier of -"ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") -(name). A ticket-granting ticket issued by the -ATHENA.MIT.EDU realm to be used to get tickets from the -MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" -(realm), ("krbtgt", "MIT.EDU") (name). - - -8.3. Protocol constants and associated values - -The following tables list constants used in the protocol and defines their -meanings. - -Encryption type etype value block size minimum pad size confounder size -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - 4 -des3-cbc-md5 5 8 0 8 - 6 -des3-cbc-sha1 7 8 0 8 -sign-dsa-generate 8 (pkinit) -encrypt-rsa-priv 9 (pkinit) -encrypt-rsa-pub 10 (pkinit) -ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - -Checksum type sumtype value checksum size -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 -rsa-md5-des3 9 24 -hmac-sha1-des3 10 20 (I had this as 10, is it 12) - - -Section 8.3. 
- 92 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -padata type padata-type value - -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - 4 -PA-ENC-UNIX-TIME 5 -PA-SANDIA-SECUREID 6 -PA-SESAME 7 -PA-OSF-DCE 8 -PA-CYBERSAFE-SECUREID 9 -PA-AFS3-SALT 10 -PA-ETYPE-INFO 11 -SAM-CHALLENGE 12 (sam/otp) -SAM-RESPONSE 13 (sam/otp) -PA-PK-AS-REQ 14 (pkinit) -PA-PK-AS-REP 15 (pkinit) -PA-PK-AS-SIGN 16 (pkinit) -PA-PK-KEY-REQ 17 (pkinit) -PA-PK-KEY-REP 18 (pkinit) - -authorization data type ad-type value -reserved values 0-63 -OSF-DCE 64 -SESAME 65 - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - - - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request -KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward credentials -KRB_ERROR 30 Error response - - -Section 8.3. 
- 93 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number not supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication 
information was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired- -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method required -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message - - - -Section 8.3. - 94 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message -KRB_ERR_GENERIC 60 Generic error (description in e-text) -KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation -KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit) -KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit) -KDC_ERROR_INVALID_SIG 64 (pkinit) -KDC_ERR_KEY_TOO_WEAK 65 (pkinit) - - -9. Interoperability requirements - - Version 5 of the Kerberos protocol supports a myriad of -options. 
Among these are multiple encryption and checksum -types, alternative encoding schemes for the transited field, -optional mechanisms for pre-authentication, the handling of -tickets with no addresses, options for mutual authentica- -tion, user to user authentication, support for proxies, for- -warding, postdating, and renewing tickets, the format of -realm names, and the handling of authorization data. - - In order to ensure the interoperability of realms, it -is necessary to define a minimal configuration which must be -supported by all implementations. This minimal configura- -tion is subject to change as technology does. For example, -if at some later date it is discovered that one of the -required encryption or checksum algorithms is not secure, it -will be replaced. - -9.1. Specification 1 - - This section defines the first specification of these -options. Implementations which are configured in this way -can be said to support Kerberos Version 5 Specification 1 -(5.1). - -Encryption and checksum methods - -The following encryption and checksum mechanisms must be -supported. Implementations may support other mechanisms as -well, but the additional mechanisms may only be used when -communicating with principals known to also support them: -This list is to be determined. -Encryption: DES-CBC-MD5 -Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 - - -__________________________ -- This error carries additional information in the e- -data field. The contents of the e-data field for this -message is described in section 5.9.1. - - - -Section 9.1. - 95 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -Realm Names - -All implementations must understand hierarchical realms in -both the Internet Domain and the X.500 style. When a ticket -granting ticket for an unknown realm is requested, the KDC -must be able to determine the names of the intermediate -realms between the KDCs realm and the requested realm. 
- -Transited field encoding - -DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be -supported. Alternative encodings may be supported, but they -may be used only when that encoding is supported by ALL -intermediate realms. - -Pre-authentication methods - -The TGS-REQ method must be supported. The TGS-REQ method is -not used on the initial request. The PA-ENC-TIMESTAMP -method must be supported by clients but whether it is -enabled by default may be determined on a realm by realm -basis. If not used in the initial request and the error -KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC- -TIMESTAMP as an acceptable method, the client should retry -the initial request using the PA-ENC-TIMESTAMP pre- -authentication method. Servers need not support the PA- -ENC-TIMESTAMP method, but if not supported the server should -ignore the presence of PA-ENC-TIMESTAMP pre-authentication -in a request. - -Mutual authentication - -Mutual authentication (via the KRB_AP_REP message) must be -supported. - - -Ticket addresses and flags - -All KDC's must pass on tickets that carry no addresses (i.e. -if a TGT contains no addresses, the KDC will return deriva- -tive tickets), but each realm may set its own policy for -issuing such tickets, and each application server will set -its own policy with respect to accepting them. - - Proxies and forwarded tickets must be supported. Indi- -vidual realms and application servers can set their own pol- -icy on when such tickets will be accepted. - - All implementations must recognize renewable and post- -dated tickets, but need not actually implement them. If -these options are not supported, the starttime and endtime -in the ticket shall specify a ticket's entire useful life. -When a postdated ticket is decoded by a server, all imple- -mentations shall make the presence of the postdated flag - - -Section 9.1. - 96 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -visible to the calling server. 
- -User-to-user authentication - -Support for user to user authentication (via the ENC-TKT- -IN-SKEY KDC option) must be provided by implementations, but -individual realms may decide as a matter of policy to reject -such requests on a per-principal or realm-wide basis. - -Authorization data - -Implementations must pass all authorization data subfields -from ticket-granting tickets to any derivative tickets -unless directed to suppress a subfield as part of the defin- -ition of that registered subfield type (it is never -incorrect to pass on a subfield, and no registered subfield -types presently specify suppression at the KDC). - - Implementations must make the contents of any authori- -zation data subfields available to the server when a ticket -is used. Implementations are not required to allow clients -to specify the contents of the authorization data fields. - -9.2. Recommended KDC values - -Following is a list of recommended values for a KDC imple- -mentation, based on the list of suggested configuration con- -stants (see section 4.4). - -minimum lifetime 5 minutes - -maximum renewable lifetime1 week - -maximum ticket lifetime1 day - -empty addresses only when suitable restrictions appear - in authorization data - -proxiable, etc. Allowed. - - - - - - - - - - - - - - - - - -Section 9.2. - 97 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -10. REFERENCES - - - -1. B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). - -2. S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - -3. J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 
191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - -4. Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). - -5. Dorothy E. Denning and Giovanni Maria Sacco, "Time- - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - -6. John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - -7. B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - -8. Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - -9. P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - -10. CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - -11. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - - - -Section 10. - 98 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -12. National Bureau of Standards, U.S. Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - -13. National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - -14. Stuart G. Stubblebine and Virgil D. 
Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - -15. International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - -16. R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - -17. R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - -18. H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - - - - - - - - - - - - - - - - - - - - - - - - - -Section 10. - 99 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the -messages are to be constructed and interpreted by clients -and servers. - -A.1. 
KRB_AS_REQ generation - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_AS_REQ */ - - if(pa_enc_timestamp_required) then - request.padata.padata-type = PA-ENC-TIMESTAMP; - get system_time; - padata-body.patimestamp,pausec = system_time; - encrypt padata-body into request.padata.padata-value - using client.key; /* derived from password */ - endif - - body.kdc-options := users's preferences; - body.cname := user's name; - body.realm := user's realm; - body.sname := service's name; /* usually "krbtgt", "localrealm" */ - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - omit body.enc-authorization-data; - request.req-body := body; - - kerberos := lookup(name of local kerberos server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.2. KRB_AS_REQ verification and KRB_AS_REP generation - decode message into req; - - client := lookup(req.cname,req.realm); - server := lookup(req.sname,req.realm); - - -Section A.2. 
- 100 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - - get system_time; - kdc_time := system_time.seconds; - - if (!client) then - /* no client in Database */ - error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN); - endif - if (!server) then - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - - if(client.pa_enc_timestamp_required and - pa_enc_timestamp not present) then - error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)); - endif - - if(pa_enc_timestamp present) then - decrypt req.padata-value into decrypted_enc_timestamp - using client.key; - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - if(decrypted_enc_timestamp is not within allowable skew) then - error_out(KDC_ERR_PREAUTH_FAILED); - endif - if(decrypted_enc_timestamp and usec is replay) - error_out(KDC_ERR_PREAUTH_FAILED); - endif - add decrypted_enc_timestamp and usec to replay cache; - endif - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := req.srealm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - if (req.kdc-options.FORWARDABLE is set) then - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.PROXIABLE is set) then - set new_tkt.flags.PROXIABLE; - endif - - -Section A.2. 
- 101 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (req.kdc-options.ALLOW-POSTDATE is set) then - set new_tkt.flags.MAY-POSTDATE; - endif - if ((req.kdc-options.RENEW is set) or - (req.kdc-options.VALIDATE is set) or - (req.kdc-options.PROXY is set) or - (req.kdc-options.FORWARDED is set) or - (req.kdc-options.ENC-TKT-IN-SKEY is set)) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.session := random_session_key(); - new_tkt.cname := req.cname; - new_tkt.crealm := req.crealm; - new_tkt.transited := empty_transited_field(); - - new_tkt.authtime := kdc_time; - - if (req.kdc-options.POSTDATED is set) then - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - new_tkt.starttime := req.from; - else - omit new_tkt.starttime; /* treated as authtime when omitted */ - endif - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till)) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := req.till; - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if (req.kdc-options.RENEWABLE is set) then - set new_tkt.flags.RENEWABLE; - - -Section A.2. 
- 102 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm); - else - omit new_tkt.renew-till; /* only present if RENEWABLE */ - endif - - if (req.addresses) then - new_tkt.caddr := req.addresses; - else - omit new_tkt.caddr; - endif - - new_tkt.authorization_data := empty_authorization_data(); - - encode to-be-encrypted part of ticket into OCTET STRING; - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - - - /* Start processing the response */ - - resp.pvno := 5; - resp.msg-type := KRB_AS_REP; - resp.cname := req.cname; - resp.crealm := req.realm; - resp.ticket := new_tkt; - - resp.key := new_tkt.session; - resp.last-req := fetch_last_request_info(client); - resp.nonce := req.nonce; - resp.key-expiration := client.expiration; - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - resp.realm := new_tkt.realm; - resp.sname := new_tkt.sname; - - resp.caddr := new_tkt.caddr; - - encode body of reply into OCTET STRING; - - resp.enc-part := encrypt OCTET STRING - using use_etype, client.key, client.p_kvno; - send(resp); - - - -Section A.2. - 103 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -A.3. 
KRB_AS_REP verification - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then - set pa_enc_timestamp_required; - goto KRB_AS_REQ; - endif - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key */ - /* from the response immediately */ - - key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype, - resp.padata); - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and key; - zero(key); - - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - if near(resp.princ_exp) then - print(warning message); - endif - save_for_later(ticket,session,client,server,times,flags); - -A.4. KRB_AS_REP and KRB_TGS_REP common checks - if (decryption_error() or - (req.cname != resp.cname) or - (req.realm != resp.crealm) or - (req.sname != resp.sname) or - (req.realm != resp.realm) or - (req.nonce != resp.nonce) or - (req.addresses != resp.caddr)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - /* make sure no flags are set that shouldn't be, and that all that */ - /* should be are set */ - if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.from = 0) and - (resp.starttime is not within allowable skew)) then - destroy resp.key; - return KRB_AP_ERR_SKEW; - - -Section A.4. 
- 104 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - endif - if ((req.from != 0) and (req.from != resp.starttime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.till != 0) and (resp.endtime > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (req.rtime != 0) and (resp.renew-till > req.rtime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.kdc-options.RENEWABLE-OK is set) and - (resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - -A.5. KRB_TGS_REQ generation - /* Note that make_application_request might have to recursivly */ - /* call this routine to get the appropriate ticket-granting ticket */ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - - -Section A.5. 
- 105 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - /* note that reading the application request requires first - determining the server for which a ticket was issued, and choosing the - correct key for decryption. The name of the server appears in the - plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is operating is - determined by the instance from the ticket-granting ticket. The realm - in the ticket-granting ticket is the realm under which the ticket - granting ticket was issued. It is possible for a single Kerberos - server to support more than one realm. */ - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not req.sname) then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - -Section A.6. 
- 106 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(server)) then - server := best_intermediate_tgs(server); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - session := generate_random_session_key(); - - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - - -Section A.6. 
- 107 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - - if (req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - -Section A.6. 
- 108 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would */ - /* have been rejected in the initial authentication stage, so */ - /* there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till >= kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - - -Section A.6. 
- 109 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till field out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + tgt.realm) - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - - - -Section A.6. 
- 110 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key; - - send(resp); - -A.7. KRB_TGS_REP verification - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and tgt's session key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - - - -Section A.7. - 111 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -A.8. 
Authenticator generation - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - -A.9. KRB_AP_REQ generation - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - else - reset packet.ap-options.USE-SESSION-KEY; - endif - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator using session_key; - -A.10. KRB_AP_REQ verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - - -Section A.10. 
- 112 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in decr_ticket.caddr) then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then - /* it hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - /* caller must check decr_ticket.flags for any pertinent details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - -A.11. KRB_AP_REP generation - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - -Section A.11. 
- 113 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - body.ctime := packet.ctime; - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - -A.12. KRB_AP_REP verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - -A.13. KRB_SAFE generation - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - - -Section A.13. 
- 114 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - -A.14. KRB_SAFE verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - else - return common_checks_error; - endif - -A.15. KRB_SAFE and KRB_PRIV common checks - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - - -Section A.15. 
- 115 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) then - error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and packet.seq-number not present) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - -A.16. KRB_PRIV generation - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - - -A.17. KRB_PRIV verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - - -Section A.17. - 116 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - -A.18. 
KRB_CRED generation - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - - -Section A.18. - 117 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - using negotiated encryption key; - - -A.19. 
KRB_CRED verification - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - -A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - - -Section A.20. 
- 118 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - endif - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 119 - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cxx - Expires 11 January 1998 - - - - - - - - - - - Table of Contents - - - - -Overview .............................................. 2 - -Background ............................................ 2 - -1. Introduction ....................................... 3 - -1.1. Cross-Realm Operation ............................ 5 - -1.2. Authorization .................................... 6 - -1.3. Environmental assumptions ........................ 7 - -1.4. Glossary of terms ................................ 8 - -2. Ticket flag uses and requests ...................... 10 - -2.1. Initial and pre-authenticated tickets ............ 10 - -2.2. Invalid tickets .................................. 11 - -2.3. Renewable tickets ................................ 11 - -2.4. Postdated tickets ................................ 12 - -2.5. Proxiable and proxy tickets ...................... 12 - -2.6. Forwardable tickets .............................. 13 - -2.7. Other KDC options ................................ 14 - -3. Message Exchanges .................................. 14 - -3.1. The Authentication Service Exchange .............. 14 - -3.1.1. Generation of KRB_AS_REQ message ............... 16 - -3.1.2. Receipt of KRB_AS_REQ message .................. 16 - -3.1.3. 
Generation of KRB_AS_REP message ............... 16 - -3.1.4. Generation of KRB_ERROR message ................ 19 - -3.1.5. Receipt of KRB_AS_REP message .................. 19 - -3.1.6. Receipt of KRB_ERROR message ................... 19 - -3.2. The Client/Server Authentication Exchange ........ 19 - -3.2.1. The KRB_AP_REQ message ......................... 20 - - - - i - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -3.2.2. Generation of a KRB_AP_REQ message ............. 20 - -3.2.3. Receipt of KRB_AP_REQ message .................. 21 - -3.2.4. Generation of a KRB_AP_REP message ............. 23 - -3.2.5. Receipt of KRB_AP_REP message .................. 23 - -3.2.6. Using the encryption key ....................... 24 - -3.3. The Ticket-Granting Service (TGS) Exchange ....... 25 - -3.3.1. Generation of KRB_TGS_REQ message .............. 26 - -3.3.2. Receipt of KRB_TGS_REQ message ................. 27 - -3.3.3. Generation of KRB_TGS_REP message .............. 28 - -3.3.3.1. Checking for revoked tickets ................. 30 - -3.3.3.2. Encoding the transited field ................. 30 - -3.3.4. Receipt of KRB_TGS_REP message ................. 32 - -3.4. The KRB_SAFE Exchange ............................ 32 - -3.4.1. Generation of a KRB_SAFE message ............... 32 - -3.4.2. Receipt of KRB_SAFE message .................... 33 - -3.5. The KRB_PRIV Exchange ............................ 34 - -3.5.1. Generation of a KRB_PRIV message ............... 34 - -3.5.2. Receipt of KRB_PRIV message .................... 34 - -3.6. The KRB_CRED Exchange ............................ 35 - -3.6.1. Generation of a KRB_CRED message ............... 35 - -3.6.2. Receipt of KRB_CRED message .................... 35 - -4. The Kerberos Database .............................. 36 - -4.1. Database contents ................................ 36 - -4.2. Additional fields ................................ 37 - -4.3. Frequently Changing Fields ....................... 
38 - -4.4. Site Constants ................................... 39 - -5. Message Specifications ............................. 39 - - - - - ii - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -5.1. ASN.1 Distinguished Encoding Representation ...... 39 - -5.2. ASN.1 Base Definitions ........................... 40 - -5.3. Tickets and Authenticators ....................... 43 - -5.3.1. Tickets ........................................ 43 - -5.3.2. Authenticators ................................. 52 - -5.4. Specifications for the AS and TGS exchanges ...... 54 - -5.4.1. KRB_KDC_REQ definition ......................... 54 - -5.4.2. KRB_KDC_REP definition ......................... 61 - -5.5. Client/Server (CS) message specifications ........ 64 - -5.5.1. KRB_AP_REQ definition .......................... 64 - -5.5.2. KRB_AP_REP definition .......................... 65 - -5.5.3. Error message reply ............................ 67 - -5.6. KRB_SAFE message specification ................... 67 - -5.6.1. KRB_SAFE definition ............................ 67 - -5.7. KRB_PRIV message specification ................... 68 - -5.7.1. KRB_PRIV definition ............................ 68 - -5.8. KRB_CRED message specification ................... 69 - -5.8.1. KRB_CRED definition ............................ 70 - -5.9. Error message specification ...................... 72 - -5.9.1. KRB_ERROR definition ........................... 72 - -6. Encryption and Checksum Specifications ............. 74 - -6.1. Encryption Specifications ........................ 76 - -6.2. Encryption Keys .................................. 78 - -6.3. Encryption Systems ............................... 78 - -6.3.1. The NULL Encryption System (null) .............. 78 - -6.3.2. DES in CBC mode with a CRC-32 checksum (des- -cbc-crc) .............................................. 79 - -6.3.3. 
DES in CBC mode with an MD4 checksum (des- - - - - iii - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -cbc-md4) .............................................. 79 - -6.3.4. DES in CBC mode with an MD5 checksum (des- -cbc-md5) .............................................. 79 - -6.3.5. Triple DES EDE in outer CBC mode with an SHA1 -checksum (des3-cbc-sha1) .............................. 81 - -6.4. Checksums ........................................ 83 - -6.4.1. The CRC-32 Checksum (crc32) .................... 84 - -6.4.2. The RSA MD4 Checksum (rsa-md4) ................. 84 - -6.4.3. RSA MD4 Cryptographic Checksum Using DES -(rsa-md4-des) ......................................... 84 - -6.4.4. The RSA MD5 Checksum (rsa-md5) ................. 85 - -6.4.5. RSA MD5 Cryptographic Checksum Using DES -(rsa-md5-des) ......................................... 85 - -6.4.6. DES cipher-block chained checksum (des-mac) - -6.4.7. RSA MD4 Cryptographic Checksum Using DES -alternative (rsa-md4-des-k) ........................... 86 - -6.4.8. DES cipher-block chained checksum alternative -(des-mac-k) ........................................... 87 - -7. Naming Constraints ................................. 87 - -7.1. Realm Names ...................................... 87 - -7.2. Principal Names .................................. 88 - -7.2.1. Name of server principals ...................... 89 - -8. Constants and other defined values ................. 90 - -8.1. Host address types ............................... 90 - -8.2. KDC messages ..................................... 91 - -8.2.1. IP transport ................................... 91 - -8.2.2. OSI transport .................................. 91 - -8.2.3. Name of the TGS ................................ 92 - -8.3. Protocol constants and associated values ......... 92 - -9. Interoperability requirements ...................... 
95 - - - - - iv - Expires 11 January 1998 - - - - - - - - Version 5 - Specification Revision 6 - - -9.1. Specification 1 .................................. 95 - -9.2. Recommended KDC values ........................... 97 - -10. REFERENCES ........................................ 98 - -A. Pseudo-code for protocol processing ................ 100 - -A.1. KRB_AS_REQ generation ............................ 100 - -A.2. KRB_AS_REQ verification and KRB_AS_REP genera- -tion .................................................. 100 - -A.3. KRB_AS_REP verification .......................... 104 - -A.4. KRB_AS_REP and KRB_TGS_REP common checks ......... 104 - -A.5. KRB_TGS_REQ generation ........................... 105 - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP gen- -eration ............................................... 106 - -A.7. KRB_TGS_REP verification ......................... 111 - -A.8. Authenticator generation ......................... 112 - -A.9. KRB_AP_REQ generation ............................ 112 - -A.10. KRB_AP_REQ verification ......................... 112 - -A.11. KRB_AP_REP generation ........................... 113 - -A.12. KRB_AP_REP verification ......................... 114 - -A.13. KRB_SAFE generation ............................. 114 - -A.14. KRB_SAFE verification ........................... 115 - -A.15. KRB_SAFE and KRB_PRIV common checks ............. 115 - -A.16. KRB_PRIV generation ............................. 116 - -A.17. KRB_PRIV verification ........................... 116 - -A.18. KRB_CRED generation ............................. 117 - -A.19. KRB_CRED verification ........................... 118 - -A.20. KRB_ERROR generation ............................ 118 - - - - - - - - - v - Expires 11 January 1998 - - - - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt deleted file mode 100644 index 78db9d78f3cb..000000000000 
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt
+++ /dev/null
@@ -1,6214 +0,0 @@ - -INTERNET-DRAFT Clifford Neuman - John Kohl - Theodore Ts'o - 21 November 1997 - -The Kerberos Network Authentication Service (V5) - -STATUS OF THIS MEMO - -This document is an Internet-Draft. Internet-Drafts are working documents of -the Internet Engineering Task Force (IETF), its areas, and its working -groups. Note that other groups may also distribute working documents as -Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months and -may be updated, replaced, or obsoleted by other documents at any time. It is -inappropriate to use Internet-Drafts as reference material or to cite them -other than as 'work in progress.' - -To learn the current status of any Internet-Draft, please check the -'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow -Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), -ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). - -The distribution of this memo is unlimited. It is filed as -draft-ietf-cat-kerberos-r-01.txt, and expires 21 May 1998. Please send -comments to: krb-protocol@MIT.EDU - -ABSTRACT - -This document provides an overview and specification of Version 5 of the -Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol -and its intended use that require more detailed or clearer explanation than -was provided in RFC1510. This document is intended to provide a detailed -description of the protocol, suitable for implementation, together with -descriptions of the appropriate use of protocol messages and fields within -those messages. - -This document is not intended to describe Kerberos to the end user, system -administrator, or application developer. Higher level papers describing -Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88], -are available elsewhere. - -OVERVIEW - -This INTERNET-DRAFT describes the concepts and model upon which the Kerberos -network authentication system is based. 
It also specifies Version 5 of the -Kerberos protocol. - -The motivations, goals, assumptions, and rationale behind most design -decisions are treated cursorily; they are more fully described in a paper -available in IEEE communications [NT94] and earlier in the Kerberos portion -of the Athena Technical Plan [MNSS87]. The protocols have been a proposed - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -standard and are being considered for advancement for draft standard through -the IETF standard process. Comments are encouraged on the presentation, but -only minor refinements to the protocol as implemented or extensions that fit -within current protocol framework will be considered at this time. - -Requests for addition to an electronic mailing list for discussion of -Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU. -This mailing list is gatewayed onto the Usenet as the group -comp.protocols.kerberos. Requests for further information, including -documents and code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - -The Kerberos model is based in part on Needham and Schroeder's trusted -third-party authentication protocol [NS78] and on modifications suggested by -Denning and Sacco [DS81]. The original design and implementation of Kerberos -Versions 1 through 4 was the work of two former Project Athena staff -members, Steve Miller of Digital Equipment Corporation and Clifford Neuman -(now at the Information Sciences Institute of the University of Southern -California), along with Jerome Saltzer, Technical Director of Project -Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members -of Project Athena have also contributed to the work on Kerberos. - -Version 5 of the Kerberos protocol (described in this document) has evolved -from Version 4 based on new requirements and desires for features not -available in Version 4. 
The design of Version 5 of the Kerberos protocol was -led by Clifford Neuman and John Kohl with much input from the community. The -development of the MIT reference implementation was led at MIT by John Kohl -and Theodore T'so, with help and contributed code from many others. -Reference implementations of both version 4 and version 5 of Kerberos are -publicly available and commercial implementations have been developed and -are widely used. - -Details on the differences between Kerberos Versions 4 and 5 can be found in -[KNT92]. - -1. Introduction - -Kerberos provides a means of verifying the identities of principals, (e.g. a -workstation user or a network server) on an open (unprotected) network. This -is accomplished without relying on assertions by the host operating system, -without basing trust on host addresses, without requiring physical security -of all the hosts on the network, and under the assumption that packets -traveling along the network can be read, modified, and inserted at will[1]. -Kerberos performs authentication under these conditions as a trusted -third-party authentication service by using conventional (shared secret key -[2] cryptography. Kerberos extensions have been proposed and implemented -that provide for the use of public key cryptography during certain phases of -the authentication protocol. These extensions provide for authentication of -users registered with public key certification authorities, and allow the -system to provide certain benefits of public key cryptography in situations -where they are needed. - -The basic Kerberos authentication process proceeds as follows: A client - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -sends a request to the authentication server (AS) requesting 'credentials' -for a given server. The AS responds with these credentials, encrypted in the -client's key. The credentials consist of 1) a 'ticket' for the server and 2) -a temporary encryption key (often called a "session key"). 
The client -transmits the ticket (which contains the client's identity and a copy of the -session key, all encrypted in the server's key) to the server. The session -key (now shared by the client and server) is used to authenticate the -client, and may optionally be used to authenticate the server. It may also -be used to encrypt further communication between the two parties or to -exchange a separate sub-session key to be used to encrypt further -communication. - -Implementation of the basic protocol consists of one or more authentication -servers running on physically secure hosts. The authentication servers -maintain a database of principals (i.e., users and servers) and their secret -keys. Code libraries provide encryption and implement the Kerberos protocol. -In order to add authentication to its transactions, a typical network -application adds one or two calls to the Kerberos library directly or -through the Generic Security Services Application Programming Interface, -GSSAPI, described in separate document. These calls result in the -transmission of the necessary messages to achieve authentication. - -The Kerberos protocol consists of several sub-protocols (or exchanges). -There are two basic methods by which a client can ask a Kerberos server for -credentials. In the first approach, the client sends a cleartext request for -a ticket for the desired server to the AS. The reply is sent encrypted in -the client's secret key. Usually this request is for a ticket-granting -ticket (TGT) which can later be used with the ticket-granting server (TGS). -In the second method, the client sends a request to the TGS. The client uses -the TGT to authenticate itself to the TGS in the same manner as if it were -contacting any other application server that requires Kerberos -authentication. The reply is encrypted in the session key from the TGT. 
-Though the protocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different protocol entry points -within a single Kerberos server. - -Once obtained, credentials may be used to verify the identity of the -principals in a transaction, to ensure the integrity of messages exchanged -between them, or to preserve privacy of the messages. The application is -free to choose whatever protection may be necessary. - -To verify the identities of the principals in a transaction, the client -transmits the ticket to the application server. Since the ticket is sent "in -the clear" (parts of it are encrypted, but this encryption doesn't thwart -replay) and might be intercepted and reused by an attacker, additional -information is sent to prove that the message originated with the principal -to whom the ticket was issued. This information (called the authenticator) -is encrypted in the session key, and includes a timestamp. The timestamp -proves that the message was recently generated and is not a replay. -Encrypting the authenticator in the session key proves that it was generated -by a party possessing the session key. Since no one except the requesting -principal and the server know the session key (it is never sent over the -network in the clear) this guarantees the identity of the client. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -The integrity of the messages exchanged between principals can also be -guaranteed using the session key (passed in the ticket and contained in the -credentials). This approach provides detection of both replay attacks and -message stream modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a hash or digest -function) of the client's message, keyed with the session key. 
Privacy and -integrity of the messages exchanged between principals can be secured by -encrypting the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - -The authentication exchanges mentioned above require read-only access to the -Kerberos database. Sometimes, however, the entries in the database must be -modified, such as when adding new principals or changing a principal's key. -This is done using a protocol between a client and a third Kerberos server, -the Kerberos Administration Server (KADM). There is also a protocol for -maintaining multiple copies of the Kerberos database. Neither of these -protocols are described in this document. - -1.1. Cross-Realm Operation - -The Kerberos protocol is designed to operate across organizational -boundaries. A client in one organization can be authenticated to a server in -another. Each organization wishing to run a Kerberos server establishes its -own 'realm'. The name of the realm in which a client is registered is part -of the client's name, and can be used by the end-service to decide whether -to honor a request. - -By establishing 'inter-realm' keys, the administrators of two realms can -allow a client authenticated in the local realm to prove its identity to -servers in other realms[3]. The exchange of inter-realm keys (a separate key -may be used for each direction) registers the ticket-granting service of -each realm as a principal in the other realm. A client is then able to -obtain a ticket-granting ticket for the remote realm's ticket-granting -service from its local realm. When that ticket-granting ticket is used, the -remote ticket-granting service uses the inter-realm key (which usually -differs from its own normal TGS key) to decrypt the ticket-granting ticket, -and is thus certain that it was issued by the client's own TGS. 
Tickets -issued by the remote ticket-granting service will indicate to the -end-service that the client was authenticated from another realm. - -A realm is said to communicate with another realm if the two realms share an -inter-realm key, or if the local realm shares an inter-realm key with an -intermediate realm that communicates with the remote realm. An -authentication path is the sequence of intermediate realms that are -transited in communicating from one realm to another. - -Realms are typically organized hierarchically. Each realm shares a key with -its parent and a different key with each child. If an inter-realm key is not -directly shared by two realms, the hierarchical organization allows an -authentication path to be easily constructed. If a hierarchical organization -is not used, it may be necessary to consult a database in order to construct -an authentication path between realms. - -Although realms are typically hierarchical, intermediate realms may be - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -bypassed to achieve cross-realm authentication through alternate -authentication paths (these might be established to make communication -between two realms more efficient). It is important for the end-service to -know which realms were transited when deciding how much faith to place in -the authentication process. To facilitate this decision, a field in each -ticket contains the names of the realms that were involved in authenticating -the client. - -The application server is ultimately responsible for accepting or rejecting -authentication and should check the transited field. The application server -may choose to rely on the KDC for the application server's realm to check -the transited field. The application server's KDC will set the -TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate -realms may also check the transited field as they issue -ticket-granting-tickets for other realms, but they are encouraged not to do -so. 
A client may request that the KDC's not check the transited field by -setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not -required to honor this flag. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of verifying the -identity of principals on a network. Authentication is usually useful -primarily as a first step in the process of authorization, determining -whether a client may use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos does not, by -itself, provide authorization. Possession of a client ticket for a service -provides only for authentication of the client to that service, and in the -absence of a separate authorization procedure, it should not be considered -by an application as authorizing the use of that service. - -Such separate authorization methods may be implemented as application -specific access control functions and may be based on files such as the -application server, or on separately issued authorization credentials such -as those based on proxies [Neu93] , or on other authorization services. - -Applications should not be modified to accept the issuance of a service -ticket by the Kerberos server (even by an modified Kerberos server) as -granting authority to use the service, since such applications may become -vulnerable to the bypass of this authorization check in an environment if -they interoperate with other KDCs or where other options for application -authentication (e.g. the PKTAPP proposal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in which it can -properly function: - - * 'Denial of service' attacks are not solved with Kerberos. There are - places in these protocols where an intruder can prevent an application - from participating in the proper authentication steps. 
Detection and - solution of such attacks (some of which can appear to be nnot-uncommon - 'normal' failure modes for the system) is usually best left to the - human administrators and users. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - * Principals must keep their secret keys secret. If an intruder somehow - steals a principal's key, it will be able to masquerade as that - principal or impersonate any server to the legitimate principal. - * 'Password guessing' attacks are not solved by Kerberos. If a user - chooses a poor password, it is possible for an attacker to successfully - mount an offline dictionary attack by repeatedly attempting to decrypt, - with successive entries from a dictionary, messages obtained which are - encrypted under a key derived from the user's password. - * Each host on the network must have a clock which is 'loosely - synchronized' to the time of the other hosts; this synchronization is - used to reduce the bookkeeping needs of application servers when they - do replay detection. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 minutes. If the - clocks are synchronized over the network, the clock synchronization - protocol must itself be secured from network attackers. - * Principal identifiers are not recycled on a short-term basis. A typical - mode of access control will use access control lists (ACLs) to grant - permissions to particular principals. If a stale ACL entry remains for - a deleted principal and the principal identifier is reused, the new - principal will inherit rights specified in the stale ACL entry. By not - re-using principal identifiers, the danger of inadvertent access is - removed. - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - -Authentication - Verifying the claimed identity of a principal. 
-Authentication header - A record containing a Ticket and an Authenticator to be presented to a - server as part of the authentication process. -Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. -Authenticator - A record containing information that can be shown to have been recently - generated using the session key known only by the client and server. -Authorization - The process of determining whether a client may use a service, which - objects the client is allowed to access, and the type of access allowed - for each. -Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is restricted by - the contents of the authorization data field, but which lists no - network addresses, together with the session key necessary to use the - ticket. -Ciphertext - The output of an encryption function. Encryption transforms plaintext - into ciphertext. -Client - A process that makes use of a network service on behalf of a user. Note - that in some cases a Server may itself be a client of some other server - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - (e.g. a print server may be a client of a file server). -Credentials - A ticket plus the secret session key necessary to successfully use that - ticket in an authentication exchange. -KDC - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host on - which it runs. The KDC services both initial ticket and ticket-granting - ticket requests. The initial ticket portion is sometimes referred to as - the Authentication Server (or service). The ticket-granting ticket - portion is sometimes referred to as the ticket-granting server (or - service). 
-Kerberos - Aside from the 3-headed dog guarding Hades, the name given to Project - Athena's authentication service, the protocol used by that service, or - the code used to implement the authentication service. -Plaintext - The input to an encryption function or the output of a decryption - function. Decryption transforms ciphertext into plaintext. -Principal - A uniquely named client or server instance that participates in a - network communication. -Principal identifier - The name used to uniquely identify each different principal. -Seal - To encipher a record containing several fields in such a way that the - fields cannot be individually replaced without either knowledge of the - encryption key or leaving evidence of tampering. -Secret key - An encryption key shared by a principal and the KDC, distributed - outside the bounds of the system, with a long lifetime. In the case of - a human user's principal, the secret key is derived from a password. -Server - A particular Principal which provides a resource to network clients. - The server is sometimes refered to as the Application Server. -Service - A resource provided to network clients; often provided by more than one - server (for example, remote file service). -Session key - A temporary encryption key used between two principals, with a lifetime - limited to the duration of a single login "session". -Sub-session key - A temporary encryption key used between two principals, selected and - exchanged by the principals using the session key, and with a lifetime - limited to the duration of a single association. -Ticket - A record that helps a client authenticate itself to a server; it - contains the client's identity, a session key, a timestamp, and other - information, all sealed using the server's secret key. It only serves - to authenticate a client when presented along with a fresh - Authenticator. - -2. 
Ticket flag uses and requests - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -Each Kerberos ticket contains a set of flags which are used to indicate -various attributes of that ticket. Most flags may be requested by a client -when the ticket is obtained; some are automatically turned on and off by a -Kerberos server as required. The following sections explain what the various -flags mean, and gives examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - -The INITIAL flag indicates that a ticket was issued using the AS protocol -and not issued based on a ticket-granting ticket. Application servers that -want to require the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set in any tickets -they accept, and thus be assured that the client's key was recently -presented to the application client. - -The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the -initial authentication, regardless of whether the current ticket was issued -directly (in which case INITIAL will also be set) or issued on the basis of -a ticket-granting ticket (in which case the INITIAL flag is clear, but the -PRE-AUTHENT and HW-AUTHENT flags are carried forward from the -ticket-granting ticket). - -2.2. Invalid tickets - -The INVALID flag indicates that a ticket is invalid. Application servers -must reject tickets which have this flag set. A postdated ticket will -usually be issued in this form. Invalid tickets must be validated by the KDC -before use, by presenting them to the KDC in a TGS request with the VALIDATE -option specified. The KDC will only validate tickets after their starttime -has passed. The validation is required so that postdated tickets which have -been stolen before their starttime can be rendered permanently invalid -(through a hot-list mechanism) (see section 3.3.3.1). - -2.3. 
Renewable tickets - -Applications may desire to hold tickets which can be valid for long periods -of time. However, this can expose their credentials to potential theft for -equally long periods, and those stolen credentials would be valid until the -expiration time of the ticket(s). Simply using short-lived tickets and -obtaining new ones periodically would require the client to have long-term -access to its secret key, an even greater risk. Renewable tickets can be -used to mitigate the consequences of theft. Renewable tickets have two -"expiration times": the first is when the current instance of the ticket -expires, and the second is the latest permissible value for an individual -expiration time. An application client must periodically (i.e. before it -expires) present a renewable ticket to the KDC, with the RENEW option set in -the KDC request. The KDC will issue a new ticket with a new session key and -a later expiration time. All other fields of the ticket are left unmodified -by the renewal process. When the latest permissible expiration time arrives, -the ticket expires permanently. At each renewal, the KDC may consult a -hot-list to determine if the ticket had been reported stolen since its last -renewal; it will refuse to renew such stolen tickets, and thus the usable -lifetime of stolen tickets is reduced. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -The RENEWABLE flag in a ticket is normally only interpreted by the -ticket-granting service (discussed below in section 3.3). It can usually be -ignored by application servers. However, some particularly careful -application servers may wish to disallow renewable tickets. - -If a renewable ticket is not renewed by its expiration time, the KDC will -not renew the ticket. The RENEWABLE flag is reset by default, but a client -may request it be set by setting the RENEWABLE option in the KRB_AS_REQ -message. 
If it is set, then the renew-till field in the ticket contains the -time after which the ticket may not be renewed. - -2.4. Postdated tickets - -Applications may occasionally need to obtain tickets for use much later, -e.g. a batch submission system would need tickets to be valid at the time -the batch job is serviced. However, it is dangerous to hold valid tickets in -a batch queue, since they will be on-line longer and more prone to theft. -Postdated tickets provide a way to obtain these tickets from the KDC at job -submission time, but to leave them "dormant" until they are activated and -validated by a further request of the KDC. If a ticket theft were reported -in the interim, the KDC would refuse to validate the ticket, and the thief -would be foiled. - -The MAY-POSTDATE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. This flag -must be set in a ticket-granting ticket in order to issue a postdated ticket -based on the presented ticket. It is reset by default; it may be requested -by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message. -This flag does not allow a client to obtain a postdated ticket-granting -ticket; postdated ticket-granting tickets can only by obtained by requesting -the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a -postdated ticket will be the remaining life of the ticket-granting ticket at -the time of the request, unless the RENEWABLE option is also set, in which -case it can be the full life (endtime-starttime) of the ticket-granting -ticket. The KDC may limit how far in the future a ticket may be postdated. - -The POSTDATED flag indicates that a ticket has been postdated. The -application server can check the authtime field in the ticket to see when -the original authentication occurred. 
Some services may choose to reject -postdated tickets, or they may only accept them within a certain period -after the original authentication. When the KDC issues a POSTDATED ticket, -it will also be marked as INVALID, so that the application client must -present the ticket to the KDC to be validated before use. - -2.5. Proxiable and proxy tickets - -At times it may be necessary for a principal to allow a service to perform -an operation on its behalf. The service must be able to take on the identity -of the client, but only for a particular purpose. A principal can allow a -service to take on the principal's identity for a particular purpose by -granting it a proxy. - -The process of granting a proxy using the proxy and proxiable flags is used -to provide credentials for use with specific services. Though conceptually - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -also a proxy, user's wishing to delegate their identity for ANY purpose must -use the ticket forwarding mechanism described in the next section to forward -a ticket granting ticket. - -The PROXIABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. When set, -this flag tells the ticket-granting server that it is OK to issue a new -ticket (but not a ticket-granting ticket) with a different network address -based on this ticket. This flag is set if requested by the client on initial -authentication. By default, the client will request that it be set when -requesting a ticket granting ticket, and reset when requesting any other -ticket. - -This flag allows a client to pass a proxy to a server to perform a remote -request on its behalf, e.g. a print service client can give the print server -a proxy to access the client's files on a particular file server in order to -satisfy a print request. 
- -In order to complicate the use of stolen credentials, Kerberos tickets are -usually valid from only those network addresses specifically included in the -ticket[4]. When granting a proxy, the client must specify the new network -address from which the proxy is to be used, or indicate that the proxy is to -be issued for use from any address. - -The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket. -Application servers may check this flag and at their option they may require -additional authentication from the agent presenting the proxy in order to -provide an audit trail. - -2.6. Forwardable tickets - -Authentication forwarding is an instance of a proxy where the service is -granted complete use of the client's identity. An example where it might be -used is when a user logs in to a remote system and wants authentication to -work from that system as if the login were local. - -The FORWARDABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. The -FORWARDABLE flag has an interpretation similar to that of the PROXIABLE -flag, except ticket-granting tickets may also be issued with different -network addresses. This flag is reset by default, but users may request that -it be set by setting the FORWARDABLE option in the AS request when they -request their initial ticket- granting ticket. - -This flag allows for authentication forwarding without requiring the user to -enter a password again. If the flag is not set, then authentication -forwarding is not permitted, but the same result can still be achieved if -the user engages in the AS exchange specifying the requested network -addresses and supplies a password. - -The FORWARDED flag is set by the TGS when a client presents a ticket with -the FORWARDABLE flag set and requests a forwarded ticket by specifying the -FORWARDED KDC option and supplying a set of addresses for the new ticket. 
It -is also set in all tickets issued based on tickets with the FORWARDED flag - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -set. Application servers may choose to process FORWARDED tickets differently -than non-FORWARDED tickets. - -2.7. Other KDC options - -There are two additional options which may be set in a client's request of -the KDC. The RENEWABLE-OK option indicates that the client will accept a -renewable ticket if a ticket with the requested life cannot otherwise be -provided. If a ticket with the requested life cannot be provided, then the -KDC may issue a renewable ticket with a renew-till equal to the the -requested endtime. The value of the renew-till field may still be adjusted -by site-determined limits or limits imposed by the individual principal or -server. - -The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service. -It indicates that the ticket to be issued for the end server is to be -encrypted in the session key from the a additional second ticket-granting -ticket provided with the request. See section 3.3.3 for specific details. - -3. Message Exchanges - -The following sections describe the interactions between network clients and -servers and the messages involved in those exchanges. - -3.1. The Authentication Service Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. Kerberos to client KRB_AS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The Authentication Service (AS) Exchange between the client and the Kerberos -Authentication Server is initiated by a client when it wishes to obtain -authentication credentials for a given server but currently holds no -credentials. In its basic form, the client's secret key is used for -encryption and decryption. 
This exchange is typically used at the initiation
-of a login session to obtain credentials for a Ticket-Granting Server which
-will subsequently be used to obtain credentials for other servers (see
-section 3.3) without requiring further use of the client's secret key. This
-exchange is also used to request credentials for services which must not be
-mediated through the Ticket-Granting Service, but rather require a
-principal's secret key, such as the password-changing service[5]. This
-exchange does not by itself provide any assurance of the the identity of the
-user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The response,
-KRB_AS_REP, contains a ticket for the client to present to the server, and a
-session key that will be shared by the client and the server. The session
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-key and additional information are encrypted in the client's secret key. The
-KRB_AS_REP message contains information which can be used to detect replays,
-and to associate it with the message to which it replies. Various errors can
-occur; these are indicated by an error response (KRB_ERROR) instead of the
-KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
-message contains information which can be used to associate it with the
-message to which it replies. The lack of encryption in the KRB_ERROR message
-precludes the ability to detect replays, fabrications, or modifications of
-such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends a
-reply without knowing or caring whether they are the same.
This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is encrypted
-in that principal's key. The initial request supports an optional field that
-can be used to pass additional information that might be needed for the
-initial exchange. This field may be used for preauthentication as described
-in section [hl<>].
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request. Among
-these options are whether pre-authentication is to be performed; whether the
-requested ticket is to be renewable, proxiable, or forwardable; whether it
-should be postdated or allow postdating of derivative tickets; and whether a
-renewable ticket will be accepted in lieu of a non-renewable ticket if the
-requested ticket expiration date cannot be satisfied by a non-renewable
-ticket (due to configuration constraints; see section 4). See section A.1
-for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format for
-the ticket is described in section 5.3.1. The contents of the ticket are
-determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
-The authentication server looks up the client and server principals named in
-the KRB_AS_REQ in its database, extracting their respective keys. If
-required, the server pre-authenticates the request, and if the
-pre-authentication check fails, an error message with the code
-KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
-requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
-is returned. Otherwise it generates a 'random' session key[7].
-
-If there are multiple encryption keys registered for a client in the
-Kerberos database (or if the key registered supports multiple encryption
-types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
-request is used by the KDC to select the encryption method to be used for
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-encrypting the response to the client. If there is more than one supported,
-strong encryption type in the etype list, the first valid etype for which an
-encryption key is available is used. The encryption method used to respond
-to a TGS request is taken from the keytype of the session key found in the
-ticket granting ticket.
-
-When the etype field is present in a KDC request, whether an AS or TGS
-request, the KDC will attempt to assign the type of the random session key
-from the list of methods in the etype field. The KDC will select the
-appropriate type using the list of methods provided together with
-information from the Kerberos database indicating acceptable encryption
-methods for the application server. The KDC will not issue tickets with a
-weak session key encryption type.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
-the requested start time is checked against the policy of the local realm
-(the administrator might decide to prohibit certain types or ranges of
-postdated tickets), and if acceptable, the ticket's start time is set as
-requested and the INVALID flag is set in the new ticket.
The postdated
-ticket must be validated before use by presenting it to the KDC after the
-start time has been reached.
-
-The expiration time of the ticket will be set to the minimum of the
-following:
-
- * The expiration time (endtime) requested in the KRB_AS_REQ message.
- * The ticket's start time plus the maximum allowable lifetime associated
- with the client principal (the authentication server's database
- includes a maximum ticket lifetime field in each principal's record;
- see section 4).
- * The ticket's start time plus the maximum allowable lifetime associated
- with the server principal.
- * The ticket's start time plus the maximum lifetime set by the policy of
- the local realm.
-
-If the requested expiration time minus the start time (as determined above)
-is less than a site-determined minimum lifetime, an error message with code
-KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
-ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
-option was requested, then the 'RENEWABLE' flag is set in the new ticket,
-and the renew-till value is set as if the 'RENEWABLE' option were requested
-(the field and option names are described fully in section 5.4.1).
-
-If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
-been set and a renewable ticket is to be issued, then the renew-till field
-is set to the minimum of:
-
- * Its requested value.
- * The start time of the ticket plus the minimum of the two maximum
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- renewable lifetimes associated with the principals' database entries.
- * The start time of the ticket plus the maximum renewable lifetime set by
- the policy of the local realm.
-
-The flags field of the new ticket will have the following options set if
-they have been requested and if the policy of the local realm allows:
-FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
If the new
-ticket is post-dated (the start time is in the future), its INVALID flag
-will also be set.
-
-If all of the above succeed, the server formats a KRB_AS_REP message (see
-section 5.4.2), copying the addresses in the request into the caddr of the
-response, placing any required pre-authentication data into the padata of
-the response, and encrypts the ciphertext part in the client's key using the
-requested encryption method, and sends it to the client. See section A.2 for
-pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
-Several errors can occur, and the Authentication Server responds by
-returning an error message, KRB_ERROR, to the client, with the error-code
-and e-text fields set to appropriate values. The error message contents and
-details are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
-If the reply message type is KRB_AS_REP, then the client verifies that the
-cname and crealm fields in the cleartext portion of the reply match what it
-requested. If any padata fields are present, they may be used to derive the
-proper secret key to decrypt the message. The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key, start
-and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate a
-KRB_AS_REP format message which decrypts properly but is not from the proper
-KDC. If the host wishes to verify the identity of the user, it must require
-the user to present application credentials which can be verified using a
-securely-stored secret key for the host. If those credentials can be
-verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-3.2. The Client/Server Authentication Exchange
-
- Summary
-Message direction Message type Section
-Client to Application server KRB_AP_REQ 5.5.1
-[optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
-The client/server authentication (CS) exchange is used by network
-applications to authenticate the client to the server and vice versa. The
-client must have already acquired credentials for the server using the AS or
-TGS exchange.
-
-3.2.1. The KRB_AP_REQ message
-
-The KRB_AP_REQ contains authentication information which should be part of
-the first message in an authenticated transaction. It contains a ticket, an
-authenticator, and some additional bookkeeping information (see section
-5.5.1 for the exact format). The ticket by itself is insufficient to
-authenticate a client, since tickets are passed across the network in
-cleartext[DS90], so the authenticator is used to prevent invalid replay of
-tickets by proving to the server that the client knows the session key of
-the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
-referred to elsewhere as the 'authentication header.'
-
-3.2.2.
Generation of a KRB_AP_REQ message
-
-When a client wishes to initiate authentication to a server, it obtains
-(either through a credentials cache, the AS exchange, or the TGS exchange) a
-ticket and session key for the desired service. The client may re-use any
-tickets it holds until they expire. To use a ticket the client constructs a
-new Authenticator from the the system time, its name, and optionally an
-application specific checksum, an initial sequence number to be used in
-KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
-negotiations for a session key unique to this particular session.
-Authenticators may not be re-used and will be rejected if replayed to a
-server[LGDSR87]. If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use of
-a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors are
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-possible. If an error occurs, the server is expected to reply to the client
-with a KRB_ERROR message. This message may be encapsulated in the
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows.
If the
-message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
-error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
-one the server can use (e.g., it indicates an old key, and the server no
-longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
-returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
-indicates to the server that the ticket is encrypted in the session key from
-the server's ticket-granting ticket rather than its secret key[10]. Since it
-is possible for the server to be registered in multiple realms, with
-different keys in each, the srealm field in the unencrypted portion of the
-ticket in the KRB_AP_REQ is used to specify which secret key the server
-should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
-returned if the server doesn't have the proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket. If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
-from the ticket are compared against the same fields in the authenticator.
-If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
-not match, for example, if the wrong session key was used to encrypt the
-authenticator). The addresses in the ticket (if any) are then searched for
-an address matching the operating-system reported address of the client.
If
-no match is found or the server insists on ticket addresses but none are
-present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
-error is returned. If the server name, along with the client name, time and
-microsecond fields from the Authenticator match any recently-seen such
-tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
-remember any authenticator presented within the allowable clock skew, so
-that a replay attempt is guaranteed to fail. If a server loses track of any
-authenticator presented within the allowable clock skew, it must reject all
-requests until the clock skew interval has passed. This assures that any
-lost or re-played authenticators will fall outside the allowable clock skew
-and can no longer be successfully replayed (If this is not done, an attacker
-could conceivably record the ticket and authenticator sent over the network
-to a server, then disable the client's host, pose as the disabled host, and
-replay the ticket and authenticator to subvert the authentication.). If a
-sequence number is provided in the authenticator, the server saves it for
-later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
-present, the server either saves it for later use or uses it to help
-generate its own choice for a subkey to be returned in a KRB_AP_REP message.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-If all these checks succeed without an error, the server is assured that the
-client possesses the credentials of the principal named in the ticket and
-thus, the client has been authenticated to the server. See section A.10 for
-pseudocode.
-
-Passing these checks provides only authentication of the named principal; it
-does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name of
-the user, the requested operation, local acces control information such as
-that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4. Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server need
-not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
-(not only authenticating the client to the server, but also the server to
-the client) is being performed, the KRB_AP_REQ message will have
-MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
-required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not acceptable
-to the application's protocol. The timestamp and microsecond field used in
-the reply must be the client's timestamp and microsecond field (as provided
-in the authenticator)[12]. If a sequence number is to be included, it should
-be randomly chosen as described above for the authenticator. A subkey may be
-included if the server desires to negotiate a different subkey. The
-KRB_AP_REP message is encrypted in the session key extracted from the
-ticket. See section A.11 for pseudocode.
-
-3.2.5.
Receipt of KRB_AP_REP message
-
-If a KRB_AP_REP message is returned, the client uses the session key from
-the credentials obtained for the server[13] to decrypt the message, and
-verifies that the timestamp and microsecond fields match those in the
-Authenticator it sent to the server. If they match, then the client is
-assured that the server is genuine. The sequence number and subkey (if
-present) are retained for later use. See section A.12 for pseudocode.
-
-3.2.6. Using the encryption key
-
-After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
-share an encryption key which can be used by the application. The 'true
-session key' to be used for KRB_PRIV, KRB_SAFE, or other
-application-specific uses may be chosen by the application based on the
-subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-the use of this session key will be implicit in the protocol; in others the
-method of use must be chosen from several alternatives. We leave the
-protocol negotiations of how to use the key (e.g. selecting an encryption or
-checksum type) to the application programmer; the Kerberos protocol does not
-constrain the implementation options, but an example of how this might be
-done follows.
-
-One way that an application may choose to negotiate a key to be used for
-subequent integrity and privacy protection is for the client to propose a
-key in the subkey field of the authenticator. The server can then choose a
-key using the proposed key from the client as input, returning the new
-subkey in the subkey field of the application reply. This key could then be
-used for subsequent communication.
To make this example more concrete, if
-the encryption method in use required a 56 bit key, and for whatever reason,
-one of the parties was prevented from using a key with more than 40 unknown
-bits, this method would allow the the party which is prevented from using
-more than 40 bits to either propose (if the client) an initial key with a
-known quantity for 16 of those bits, or to mask 16 of the bits (if the
-server) with the known quantity. The application implementor is warned,
-however, that this is only an example, and that an analysis of the
-particular crytosystem to be used, and the reasons for limiting the key
-length, must be made before deciding whether it is acceptable to mask bits
-of the key.
-
-With both the one-way and mutual authentication exchanges, the peers should
-take care not to send sensitive information to each other without proper
-assurances. In particular, applications that require privacy or integrity
-should use the KRB_AP_REP response from the server to client to assure both
-client and server of their peer's identity. If an application protocol
-requires privacy of its messages, it can use the KRB_PRIV message (section
-3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The TGS exchange between a client and the Kerberos Ticket-Granting Server is
-initiated by a client when it wishes to obtain authentication credentials
-for a given server (which might be registered in a remote realm), when it
-wishes to renew or validate an existing ticket, or when it wishes to obtain
-a proxy ticket.
In the first case, the client must already have acquired a
-ticket for the Ticket-Granting Service using the AS exchange (the
-ticket-granting ticket is usually obtained when a client initially
-authenticates to the system, such as when a user logs in). The message
-format for the TGS exchange is almost identical to that for the AS exchange.
-The primary difference is that encryption and decryption in the TGS exchange
-does not take place under the client's key. Instead, the session key from
-the ticket-granting ticket or renewable ticket, or sub-session key from an
-Authenticator is used. As is the case for all application servers, expired
-tickets are not accepted by the TGS, so once a renewable or ticket-granting
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-ticket expires, the client must use a separate exchange to obtain valid
-tickets.
-
-The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
-client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
-KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
-client plus a request for credentials. The authentication information
-consists of the authentication header (KRB_AP_REQ) which includes the
-client's previously obtained ticket-granting, renewable, or invalid ticket.
-In the ticket-granting ticket and proxy cases, the request may include one
-or more of: a list of network addresses, a collection of typed authorization
-data to be sealed in the ticket for authorization use by the application
-server, or additional tickets (the use of which are described later). The
-TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
-session key from the ticket-granting ticket or renewable ticket, or if
-present, in the sub-session key from the Authenticator (part of the
-authentication header). The KRB_ERROR message contains an error code and
-text explaining what went wrong. The KRB_ERROR message is not encrypted.
The
-KRB_TGS_REP message contains information which can be used to detect
-replays, and to associate it with the message to which it replies. The
-KRB_ERROR message also contains information which can be used to associate
-it with the message to which it replies, but the lack of encryption in the
-KRB_ERROR message precludes the ability to detect replays or fabrications of
-such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
-Before sending a request to the ticket-granting service, the client must
-determine in which realm the application server is registered[15]. If the
-client does not already possess a ticket-granting ticket for the appropriate
-realm, then one must be obtained. This is first attempted by requesting a
-ticket-granting ticket for the destination realm from a Kerberos server for
-which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
-message recursively). The Kerberos server may return a TGT for the desired
-realm in which case one can proceed. Alternatively, the Kerberos server may
-return a TGT for a realm which is 'closer' to the desired realm (further
-along the standard hierarchical path), in which case this step must be
-repeated with a Kerberos server in the realm specified in the returned TGT.
-If neither are returned, then the request must be retried with a Kerberos
-server for a realm higher in the hierarchy. This request will itself require
-a ticket-granting ticket for the higher realm which must be obtained by
-recursively applying these directions.
-
-Once the client obtains a ticket-granting ticket for the appropriate realm,
-it determines which Kerberos servers serve that realm, and contacts one. The
-list might be obtained through a configuration file or network service or it
-may be generated from the name of the realm; as long as the secret keys
-exchanged by realms are kept secret, only denial of service results from
-using a false Kerberos server.
-
-As in the AS exchange, the client may specify a number of options in the
-KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
-an authentication header as an element of the padata field, and including
-the same fields as used in the KRB_AS_REQ message along with several
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-optional fields: the enc-authorization-data field for application server use
-and additional tickets required by some options.
-
-In preparing the authentication header, the client can select a sub-session
-key under which the response from the Kerberos server will be encrypted[16].
-If the sub-session key is not specified, the session key from the
-ticket-granting ticket will be used. If the enc-authorization-data is
-present, it must be encrypted in the sub-session key, if present, from the
-authenticator portion of the authentication header, or if not present, using
-the session key from the ticket-granting ticket.
-
-Once prepared, the message is sent to a Kerberos server for the destination
-realm. See section A.5 for pseudocode.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
-The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
-message, but there are many additional checks to be performed. First, the
-Kerberos server must determine which server the accompanying ticket is for
-and it must select the appropriate key to decrypt it. For a normal
-KRB_TGS_REQ message, it will be for the ticket granting service, and the
-TGS's key will be used. If the TGT was issued by another realm, then the
-appropriate inter-realm key must be used.
If the accompanying ticket is not
-a ticket granting ticket for the current realm, but is for an application
-server in the current realm, the RENEW, VALIDATE, or PROXY options are
-specified in the request, and the server for which a ticket is requested is
-the server named in the accompanying ticket, then the KDC will decrypt the
-ticket in the authentication header using the key of the server for which it
-was issued. If no ticket can be found in the padata field, the
-KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
-Once the accompanying ticket has been decrypted, the user-supplied checksum
-in the Authenticator must be verified against the contents of the request,
-and the message rejected if the checksums do not match (with an error code
-of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
-collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
-checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
-returned. If the authorization-data are present, they are decrypted using
-the sub-session key from the Authenticator.
-
-If any of the decryptions indicate failed integrity checks, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned.
-
-3.3.3. Generation of KRB_TGS_REP message
-
-The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
-but with its type field set to KRB_TGS_REP. The detailed specification is in
-section 5.4.2.
-
-The response will include a ticket for the requested server. The Kerberos
-database is queried to retrieve the record for the requested server
-(including the key with which the ticket will be encrypted). If the request
-is for a ticket granting ticket for a remote realm, and if no key is shared
-with the requested realm, then the Kerberos server will select the realm
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-"closest" to the requested realm with which it does share a key, and use
-that realm instead.
This is the only case where the response from the KDC
-will be for a different server than that requested by the client.
-
-By default, the address field, the client's name and realm, the list of
-transited realms, the time of initial authentication, the expiration time,
-and the authorization data of the newly-issued ticket will be copied from
-the ticket-granting ticket (TGT) or renewable ticket. If the transited field
-needs to be updated, but the transited type is not supported, the
-KDC_ERR_TRTYPE_NOSUPP error is returned.
-
-If the request specifies an endtime, then the endtime of the new ticket is
-set to the minimum of (a) that request, (b) the endtime from the TGT, and
-(c) the starttime of the TGT plus the minimum of the maximum life for the
-application server and the maximum life for the local realm (the maximum
-life for the requesting principal was already applied when the TGT was
-issued). If the new ticket is to be a renewal, then the endtime above is
-replaced by the minimum of (a) the value of the renew_till field of the
-ticket and (b) the starttime for the new ticket plus the life
-(endtime-starttime) of the old ticket.
-
-If the FORWARDED option has been requested, then the resulting ticket will
-contain the addresses specified by the client. This option will only be
-honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
-similar; the resulting ticket will contain the addresses specified by the
-client. It will be honored only if the PROXIABLE flag in the TGT is set. The
-PROXY option will not be honored on requests for additional ticket-granting
-tickets.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time.
If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified or the MAY-POSTDATE flag is not set in the TGT, then the
-error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
-ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
-postdated and the requested starttime is checked against the policy of the
-local realm. If acceptable, the ticket's start time is set as requested, and
-the INVALID flag is set. The postdated ticket must be validated before use
-by presenting it to the KDC after the starttime has been reached. However,
-in no case may the starttime, endtime, or renew-till time of a newly-issued
-postdated ticket extend beyond the renew-till time of the ticket-granting
-ticket.
-
-If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
-has been included in the request, the KDC will decrypt the additional ticket
-using the key for the server to which the additional ticket was issued and
-verify that it is a ticket-granting ticket. If the name of the requested
-server is missing from the request, the name of the client in the additional
-ticket will be used. Otherwise the name of the requested server will be
-compared to the name of the client in the additional ticket and if
-different, the request will be rejected. If the request succeeds, the
-session key from the additional ticket will be used to encrypt the new
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-ticket that is issued instead of using the key of the server for which the
-new ticket will be used[17].
-
-If the name of the server in the ticket that is presented to the KDC as part
-of the authentication header is not that of the ticket-granting server
-itself, the server is registered in the realm of the KDC, and the RENEW
-option is requested, then the KDC will verify that the RENEWABLE flag is set
-in the ticket, that the INVALID flag is not set in the ticket, and that the
-renew_till time is still in the future. If the VALIDATE option is rqeuested,
-the KDC will check that the starttime has passed and the INVALID flag is
-set. If the PROXY option is requested, then the KDC will check that the
-PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
-passes the hotlist check described in the next paragraph, the KDC will issue
-the appropriate new ticket.
-
-3.3.3.1. Checking for revoked tickets
-
-Whenever a request is made to the ticket-granting server, the presented
-ticket(s) is(are) checked against a hot-list of tickets which have been
-canceled. This hot-list might be implemented by storing a range of issue
-timestamps for 'suspect tickets'; if a presented ticket had an authtime in
-that range, it would be rejected. In this way, a stolen ticket-granting
-ticket or renewable ticket cannot be used to gain additional tickets
-(renewals or otherwise) once the theft has been reported. Any normal ticket
-obtained before it was reported stolen will still be valid (because they
-require no interaction with the KDC), but only until their normal expiration
-time.
-
-The ciphertext part of the response in the KRB_TGS_REP message is encrypted
-in the sub-session key from the Authenticator, if present, or the session
-key key from the ticket-granting ticket. It is not encrypted using the
-client's secret key.
Furthermore, the client's key's expiration date and the
-key version number fields are left out since these values are stored along
-with the client's database record, and that record is not needed to satisfy
-a request based on a ticket-granting ticket. See section A.6 for pseudocode.
-
-3.3.3.2. Encoding the transited field
-
-If the identity of the server in the TGT that is presented to the KDC as
-part of the authentication header is that of the ticket-granting service,
-but the TGT was issued from another realm, the KDC will look up the
-inter-realm key shared with that realm and use that key to decrypt the
-ticket. If the ticket is valid, then the KDC will honor the request, subject
-to the constraints outlined above in the section describing the AS exchange.
-The realm part of the client's identity will be taken from the
-ticket-granting ticket. The name of the realm that issued the
-ticket-granting ticket will be added to the transited field of the ticket to
-be issued. This is accomplished by reading the transited field from the
-ticket-granting ticket (which is treated as an unordered set of realm
-names), adding the new realm to the set, then constructing and writing out
-its encoded (shorthand) form (this may involve a rearrangement of the
-existing encoding).
-
-Note that the ticket-granting service does not add the name of its own
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-realm. Instead, its responsibility is to add the name of the previous realm.
-This prevents a malicious Kerberos server from intentionally leaving out its
-own name (it could, however, omit other realms' names).
-
-The names of neither the local realm nor the principal's realm are to be
-included in the transited field. They appear elsewhere in the ticket and
-both are known to have taken part in authenticating the principal. Since the
-endpoints are not included, both local and single-hop inter-realm
-authentication result in a transited field that is empty.
-
-Because the name of each realm transited is added to this field, it might
-potentially be very long. To decrease the length of this field, its contents
-are encoded. The initially supported encoding is optimized for the normal
-case of inter-realm communication: a hierarchical arrangement of realms
-using either domain or X.500 style realm names. This encoding (called
-DOMAIN-X500-COMPRESS) is now described.
-
-Realm names in the transited field are separated by a ",". The ",", "\",
-trailing "."s, and leading spaces (" ") are special characters, and if they
-are part of a realm name, they must be quoted in the transited field by
-preced- ing them with a "\".
-
-A realm name ending with a "." is interpreted as being prepended to the
-previous realm. For example, we can encode traversal of EDU, MIT.EDU,
-ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
-
- "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
-
-Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
-would not be included in this field, and we would have:
-
- "EDU,MIT.,WASHINGTON.EDU"
-
-A realm name beginning with a "/" is interpreted as being appended to the
-previous realm[18]. If it is to stand by itself, then it should be preceded
-by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
-/COM/HP, /COM, and /COM/DEC as:
-
- "/COM,/HP,/APOLLO, /COM/DEC".
-
-Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
-they would not be included in this field, and we would have:
-
- "/COM,/HP"
-
-A null subfield preceding or following a "," indicates that all realms
-between the previous realm and the next realm have been traversed[19]. Thus,
-"," means that all realms along the path between the client and the server
-have been traversed.
",EDU, /COM," means that that all realms from the
-client's realm up to EDU (in a domain style hierarchy) have been traversed,
-and that everything from /COM down to the server's realm in an X.500 style
-has also been traversed. This could occur if the EDU realm in one hierarchy
-shares an inter-realm key directly with the /COM realm in another hierarchy.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-3.3.4. Receipt of KRB_TGS_REP message
-
-When the KRB_TGS_REP is received by the client, it is processed in the same
-manner as the KRB_AS_REP processing described above. The primary difference
-is that the ciphertext part of the response must be decrypted using the
-session key from the ticket-granting ticket rather than the client's secret
-key. See section A.7 for pseudocode.
-
-3.4. The KRB_SAFE Exchange
-
-The KRB_SAFE message may be used by clients requiring the ability to detect
-modifications of messages they exchange. It achieves this by including a
-keyed collision-proof checksum of the user data and some control
-information. The checksum is keyed with an encryption key (usually the last
-key negotiated via subkeys, or the session key if no negotiation has
-occured).
-
-3.4.1. Generation of a KRB_SAFE message
-
-When an application wishes to send a KRB_SAFE message, it collects its data
-and the appropriate control information and computes a checksum over them.
-The checksum algorithm should be a keyed one-way hash function (such as the
-RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
-generated using the sub-session key if present, or the session key.
-Different algorithms may be selected by changing the checksum type in the
-message. Unkeyed or non-collision-proof checksums are not suitable for this
-use.
-
-The control information for the KRB_SAFE message includes both a timestamp
-and a sequence number. The designer of an application using the KRB_SAFE
-message must choose at least one of the two mechanisms.
This choice should
-be based on the needs of the application protocol.
-
-Sequence numbers are useful when all messages sent will be received by one's
-peer. Connection state is presently required to maintain the session key, so
-maintaining the next sequence number should not present an additional
-problem.
-
-If the application protocol is expected to tolerate lost messages without
-them being resent, the use of the timestamp is the appropriate replay
-detection mechanism. Using timestamps is also the appropriate mechanism for
-multi-cast protocols where all of one's peers share a common sub-session
-key, but some messages will be sent to a subset of one's peers.
-
-After computing the checksum, the client then transmits the information and
-checksum to the recipient in the message format specified in section 5.6.1.
-
-3.4.2. Receipt of KRB_SAFE message
-
-When an application receives a KRB_SAFE message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and type
-fields match the current version and KRB_SAFE, respectively. A mismatch
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
-application verifies that the checksum used is a collision-proof keyed
-checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. The
-recipient verifies that the operating system's report of the sender's
-address matches the sender's address in the message, and (if a recipient
-address is specified or the recipient requires an address) that one of the
-recipient's addresses appears as the recipient's address in the message. A
-failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the
-timestamp and usec and/or the sequence number fields are checked.
If
-timestamp and usec are expected and not present, or they are present but not
-current, the KRB_AP_ERR_SKEW error is generated. If the server name, along
-with the client name, time and microsecond fields from the Authenticator
-match any recently-seen (sent or received[20] ) such tuples, the
-KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number is
-included, or a sequence number is expected but not present, the
-KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
-a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
-Finally, the checksum is computed over the data and control information, and
-if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error is
-generated.
-
-If all the checks succeed, the application is assured that the message was
-generated by its peer and was not modi- fied in transit.
-
-3.5. The KRB_PRIV Exchange
-
-The KRB_PRIV message may be used by clients requiring confidentiality and
-the ability to detect modifications of exchanged messages. It achieves this
-by encrypting the messages and adding control information.
-
-3.5.1. Generation of a KRB_PRIV message
-
-When an application wishes to send a KRB_PRIV message, it collects its data
-and the appropriate control information (specified in section 5.7.1) and
-encrypts them under an encryption key (usually the last key negotiated via
-subkeys, or the session key if no negotiation has occured). As part of the
-control information, the client must choose to use either a timestamp or a
-sequence number (or both); see the discussion in section 3.4.1 for
-guidelines on which to use. After the user data and control information are
-encrypted, the client transmits the ciphertext and some 'envelope'
-information to the recipient.
-
-3.5.2. Receipt of KRB_PRIV message
-
-When an application receives a KRB_PRIV message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and type
-fields match the current version and KRB_PRIV, respectively. A mismatch
-generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
-application then decrypts the ciphertext and processes the resultant
-plaintext. If decryption shows the data to have been modified, a
-KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that the
-operating system's report of the sender's address matches the sender's
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-address in the message, and (if a recipient address is specified or the
-recipient requires an address) that one of the recipient's addresses appears
-as the recipient's address in the message. A failed match for either case
-generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
-sequence number fields are checked. If timestamp and usec are expected and
-not present, or they are present but not current, the KRB_AP_ERR_SKEW error
-is generated. If the server name, along with the client name, time and
-microsecond fields from the Authenticator match any recently-seen such
-tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
-number is included, or a sequence number is expected but not present, the
-KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
-a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
-
-If all the checks succeed, the application can assume the message was
-generated by its peer, and was securely transmitted (without intruders able
-to see the unencrypted contents).
-
-3.6. The KRB_CRED Exchange
-
-The KRB_CRED message may be used by clients requiring the ability to send
-Kerberos credentials from one host to another. It achieves this by sending
-the tickets together with encrypted data containing the session keys and
-other information associated with the tickets.
-
-3.6.1.
Generation of a KRB_CRED message
-
-When an application wishes to send a KRB_CRED message it first (using the
-KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
-constructs a KRB_CRED message using the ticket or tickets so obtained,
-placing the session key needed to use each ticket in the key field of the
-corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
-message.
-
-Other information associated with each ticket and obtained during the
-KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
-the encrypted part of the KRB_CRED message. The current time and, if
-specifically required by the application the nonce, s-address, and r-address
-fields, are placed in the encrypted part of the KRB_CRED message which is
-then encrypted under an encryption key previosuly exchanged in the KRB_AP
-exchange (usually the last key negotiated via subkeys, or the session key if
-no negotiation has occured).
-
-3.6.2. Receipt of KRB_CRED message
-
-When an application receives a KRB_CRED message, it verifies it. If any
-error occurs, an error code is reported for use by the application. The
-message is verified by checking that the protocol version and type fields
-match the current version and KRB_CRED, respectively. A mismatch generates a
-KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
-decrypts the ciphertext and processes the resultant plaintext. If decryption
-shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
-generated.
-
-If present or required, the recipient verifies that the operating system's
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-report of the sender's address matches the sender's address in the message,
-and that one of the recipient's addresses appears as the recipient's address
-in the message. A failed match for either case generates a
-KRB_AP_ERR_BADADDR error.
The timestamp and usec fields (and the nonce field -if required) are checked next. If the timestamp and usec are not present, or -they are present but not current, the KRB_AP_ERR_SKEW error is generated. - -If all the checks succeed, the application stores each of the new tickets in -its ticket cache together with the session key and other information in the -corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED -message. - -4. The Kerberos Database - -The Kerberos server must have access to a database contain- ing the -principal identifiers and secret keys of principals to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The key -can be encrypted before storage under a Kerberos "master key" to protect it -in case the database is compromised but the master key is not. In that case, -an extra field must be added to indicate the master key version used, see -below.) The p_kvno field is the key version number of the principal's secret -key. The max_life field contains the maximum allowable lifetime (endtime - -starttime) for any Ticket issued for this principal. The max_renewable_life -field contains the maximum allowable total lifetime for any renewable Ticket -issued for this principal. (See section 3.1 for a description of how these -lifetimes are used in determining the lifetime of a given Ticket.) - -A server may provide KDC service to several realms, as long as the database -representation provides a mechanism to distinguish between principal records -with identifiers which differ only in the realm name. 
-
-When an application server's key changes, if the change is routine (i.e. not
-the result of disclosure of the old key), the old key should be retained by
-the server until all tickets that had been issued using that key have
-expired. Because of this, it is possible for several keys to be active for a
-single principal. Ciphertext encrypted in a principal's key is always tagged
-with the version of the key that was used for encryption, to help the
-recipient find the proper key for decryption.
-
-When more than one key is active for a particular principal, the principal
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-will have more than one record in the Kerberos database. The keys and key
-version numbers will differ between the records (the rest of the fields may
-or may not be the same). Whenever Kerberos issues a ticket, or responds to a
-request for initial authentication, the most recent key (known by the
-Kerberos server) will be used for encryption. This is the key with the
-highest key version number.
-
-4.2. Additional fields
-
-Project Athena's KDC implementation uses additional fields in its database:
-
-Field Value
-
-K_kvno Kerberos' key version
-expiration Expiration date for entry
-attributes Bit field of attributes
-mod_date Timestamp of last modification
-mod_name Modifying principal's identifier
-
-The K_kvno field indicates the key version of the Kerberos master key under
-which the principal's secret key is encrypted.
-
-After an entry's expiration date has passed, the KDC will return an error to
-any client attempting to gain tickets as or for the principal. (A database
-may want to maintain two expiration dates: one for the principal, and one
-for the principal's current key. This allows password aging to work
-independently of the principal's expiration date.
However, due to the
-limited space in the responses, the KDC must combine the key expiration and
-principal expiration date into a single value called 'key_exp', which is
-used as a hint to the user to take administrative action.)
-
-The attributes field is a bitfield used to govern the operations involving
-the principal. This field might be useful in conjunction with user
-registration procedures, for site-specific policy implementations (Project
-Athena currently uses it for their user registration process controlled by
-the system-wide database service, Moira [LGDSR87]), to identify whether a
-principal can play the role of a client or server or both, to note whether a
-server is appropriate trusted to recieve credentials delegated by a client,
-or to identify the 'string to key' conversion algorithm used for a
-principal's key[22]. Other bits are used to indicate that certain ticket
-options should not be allowed in tickets encrypted under a principal's key
-(one bit each): Disallow issuing postdated tickets, disallow issuing
-forwardable tickets, disallow issuing tickets based on TGT authentication,
-disallow issuing renewable tickets, disallow issuing proxiable tickets, and
-disallow issuing tickets for which the principal is the server.
-
-The mod_date field contains the time of last modification of the entry, and
-the mod_name field contains the name of the principal which last modified
-the entry.
-
-4.3. Frequently Changing Fields
-
-Some KDC implementations may wish to maintain the last time that a request
-was made by a particular principal. Information that might be maintained
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-includes the time of the last request, the time of the last request for a
-ticket-granting ticket, the time of the last use of a ticket-granting
-ticket, or other times. This information can then be returned to the user in
-the last-req field (see section 5.2).
- -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This -field would be used to indicate how long old keys must remain valid to allow -the continued use of outstanding tickets. - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. - * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 specification, -section 8.7 [X509-88]. - -5.2. ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. 
-Note that since the underscore character (_) is not permitted in ASN.1 -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. A PrincipalName -is a typed sequence of components consisting of the following sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the same - (i.e. at least one of the components, or the realm, must be different). - This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding -shall specify the UTC time zone (Z) and shall not include any fractional -portions of the seconds. It further shall not include any separators. -Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm -on 6 November 1985 is 19851106210627Z. 
- -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -ad-data - This field contains authorization data to be interpreted according to - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - the value of the corresponding ad-type field. -ad-type - This field specifies the format for the ad-data subfield. All negative - values are reserved for local use. Non-negative values are reserved for - registered use. - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the interpretation -of the encapsulating element determines which of the embedded elements must -be interpreted, and which may be ignored. Definitions for these common -elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - - - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. -te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. 
Non-negative values are reserved for - registered use. - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - -TicketFlags ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - may-postdate(5), - postdated(6), - invalid(7), - renewable(8), - initial(9), - pre-authent(10), - hw-authent(11), - transited-policy-checked(12), - ok-as-delegate(13) -} - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -KDCOptions ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - unused12(12), - unused13(13), - disable-transited-check(26), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) -} - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest multiple of 32 bits needed to -include the highest order bit that is set (1), but in no case less than 32 -bits. Implementations should accept values of bit strings of any length and -treat the value of flags cooresponding to bits beyond the end of the bit -string as if the bit were reset (0). Comparisonof bit strings of different -length should treat the smaller string as if it were padded with zeros -beyond the high order bits to the length of the longer string[23]. - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. Negative values indicate that the information pertains - only to the responding server. Non-negative values pertain to all - servers for the realm. If the lr-type field is zero (0), then no - information is conveyed by the lr-value subfield. 
If the absolute value - of the lr-type field is one (1), then the lr-value subfield is the time - of last initial request for a TGT. If it is two (2), then the lr-value - subfield is the time of last initial request. If it is three (3), then - the lr-value subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), then the lr-value - subfield is the time of the last renewal. If it is five (5), then the - lr-value subfield is the time of last request (of any type). -lr-value - This field contains the time of the last request. the time must be - interpreted according to the contents of the accompanying lr-type - subfield. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, -EncryptionKey, EncryptionType, and KeyType. - -5.3. Tickets and Authenticators - -This section describes the format and encryption parameters for tickets and -authenticators. When a ticket or authenticator is included in a protocol -message it is treated as an opaque object. - -5.3.1. Tickets - -A ticket is a record that helps a client authenticate to a service. 
A Ticket -contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos and -the end server (the server's secret key). See section 6 for the format of -the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - the two will always be identical. -sname - This field specifies the name part of the server's identity. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - This optional field contains a sequence of extentions that may be used - to carry information that must be carried with the ticket to support - several extensions, including but not limited to plaintext - authorization data, tokens for exchanging inter-realm keys, and other - information that must be associated with a ticket for use by the - application server. See Appendix C for definitions of some common - extensions. 
- - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of the - appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. The meanings - of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - a forwarded ticket-granting ticket. - - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. 
The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. - - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. - The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. 
- - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - Security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. - - 15-31 RESERVED - Reserved for future use. 
- -key - This field exists in the ticket and the KDC response and is used to - pass the session key from Kerberos to the application server and the - client. The field's encoding is described in section 6.2. -crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. -cname - This field contains the name part of the client's principal identifier. -transited - This field lists the names of the Kerberos realms that took part in - authenticating the user to whom this ticket was issued. It does not - specify the order in which the realms were transited. See section - 3.3.3.2 for details on how this field encodes the traversed realms. -authtime - This field indicates the time of initial authentication for the named - principal. It is the time of issue for the original ticket on which - this ticket is based. It is included in the ticket to provide - additional information to the end service, and to provide the necessary - information for implementation of a `hot list' service at the KDC. An - end service that is particularly paranoid could refuse to accept - tickets for which the initial authentication occurred "too far" in the - past. This field is also returned as part of the response from the KDC. - When returned as part of the response to initial authentication - (KRB_AS_REP), this is the current time on the Ker- beros server[24]. -starttime - This field in the ticket specifies the time after which the ticket is - valid. Together with endtime, this field specifies the life of the - ticket. If it is absent from the ticket, its value should be treated as - that of the authtime field. -endtime - This field contains the time after which the ticket will not be honored - (its expiration time). Note that individual services may place their - own limits on the life of a ticket and may reject tickets which have - not yet expired. 
As such, this is really an upper bound on the - expiration time for the ticket. -renew-till - This field is only present in tickets that have the RENEWABLE flag set - in the flags field. It indicates the maximum endtime that may be - included in a renewal. It can be thought of as the absolute expiration - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - time for the ticket, including all renewals. -caddr - This field in a ticket contains zero (if omitted) or more (if present) - host addresses. These are the addresses from which the ticket can be - used. If there are no addresses, the ticket can be used from any - location. The decision by the KDC to issue or by the end server to - accept zero-address tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may refuse to issue or - accept such tickets. The suggested and default policy, however, is that - such tickets will only be issued or accepted when additional - information that can be used to restrict the use of the ticket is - included in the authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to make it harder for an - attacker to use stolen credentials. Because the session key is not sent - over the network in cleartext, credentials can't be stolen simply by - listening to the network; an attacker has to gain access to the session - key (perhaps through operating system security breaches or a careless - user's unattended session) to make use of stolen tickets. - - It is important to note that the network address from which a - connection is received cannot be reliably determined. Even if it could - be, an attacker who has compromised the client's worksta- tion could - use the credentials from there. Including the network addresses only - makes it more difficult, not impossible, for an attacker to walk off - with stolen credentials and then use them from a "safe" location. 
-authorization-data - The authorization-data field is used to pass authorization data from - the principal on whose behalf a ticket was issued to the application - service. If no authorization data is included, this field will be left - out. Experience has shown that the name of this field is confusing, and - that a better name for this field would be restrictions. Unfortunately, - it is not possible to change the name of this field at this time. - - This field contains restrictions on any authority obtained on the basis - of authentication using the ticket. It is possible for any principal in - posession of credentials to add entries to the authorization data field - since these entries further restrict what can be done with the ticket. - Such additions can be made by specifying the additional entries when a - new ticket is obtained during the TGS exchange, or they may be added - during chained delegation using the authorization data field of the - authenticator. - - Because entries may be added to this field by the holder of - credentials, it is not allowable for the presence of an entry in the - authorization data field of a ticket to amplify the priveleges one - would obtain from using a ticket. - - The data in this field may be specific to the end service; the field - will contain the names of service specific objects, and the rights to - those objects. The format for this field is described in section 5.2. - Although Kerberos is not concerned with the format of the contents of - the sub-fields, it does carry type information (ad-type). - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - By using the authorization_data field, a principal is able to issue a - proxy that is valid for a specific purpose. For example, a client - wishing to print a file can obtain a file server proxy to be passed to - the print server. 
By specifying the name of the file in the - authorization_data field, the file server knows that the print server - can only use the client's rights when accessing the particular file to - be printed. - - A separate service providing authorization or certifying group - membership may be built using the authorization-data field. In this - case, the entity granting authorization (not the authorized entity), - obtains a ticket in its own name (e.g. the ticket is issued in the name - of a privelege server), and this entity adds restrictions on its own - authority and delegates the restricted authority through a proxy to the - client. The client would then present this authorization credential to - the application server separately from the authentication exchange. - - Similarly, if one specifies the authorization-data field of a proxy and - leaves the host addresses blank, the resulting ticket and session key - can be treated as a capability. See [Neu93] for some suggested uses of - this field. - - The authorization-data field is optional and does not have to be - included in a ticket. - -5.3.2. Authenticators - -An authenticator is a record sent with a ticket to a server to certify the -client's knowledge of the encryption key in the ticket, to help the server -detect replays, and to help choose a "true session key" to use with the -particular session. The encoding is encrypted in the ticket's session key -shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - -authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. 
-crealm and cname - These fields are the same as those described for the ticket in section - 5.3.1. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -cksum - This field contains a checksum of the the applica- tion data that - accompanies the KRB_AP_REQ. -cusec - This field contains the microsecond part of the client's timestamp. Its - value (before encryption) ranges from 0 to 999999. It often appears - along with ctime. The two fields are used together to specify a - reasonably accurate timestamp. -ctime - This field contains the current time on the client's host. -subkey - This field contains the client's choice for an encryption key which is - to be used to protect this specific application session. Unless an - application specifies otherwise, if this field is left out the session - key from the ticket will be used. -seq-number - This optional field includes the initial sequence number to be used by - the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to - detect replays (It may also be used by application specific messages). - When included in the authenticator this field specifies the initial - sequence number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number is that for - messages from the server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after each message is sent. - - For sequence numbers to adequately support the detection of replays - they should be non-repeating, even across connection boundaries. The - initial sequence number should be random and uniformly distributed - across the full space of possible sequence numbers, so that it cannot - be guessed by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. -authorization-data - This field is the same as described for the ticket in section 5.3.1. 
It - is optional and will only appear when additional restrictions are to be - placed on the use of a ticket, beyond those carried in the ticket - itself. - -5.4. Specifications for the AS and TGS exchanges - -This section specifies the format of the messages used in the exchange -between the client and the Kerberos server. The format of possible error -messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - -The KRB_KDC_REQ message has no type of its own. Instead, its type is one of -KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial -ticket or an additional ticket. In either case, the message is sent from the -client to the Authentication Server to request credentials for a service. - -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -The fields in this message are: - -pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. 
-msg-type - This field indicates the type of a protocol message. It will almost - always be the same as the application identifier associated with a - message. It is included to make the identifier more readily accessible - to the application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. -padata - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials can - be issued or decrypted. In the case of requests for additional tickets - (KRB_TGS_REQ), this field will include an element with padata-type of - PA-TGS-REQ and data of an authentication header (ticket-granting ticket - and authenticator). The checksum in the authenticator (which must be - collision-proof) is to be computed over the KDC-REQ-BODY encoding. In - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - most requests for initial authentication (KRB_AS_REQ) and most replies - (KDC-REP), the padata field will be left out. - - This field may also contain information needed by certain extensions to - the Kerberos protocol. For example, it might be used to initially - verify the identity of a client before any response is returned. This - is accomplished with a padata field with padata-type equal to - PA-ENC-TIMESTAMP and padata-value defined as follows: - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL - } - - with patimestamp containing the client's time and pausec containing the - microseconds which may be omitted if a client will not generate more - than one request per second. The ciphertext (padata-value) consists of - the PA-ENC-TS-ENC sequence, encrypted using the client's secret key. 
- - [use-specified-kvno item is here for discussion and may be removed] It - may also be used by the client to specify the version of a key that is - being used for accompanying preauthentication, and/or which should be - used to encrypt the reply from the KDC. - - PA-USE-SPECIFIED-KVNO ::= Integer - - The KDC should only accept and abide by the value of the - use-specified-kvno preauthentication data field when the specified key - is still valid and until use of a new key is confirmed. This situation - is likely to occur primarily during the period during which an updated - key is propagating to other KDC's in a realm. - - The padata field can also contain information needed to help the KDC or - the client select the key needed for generating or decrypting the - response. This form of the padata is useful for supporting the use of - certain token cards with Kerberos. The details of such extensions are - specified in separate documents. See [Pat92] for additional uses of - this field. -padata-type - The padata-type element of the padata field indicates the way that the - padata-value element is to be interpreted. Negative values of - padata-type are reserved for unregistered use; non-negative values are - used for a registered interpretation of the element type. -req-body - This field is a placeholder delimiting the extent of the remaining - fields. If a checksum is to be calculated over the request, it is - calculated over an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. -kdc-options - This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the - KDC and indicates the flags that the client wants set on the tickets as - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - well as other information that is to modify the behavior of the KDC. - Where appropriate, the name of an option may be the same as the flag - that is set by that option. 
Although in most case, the bit in the - options field will be the same as that in the flags field, this is not - guaranteed, so it is not acceptable to simply copy the options field to - the flags field. There are various checks that must be made before - honoring an option anyway. - - The kdc_options field is a bit-field, where the selected options are - indicated by the bit being set (1), and the unselected options and - reserved fields being reset (0). The encoding of the bits is specified - in section 5.2. The options are described in more detail above in - section 2. The meanings of the options are: - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates that - the ticket to be issued is to have its - forwardable flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based is also for- - wardable. - - 2 FORWARDED - The FORWARDED option is only specified - in a request to the ticket-granting - server and will only be honored if the - ticket-granting ticket in the request - has its FORWARDABLE bit set. This - option indicates that this is a request - for forwarding. The address(es) of the - host from which the resulting ticket is - to be valid are included in the - addresses field of the request. - - 3 PROXIABLE - The PROXIABLE option indicates that the - ticket to be issued is to have its prox- - iable flag set. It may only be set on - the initial request, or in a subsequent - request if the ticket-granting ticket on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this is - a request for a proxy. This option will - only be honored if the ticket-granting - ticket in the request has its PROXIABLE - bit set. 
The address(es) of the host - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - from which the resulting ticket is to be - valid are included in the addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates that - the ticket to be issued is to have its - MAY-POSTDATE flag set. It may only be - set on the initial request, or in a sub- - sequent request if the ticket-granting - ticket on which it is based also has its - MAY-POSTDATE flag set. - - 6 POSTDATED - The POSTDATED option indicates that this - is a request for a postdated ticket. - This option will only be honored if the - ticket-granting ticket on which it is - based has its MAY-POSTDATE flag set. - The resulting ticket will also have its - INVALID flag set, and that flag may be - reset by a subsequent request to the KDC - after the starttime in the ticket has - been reached. - - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that the - ticket to be issued is to have its - RENEWABLE flag set. It may only be set - on the initial request, or when the - ticket-granting ticket on which the - request is based is also renewable. If - this option is requested, then the rtime - field in the request contains the - desired absolute expiration time for the - ticket. - - 9-13 UNUSED - These options are presently unused. - - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option indicates - that the ticket to be issued is not to - identify the user to which it was - issued. Instead, the principal identif- - ier is to be generic, as specified by - the policy of the realm (e.g. usually - anonymous@realm). The purpose of the - ticket is only to securely distribute a - session key, and not to identify the - user. The ANONYMOUS flag on the ticket - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - to be returned should be set. If the - local realms policy does not permit - anonymous credentials, the request is to - be rejected. 
- - 15-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited field - is disabled. Tickets issued without the - performance of this check will be noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. - - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that a - renewable ticket will be acceptable if a - ticket with the requested life cannot - otherwise be provided. If a ticket with - the requested life cannot be provided, - then a renewable ticket may be issued - with a renew-till equal to the the - requested endtime. The value of the - renew-till field may still be limited by - local limits, or limits selected by the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the ticket- - granting service. The ENC-TKT-IN-SKEY - option indicates that the ticket for the - end server is to be encrypted in the - session key from the additional ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the ticket- - granting service. The RENEW option - indicates that the present request is - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - for a renewal. The ticket provided is - encrypted in the secret key for the - server on which it is valid. This - option will only be honored if the - ticket to be renewed has its RENEWABLE - flag set and if the time in its renew- - till field has not passed. The ticket - to be renewed is passed in the padata - field as part of the authentication - header. 
- - 31 VALIDATE - This option is used only by the ticket- - granting service. The VALIDATE option - indicates that the request is to vali- - date a postdated ticket. It will only - be honored if the ticket presented is - postdated, presently has its INVALID - flag set, and would be otherwise usable - at this time. A ticket cannot be vali- - dated before its starttime. The ticket - presented for validation is encrypted in - the key of the server for which it is - valid and is passed in the padata field - as part of the authentication header. - -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, or - alternatively from the session key in the ticket-granting ticket, both - from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies the - desired start time for the requested ticket. If this field is omitted - then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. 
It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date of - the ticket granting ticket or other preauthentication credentials. -rtime - This field is the requested renew-till time sent from a client to the - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - KDC in a ticket request. It is optional. -nonce - This field is part of the KDC request and response. It it intended to - hold a random number generated by the client. If the same number is - included in the encrypted response from the KDC, it provides evidence - that the response is fresh and has not been replayed by an attacker. - Nonces must never be re-used. Ideally, it should be generated randomly, - but if the correct time is known, it may suffice[25]. -etype - This field specifies the desired encryption algorithm to be used in the - response. -addresses - This field is included in the initial request for tickets, and - optionally included in requests for additional tickets from the - ticket-granting server. It specifies the addresses from which the - requested ticket is to be valid. Normally it includes the addresses for - the client's host. If a proxy is requested, this field will contain - other addresses. The contents of this field are usually copied by the - KDC into the caddr field of the resulting ticket. -additional-tickets - Additional tickets may be optionally included in a request to the - ticket-granting server. If the ENC-TKT-IN-SKEY option has been - specified, then the session key from the additional ticket will be used - in place of the server's key to encrypt the new ticket. If more than - one option which requires additional tickets has been specified, then - the additional tickets are used in the order specified by the ordering - of the options bits (see kdc-options, above). 
-
-The application code will be either ten (10) or twelve (12) depending on
-whether the request is for an initial ticket (AS-REQ) or for an additional
-ticket (TGS-REQ).
-
-The optional fields (addresses, authorization-data and additional-tickets)
-are only included if necessary to perform the operation specified in the
-kdc-options field.
-
-It should be noted that in KRB_TGS_REQ, the protocol version number appears
-twice and two different message types appear: the KRB_TGS_REQ message
-contains these fields as does the authentication header (KRB_AP_REQ) that is
-passed in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
-The KRB_KDC_REP message format is used for the reply from the KDC for either
-an initial (AS) request or a subsequent (TGS) request. There is no message
-type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
-KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
-depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
-the client's secret key, and the client's key version number is included in
-the key version number for the encrypted data. For KRB_TGS_REP, the
-ciphertext is encrypted in the sub-session key from the Authenticator, or if
-absent, the session key from the ticket-granting ticket used in the request.
-In that case, no version number will be present in the EncryptedData
-sequence.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-The KRB_KDC_REP message contains the following fields:
-
-AS-REP ::= [APPLICATION 11] KDC-REP
-TGS-REP ::= [APPLICATION 13] KDC-REP
-
-KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- padata[2] SEQUENCE OF PA-DATA OPTIONAL,
- crealm[3] Realm,
- cname[4] PrincipalName,
- ticket[5] Ticket,
- enc-part[6] EncryptedData
-}
-
-EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart
-EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
-EncKDCRepPart ::= SEQUENCE {
- key[0] EncryptionKey,
- last-req[1] LastReq,
- nonce[2] INTEGER,
- key-expiration[3] KerberosTime OPTIONAL,
- flags[4] TicketFlags,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- srealm[9] Realm,
- sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is either
- KRB_AS_REP or KRB_TGS_REP.
-padata
- This field is described in detail in section 5.4.1. One possible use
- for this field is to encode an alternate "mix-in" string to be used
- with a string-to-key algorithm (such as is described in section 6.3.2).
- This ability is useful to ease transitions if a realm name needs to
- change (e.g. when a company is acquired); in such a case all existing
- password-derived entries in the KDC database would be flagged as
- needing a special mix-in string until the next password change.
-crealm, cname, srealm and sname
- These fields are the same as those described for the ticket in section
- 5.3.1.
-ticket
- The newly-issued ticket, from section 5.3.1.
-enc-part
- This field is a place holder for the ciphertext and related information
- that forms the encrypted part of a message. The description of the
- encrypted part of the message follows each appearance of this field.
- - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - The encrypted part is encoded as described in section 6.1. -key - This field is the same as described for the ticket in section 5.3.1. -last-req - This field is returned by the KDC and specifies the time(s) of the last - request by a principal. Depending on what information is available, - this might be the last time that a request for a ticket-granting ticket - was made, or the last time that a request based on a ticket-granting - ticket was successful. It also might cover all servers for a realm, or - just the particular server. Some implementations may display this - information to the user to aid in discovering unauthorized use of one's - identity. It is similar in spirit to the last login time displayed when - logging into timesharing systems. -nonce - This field is described above in section 5.4.1. -key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. The - expiration might be the result of password aging or an account - expiration. This field will usually be left out of the TGS reply since - the response to the TGS request is encrypted in a session key and no - client information need be retrieved from the KDC database. It is up to - the application client (usually the login program) to take appropriate - action (such as notifying the user) if the expiration time is imminent. -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted portion of - the attached ticket (see section 5.3.1), provided so the client may - verify they match the intended request and to assist in proper ticket - caching. If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. 
If the client-requested addresses are not
- present or not used, then the addresses contained in the ticket will be
- the same as those included in the ticket-granting ticket.
-
-5.5. Client/Server (CS) message specifications
-
-This section specifies the format of the messages used for the
-authentication of the client to the application server.
-
-5.5.1. KRB_AP_REQ definition
-
-The KRB_AP_REQ message contains the Kerberos protocol version number, the
-message type KRB_AP_REQ, an options field to indicate any options in use,
-and the ticket and authenticator themselves. The KRB_AP_REQ message is often
-referred to as the 'authentication header'.
-
-AP-REQ ::= [APPLICATION 14] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- ap-options[2] APOptions,
- ticket[3] Ticket,
- authenticator[4] EncryptedData
-}
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-APOptions ::= BIT STRING {
- reserved(0),
- use-session-key(1),
- mutual-required(2)
-}
-
-
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_AP_REQ.
-ap-options
- This field appears in the application request (KRB_AP_REQ) and affects
- the way the request is processed. It is a bit-field, where the selected
- options are indicated by the bit being set (1), and the unselected
- options and reserved fields being reset (0). The encoding of the bits
- is specified in section 5.2. The meanings of the options are:
-
- Bit(s) Name Description
- 0 RESERVED
- Reserved for future expansion of this
- field.
-
- 1 USE-SESSION-KEY
- The USE-SESSION-KEY option indicates
- that the ticket the client is presenting
- to a server is encrypted in the session
- key from the server's ticket-granting
- ticket. When this option is not speci-
- fied, the ticket is encrypted in the
- server's secret key.
-
- 2 MUTUAL-REQUIRED
- The MUTUAL-REQUIRED option tells the
- server that the client requires mutual
- authentication, and that it must respond
- with a KRB_AP_REP message.
-
- 3-31 RESERVED
- Reserved for future use.
-ticket
- This field is a ticket authenticating the client to the server.
-authenticator
- This contains the authenticator, which includes the client's choice of
- a subkey. Its encoding is described in section 5.3.2.
-
-5.5.2. KRB_AP_REP definition
-
-The KRB_AP_REP message contains the Kerberos protocol version number, the
-message type, and an encrypted time- stamp. The message is sent in in
-response to an application request (KRB_AP_REQ) where the mutual
-authentication option has been selected in the ap-options field.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-AP-REP ::= [APPLICATION 15] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- enc-part[2] EncryptedData
-}
-
-EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE {
- ctime[0] KerberosTime,
- cusec[1] INTEGER,
- subkey[2] EncryptionKey OPTIONAL,
- seq-number[3] INTEGER OPTIONAL
-}
-
-The encoded EncAPRepPart is encrypted in the shared session key of the
-ticket. The optional subkey field can be used in an application-arranged
-negotiation to choose a per association session key.
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_AP_REP.
-enc-part
- This field is described above in section 5.4.2.
-ctime
- This field contains the current time on the client's host.
-cusec
- This field contains the microsecond part of the client's timestamp.
-subkey
- This field contains an encryption key which is to be used to protect
- this specific application session. See section 3.2.6 for specifics on
- how this field is used to negotiate a key. Unless an application
- specifies otherwise, if this field is left out, the sub-session key
- from the authenticator, or if also left out, the session key from the
- ticket will be used.
-
-5.5.3. Error message reply
-
-If an error occurs while processing the application request, the KRB_ERROR
-message will be sent in response.
See section 5.9.1 for the format of the
-error message. The cname and crealm fields may be left out if the server
-cannot determine their appropriate values from the corresponding KRB_AP_REQ
-message. If the authenticator was decipherable, the ctime and cusec fields
-will contain the values from it.
-
-5.6. KRB_SAFE message specification
-
-This section specifies the format of a message that can be used by either
-side (client or server) of an application to send a tamper-proof message to
-its peer. It presumes that a session key has previously been exchanged (for
-example, by using the KRB_AP_REQ/KRB_AP_REP messages).
-
-5.6.1. KRB_SAFE definition
-
-The KRB_SAFE message contains user data along with a collision-proof
-checksum keyed with the last encryption key negotiated via subkeys, or the
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-session key if no negotiation has occured. The message fields are:
-
-KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- safe-body[2] KRB-SAFE-BODY,
- cksum[3] Checksum
-}
-
-KRB-SAFE-BODY ::= SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL,
- r-address[5] HostAddress OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_SAFE.
-safe-body
- This field is a placeholder for the body of the KRB-SAFE message. It is
- to be encoded separately and then have the checksum computed over it,
- for use in the cksum field.
-cksum
- This field contains the checksum of the application data. Checksum
- details are described in section 6.4. The checksum is computed over the
- encoding of the KRB-SAFE-BODY sequence.
-user-data
- This field is part of the KRB_SAFE and KRB_PRIV messages and contain
- the application specific data that is being passed from the sender to
- the recipient.
-timestamp
- This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
- are the current time as known by the sender of the message. By checking
- the timestamp, the recipient of the message is able to make sure that
- it was recently generated, and is not a replay.
-usec
- This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
- the microsecond part of the timestamp.
-seq-number
- This field is described above in section 5.3.2.
-s-address
- This field specifies the address in use by the sender of the message.
-r-address
- This field specifies the address in use by the recipient of the
- message. It may be omitted for some uses (such as broadcast protocols),
- but the recipient may arbitrarily reject such messages. This field
- along with s-address can be used to help detect messages which have
- been incorrectly or maliciously delivered to the wrong recipient.
-
-5.7. KRB_PRIV message specification
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-This section specifies the format of a message that can be used by either
-side (client or server) of an application to securely and privately send a
-message to its peer. It presumes that a session key has previously been
-exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
-
-5.7.1. KRB_PRIV definition
-
-The KRB_PRIV message contains user data encrypted in the Session Key. The
-message fields are:
-
-KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- enc-part[3] EncryptedData
-}
-
-EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL, -- sender's addr
- r-address[5] HostAddress OPTIONAL -- recip's addr
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_PRIV.
-enc-part
- This field holds an encoding of the EncKrbPrivPart sequence encrypted
- under the session key[32]. This encrypted encoding is used for the
- enc-part field of the KRB-PRIV message. See section 6 for the format of
- the ciphertext.
-user-data, timestamp, usec, s-address and r-address
- These fields are described above in section 5.6.1.
-seq-number
- This field is described above in section 5.3.2.
-
-5.8. KRB_CRED message specification
-
-This section specifies the format of a message that can be used to send
-Kerberos credentials from one principal to another. It is presented here to
-encourage a common mechanism to be used by applications when forwarding
-tickets or providing proxies to subordinate servers. It presumes that a
-session key has already been exchanged perhaps by using the
-KRB_AP_REQ/KRB_AP_REP messages.
-
-5.8.1. KRB_CRED definition
-
-The KRB_CRED message contains a sequence of tickets to be sent and
-information needed to use the tickets, including the session key from each.
-The information needed to use the tickets is encrypted under an encryption
-key previously exchanged or transferred alongside the KRB_CRED message.
The
-message fields are:
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-KRB-CRED ::= [APPLICATION 22] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER, -- KRB_CRED
- tickets[2] SEQUENCE OF Ticket,
- enc-part[3] EncryptedData
-}
-
-EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
- ticket-info[0] SEQUENCE OF KrbCredInfo,
- nonce[1] INTEGER OPTIONAL,
- timestamp[2] KerberosTime OPTIONAL,
- usec[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL,
- r-address[5] HostAddress OPTIONAL
-}
-
-KrbCredInfo ::= SEQUENCE {
- key[0] EncryptionKey,
- prealm[1] Realm OPTIONAL,
- pname[2] PrincipalName OPTIONAL,
- flags[3] TicketFlags OPTIONAL,
- authtime[4] KerberosTime OPTIONAL,
- starttime[5] KerberosTime OPTIONAL,
- endtime[6] KerberosTime OPTIONAL
- renew-till[7] KerberosTime OPTIONAL,
- srealm[8] Realm OPTIONAL,
- sname[9] PrincipalName OPTIONAL,
- caddr[10] HostAddresses OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_CRED.
-tickets
- These are the tickets obtained from the KDC specifically for use by the
- intended recipient. Successive tickets are paired with the
- corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
- message.
-enc-part
- This field holds an encoding of the EncKrbCredPart sequence encrypted
- under the session key shared between the sender and the intended
- recipient. This encrypted encoding is used for the enc-part field of
- the KRB-CRED message. See section 6 for the format of the ciphertext.
-nonce
- If practical, an application may require the inclusion of a nonce
- generated by the recipient of the message. If the same value is
- included as the nonce in the message, it provides evidence that the
- message is fresh and has not been replayed by an attacker. A nonce must
- never be re-used; it should be generated randomly by the recipient of
- the message and provided to the sender of the message in an application
- specific manner.
-timestamp and usec
- These fields specify the time that the KRB-CRED message was generated.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- The time is used to provide assurance that the message is fresh.
-s-address and r-address
- These fields are described above in section 5.6.1. They are used
- optionally to provide additional assurance of the integrity of the
- KRB-CRED message.
-key
- This field exists in the corresponding ticket passed by the KRB-CRED
- message and is used to pass the session key from the sender to the
- intended recipient. The field's encoding is described in section 6.2.
-
-The following fields are optional. If present, they can be associated with
-the credentials in the remote ticket file. If left out, then it is assumed
-that the recipient of the credentials already knows their value.
-
-prealm and pname
- The name and realm of the delegated principal identity.
-flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
- These fields contain the values of the correspond- ing fields from the
- ticket found in the ticket field. Descriptions of the fields are
- identical to the descriptions in the KDC-REP message.
-
-5.9. Error message specification
-
-This section specifies the format for the KRB_ERROR message. The fields
-included in the message are intended to return as much information as
-possible about an error. It is not expected that all the information
-required by the fields will be available for all types of errors. If the
-appropriate information is not available when the message is composed, the
-corresponding field will be left out of the message.
-
-Note that since the KRB_ERROR message is not protected by any encryption, it
-is quite possible for an intruder to synthesize or modify such a message. In
-particular, this means that the client should not use any fields in this
-message for security-critical purposes, such as setting a system clock or
-generating a fresh authenticator.
The message can be useful, however, for
-advising a user on the reason for some failure.
-
-5.9.1. KRB_ERROR definition
-
-The KRB_ERROR message consists of the following fields:
-
-KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- ctime[2] KerberosTime OPTIONAL,
- cusec[3] INTEGER OPTIONAL,
- stime[4] KerberosTime,
- susec[5] INTEGER,
- error-code[6] INTEGER,
- crealm[7] Realm OPTIONAL,
- cname[8] PrincipalName OPTIONAL,
- realm[9] Realm, -- Correct realm
- sname[10] PrincipalName, -- Correct name
- e-text[11] GeneralString OPTIONAL,
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- e-data[12] OCTET STRING OPTIONAL,
- e-cksum[13] Checksum OPTIONAL,
- e-typed-data[14] SEQUENCE of ETypedData OPTIONAL
-}
-
-ETypedData ::= SEQUENCE {
- e-data-type [1] INTEGER,
- e-data-value [2] OCTET STRING,
-}
-
-
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_ERROR.
-ctime
- This field is described above in section 5.4.1.
-cusec
- This field is described above in section 5.5.2.
-stime
- This field contains the current time on the server. It is of type
- KerberosTime.
-susec
- This field contains the microsecond part of the server's timestamp. Its
- value ranges from 0 to 999999. It appears along with stime. The two
- fields are used in conjunction to specify a reasonably accurate
- timestamp.
-error-code
- This field contains the error code returned by Kerberos or the server
- when a request fails. To interpret the value of this field see the list
- of error codes in section 8. Implementations are encouraged to provide
- for national language support in the display of error messages.
-crealm, cname, srealm and sname
- These fields are described above in section 5.3.1.
-e-text
- This field contains additional text to help explain the error code
- associated with the failed request (for example, it might include a
- principal name which was unknown).
-e-data
- This field contains additional data about the error for use by the
- application to help it recover from or handle the error. If the
- errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will
- contain an encoding of a sequence of padata fields, each corresponding
- to an acceptable pre-authentication method and optionally containing
- data for the method:
-
- METHOD-DATA ::= SEQUENCE of PA-DATA
-
- If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
- contain an encoding of the following sequence:
-
- METHOD-DATA ::= SEQUENCE {
- method-type[0] INTEGER,
- method-data[1] OCTET STRING OPTIONAL
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- }
-
- method-type will indicate the required alternate method; method-data
- will contain any required additional information.
-e-cksum
- This field contains an optional checksum for the KRB-ERROR message. The
- checksum is calculated over the Kerberos ASN.1 encoding of the
- KRB-ERROR message with the checksum absent. The checksum is then added
- to the KRB-ERROR structure and the message is re-encoded. The Checksum
- should be calculated using the session key from the ticket granting
- ticket or service ticket, where available. If the error is in response
- to a TGS or AP request, the checksum should be calculated uing the the
- session key from the client's ticket. If the error is in response to an
- AS request, then the checksum should be calulated using the client's
- secret key ONLY if there has been suitable preauthentication to prove
- knowledge of the secret key by the client[33]. If a checksum can not be
- computed because the key to be used is not available, no checksum will
- be included.
-e-typed-data
- [This field for discussion, may be deleted from final spec] This field
- contains optional data that may be used to help the client recover from
- the indicated error. [This could contain the METHOD-DATA specified
- since I don't think anyone actually uses it yet.
It could also contain
- the PA-DATA sequence for the preauth required error if we had a clear
- way to transition to the use of this field from the use of the untype
- e-data field.] For example, this field may specify the key version of
- the key used to verify preauthentication:
-
- e-data-type := 20 -- Key version number
- e-data-value := Integer -- Key version number used to verify
- preauthentication
-
-6. Encryption and Checksum Specifications
-
-The Kerberos protocols described in this document are designed to use stream
-encryption ciphers, which can be simulated using commonly available block
-encryption ciphers, such as the Data Encryption Standard, [DES77] in
-conjunction with block chaining and checksum methods [DESM80]. Encryption is
-used to prove the identities of the network entities participating in
-message exchanges. The Key Distribution Center for each realm is trusted by
-all principals registered in that realm to store a secret key in confidence.
-Proof of knowledge of this secret key is used to verify the authenticity of
-a principal.
-
-The KDC uses the principal's secret key (in the AS exchange) or a shared
-session key (in the TGS exchange) to encrypt responses to ticket requests;
-the ability to obtain the secret key or session key implies the knowledge of
-the appropriate keys and the identity of the KDC. The ability of a principal
-to decrypt the KDC response and present a Ticket and a properly formed
-Authenticator (generated with the session key from the KDC response) to a
-service verifies the identity of the principal; likewise the ability of the
-service to extract the session key from the Ticket and prove its knowledge
-thereof in a response verifies the identity of the service.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-The Kerberos protocols generally assume that the encryption used is secure
-from cryptanalysis; however, in some cases, the order of fields in the
-encrypted portions of messages are arranged to minimize the effects of
-poorly chosen keys. It is still important to choose good keys. If keys are
-derived from user-typed passwords, those passwords need to be well chosen to
-make brute force attacks more difficult. Poorly chosen keys still make easy
-targets for intruders.
-
-The following sections specify the encryption and checksum mechanisms
-currently defined for Kerberos. The encodings, chaining, and padding
-requirements for each are described. For encryption methods, it is often
-desirable to place random information (often referred to as a confounder) at
-the start of the message. The requirements for a confounder are specified
-with each encryption mechanism.
-
-Some encryption systems use a block-chaining method to improve the the
-security characteristics of the ciphertext. However, these chaining methods
-often don't provide an integrity check upon decryption. Such systems (such
-as DES in CBC mode) must be augmented with a checksum of the plain-text
-which can be verified at decryption and used to detect any tampering or
-damage. Such checksums should be good at detecting burst errors in the
-input. If any damage is detected, the decryption routine is expected to
-return an error indicating the failure of an integrity check. Each
-encryption type is expected to provide and verify an appropriate checksum.
-The specification of each encryption method sets out its checksum
-requirements.
-
-Finally, where a key is to be derived from a user's password, an algorithm
-for converting the password to a key of the appropriate type is included. It
-is desirable for the string to key function to be one-way, and for the
-mapping to be different in different realms.
This is important because users
-who are registered in more than one realm will often use the same password
-in each, and it is desirable that an attacker compromising the Kerberos
-server in one realm not obtain or derive the user's key in another.
-
-For an discussion of the integrity characteristics of the candidate
-encryption and checksum methods considered for Kerberos, the the reader is
-referred to [SG92].
-
-6.1. Encryption Specifications
-
-The following ASN.1 definition describes all encrypted messages. The
-enc-part field which appears in the unencrypted part of messages in section
-5 is a sequence consisting of an encryption type, an optional key version
-number, and the ciphertext.
-
-EncryptedData ::= SEQUENCE {
- etype[0] INTEGER, -- EncryptionType
- kvno[1] INTEGER OPTIONAL,
- cipher[2] OCTET STRING -- ciphertext
-}
-
-
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-etype
- This field identifies which encryption algorithm was used to encipher
- the cipher. Detailed specifications for selected encryption types
- appear later in this section.
-kvno
- This field contains the version number of the key under which data is
- encrypted. It is only present in messages encrypted under long lasting
- keys, such as principals' secret keys.
-cipher
- This field contains the enciphered text, encoded as an OCTET STRING.
-
-The cipher field is generated by applying the specified encryption algorithm
-to data composed of the message and algorithm-specific inputs. Encryption
-mechanisms defined for use with Kerberos must take sufficient measures to
-guarantee the integrity of the plaintext, and we recommend they also take
-measures to protect against precomputed dictionary attacks. If the
-encryption algorithm is not itself capable of doing so, the protections can
-often be enhanced by adding a checksum and a confounder.
-
-The suggested format for the data to be encrypted includes a confounder, a
-checksum, the encoded plaintext, and any necessary padding. The msg-seq
-field contains the part of the protocol message described in section 5 which
-is to be encrypted. The confounder, checksum, and padding are all untagged
-and untyped, and their length is exactly sufficient to hold the appropriate
-item. The type and length is implicit and specified by the particular
-encryption type being used (etype). The format for the data to be encrypted
-is described in the following diagram:
-
- +-----------+----------+-------------+-----+
- |confounder | check | msg-seq | pad |
- +-----------+----------+-------------+-----+
-
-The format cannot be described in ASN.1, but for those who prefer an
-ASN.1-like notation:
-
-CipherText ::= ENCRYPTED SEQUENCE {
- confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
- check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
- msg-seq[2] MsgSequence,
- pad UNTAGGED OCTET STRING(pad_length) OPTIONAL
-}
-
-One generates a random confounder of the appropriate length, placing it in
-confounder; zeroes out check; calculates the appropriate checksum over
-confounder, check, and msg-seq, placing the result in check; adds the
-necessary padding; then encrypts using the specified encryption type and the
-appropriate key.
-
-Unless otherwise specified, a definition of an encryption algorithm that
-specifies a checksum, a length for the confounder field, or an octet
-boundary for padding uses this ciphertext format[36]. Those fields which are
-not specified will be omitted.
-
-In the interest of allowing all implementations using a particular
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-encryption type to communicate with all others using that type, the
-specification of an encryption type defines any checksum that is needed as
-part of the encryption process.
If an alternative checksum is to be used, a
-new encryption type must be defined.
-
-Some cryptosystems require additional information beyond the key and the
-data to be encrypted. For example, DES, when used in cipher-block-chaining
-mode, requires an initialization vector. If required, the description for
-each encryption type must specify the source of such additional information.
-6.2. Encryption Keys
-
-The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
-keytype
- This field specifies the type of encryption key that follows in the
- keyvalue field. It will almost always correspond to the encryption
- algorithm used to generate the EncryptedData, though more than one
- algorithm may use the same type of key (the mapping is many to one).
- This might happen, for example, if the encryption algorithm uses an
- alternate checksum algorithm for an integrity check, or a different
- chaining mechanism.
-keyvalue
- This field contains the key itself, encoded as an octet string.
-
-All negative values for the encryption key type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields and
-interpreta- tions.
-
-6.3. Encryption Systems
-
-6.3.1. The NULL Encryption System (null)
-
-If no encryption is in use, the encryption system is said to be the NULL
-encryption system. In the NULL encryption system there is no checksum,
-confounder or padding. The ciphertext is simply the plaintext. The NULL Key
-is used by the null encryption system and is zero octets in length, with
-keytype zero (0).
-
-6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
-The des-cbc-crc encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
A
-CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
-confounder and message sequence (msg-seq) and placed in the cksum field. DES
-blocks are 8 bytes. As a result, the data to be encrypted (the concatenation
-of confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption. The details of the encryption of this data are identical
-to those for the des-cbc-md5 encryption mode.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-Note that, since the CRC-32 checksum is not collision-proof, an attacker
-could use a probabilistic chosen-plaintext attack to generate a valid
-message even if a confounder is used [SG92]. The use of collision-proof
-checksums is recommended for environments where such attacks represent a
-significant threat. The use of the CRC-32 as the checksum for ticket or
-authenticator is no longer mandated as an interoperability requirement for
-Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
-
-6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
-The des-cbc-md4 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD4 checksum (described in [MD492]) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption. The details of the encryption of this data are identical
-to those for the des-cbc-md5 encryption mode.
-
-6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
-The des-cbc-md5 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD5 checksum (described in [MD5-92].) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes.
As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption.
-
-Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
-concatenated to make the 64-bit inputs for the DES algorithms. The first
-octet supplies the 8 most significant bits (with the octet's MSbit used as
-the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
-and the eighth octet supplies the 8 least significant bits.
-
-Encryption under DES using cipher block chaining requires an additional
-input in the form of an initialization vector. Unless otherwise specified,
-zero should be used as the initialization vector. Kerberos' use of DES
-requires an 8 octet confounder.
-
-The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
-shall not be used for encrypting messages for use in Kerberos. Additionally,
-because of the way that keys are derived for the encryption of checksums,
-keys shall not be used that yield 'weak' or 'semi-weak' keys when
-eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
-
-A DES key is 8 octets of data, with keytype one (1). This consists of 56
-bits of key, and 8 parity bits (one per octet). The key is encoded as a
-series of 8 octets written in MSB-first order. The bits within the key are
-also encoded in MSB order. For example, if the encryption key is
-(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
-B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
-bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
-MSbit). [See the FIPS 81 introduction for reference.]
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-String to key transformation
-
-To generate a DES key from a text string (password), the text string
-normally must have the realm and each component of the principal's name
-appended[37], then padded with ASCII nulls to an 8 byte boundary. This
-string is then fan-folded and eXclusive-ORed with itself to form an 8 byte
-DES key. The parity is corrected on the key, and it is used to generate a
-DES CBC checksum on the initial string (with the realm and name appended).
-Next, parity is corrected on the CBC checksum. If the result matches a
-'weak' or 'semi-weak' key as described in the DES specification, it is
-eXclusive-ORed with the constant 00000000000000F0. Finally, the result is
-returned as the key. Pseudocode follows:
-
- string_to_key(string,realm,name) {
- odd = 1;
- s = string + realm;
- for(each component in name) {
- s = s + component;
- }
- tempkey = NULL;
- pad(s); /* with nulls to 8 byte boundary */
- for(8byteblock in s) {
- if(odd == 0) {
- odd = 1;
- reverse(8byteblock)
- }
- else odd = 0;
- tempkey = tempkey XOR 8byteblock;
- }
- fixparity(tempkey);
- key = DES-CBC-check(s,tempkey);
- fixparity(key);
- if(is_weak_key_key(key))
- key = key XOR 0xF0;
- return(key);
- }
-
-6.3.5. Triple DES EDE in outer CBC mode with an SHA1 check-sum
-(des3-cbc-sha1)
-
-The des3-cbc-sha1 encryption encodes information using three Data Encryption
-Standard transformations with three DES keys. The first key is used to
-perform a DES ECB encryption on an eight-octet data block using the first
-DES key, followed by a DES ECB decryption of the result using the second DES
-key, and a DES ECB encryption of the result using the third DES key. Because
-DES blocks are 8 bytes, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must first be padded to an 8 byte
-boundary before encryption. To support the outer CBC mode, the input is
-padded to an eight-octet boundary.
The first 8 octets of the data to be
-encrypted (the confounder) is exclusive-ored with an initialization vector
-of zero and then ECB encrypted using triple DES as described above.
-Subsequent blocks of 8 octets are exclusive-ored with the ciphertext
-produced by the encryption on the previous block before ECB encryption.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-An HMAC-SHA1 checksum (described in [KBC96].) is applied to the confounder
-and message sequence (msg-seq) and placed in the cksum field.
-
-Plaintext are encoded as blocks of 8 octets which are concatenated to make
-the 64-bit inputs for the DES algorithms. The first octet supplies the 8
-most significant bits (with the octet's MSbit used as the DES input block's
-MSbit, etc.), the second octet the next 8 bits, ..., and the eighth octet
-supplies the 8 least significant bits.
-
-Encryption under Triple DES using cipher block chaining requires an
-additional input in the form of an initialization vector. Unless otherwise
-specified, zero should be used as the initialization vector. Kerberos' use
-of DES requires an 8 octet confounder.
-
-The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
-shall not be used for encrypting messages for use in Kerberos. Additionally,
-because of the way that keys are derived for the encryption of checksums,
-keys shall not be used that yield 'weak' or 'semi-weak' keys when
-eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
-
-A Triple DES key is 24 octets of data, with keytype seven (7). This consists
-of 168 bits of key, and 24 parity bits (one per octet). The key is encoded
-as a series of 24 octets written in MSB-first order, with the first 8 octets
-treated as the first DES key, the second 8 octets as the second key, and the
-third 8 octets the third DES key. The bits within each key are also encoded
-in MSB order.
For example, if the encryption key is
-(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
-B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
-bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
-MSbit). [See the FIPS 81 introduction for reference.]
-
-Key derivation for specified operations (Horowitz)
-
-[Discussion is needed for this section, especially since it does not simply
-derive key generation, but also specifies encryption using triple DES in a
-manner that is different than the basic template that was specified for
-single DES and similar systems]
-
-In the Kerberos protocol cryptographic keys are used in a number of places.
-In order to minimize the effect of compromising a key, it is desirable to
-use a different key in each of these places. Key derivation [Horowitz96] can
-be used to construct different keys for each operation from the keys
-transported on the network or derived from the password specified by the
-user.
-
-For each place where a key is used in Kerberos, a ``key usage'' is specified
-for that purpose. The key, key usage, and encryption/checksum type together
-describe the transformation from plaintext to ciphertext. For backwards
-compatibility, this key derivation is only specified here for encryption
-methods based on triple DES. Encryption methods specified for use by
-Kerberos in the future should specify the key derivation function to be
-used.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-Kerberos requires that the ciphertext component of EncryptedData be
-tamper-resistant as well as confidential. This implies encryption and
-integrity functions, which must each use their own separate keys.
So, for -each key usage, two keys must be generated, one for encryption (Ke), and one -for integrity (Ki): - - Ke = DK(protocol key, key usage | 0xAA) - Ki = DK(protocol key, key usage | 0x55) - -where the key usage is represented as a 32 bit integer in network byte -order. The ciphertest must be generated from the plaintext as follows: - - ciphertext = E(Ke, confounder | length | plaintext | padding) | - H(Ki, confounder | length | plaintext | padding) - -The confounder and padding are specific to the encryption algorithm E. - -When generating a checksum only, there is no need for a confounder or -padding. Again, a new key (Kc) must be used. Checksums must be generated -from the plaintext as follows: - - Kc = DK(protocol key, key usage | 0x99) - MAC = H(Kc, length | plaintext) - - -Note that each enctype is described by an encryption algorithm E and a keyed -hash algorithm H, and each checksum type is described by a keyed hash -algorithm H. HMAC, with an appropriate hash, is recommended for use as H. - -The key usage value will be taken from the following list of places where -keys are used in the Kerberos protocol, with key usage values and Kerberos -specification section numbers: - - 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) - 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the service key - (section 5.4.2) - 3. AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) - - 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) - 7. 
TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) - 8. TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) - 9. TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - 10. AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) - 11. AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) - 12. AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) - - 13. KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) - 14. KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.6.1) - 15. KRB-SAFE cksum, keyed with a key chosen by the application - (section 5.8.1) - - 16. Data which is defined in some specification outside of - Kerberos to be encrypted using Kerberos encryption type. - 17. Data which is defined in some specification outside of - Kerberos to be checksummed using Kerberos checksum type. - - 18. KRB-ERROR checksum (e-cksum in section 5.9.1) - 19. AD-KDCIssued checksum (ad-checksum in appendix B.1) - 20. Checksum for Mandatory Ticket Extensions (appendix B.6) - 21. Checksum in Authorization Data in Ticket Extensions (appendix B.7) - -String to key transformation - -To generate a DES key from a text string (password), the text string -normally must have the realm and each component of the principal's name -appended[38]. - -The input string (with any salt data appended to it) is n-folded into a 24 -octet (192 bit) string. To n-fold a number X, replicate the input value to a -length that is the least common multiple of n and the length of X. 
Before -each repetition, the input X is rotated to the right by 13 bit positions. -The successive n-bit chunks are added together using 1's-complement addition -(addition with end-around carry) to yield a n-bit result. (This -transformation was proposed by Richard Basch) - -Each successive set of 8 octets is taken as a DES key, and its parity is -adjusted in the same manner as previously described. If any of the three -sets of 8 octets match a 'weak' or 'semi-weak key as described in the DES -specification, that chunk is eXclusive-ORed with the hexadecimal constant -00000000000000F0. The resulting DES keys are then used in sequence to -perform a Triple-DES CBC encryption of the n-folded input string (appended -with any salt data), using a zero initial vector. Parity, weak, and -semi-weak keys are once again corrected and the result is returned as the 24 -octet key. - -Pseudocode follows: - - string_to_key(string,realm,name) { - s = string + realm; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - for(each component in name) { - s = s + component; - } - tkey[24] = fold(s); - fixparity(tkey); - if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0; - if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0; - if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0; - key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0); - fixparity(key); - if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0; - if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0; - if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0; - return(key); - } - -6.4. Checksums - -The following is the ASN.1 definition used for a checksum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - -cksumtype - This field indicates the algorithm used to generate the accompanying - checksum. -checksum - This field contains the checksum itself, encoded as an octet string. - -Detailed specification of selected checksum types appear later in this -section. 
Negative values for the checksum type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields and
-interpretations.
-
-Checksums used by Kerberos can be classified by two properties: whether they
-are collision-proof, and whether they are keyed. It is infeasible to find
-two plaintexts which generate the same checksum value for a collision-proof
-checksum. A key is required to perturb or initialize the algorithm in a
-keyed checksum. To prevent message-stream modification by an active
-attacker, unkeyed checksums should only be used when the checksum and
-message will be subsequently encrypted (e.g. the checksums defined as part
-of the encryption algorithms covered earlier in this section).
-
-Collision-proof checksums can be made tamper-proof if the checksum value is
-encrypted before inclusion in a message. In such cases, the composition of
-the checksum and the encryption algorithm must be considered a separate
-checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
-algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for the
-encrypted forms of unkeyed collision-proof checksums, Kerberos prepends a
-confounder before the checksum is calculated.
-
-6.4.1. The CRC-32 Checksum (crc32)
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-The CRC-32 checksum calculates a checksum based on a cyclic redundancy check
-as described in ISO 3309 [ISO3309]. The resulting checksum is four (4)
-octets in length. The CRC-32 is neither keyed nor collision-proof. The use
-of this checksum is not recommended. An attacker using a probabilistic
-chosen-plaintext attack as described in [SG92] might be able to generate an
-alternative message that satisfies the checksum. The use of collision-proof
-checksums is recommended for environments where such attacks represent a
-significant threat.
-
-6.4.2.
The RSA MD4 Checksum (rsa-md4) - -The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm -[MD4-92]. The algorithm takes as input an input message of arbitrary length -and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to -be collision-proof. - -6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des) - -The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by -prepending an 8 octet confounder before the text, applying the RSA MD4 -checksum algorithm, and encrypting the confounder and the checksum using DES -in cipher-block-chaining (CBC) mode using a variant of the key, where the -variant is computed by eXclusive-ORing the key with the constant -F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The -resulting checksum is 24 octets long (8 octets of which are redundant). This -checksum is tamper-proof and believed to be collision-proof. - -The DES specifications identify some weak keys' and 'semi-weak keys'; those -keys shall not be used for generating RSA-MD4 checksums for use in Kerberos. - -The format for the checksum is described in the follow- ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.4. The RSA MD5 Checksum (rsa-md5) - -The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm. -[MD5-92]. The algorithm takes as input an input message of arbitrary length -and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed to -be collision-proof. - -6.4.5. 
RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des) - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by -prepending an 8 octet confounder before the text, applying the RSA MD5 -checksum algorithm, and encrypting the confounder and the checksum using DES -in cipher-block-chaining (CBC) mode using a variant of the key, where the -variant is computed by eXclusive-ORing the key with the hexadecimal constant -F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting -checksum is 24 octets long (8 octets of which are redundant). This checksum -is tamper-proof and believed to be collision-proof. - -The DES specifications identify some 'weak keys' and 'semi-weak keys'; those -keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos. - -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.6. DES cipher-block chained checksum (des-mac) - -The DES-MAC checksum is computed by prepending an 8 octet confounder to the -plaintext, performing a DES CBC-mode encryption on the result using the key -and an initialization vector of zero, taking the last block of the -ciphertext, prepending the same confounder and encrypting the pair using DES -in cipher-block-chaining (CBC) mode using a a variant of the key, where the -variant is computed by eXclusive-ORing the key with the hexadecimal constant -F0F0F0F0F0F0F0F0. The initialization vector should be zero. 
The resulting -checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This -checksum is tamper-proof and collision-proof. - -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ -| des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) -} - -The DES specifications identify some 'weak' and 'semi-weak' keys; those keys -shall not be used for generating DES-MAC checksums for use in Kerberos, nor - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -shall a key be used whose variant is 'weak' or 'semi-weak'. - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k) - -The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by -applying the RSA MD4 checksum algorithm and encrypting the results using DES -in cipher-block-chaining (CBC) mode using a DES key as both key and -initialization vector. The resulting checksum is 16 octets long. This -checksum is tamper-proof and believed to be collision-proof. Note that this -checksum type is the old method for encoding the RSA-MD4-DES checksum and it -is no longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (des-mac-k) - -The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption -of the plaintext, and using the last block of the ciphertext as the checksum -value. It is keyed with an encryption key and an initialization vector; any -uses which do not specify an additional initialization vector will use the -key as both key and initialization vector. The resulting checksum is 64 bits -(8 octets) long. 
This checksum is tamper-proof and collision-proof. Note -that this checksum type is the old method for encoding the DES-MAC checksum -and it is no longer recommended. The DES specifications identify some 'weak -keys' and 'semi-weak keys'; those keys shall not be used for generating -DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - -7.1. Realm Names - -Although realm names are encoded as GeneralStrings and although a realm can -technically select any name it chooses, interoperability across realm -boundaries requires agreement on how realm names are to be assigned, and -what information they imply. - -To enforce these conventions, each realm must conform to the conventions -itself, and it must require that any realms with which inter-realm keys are -shared also conform to the conventions and require the same from its -neighbors. - -Kerberos realm names are case sensitive. Realm names that differ only in the -case of the characters are not equivalent. There are presently four styles -of realm names: domain, X500, other, and reserved. Examples of each style -follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - -Domain names must look like domain names: they consist of components -separated by periods (.) and they contain neither colons (:) nor slashes -(/). Domain names must be converted to upper case when used as realm names. - -X.500 names contain an equal (=) and cannot contain a colon (:) before the - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -equal. The realm names for X.500 names will be string representations of the -names with components separated by slashes. Leading and trailing slashes -will not be included. - -Names that fall into the other category must begin with a prefix that -contains no equal (=) or period (.) and the prefix must be followed by a -colon (:) and the rest of the name. 
All prefixes must be assigned before
-they may be used. Presently none are assigned.
-
-The reserved category includes strings which do not fall into the first
-three categories. All names in this category are reserved. It is unlikely
-that names will be assigned to this category unless there is a very strong
-argument for not using the 'other' category.
-
-These rules guarantee that there will be no conflicts between the various
-name styles. The following additional constraints apply to the assignment of
-realm names in the domain and X.500 categories: the name of a realm for the
-domain or X.500 formats must either be used by the organization owning (to
-whom it was assigned) an Internet domain name or X.500 name, or in the case
-that no such names are registered, authority to use a realm name may be
-derived from the authority of the parent realm. For example, if there is no
-domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
-authorize the creation of a realm with that name.
-
-This is acceptable because the organization to which the parent is assigned
-is presumably the organization authorized to assign names to its children in
-the X.500 and domain name systems as well. If the parent assigns a realm
-name without also registering it in the domain name or X.500 hierarchy, it
-is the parent's responsibility to make sure that there will not in the
-future exists a name identical to the realm name of the child unless it is
-assigned to the same entity as the realm name.
-
-7.2. Principal Names
-
-As was the case for realm names, conventions are needed to ensure that all
-agree on what information is implied by a principal name. The name-type
-field that is part of the principal name indicates the kind of information
-implied by the name. The name-type should be treated as a hint. Ignoring the
-name type, no two names can be the same (i.e. at least one of the
-components, or the realm, must be different).
The following name types are -defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - -When a name implies no information other than its uniqueness at a particular -time the name type PRINCIPAL should be used. The principal name type should - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -be used for users, and it might also be used for a unique server. If the -name is a unique machine generated ID that is guaranteed never to be -reassigned then the name type of UID should be used (note that it is -generally a bad idea to reassign names of any type since stale entries might -remain in access control lists). - -If the first component of a name identifies a service and the remaining -components identify an instance of the service in a server specified manner, -then the name type of SRV-INST should be used. An example of this name type -is the Kerberos ticket-granting service whose name has a first component of -krbtgt and a second component identifying the realm for which the ticket is -valid. - -If instance is a single component following the service name and the -instance identifies the host on which the server is running, then the name -type SRV-HST should be used. This type is typically used for Internet -services such as telnet and the Berkeley R commands. If the separate -components of the host name appear as successive components following the -name of the service, then the name type SRV-XHST should be used. This type -might be used to identify servers on hosts with X.500 names where the slash -(/) might otherwise be ambiguous. 
-
-A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
-certificiate is translated into a Kerberos name. The encoding of the X.509
-name as a Kerberos principal shall conform to the encoding rules specified
-in RFC 1779.
-
-A name type of UNKNOWN should be used when the form of the name is not
-known. When comparing names, a name of type UNKNOWN will match principals
-authenticated with names of any type. A principal authenticated with a name
-of type UNKNOWN, however, will only match other names of type UNKNOWN.
-
-Names of any type with an initial component of 'krbtgt' are reserved for the
-Kerberos ticket granting service. See section 8.2.3 for the form of such
-names.
-
-7.2.1. Name of server principals
-
-The principal identifier for a server on a host will generally be composed
-of two parts: (1) the realm of the KDC with which the server is registered,
-and (2) a two-component name of type NT-SRV-HST if the host name is an
-Internet domain name or a multi-component name of type NT-SRV-XHST if the
-name of the host is of a form such as X.500 that allows slash (/)
-separators. The first component of the two- or multi-component name will
-identify the service and the latter components will identify the host. Where
-the name of the host is not case sensitive (for example, with Internet
-domain names) the name of the host must be lower case. If specified by the
-application protocol for services such as telnet and the Berkeley R commands
-which run with system privileges, the first component may be the string
-'host' instead of a service specific identifier. When a host has an official
-name and one or more aliases, the official name of the host must be used
-when constructing the name of the server principal.
-
-8. Constants and other defined values
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-8.1. Host address types
-
-All negative values for the host address type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields and -interpretations. - -The values of the types for the following addresses are chosen to match the -defined address family constants in the Berkeley Standard Distributions of -Unix. They can be found in with symbolic names AF_xxx (where xxx is an -abbreviation of the address family name). - -Internet (IPv4) Addresses - -Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB -order. The type of IPv4 addresses is two (2). - -Internet (IPv6) Addresses - -IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The -type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The -following addresses (see [RFC1884]) MUST not appear in any Kerberos packet: - - * the Unspecified Address - * the Loopback Address - * Link-Local addresses - -IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - -CHAOSnet addresses - -CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order. -The type of CHAOSnet addresses is five (5). - -ISO addresses - -ISO addresses are variable-length. The type of ISO addresses is seven (7). - -Xerox Network Services (XNS) addresses - -XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The -type of XNS addresses is six (6). - -AppleTalk Datagram Delivery Protocol (DDP) addresses - -AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network -number. The first octet of the address is the node number; the remaining two -octets encode the network number in MSB order. The type of AppleTalk DDP -addresses is sixteen (16). - -DECnet Phase IV addresses - -DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The -type of DECnet Phase IV addresses is twelve (12). - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -8.2. KDC messages - -8.2.1. 
UDP/IP transport
-
-When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
-IP transport, the client shall send a UDP datagram containing only an
-encoding of the request to port 88 (decimal) at the KDC's IP address; the
-KDC will respond with a reply datagram containing only an encoding of the
-reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
-the sender's IP address. Kerberos servers supporting IP transport must
-accept UDP requests on port 88 (decimal). The response to a request made
-through UDP/IP transport must also use UDP/IP transport.
-
-8.2.2. TCP/IP transport
-
-Kerberos servers (KDC's) must accept TCP requests on port 88 (decimal). When
-the KRB_KDC_REQ message is sent to the KDC over a TCP stream, a new
-connection will be established for each authentication exchange (request and
-response). The KRB_KDC_REP or KRB_ERROR message will be returned to the
-client on the same TCP stream that was established for the request. The
-connection will be broken after the reply has been received (or upon
-time-out). Care must be taken in managing TCP/IP connections with the KDC to
-prevent denial of service attacks based on the number of TCP/IP connections
-with the KDC that remain open. If multiple exchanges with the KDC are needed
-for certain forms of preauthentication, multiple TCP connections will be
-required. The response to a request made through TCP/IP transport must also
-use TCP/IP transport.
-
-The first four octets of the TCP stream used to transmit the request request
-will encode in network byte order the length of the request (KRB_KDC_REQ),
-and the length will be followed by the request itself. The response will
-similarly be preceeded by a 4 octet encoding in network byte order of the
-length of the KRB_KDC_REP or the KRB_ERROR message and will be followed by
-the KRB_KDC_REP or the KRB_ERROR response.
-
-8.2.3.
OSI transport
-
-During authentication of an OSI client to an OSI server, the mutual
-authentication of an OSI server to an OSI client, the transfer of
-credentials from an OSI client to an OSI server, or during exchange of
-private or integrity checked messages, Kerberos protocol messages may be
-treated as opaque objects and the type of the authentication mechanism will
-be:
-
-OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)}
-
-Depending on the situation, the opaque object will be an authentication
-header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
-(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
-(KRB_CRED). The opaque data contains an application code as specified in the
-ASN.1 description for each message. The application code may be used by
-Kerberos to determine the message type.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-8.2.3. Name of the TGS
-
-The principal identifier of the ticket-granting service shall be composed of
-three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part
-name of type NT-SRV-INST, with the first part "krbtgt" and the second part
-the name of the realm which will accept the ticket-granting ticket. For
-example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
-used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier
-of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A
-ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get
-tickets from the MIT.EDU realm has a principal identifier of
-"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
-
-8.3. Protocol constants and associated values
-
-The following tables list constants used in the protocol and defines their
-meanings.
- -Encryption type etype value block size minimum pad size confounder size -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - 4 -des3-cbc-md5 5 8 0 8 - 6 -des3-cbc-sha1 7 8 0 8 -sign-dsa-generate 8 (pkinit) -encrypt-rsa-priv 9 (pkinit) -encrypt-rsa-pub 10 (pkinit) -rsa-pub-md5 11 (pkinit) -rsa-pub-sha1 12 (pkinit) -ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - -Checksum type sumtype value checksum size -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 -rsa-md5-des3 9 24 -hmac-sha1-des3 10 20 (I had this as 10, is it 12) - -padata type padata-type value - -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - 4 -PA-ENC-UNIX-TIME 5 - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -PA-SANDIA-SECUREID 6 -PA-SESAME 7 -PA-OSF-DCE 8 -PA-CYBERSAFE-SECUREID 9 -PA-AFS3-SALT 10 -PA-ETYPE-INFO 11 -SAM-CHALLENGE 12 (sam/otp) -SAM-RESPONSE 13 (sam/otp) -PA-PK-AS-REQ 14 (pkinit) -PA-PK-AS-REP 15 (pkinit) -PA-PK-AS-SIGN 16 (pkinit) -PA-PK-KEY-REQ 17 (pkinit) -PA-PK-KEY-REP 18 (pkinit) -PA-USE-SPECIFIED-KVNO 20 - -authorization data type ad-type value -AD-KDC-ISSUED 1 -AD-INTENDED-FOR-SERVER 2 -AD-INTENDED-FOR-APPLICATION-CLASS 3 -AD-IF-RELEVANT 4 -AD-OR 5 -AD-MANDATORY-TICKET-EXTENSIONS 6 -AD-IN-TICKET-EXTENSIONS 7 -reserved values 8-63 -OSF-DCE 64 -SESAME 65 - -Ticket Extension Types - -TE-TYPE-NULL 0 Null ticket extension -TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization data - 2 TE-TYPE-PKCROSS-KDC (I have reservations) -TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket -TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - 5 TE-TYPE-DEST-HOST (I have reservations) - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message 
types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID -KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number not - supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 
16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password - to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired [40] -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method required -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message -KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path -KRB_ERR_GENERIC 60 Generic error (description in e-text) 
-KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation -KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit) -KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit) -KDC_ERROR_INVALID_SIG 64 (pkinit) -KDC_ERR_KEY_TOO_WEAK 65 (pkinit) -KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit) - -9. Interoperability requirements - -Version 5 of the Kerberos protocol supports a myriad of options. Among these -are multiple encryption and checksum types, alternative encoding schemes for -the transited field, optional mechanisms for pre-authentication, the -handling of tickets with no addresses, options for mutual authentication, -user to user authentication, support for proxies, forwarding, postdating, -and renewing tickets, the format of realm names, and the handling of -authorization data. - -In order to ensure the interoperability of realms, it is necessary to define -a minimal configuration which must be supported by all implementations. This -minimal configuration is subject to change as technology does. For example, -if at some later date it is discovered that one of the required encryption -or checksum algorithms is not secure, it will be replaced. - -9.1. Specification 2 - -This section defines the second specification of these options. -Implementations which are configured in this way can be said to support -Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may -be found in RFC1510. - -Transport - -TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance -to specification 2. Kerberos clients claiming conformance to specification 2 -must support UDP/IP transport for messages with the KDC and may support -TCP/IP transport. - -Encryption and checksum methods - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -The following encryption and checksum mechanisms must be supported. 
-Implementations may support other mechanisms as well, but the additional -mechanisms may only be used when communicating with principals known to also -support them: This list is to be determined. - -Encryption: DES-CBC-MD5 -Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 - -Realm Names - -All implementations must understand hierarchical realms in both the Internet -Domain and the X.500 style. When a ticket granting ticket for an unknown -realm is requested, the KDC must be able to determine the names of the -intermediate realms between the KDCs realm and the requested realm. - -Transited field encoding - -DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported. -Alternative encodings may be supported, but they may be used only when that -encoding is supported by ALL intermediate realms. - -Pre-authentication methods - -The TGS-REQ method must be supported. The TGS-REQ method is not used on the -initial request. The PA-ENC-TIMESTAMP method must be supported by clients -but whether it is enabled by default may be determined on a realm by realm -basis. If not used in the initial request and the error -KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an -acceptable method, the client should retry the initial request using the -PA-ENC-TIMESTAMP preauthentication method. Servers need not support the -PA-ENC-TIMESTAMP method, but if not supported the server should ignore the -presence of PA-ENC-TIMESTAMP pre-authentication in a request. - -Mutual authentication - -Mutual authentication (via the KRB_AP_REP message) must be supported. - -Ticket addresses and flags - -All KDC's must pass on tickets that carry no addresses (i.e. if a TGT -contains no addresses, the KDC will return derivative tickets), but each -realm may set its own policy for issuing such tickets, and each application -server will set its own policy with respect to accepting them. - -Proxies and forwarded tickets must be supported. 
Individual realms and -application servers can set their own policy on when such tickets will be -accepted. - -All implementations must recognize renewable and postdated tickets, but need -not actually implement them. If these options are not supported, the -starttime and endtime in the ticket shall specify a ticket's entire useful -life. When a postdated ticket is decoded by a server, all implementations -shall make the presence of the postdated flag visible to the calling server. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -User-to-user authentication - -Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option) -must be provided by implementations, but individual realms may decide as a -matter of policy to reject such requests on a per-principal or realm-wide -basis. - -Authorization data - -Implementations must pass all authorization data subfields from -ticket-granting tickets to any derivative tickets unless directed to -suppress a subfield as part of the definition of that registered subfield -type (it is never incorrect to pass on a subfield, and no registered -subfield types presently specify suppression at the KDC). - -Implementations must make the contents of any authorization data subfields -available to the server when a ticket is used. Implementations are not -required to allow clients to specify the contents of the authorization data -fields. - -9.2. Recommended KDC values - -Following is a list of recommended values for a KDC implementation, based on -the list of suggested configuration constants (see section 4.4). - -minimum lifetime 5 minutes -maximum renewable lifetime 1 week -maximum ticket lifetime 1 day -empty addresses only when suitable restrictions appear - in authorization data -proxiable, etc. Allowed. - -10. REFERENCES - -[NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). 
- -[MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - -[SNS88] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - -[NS78] Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). - -[DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time- - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - -[KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - -[Neu93] B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - -[DS90] Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - -[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - -[X509-88] CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - -[Pat92]. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - -[DES77] National Bureau of Standards, U.S. 
Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - -[DESM80] National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - -[SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - -[IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - -[MD4-92] R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -[MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - -[KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - -A. Pseudo-code for protocol processing - -This appendix provides pseudo-code describing how the messages are to be -constructed and interpreted by clients and servers. - -A.1. 
KRB_AS_REQ generation
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt", "localrealm" */
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- retry or use alternate server;
- endif
-
-A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation
-
- decode message into req;
-
- client := lookup(req.cname,req.realm);
- server := lookup(req.sname,req.realm);
-
- get system_time;
- kdc_time := system_time.seconds;
-
- if (!client) then
- /* no client in Database */
- error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
- endif
- if (!server) then
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
-
- if(client.pa_enc_timestamp_required and
- pa_enc_timestamp not present) then
- error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
- endif
-
- if(pa_enc_timestamp present) then
- decrypt req.padata-value into decrypted_enc_timestamp
- using client.key;
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- if(decrypted_enc_timestamp is not within allowable skew) then
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- if(decrypted_enc_timestamp and usec is replay)
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- add decrypted_enc_timestamp and usec to replay cache;
- endif
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := req.srealm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- /* processing of any of these flags. 
For example, some */
- /* realms may refuse to issue renewable tickets */
-
- if (req.kdc-options.FORWARDABLE is set) then
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.PROXIABLE is set) then
- set new_tkt.flags.PROXIABLE;
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if ((req.kdc-options.RENEW is set) or
- (req.kdc-options.VALIDATE is set) or
- (req.kdc-options.PROXY is set) or
- (req.kdc-options.FORWARDED is set) or
- (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
- error_out(KDC_ERR_BADOPTION);
- endif
-
- new_tkt.session := random_session_key();
- new_tkt.cname := req.cname;
- new_tkt.crealm := req.crealm;
- new_tkt.transited := empty_transited_field();
-
- new_tkt.authtime := kdc_time;
-
- if (req.kdc-options.POSTDATED is set) then
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- new_tkt.starttime := req.from;
- else
- omit new_tkt.starttime; /* treated as authtime when omitted */
- endif
- if (req.till = 0) then
- till := infinity;
- else
- till := req.till;
- endif
-
- new_tkt.endtime := min(till,
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
- new_tkt.starttime+max_life_for_realm);
-
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (new_tkt.endtime < req.till)) then
- /* we set the RENEWABLE option for later processing */
- set req.kdc-options.RENEWABLE;
- req.rtime := req.till;
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- endif
-
- if (req.rtime = 0) then
- rtime := infinity;
- else
- rtime := req.rtime;
- endif
-
- if (req.kdc-options.RENEWABLE is set) then
- set new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
- new_tkt.starttime+client.max_rlife,
- new_tkt.starttime+server.max_rlife,
- new_tkt.starttime+max_rlife_for_realm);
- else
- omit new_tkt.renew-till; /* only present if RENEWABLE */
- endif
-
- if (req.addresses) then
- 
new_tkt.caddr := req.addresses;
- else
- omit new_tkt.caddr;
- endif
-
- new_tkt.authorization_data := empty_authorization_data();
-
- encode to-be-encrypted part of ticket into OCTET STRING;
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key, server.p_kvno;
-
- /* Start processing the response */
-
- resp.pvno := 5;
- resp.msg-type := KRB_AS_REP;
- resp.cname := req.cname;
- resp.crealm := req.realm;
- resp.ticket := new_tkt;
-
- resp.key := new_tkt.session;
- resp.last-req := fetch_last_request_info(client);
- resp.nonce := req.nonce;
- resp.key-expiration := client.expiration;
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- resp.realm := new_tkt.realm;
- resp.sname := new_tkt.sname;
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
- resp.caddr := new_tkt.caddr;
-
- encode body of reply into OCTET STRING;
-
- resp.enc-part := encrypt OCTET STRING
- using use_etype, client.key, client.p_kvno;
- send(resp);
-
-A.3. KRB_AS_REP verification
-
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
- set pa_enc_timestamp_required;
- goto KRB_AS_REQ;
- endif
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key */
- /* from the response immediately */
-
- key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
- resp.padata);
- unencrypted part of resp := decode of decrypt of resp.enc-part
- using resp.enc-part.etype and key;
- zero(key);
-
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- if near(resp.princ_exp) then
- print(warning message);
- endif
- save_for_later(ticket,session,client,server,times,flags);
-
-A.4. 
KRB_AS_REP and KRB_TGS_REP common checks
-
- if (decryption_error() or
- (req.cname != resp.cname) or
- (req.realm != resp.crealm) or
- (req.sname != resp.sname) or
- (req.realm != resp.realm) or
- (req.nonce != resp.nonce) or
- (req.addresses != resp.caddr)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
- /* make sure no flags are set that shouldn't be, and that all that */
- /* should be are set */
- if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.from = 0) and
- (resp.starttime is not within allowable skew)) then
- destroy resp.key;
- return KRB_AP_ERR_SKEW;
- endif
- if ((req.from != 0) and (req.from != resp.starttime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.till != 0) and (resp.endtime > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.kdc-options.RENEWABLE is set) and
- (req.rtime != 0) and (resp.renew-till > req.rtime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (resp.flags.RENEWABLE) and
- (req.till != 0) and
- (resp.renew-till > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
-A.5. 
KRB_TGS_REQ generation - - /* Note that make_application_request might have to recursivly */ - /* call this routine to get the appropriate ticket-granting ticket */ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - - /* note that reading the application request requires first - determining the server for which a ticket was issued, and choosing the - correct key for decryption. 
The name of the server appears in the - plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is operating is - determined by the instance from the ticket-granting ticket. The realm - in the ticket-granting ticket is the realm under which the ticket - granting ticket was issued. It is possible for a single Kerberos - server to support more than one realm. */ - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not req.sname) then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(req.sname)) then - server := best_intermediate_tgs(req.sname); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - session := generate_random_session_key(); - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. 
For example, some */ - /* realms may refuse to issue renewable tickets */ - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - if (req.kdc-options.VALIDATE is set) then - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except 
ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would */ - /* have been rejected in the initial authentication stage, so */ - /* there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till field out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif 
- endif - new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept it */ - if (check_transited_field(new_tkt.transited) == OK) - set new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - 
resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key; - - send(resp); - -A.7. KRB_TGS_REP verification - - decode response into resp; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and tgt's session key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - -A.8. Authenticator generation - - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - -A.9. 
KRB_AP_REQ generation - - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - else - reset packet.ap-options.USE-SESSION-KEY; - endif - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator using session_key; - -A.10. KRB_AP_REQ verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in 
decr_ticket.caddr) then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then - /* it hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - if (decr_ticket.transited) then - /* caller may ignore the TRANSITED-POLICY-CHECKED and do - * check anyway */ - if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then - if (check_transited_field(decr_ticket.transited) then - error_out(KDC_AP_PATH_NOT_ACCPETED); - endif - endif - endif - /* caller must check decr_ticket.flags for any pertinent details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - -A.11. KRB_AP_REP generation - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - body.ctime := packet.ctime; - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - -A.12. 
KRB_AP_REP verification - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - -A.13. KRB_SAFE generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - -A.14. 
KRB_SAFE verification - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - else - return common_checks_error; - endif - -A.15. KRB_SAFE and KRB_PRIV common checks - - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) then - error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and packet.seq-number not present) - then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -A.16. 
KRB_PRIV generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - -A.17. KRB_PRIV verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - -A.18. 
KRB_CRED generation - - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - using negotiated encryption key; - -A.19. 
KRB_CRED verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - -A.20. KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - endif - -B. 
Definition of common authorization data elements - -This appendix contains the definitions of common authorization data -elements. These common authorization data elements are recursivly defined, -meaning the ad-data for these types will itself contain a sequence of -authorization data whose interpretation is affected by the encapsulating -element. Depending on the meaning of the encapsulating element, the -encapsulated elements may be ignored, might be interpreted as issued -directly by the KDC, or they might be stored in a separate plaintext part of -the ticket. The types of the encapsulating elements are specified as part of -the Kerberos specification ebcause the behavior based on these values should -be understood across implementations whereas other elements need only be -understood by the applications which they affect. - -In the definitions that follow, the value of the ad-type for the element -will be specified in the subsection number, and the value of the ad-data -will be as shown in the ASN.1 structure that follows the subsection heading. - -B.1. KDC Issued - -AD-KDCIssued SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData. -} - -ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the ticket - itself (i.e. using the same hash function and the same encryption - algorithm used to encrypt the ticket) and using a key derived from the - same key used to protect the ticket. -i-realm, i-sname - The name of the issuing principal if different from the KDC itself. - This field would be used when the KDC can verify the authenticity of - elements signed by the issuing principal and it allows this KDC to - notify the application server of the validity of those elements. -elements - A sequence of authorization data elements issued by the KDC. 
- -The KDC-issued ad-data field is intended to provide a means for Kerberos -principal credentials to embed within themselves privilege attributes and -other mechanisms for positive authorization, amplifying the priveleges of -the principal beyond what can be done using a credentials without such an -a-data element. - -This can not be provided without this element because the definition of the -authorization-data field allows elements to be added at will by the bearer -of a TGT at the time that they request service tickets and elements may also -be added to a delegated ticket by inclusion in the authenticator. - - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - -For KDC-issued elements this is prevented because the elements are signed by -the KDC by including a checksum encrypted using the server's key (the same -key used to encrypt the ticket - or a key derived from that key). Elements -encapsulated with in the KDC-issued element will be ignored by the -application server if this "signature" is not present. Further, elements -encapsulated within this element from a ticket granting ticket may be -interpreted by the KDC, and used as a basis according to policy for -including new signed elements within derivative tickets, but they will not -be copied to a derivative ticket directly. If they are copied directly to a -derivative ticket by a KDC that is not aware of this element, the signature -will not be correct for the application ticket elements, and the field will -be ignored by the application server. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.2. 
Intended for server - -AD-INTENDED-FOR-SERVER SEQUENCE { - intended-server[0] SEQUENCE OF PrincipalName - elements[1] AuthorizationData -} - -AD elements encapsulated within the intended-for-server element may be -ignored if the application server is not in the list of principal names of -intended servers. Further, a KDC issuing a ticket for an application server -can remove this element if the application server is not in the list of -intended servers. - -Application servers should check for their principal name in the -intended-server field of this element. If their principal name is not found, -this element should be ignored. If found, then the encapsulated elements -should be evaluated in the same manner as if they were present in the top -level authorization data field. Applications and application servers that do -not implement this element should reject tickets that contain authorization -data elements of this type. - -B.3. Intended for application class - -AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0] -SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements -encapsulated within the intended-for-application-class element may be -ignored if the application server is not in one of the named classes of -application servers. Examples of application server classes include -"FILESYSTEM", and other kinds of servers. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.4. If relevant - -AD-IF-RELEVANT AuthorizationData - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -AD elements encapsulated within the if-relevant element are intended for -interpretation only by application servers that understand the particular -ad-type of the embedded element. Application servers that do not understand -the type of an element embedded within the if-relevant element may ignore -the uninterpretable element. 
This element promotes interoperability across -implementations which may have local extensions for authorization. - -B.5. And-Or - -AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData -} - -When restrictive AD elements encapsulated within the and-or element are -encountered, only the number specified in condition-count of the -encapsulated conditions must be met in order to satisfy this element. This -element may be used to implement an "or" operation by setting the -condition-count field to 1, and it may specify an "and" operation by setting -the condition count to the number of embedded elements. Application servers -that do not implement this element must reject tickets that contain -authorization data elements of this type. - -B.6. Mandatory ticket extensions - -AD-Mandatory-Ticket-Extensions Checksum - -An authorization data element of type mandatory-ticket-extensions specifies -a collision-proof checksum using the same has angorithm used to protect the -integrity of the ticket itself. This checksum will be calculated over the -entire extensions field. If there are more than one extension, all will be -covered by the checksum. This restriction indicates that the ticket should -not be accepted if the checksum does not match that calculated over the -ticket extensions. Application servers that do not implement this element -must reject tickets that contain authorization data elements of this type. - -B.7. Authorization Data in ticket extensions - -AD-IN-Ticket-Extensions Checksum - -An authorization data element of type in-ticket-extensions specifies a -collision-proof checksum using the same has angorithm used to protect the -integrity of the ticket itself. This checksum is calculated over a separate -external AuthorizationData field carried in the ticket extensions. -Application servers that do not implement this element must reject tickets -that contain authorization data elements of this type. 
Application servers
-that do implement this element will search the ticket extensions for
-authorization data fields, calculate the specified checksum over each
-authorization data field and look for one matching the checksum in this
-in-ticket-extensions element. If not found, then the ticket must be
-rejected. If found, the corresponding authorization data elements will be
-interpreted in the same manner as if they were contained in the top level
-authorization data field.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-Note that if multiple external authorization data fields are present in a
-ticket, each will have a corresponding element of type in-ticket-extensions
-in the top level authorization data field, and the external entries will be
-linked to the corresponding element by their checksums.
-
-C. Definition of common ticket extensions
-
-This appendix contains the definitions of common ticket extensions. Support
-for these extensions is optional. However, certain extensions have
-associated authorization data elements that may require rejection of a
-ticket containing an extension by application servers that do not implement
-the particular extension. Other extensions have been defined beyond those
-described in this specification. Such extensions are described elswhere and
-for some of those extensions the reserved number may be found in the list of
-constants.
-
-It is known that older versions of Kerberos did not support this field, and
-that some clients will strip this field from a ticket when they parse and
-then reassemble a ticket as it is passed to the application servers. The
-presence of the extension will not break such clients, but any functionaly
-dependent on the extensions will not work when such tickets are handled by
-old clients. In such situations, some implementation may use alternate
-methods to transmit the information in the extensions field.
-
-C.1.
Null ticket extension - -TE-NullExtension OctetString -- The empty Octet String - -The te-data field in the null ticket extension is an octet string of lenght -zero. This extension may be included in a ticket granting ticket so that the -KDC can determine on presentation of the ticket granting ticket whether the -client software will strip the extensions field. - -C.2. External Authorization Data - -TE-ExternalAuthorizationData AuthorizationData - -The te-data field in the external authorization data ticket extension is -field of type AuthorizationData containing one or more authorization data -elements. If present, a corresponding authorization data element will be -present in the primary authorization data for the ticket and that element -will contain a checksum of the external authorization data ticket extension. ----------------------------------------------------------------------------- -[TM] Project Athena, Athena, and Kerberos are trademarks of the -Massachusetts Institute of Technology (MIT). No commercial use of these -trademarks may be made without prior written permission of MIT. - -[1] Note, however, that many applications use Kerberos' functions only upon -the initiation of a stream-based network connection. Unless an application -subsequently provides integrity protection for the data stream, the identity -verification applies only to the initiation of the connection, and does not -guarantee that subsequent messages on the connection originate from the same -principal. - - -draft-ietf-cat-kerberos-r-01 Expires 21 May 1998 - - -[2] Secret and private are often used interchangeably in the literature. In -our usage, it takes two (or more) to share a secret, thus a shared DES key -is a secret key. Something is only private when no one but its owner knows -it. Thus, in public key cryptosystems, one has a public and a private key. 
-
-[3] Of course, with appropriate permission the client could arrange
-registration of a separately-named prin- cipal in a remote realm, and engage
-in normal exchanges with that realm's services. However, for even small
-numbers of clients this becomes cumbersome, and more automatic methods as
-described here are necessary.
-
-[4] Though it is permissible to request or issue tick- ets with no network
-addresses specified.
-
-[5] The password-changing request must not be honored unless the requester
-can provide the old password (the user's current secret key). Otherwise, it
-would be possible for someone to walk up to an unattended ses- sion and
-change another user's password.
-
-[6] To authenticate a user logging on to a local system, the credentials
-obtained in the AS exchange may first be used in a TGS exchange to obtain
-credentials for a local server. Those credentials must then be verified by a
-local server through successful completion of the Client/Server exchange.
-
-[7] "Random" means that, among other things, it should be impossible to
-guess the next session key based on knowledge of past session keys. This can
-only be achieved in a pseudo-random number generator if it is based on
-cryptographic principles. It is more desirable to use a truly random number
-generator, such as one based on measurements of random physical phenomena.
-
-[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
-here refers to the entire unit, which can be copied from one message and
-replayed in another without any cryptographic skill.
-
-[9] Note that this can make applications based on unreliable transports
-difficult to code correctly. If the transport might deliver duplicated
-messages, either a new authenticator must be generated for each retry, or
-the application server must match requests and replies and replay the first
-reply in response to a detected duplicate.
-
-[10] This is used for user-to-user authentication as described in [8].
-
-[11] Note that the rejection here is restricted to authenticators from the
-same principal to the same server. Other client principals communicating
-with the same server principal should not be have their authenticators
-rejected if the time and microsecond fields happen to match some other
-client's authenticator.
-
-[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
-client's timestamp plus one. This is not necessary in version 5 because
-version 5 messages are formatted in such a way that it is not possible to
-create the reply by judicious message surgery (even in encrypted form)
-without knowledge of the appropriate encryption keys.
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-
-[13] Note that for encrypting the KRB_AP_REP message, the sub-session key is
-not used, even if present in the Authenticator.
-
-[14] Implementations of the protocol may wish to provide routines to choose
-subkeys based on session keys and random numbers and to generate a
-negotiated key to be returned in the KRB_AP_REP message.
-
-[15]This can be accomplished in several ways. It might be known beforehand
-(since the realm is part of the principal identifier), it might be stored in
-a nameserver, or it might be obtained from a configura- tion file. If the
-realm to be used is obtained from a nameserver, there is a danger of being
-spoofed if the nameservice providing the realm name is not authenti- cated.
-This might result in the use of a realm which has been compromised, and
-would result in an attacker's ability to compromise the authentication of
-the application server to the client.
-
-[16] If the client selects a sub-session key, care must be taken to ensure
-the randomness of the selected sub- session key. One approach would be to
-generate a random number and XOR it with the session key from the
-ticket-granting ticket.
-
-[17] This allows easy implementation of user-to-user authentication [8],
-which uses ticket-granting ticket session keys in lieu of secret server keys
-in situa- tions where such secret keys could be easily comprom- ised.
-
-[18] For the purpose of appending, the realm preceding the first listed
-realm is considered to be the null realm ("").
-
-[19] For the purpose of interpreting null subfields, the client's realm is
-considered to precede those in the transited field, and the server's realm
-is considered to follow them.
-
-[20] This means that a client and server running on the same host and
-communicating with one another using the KRB_SAFE messages should not share
-a common replay cache to detect KRB_SAFE replays.
-
-[21] The implementation of the Kerberos server need not combine the database
-and the server on the same machine; it is feasible to store the principal
-database in, say, a network name service, as long as the entries stored
-therein are protected from disclosure to and modification by unauthorized
-parties. However, we recommend against such strategies, as they can make
-system management and threat analysis quite complex.
-
-[22] See the discussion of the padata field in section 5.4.2 for details on
-why this can be useful.
-
-[23] Warning for implementations that unpack and repack data structures
-during the generation and verification of embedded checksums: Because any
-checksums applied to data structures must be checked against the original
-data the length of bit strings must be preserved within a data structure
-between the time that a checksum is generated through transmission to the
-time that the checksum is verified.
-
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-[24] It is NOT recommended that this time value be used to adjust the
-workstation's clock since the workstation cannot reliably determine that
-such a KRB_AS_REP actually came from the proper KDC in a timely manner.
-
-[25] Note, however, that if the time is used as the nonce, one must make
-sure that the workstation time is monotonically increasing. If the time is
-ever reset backwards, there is a small, but finite, probability that a nonce
-will be reused.
-
-[27] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[29] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[31] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[32] If supported by the encryption method in use, an initialization vector
-may be passed to the encryption procedure, in order to achieve proper cipher
-chaining. The initialization vector might come from the last block of the
-ciphertext from the previous KRB_PRIV message, but it is the application's
-choice whether or not to use such an initialization vector. If left out, the
-default initialization vector for the encryption algorithm will be used.
-
-[33] This prevents an attacker who generates an incorrect AS request from
-obtaining verifiable plaintext for use in an off-line password guessing
-attack.
-
-[35] In the above specification, UNTAGGED OCTET STRING(length) is the
-notation for an octet string with its tag and length removed. It is not a
-valid ASN.1 type. The tag bits and length must be removed from the
-confounder since the purpose of the confounder is so that the message starts
-with random data, but the tag and its length are fixed. For other fields,
-the length and tag would be redundant if they were included because they are
-specified by the encryption type. [36] The ordering of the fields in the
-CipherText is important. Additionally, messages encoded in this format must
-include a length as part of the msg-seq field. This allows the recipient to
-verify that the message has not been truncated.
Without a length, an
-attacker could use a chosen plaintext attack to generate a message which
-could be truncated, while leaving the checksum intact. Note that if the
-msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
-is part of that encoding.
-
-[37] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[38] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[39] A variant of the key is used to limit the use of a key to a particular
-function, separating the functions of generating a checksum from other
-encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
-was chosen because it maintains key parity. The properties of DES precluded
-
-
-draft-ietf-cat-kerberos-r-01 Expires 21 May 1998
-
-the use of the complement. The same constant is used for similar purpose in
-the Message Integrity Check in the Privacy Enhanced Mail standard.
-
-[40] This error carries additional information in the e- data field. The
-contents of the e-data field for this message is described in section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
deleted file mode 100644
index 06d997d48cca..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
+++ /dev/null
@@ -1,6766 +0,0 @@ - - - -INTERNET-DRAFT Clifford Neuman - John Kohl - Theodore Ts'o - November 18th, 1998 - -The Kerberos Network Authentication Service (V5) - -STATUS OF THIS MEMO - -This document is an Internet-Draft. Internet-Drafts are working documents -of the Internet Engineering Task Force (IETF), its areas, and its working -groups. Note that other groups may also distribute working documents as -Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months and -may be updated, replaced, or obsoleted by other documents at any time. It -is inappropriate to use Internet-Drafts as reference material or to cite -them other than as 'work in progress.' - -To learn the current status of any Internet-Draft, please check the -'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow -Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe), -ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). - -The distribution of this memo is unlimited. It is filed as -draft-ietf-cat-kerberos-revisions-03.txt, and expires May 18th, 1999. -Please send comments to: krb-protocol@MIT.EDU - -ABSTRACT - -This document provides an overview and specification of Version 5 of the -Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol -and its intended use that require more detailed or clearer explanation than -was provided in RFC1510. This document is intended to provide a detailed -description of the protocol, suitable for implementation, together with -descriptions of the appropriate use of protocol messages and fields within -those messages. - -This document is not intended to describe Kerberos to the end user, system -administrator, or application developer. Higher level papers describing -Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88], -are available elsewhere. 
-
-OVERVIEW
-
-This INTERNET-DRAFT describes the concepts and model upon which the
-Kerberos network authentication system is based. It also specifies Version
-5 of the Kerberos protocol.
-
-The motivations, goals, assumptions, and rationale behind most design
-decisions are treated cursorily; they are more fully described in a paper
-available in IEEE communications [NT94] and earlier in the Kerberos portion
-of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
-standard and are being considered for advancement for draft standard
-through the IETF standard process. Comments are encouraged on the
-presentation, but only minor refinements to the protocol as implemented or
-extensions that fit within current protocol framework will be considered at
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-this time.
-
-Requests for addition to an electronic mailing list for discussion of
-Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
-This mailing list is gatewayed onto the Usenet as the group
-comp.protocols.kerberos. Requests for further information, including
-documents and code availability, may be sent to info-kerberos@MIT.EDU.
-
-BACKGROUND
-
-The Kerberos model is based in part on Needham and Schroeder's trusted
-third-party authentication protocol [NS78] and on modifications suggested
-by Denning and Sacco [DS81]. The original design and implementation of
-Kerberos Versions 1 through 4 was the work of two former Project Athena
-staff members, Steve Miller of Digital Equipment Corporation and Clifford
-Neuman (now at the Information Sciences Institute of the University of
-Southern California), along with Jerome Saltzer, Technical Director of
-Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many
-other members of Project Athena have also contributed to the work on
-Kerberos.
-
-Version 5 of the Kerberos protocol (described in this document) has evolved
-from Version 4 based on new requirements and desires for features not
-available in Version 4. The design of Version 5 of the Kerberos protocol
-was led by Clifford Neuman and John Kohl with much input from the
-community. The development of the MIT reference implementation was led at
-MIT by John Kohl and Theodore T'so, with help and contributed code from
-many others. Since RFC1510 was issued, extensions and revisions to the
-protocol have been proposed by many individuals. Some of these proposals
-are reflected in this document. Where such changes involved significant
-effort, the document cites the contribution of the proposer.
-
-Reference implementations of both version 4 and version 5 of Kerberos are
-publicly available and commercial implementations have been developed and
-are widely used. Details on the differences between Kerberos Versions 4 and
-5 can be found in [KNT92].
-
-1. Introduction
-
-Kerberos provides a means of verifying the identities of principals, (e.g.
-a workstation user or a network server) on an open (unprotected) network.
-This is accomplished without relying on assertions by the host operating
-system, without basing trust on host addresses, without requiring physical
-security of all the hosts on the network, and under the assumption that
-packets traveling along the network can be read, modified, and inserted at
-will[1]. Kerberos performs authentication under these conditions as a
-trusted third-party authentication service by using conventional (shared
-secret key [2] cryptography. Kerberos extensions have been proposed and
-implemented that provide for the use of public key cryptography during
-certain phases of the authentication protocol.
These extensions provide for -authentication of users registered with public key certification -authorities, and allow the system to provide certain benefits of public key -cryptography in situations where they are needed. - -The basic Kerberos authentication process proceeds as follows: A client -sends a request to the authentication server (AS) requesting 'credentials' -for a given server. The AS responds with these credentials, encrypted in -the client's key. The credentials consist of 1) a 'ticket' for the server -and 2) a temporary encryption key (often called a "session key"). The - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -client transmits the ticket (which contains the client's identity and a -copy of the session key, all encrypted in the server's key) to the server. -The session key (now shared by the client and server) is used to -authenticate the client, and may optionally be used to authenticate the -server. It may also be used to encrypt further communication between the -two parties or to exchange a separate sub-session key to be used to encrypt -further communication. - -Implementation of the basic protocol consists of one or more authentication -servers running on physically secure hosts. The authentication servers -maintain a database of principals (i.e., users and servers) and their -secret keys. Code libraries provide encryption and implement the Kerberos -protocol. In order to add authentication to its transactions, a typical -network application adds one or two calls to the Kerberos library directly -or through the Generic Security Services Application Programming Interface, -GSSAPI, described in separate document. These calls result in the -transmission of the necessary messages to achieve authentication. - -The Kerberos protocol consists of several sub-protocols (or exchanges). -There are two basic methods by which a client can ask a Kerberos server for -credentials. 
In the first approach, the client sends a cleartext request -for a ticket for the desired server to the AS. The reply is sent encrypted -in the client's secret key. Usually this request is for a ticket-granting -ticket (TGT) which can later be used with the ticket-granting server (TGS). -In the second method, the client sends a request to the TGS. The client -uses the TGT to authenticate itself to the TGS in the same manner as if it -were contacting any other application server that requires Kerberos -authentication. The reply is encrypted in the session key from the TGT. -Though the protocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different protocol entry -points within a single Kerberos server. - -Once obtained, credentials may be used to verify the identity of the -principals in a transaction, to ensure the integrity of messages exchanged -between them, or to preserve privacy of the messages. The application is -free to choose whatever protection may be necessary. - -To verify the identities of the principals in a transaction, the client -transmits the ticket to the application server. Since the ticket is sent -"in the clear" (parts of it are encrypted, but this encryption doesn't -thwart replay) and might be intercepted and reused by an attacker, -additional information is sent to prove that the message originated with -the principal to whom the ticket was issued. This information (called the -authenticator) is encrypted in the session key, and includes a timestamp. -The timestamp proves that the message was recently generated and is not a -replay. Encrypting the authenticator in the session key proves that it was -generated by a party possessing the session key. Since no one except the -requesting principal and the server know the session key (it is never sent -over the network in the clear) this guarantees the identity of the client. 
- -The integrity of the messages exchanged between principals can also be -guaranteed using the session key (passed in the ticket and contained in the -credentials). This approach provides detection of both replay attacks and -message stream modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a hash or digest -function) of the client's message, keyed with the session key. Privacy and -integrity of the messages exchanged between principals can be secured by -encrypting the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -The authentication exchanges mentioned above require read-only access to -the Kerberos database. Sometimes, however, the entries in the database must -be modified, such as when adding new principals or changing a principal's -key. This is done using a protocol between a client and a third Kerberos -server, the Kerberos Administration Server (KADM). There is also a protocol -for maintaining multiple copies of the Kerberos database. Neither of these -protocols are described in this document. - -1.1. Cross-Realm Operation - -The Kerberos protocol is designed to operate across organizational -boundaries. A client in one organization can be authenticated to a server -in another. Each organization wishing to run a Kerberos server establishes -its own 'realm'. The name of the realm in which a client is registered is -part of the client's name, and can be used by the end-service to decide -whether to honor a request. - -By establishing 'inter-realm' keys, the administrators of two realms can -allow a client authenticated in the local realm to prove its identity to -servers in other realms[3]. 
The exchange of inter-realm keys (a separate -key may be used for each direction) registers the ticket-granting service -of each realm as a principal in the other realm. A client is then able to -obtain a ticket-granting ticket for the remote realm's ticket-granting -service from its local realm. When that ticket-granting ticket is used, the -remote ticket-granting service uses the inter-realm key (which usually -differs from its own normal TGS key) to decrypt the ticket-granting ticket, -and is thus certain that it was issued by the client's own TGS. Tickets -issued by the remote ticket-granting service will indicate to the -end-service that the client was authenticated from another realm. - -A realm is said to communicate with another realm if the two realms share -an inter-realm key, or if the local realm shares an inter-realm key with an -intermediate realm that communicates with the remote realm. An -authentication path is the sequence of intermediate realms that are -transited in communicating from one realm to another. - -Realms are typically organized hierarchically. Each realm shares a key with -its parent and a different key with each child. If an inter-realm key is -not directly shared by two realms, the hierarchical organization allows an -authentication path to be easily constructed. If a hierarchical -organization is not used, it may be necessary to consult a database in -order to construct an authentication path between realms. - -Although realms are typically hierarchical, intermediate realms may be -bypassed to achieve cross-realm authentication through alternate -authentication paths (these might be established to make communication -between two realms more efficient). It is important for the end-service to -know which realms were transited when deciding how much faith to place in -the authentication process. To facilitate this decision, a field in each -ticket contains the names of the realms that were involved in -authenticating the client. 
- -The application server is ultimately responsible for accepting or rejecting -authentication and should check the transited field. The application server -may choose to rely on the KDC for the application server's realm to check -the transited field. The application server's KDC will set the -TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate -realms may also check the transited field as they issue - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -ticket-granting-tickets for other realms, but they are encouraged not to do -so. A client may request that the KDC's not check the transited field by -setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not -required to honor this flag. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of verifying the -identity of principals on a network. Authentication is usually useful -primarily as a first step in the process of authorization, determining -whether a client may use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos does not, by -itself, provide authorization. Possession of a client ticket for a service -provides only for authentication of the client to that service, and in the -absence of a separate authorization procedure, it should not be considered -by an application as authorizing the use of that service. - -Such separate authorization methods may be implemented as application -specific access control functions and may be based on files such as the -application server, or on separately issued authorization credentials such -as those based on proxies [Neu93] , or on other authorization services. 
- -Applications should not be modified to accept the issuance of a service -ticket by the Kerberos server (even by an modified Kerberos server) as -granting authority to use the service, since such applications may become -vulnerable to the bypass of this authorization check in an environment if -they interoperate with other KDCs or where other options for application -authentication (e.g. the PKTAPP proposal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in which it can -properly function: - - * 'Denial of service' attacks are not solved with Kerberos. There are - places in these protocols where an intruder can prevent an application - from participating in the proper authentication steps. Detection and - solution of such attacks (some of which can appear to be nnot-uncommon - 'normal' failure modes for the system) is usually best left to the - human administrators and users. - * Principals must keep their secret keys secret. If an intruder somehow - steals a principal's key, it will be able to masquerade as that - principal or impersonate any server to the legitimate principal. - * 'Password guessing' attacks are not solved by Kerberos. If a user - chooses a poor password, it is possible for an attacker to - successfully mount an offline dictionary attack by repeatedly - attempting to decrypt, with successive entries from a dictionary, - messages obtained which are encrypted under a key derived from the - user's password. - * Each host on the network must have a clock which is 'loosely - synchronized' to the time of the other hosts; this synchronization is - used to reduce the bookkeeping needs of application servers when they - do replay detection. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 minutes. If the - clocks are synchronized over the network, the clock synchronization - protocol must itself be secured from network attackers. 
- * Principal identifiers are not recycled on a short-term basis. A - typical mode of access control will use access control lists (ACLs) to - grant permissions to particular principals. If a stale ACL entry - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - remains for a deleted principal and the principal identifier is - reused, the new principal will inherit rights specified in the stale - ACL entry. By not re-using principal identifiers, the danger of - inadvertent access is removed. - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - -Authentication - Verifying the claimed identity of a principal. -Authentication header - A record containing a Ticket and an Authenticator to be presented to a - server as part of the authentication process. -Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. -Authenticator - A record containing information that can be shown to have been - recently generated using the session key known only by the client and - server. -Authorization - The process of determining whether a client may use a service, which - objects the client is allowed to access, and the type of access - allowed for each. -Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is restricted - by the contents of the authorization data field, but which lists no - network addresses, together with the session key necessary to use the - ticket. -Ciphertext - The output of an encryption function. Encryption transforms plaintext - into ciphertext. -Client - A process that makes use of a network service on behalf of a user. - Note that in some cases a Server may itself be a client of some other - server (e.g. a print server may be a client of a file server). 
-Credentials - A ticket plus the secret session key necessary to successfully use - that ticket in an authentication exchange. -KDC - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host on - which it runs. The KDC services both initial ticket and - ticket-granting ticket requests. The initial ticket portion is - sometimes referred to as the Authentication Server (or service). The - ticket-granting ticket portion is sometimes referred to as the - ticket-granting server (or service). -Kerberos - Aside from the 3-headed dog guarding Hades, the name given to Project - Athena's authentication service, the protocol used by that service, or - the code used to implement the authentication service. -Plaintext - The input to an encryption function or the output of a decryption - function. Decryption transforms ciphertext into plaintext. -Principal - A uniquely named client or server instance that participates in a - network communication. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -Principal identifier - The name used to uniquely identify each different principal. -Seal - To encipher a record containing several fields in such a way that the - fields cannot be individually replaced without either knowledge of the - encryption key or leaving evidence of tampering. -Secret key - An encryption key shared by a principal and the KDC, distributed - outside the bounds of the system, with a long lifetime. In the case of - a human user's principal, the secret key is derived from a password. -Server - A particular Principal which provides a resource to network clients. - The server is sometimes refered to as the Application Server. -Service - A resource provided to network clients; often provided by more than - one server (for example, remote file service). 
-Session key - A temporary encryption key used between two principals, with a - lifetime limited to the duration of a single login "session". -Sub-session key - A temporary encryption key used between two principals, selected and - exchanged by the principals using the session key, and with a lifetime - limited to the duration of a single association. -Ticket - A record that helps a client authenticate itself to a server; it - contains the client's identity, a session key, a timestamp, and other - information, all sealed using the server's secret key. It only serves - to authenticate a client when presented along with a fresh - Authenticator. - -2. Ticket flag uses and requests - -Each Kerberos ticket contains a set of flags which are used to indicate -various attributes of that ticket. Most flags may be requested by a client -when the ticket is obtained; some are automatically turned on and off by a -Kerberos server as required. The following sections explain what the -various flags mean, and gives examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - -The INITIAL flag indicates that a ticket was issued using the AS protocol -and not issued based on a ticket-granting ticket. Application servers that -want to require the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set in any tickets -they accept, and thus be assured that the client's key was recently -presented to the application client. - -The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the -initial authentication, regardless of whether the current ticket was issued -directly (in which case INITIAL will also be set) or issued on the basis of -a ticket-granting ticket (in which case the INITIAL flag is clear, but the -PRE-AUTHENT and HW-AUTHENT flags are carried forward from the -ticket-granting ticket). - -2.2. Invalid tickets - -The INVALID flag indicates that a ticket is invalid. 
Application servers -must reject tickets which have this flag set. A postdated ticket will -usually be issued in this form. Invalid tickets must be validated by the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -KDC before use, by presenting them to the KDC in a TGS request with the -VALIDATE option specified. The KDC will only validate tickets after their -starttime has passed. The validation is required so that postdated tickets -which have been stolen before their starttime can be rendered permanently -invalid (through a hot-list mechanism) (see section 3.3.3.1). - -2.3. Renewable tickets - -Applications may desire to hold tickets which can be valid for long periods -of time. However, this can expose their credentials to potential theft for -equally long periods, and those stolen credentials would be valid until the -expiration time of the ticket(s). Simply using short-lived tickets and -obtaining new ones periodically would require the client to have long-term -access to its secret key, an even greater risk. Renewable tickets can be -used to mitigate the consequences of theft. Renewable tickets have two -"expiration times": the first is when the current instance of the ticket -expires, and the second is the latest permissible value for an individual -expiration time. An application client must periodically (i.e. before it -expires) present a renewable ticket to the KDC, with the RENEW option set -in the KDC request. The KDC will issue a new ticket with a new session key -and a later expiration time. All other fields of the ticket are left -unmodified by the renewal process. When the latest permissible expiration -time arrives, the ticket expires permanently. At each renewal, the KDC may -consult a hot-list to determine if the ticket had been reported stolen -since its last renewal; it will refuse to renew such stolen tickets, and -thus the usable lifetime of stolen tickets is reduced. 
- -The RENEWABLE flag in a ticket is normally only interpreted by the -ticket-granting service (discussed below in section 3.3). It can usually be -ignored by application servers. However, some particularly careful -application servers may wish to disallow renewable tickets. - -If a renewable ticket is not renewed by its expiration time, the KDC will -not renew the ticket. The RENEWABLE flag is reset by default, but a client -may request it be set by setting the RENEWABLE option in the KRB_AS_REQ -message. If it is set, then the renew-till field in the ticket contains the -time after which the ticket may not be renewed. - -2.4. Postdated tickets - -Applications may occasionally need to obtain tickets for use much later, -e.g. a batch submission system would need tickets to be valid at the time -the batch job is serviced. However, it is dangerous to hold valid tickets -in a batch queue, since they will be on-line longer and more prone to -theft. Postdated tickets provide a way to obtain these tickets from the KDC -at job submission time, but to leave them "dormant" until they are -activated and validated by a further request of the KDC. If a ticket theft -were reported in the interim, the KDC would refuse to validate the ticket, -and the thief would be foiled. - -The MAY-POSTDATE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. This -flag must be set in a ticket-granting ticket in order to issue a postdated -ticket based on the presented ticket. It is reset by default; it may be -requested by a client by setting the ALLOW-POSTDATE option in the -KRB_AS_REQ message. This flag does not allow a client to obtain a postdated -ticket-granting ticket; postdated ticket-granting tickets can only by -obtained by requesting the postdating in the KRB_AS_REQ message. 
The life -(endtime-starttime) of a postdated ticket will be the remaining life of the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -ticket-granting ticket at the time of the request, unless the RENEWABLE -option is also set, in which case it can be the full life -(endtime-starttime) of the ticket-granting ticket. The KDC may limit how -far in the future a ticket may be postdated. - -The POSTDATED flag indicates that a ticket has been postdated. The -application server can check the authtime field in the ticket to see when -the original authentication occurred. Some services may choose to reject -postdated tickets, or they may only accept them within a certain period -after the original authentication. When the KDC issues a POSTDATED ticket, -it will also be marked as INVALID, so that the application client must -present the ticket to the KDC to be validated before use. - -2.5. Proxiable and proxy tickets - -At times it may be necessary for a principal to allow a service to perform -an operation on its behalf. The service must be able to take on the -identity of the client, but only for a particular purpose. A principal can -allow a service to take on the principal's identity for a particular -purpose by granting it a proxy. - -The process of granting a proxy using the proxy and proxiable flags is used -to provide credentials for use with specific services. Though conceptually -also a proxy, user's wishing to delegate their identity for ANY purpose -must use the ticket forwarding mechanism described in the next section to -forward a ticket granting ticket. - -The PROXIABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. When -set, this flag tells the ticket-granting server that it is OK to issue a -new ticket (but not a ticket-granting ticket) with a different network -address based on this ticket. 
This flag is set if requested by the client -on initial authentication. By default, the client will request that it be -set when requesting a ticket granting ticket, and reset when requesting any -other ticket. - -This flag allows a client to pass a proxy to a server to perform a remote -request on its behalf, e.g. a print service client can give the print -server a proxy to access the client's files on a particular file server in -order to satisfy a print request. - -In order to complicate the use of stolen credentials, Kerberos tickets are -usually valid from only those network addresses specifically included in -the ticket[4]. When granting a proxy, the client must specify the new -network address from which the proxy is to be used, or indicate that the -proxy is to be issued for use from any address. - -The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket. -Application servers may check this flag and at their option they may -require additional authentication from the agent presenting the proxy in -order to provide an audit trail. - -2.6. Forwardable tickets - -Authentication forwarding is an instance of a proxy where the service is -granted complete use of the client's identity. An example where it might be -used is when a user logs in to a remote system and wants authentication to -work from that system as if the login were local. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -The FORWARDABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. The -FORWARDABLE flag has an interpretation similar to that of the PROXIABLE -flag, except ticket-granting tickets may also be issued with different -network addresses. This flag is reset by default, but users may request -that it be set by setting the FORWARDABLE option in the AS request when -they request their initial ticket- granting ticket. 
- -This flag allows for authentication forwarding without requiring the user -to enter a password again. If the flag is not set, then authentication -forwarding is not permitted, but the same result can still be achieved if -the user engages in the AS exchange specifying the requested network -addresses and supplies a password. - -The FORWARDED flag is set by the TGS when a client presents a ticket with -the FORWARDABLE flag set and requests a forwarded ticket by specifying the -FORWARDED KDC option and supplying a set of addresses for the new ticket. -It is also set in all tickets issued based on tickets with the FORWARDED -flag set. Application servers may choose to process FORWARDED tickets -differently than non-FORWARDED tickets. - -2.7. Other KDC options - -There are two additional options which may be set in a client's request of -the KDC. The RENEWABLE-OK option indicates that the client will accept a -renewable ticket if a ticket with the requested life cannot otherwise be -provided. If a ticket with the requested life cannot be provided, then the -KDC may issue a renewable ticket with a renew-till equal to the the -requested endtime. The value of the renew-till field may still be adjusted -by site-determined limits or limits imposed by the individual principal or -server. - -The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service. -It indicates that the ticket to be issued for the end server is to be -encrypted in the session key from the a additional second ticket-granting -ticket provided with the request. See section 3.3.3 for specific details. - -3. Message Exchanges - -The following sections describe the interactions between network clients -and servers and the messages involved in those exchanges. - -3.1. The Authentication Service Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. 
Kerberos to client KRB_AS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The Authentication Service (AS) Exchange between the client and the
-Kerberos Authentication Server is initiated by a client when it wishes to
-obtain authentication credentials for a given server but currently holds no
-credentials. In its basic form, the client's secret key is used for
-encryption and decryption. This exchange is typically used at the
-initiation of a login session to obtain credentials for a Ticket-Granting
-Server which will subsequently be used to obtain credentials for other
-servers (see section 3.3) without requiring further use of the client's
-secret key. This exchange is also used to request credentials for services
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-which must not be mediated through the Ticket-Granting Service, but rather
-require a principal's secret key, such as the password-changing service[5].
-This exchange does not by itself provide any assurance of the the identity
-of the user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The
-response, KRB_AS_REP, contains a ticket for the client to present to the
-server, and a session key that will be shared by the client and the server.
-The session key and additional information are encrypted in the client's
-secret key. The KRB_AS_REP message contains information which can be used
-to detect replays, and to associate it with the message to which it
-replies. Various errors can occur; these are indicated by an error response
-(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
-encrypted.
The KRB_ERROR message contains information which can be used to
-associate it with the message to which it replies. The lack of encryption
-in the KRB_ERROR message precludes the ability to detect replays,
-fabrications, or modifications of such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends
-a reply without knowing or caring whether they are the same. This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is
-encrypted in that principal's key. The initial request supports an optional
-field that can be used to pass additional information that might be needed
-for the initial exchange. This field may be used for preauthentication as
-described in section [hl<>].
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request. Among
-these options are whether pre-authentication is to be performed; whether
-the requested ticket is to be renewable, proxiable, or forwardable; whether
-it should be postdated or allow postdating of derivative tickets; and
-whether a renewable ticket will be accepted in lieu of a non-renewable
-ticket if the requested ticket expiration date cannot be satisfied by a
-non-renewable ticket (due to configuration constraints; see section 4). See
-section A.1 for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format
-for the ticket is described in section 5.3.1. The contents of the ticket
-are determined as follows.
-
-3.1.3.
Generation of KRB_AS_REP message
-
-The authentication server looks up the client and server principals named
-in the KRB_AS_REQ in its database, extracting their respective keys. If
-required, the server pre-authenticates the request, and if the
-pre-authentication check fails, an error message with the code
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
-requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
-is returned. Otherwise it generates a 'random' session key[7].
-
-If there are multiple encryption keys registered for a client in the
-Kerberos database (or if the key registered supports multiple encryption
-types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
-request is used by the KDC to select the encryption method to be used for
-encrypting the response to the client. If there is more than one supported,
-strong encryption type in the etype list, the first valid etype for which
-an encryption key is available is used. The encryption method used to
-respond to a TGS request is taken from the keytype of the session key found
-in the ticket granting ticket.
-
-When the etype field is present in a KDC request, whether an AS or TGS
-request, the KDC will attempt to assign the type of the random session key
-from the list of methods in the etype field. The KDC will select the
-appropriate type using the list of methods provided together with
-information from the Kerberos database indicating acceptable encryption
-methods for the application server. The KDC will not issue tickets with a
-weak session key encryption type.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified then the error KDC_ERR_CANNOT_POSTDATE is returned.
-Otherwise the requested start time is checked against the policy of the
-local realm (the administrator might decide to prohibit certain types or
-ranges of postdated tickets), and if acceptable, the ticket's start time is
-set as requested and the INVALID flag is set in the new ticket. The
-postdated ticket must be validated before use by presenting it to the KDC
-after the start time has been reached.
-
-The expiration time of the ticket will be set to the minimum of the
-following:
-
- * The expiration time (endtime) requested in the KRB_AS_REQ message.
- * The ticket's start time plus the maximum allowable lifetime associated
- with the client principal (the authentication server's database
- includes a maximum ticket lifetime field in each principal's record;
- see section 4).
- * The ticket's start time plus the maximum allowable lifetime associated
- with the server principal.
- * The ticket's start time plus the maximum lifetime set by the policy of
- the local realm.
-
-If the requested expiration time minus the start time (as determined above)
-is less than a site-determined minimum lifetime, an error message with code
-KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
-ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
-option was requested, then the 'RENEWABLE' flag is set in the new ticket,
-and the renew-till value is set as if the 'RENEWABLE' option were requested
-(the field and option names are described fully in section 5.4.1).
-
-If the RENEWABLE option has been requested or if the RENEWABLE-OK option
-has been set and a renewable ticket is to be issued, then the renew-till
-field is set to the minimum of:
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
- * Its requested value.
- * The start time of the ticket plus the minimum of the two maximum
- renewable lifetimes associated with the principals' database entries.
- * The start time of the ticket plus the maximum renewable lifetime set
- by the policy of the local realm.
-
-The flags field of the new ticket will have the following options set if
-they have been requested and if the policy of the local realm allows:
-FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
-ticket is post-dated (the start time is in the future), its INVALID flag
-will also be set.
-
-If all of the above succeed, the server formats a KRB_AS_REP message (see
-section 5.4.2), copying the addresses in the request into the caddr of the
-response, placing any required pre-authentication data into the padata of
-the response, and encrypts the ciphertext part in the client's key using
-the requested encryption method, and sends it to the client. See section
-A.2 for pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
-Several errors can occur, and the Authentication Server responds by
-returning an error message, KRB_ERROR, to the client, with the error-code
-and e-text fields set to appropriate values. The error message contents and
-details are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
-If the reply message type is KRB_AS_REP, then the client verifies that the
-cname and crealm fields in the cleartext portion of the reply match what it
-requested. If any padata fields are present, they may be used to derive the
-proper secret key to decrypt the message.
The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key,
-start and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate
-a KRB_AS_REP format message which decrypts properly but is not from the
-proper KDC. If the host wishes to verify the identity of the user, it must
-require the user to present application credentials which can be verified
-using a securely-stored secret key for the host. If those credentials can
-be verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover.
-
-3.2. The Client/Server Authentication Exchange
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
- Summary
-Message direction Message type Section
-Client to Application server KRB_AP_REQ 5.5.1
-[optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
-The client/server authentication (CS) exchange is used by network
-applications to authenticate the client to the server and vice versa.
The
-client must have already acquired credentials for the server using the AS
-or TGS exchange.
-
-3.2.1. The KRB_AP_REQ message
-
-The KRB_AP_REQ contains authentication information which should be part of
-the first message in an authenticated transaction. It contains a ticket, an
-authenticator, and some additional bookkeeping information (see section
-5.5.1 for the exact format). The ticket by itself is insufficient to
-authenticate a client, since tickets are passed across the network in
-cleartext[DS90], so the authenticator is used to prevent invalid replay of
-tickets by proving to the server that the client knows the session key of
-the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message
-is referred to elsewhere as the 'authentication header.'
-
-3.2.2. Generation of a KRB_AP_REQ message
-
-When a client wishes to initiate authentication to a server, it obtains
-(either through a credentials cache, the AS exchange, or the TGS exchange)
-a ticket and session key for the desired service. The client may re-use any
-tickets it holds until they expire. To use a ticket the client constructs a
-new Authenticator from the the system time, its name, and optionally an
-application specific checksum, an initial sequence number to be used in
-KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
-negotiations for a session key unique to this particular session.
-Authenticators may not be re-used and will be rejected if replayed to a
-server[LGDSR87]. If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use
-of a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors
-are possible. If an error occurs, the server is expected to reply to the
-client with a KRB_ERROR message. This message may be encapsulated in the
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows. If
-the message type is not KRB_AP_REQ, the server returns the
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
-the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
-key, and the server no longer possesses a copy of the old key), the
-KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
-in the ap-options field, it indicates to the server that the ticket is
-encrypted in the session key from the server's ticket-granting ticket
-rather than its secret key[10]. Since it is possible for the server to be
-registered in multiple realms, with different keys in each, the srealm
-field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
-specify which secret key the server should use to decrypt that ticket. The
-KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
-proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket.
If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
-client from the ticket are compared against the same fields in the
-authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
-returned (they might not match, for example, if the wrong session key was
-used to encrypt the authenticator). The addresses in the ticket (if any)
-are then searched for an address matching the operating-system reported
-address of the client. If no match is found or the server insists on ticket
-addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
-is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the
-KRB_AP_ERR_SKEW error is returned. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
-server must remember any authenticator presented within the allowable clock
-skew, so that a replay attempt is guaranteed to fail. If a server loses
-track of any authenticator presented within the allowable clock skew, it
-must reject all requests until the clock skew interval has passed.
This
-assures that any lost or re-played authenticators will fall outside the
-allowable clock skew and can no longer be successfully replayed (If this is
-not done, an attacker could conceivably record the ticket and authenticator
-sent over the network to a server, then disable the client's host, pose as
-the disabled host, and replay the ticket and authenticator to subvert the
-authentication.). If a sequence number is provided in the authenticator,
-the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
-messages. If a subkey is present, the server either saves it for later use
-or uses it to help generate its own choice for a subkey to be returned in a
-KRB_AP_REP message.
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-If all these checks succeed without an error, the server is assured that
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-the client possesses the credentials of the principal named in the ticket
-and thus, the client has been authenticated to the server. See section A.10
-for pseudocode.
-
-Passing these checks provides only authentication of the named principal;
-it does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name
-of the user, the requested operation, local acces control information such
-as that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4.
Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server
-need not explicitly reply to the KRB_AP_REQ. However, if mutual
-authentication (not only authenticating the client to the server, but also
-the server to the client) is being performed, the KRB_AP_REQ message will
-have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
-is required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not
-acceptable to the application's protocol. The timestamp and microsecond
-field used in the reply must be the client's timestamp and microsecond
-field (as provided in the authenticator)[12]. If a sequence number is to be
-included, it should be randomly chosen as described above for the
-authenticator. A subkey may be included if the server desires to negotiate
-a different subkey. The KRB_AP_REP message is encrypted in the session key
-extracted from the ticket. See section A.11 for pseudocode.
-
-3.2.5. Receipt of KRB_AP_REP message
-
-If a KRB_AP_REP message is returned, the client uses the session key from
-the credentials obtained for the server[13] to decrypt the message, and
-verifies that the timestamp and microsecond fields match those in the
-Authenticator it sent to the server. If they match, then the client is
-assured that the server is genuine. The sequence number and subkey (if
-present) are retained for later use. See section A.12 for pseudocode.
-
-3.2.6. Using the encryption key
-
-After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
-server share an encryption key which can be used by the application. The
-'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
-application-specific uses may be chosen by the application based on the
-subkeys in the KRB_AP_REP message and the authenticator[14].
In some cases,
-the use of this session key will be implicit in the protocol; in others the
-method of use must be chosen from several alternatives. We leave the
-protocol negotiations of how to use the key (e.g. selecting an encryption
-or checksum type) to the application programmer; the Kerberos protocol does
-not constrain the implementation options, but an example of how this might
-be done follows.
-
-One way that an application may choose to negotiate a key to be used for
-subequent integrity and privacy protection is for the client to propose a
-key in the subkey field of the authenticator. The server can then choose a
-key using the proposed key from the client as input, returning the new
-subkey in the subkey field of the application reply. This key could then be
-used for subsequent communication. To make this example more concrete, if
-the encryption method in use required a 56 bit key, and for whatever
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-reason, one of the parties was prevented from using a key with more than 40
-unknown bits, this method would allow the the party which is prevented from
-using more than 40 bits to either propose (if the client) an initial key
-with a known quantity for 16 of those bits, or to mask 16 of the bits (if
-the server) with the known quantity. The application implementor is warned,
-however, that this is only an example, and that an analysis of the
-particular crytosystem to be used, and the reasons for limiting the key
-length, must be made before deciding whether it is acceptable to mask bits
-of the key.
-
-With both the one-way and mutual authentication exchanges, the peers should
-take care not to send sensitive information to each other without proper
-assurances.
In particular, applications that require privacy or integrity
-should use the KRB_AP_REP response from the server to client to assure both
-client and server of their peer's identity. If an application protocol
-requires privacy of its messages, it can use the KRB_PRIV message (section
-3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The TGS exchange between a client and the Kerberos Ticket-Granting Server
-is initiated by a client when it wishes to obtain authentication
-credentials for a given server (which might be registered in a remote
-realm), when it wishes to renew or validate an existing ticket, or when it
-wishes to obtain a proxy ticket. In the first case, the client must already
-have acquired a ticket for the Ticket-Granting Service using the AS
-exchange (the ticket-granting ticket is usually obtained when a client
-initially authenticates to the system, such as when a user logs in). The
-message format for the TGS exchange is almost identical to that for the AS
-exchange. The primary difference is that encryption and decryption in the
-TGS exchange does not take place under the client's key. Instead, the
-session key from the ticket-granting ticket or renewable ticket, or
-sub-session key from an Authenticator is used. As is the case for all
-application servers, expired tickets are not accepted by the TGS, so once a
-renewable or ticket-granting ticket expires, the client must use a separate
-exchange to obtain valid tickets.
-
-The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
-client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
-KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
-client plus a request for credentials.
The authentication information
-consists of the authentication header (KRB_AP_REQ) which includes the
-client's previously obtained ticket-granting, renewable, or invalid ticket.
-In the ticket-granting ticket and proxy cases, the request may include one
-or more of: a list of network addresses, a collection of typed
-authorization data to be sealed in the ticket for authorization use by the
-application server, or additional tickets (the use of which are described
-later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
-encrypted in the session key from the ticket-granting ticket or renewable
-ticket, or if present, in the sub-session key from the Authenticator (part
-of the authentication header). The KRB_ERROR message contains an error code
-and text explaining what went wrong. The KRB_ERROR message is not
-encrypted. The KRB_TGS_REP message contains information which can be used
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-to detect replays, and to associate it with the message to which it
-replies. The KRB_ERROR message also contains information which can be used
-to associate it with the message to which it replies, but the lack of
-encryption in the KRB_ERROR message precludes the ability to detect replays
-or fabrications of such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
-Before sending a request to the ticket-granting service, the client must
-determine in which realm the application server is registered[15]. If the
-client does not already possess a ticket-granting ticket for the
-appropriate realm, then one must be obtained. This is first attempted by
-requesting a ticket-granting ticket for the destination realm from a
-Kerberos server for which the client does posess a ticket-granting ticket
-(using the KRB_TGS_REQ message recursively). The Kerberos server may return
-a TGT for the desired realm in which case one can proceed.
Alternatively,
-the Kerberos server may return a TGT for a realm which is 'closer' to the
-desired realm (further along the standard hierarchical path), in which case
-this step must be repeated with a Kerberos server in the realm specified in
-the returned TGT. If neither are returned, then the request must be retried
-with a Kerberos server for a realm higher in the hierarchy. This request
-will itself require a ticket-granting ticket for the higher realm which
-must be obtained by recursively applying these directions.
-
-Once the client obtains a ticket-granting ticket for the appropriate realm,
-it determines which Kerberos servers serve that realm, and contacts one.
-The list might be obtained through a configuration file or network service
-or it may be generated from the name of the realm; as long as the secret
-keys exchanged by realms are kept secret, only denial of service results
-from using a false Kerberos server.
-
-As in the AS exchange, the client may specify a number of options in the
-KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
-an authentication header as an element of the padata field, and including
-the same fields as used in the KRB_AS_REQ message along with several
-optional fields: the enc-authorization-data field for application server
-use and additional tickets required by some options.
-
-In preparing the authentication header, the client can select a sub-session
-key under which the response from the Kerberos server will be
-encrypted[16]. If the sub-session key is not specified, the session key
-from the ticket-granting ticket will be used. If the enc-authorization-data
-is present, it must be encrypted in the sub-session key, if present, from
-the authenticator portion of the authentication header, or if not present,
-using the session key from the ticket-granting ticket.
-
-Once prepared, the message is sent to a Kerberos server for the destination
-realm. See section A.5 for pseudocode.
-
-3.3.2.
Receipt of KRB_TGS_REQ message
-
-The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
-message, but there are many additional checks to be performed. First, the
-Kerberos server must determine which server the accompanying ticket is for
-and it must select the appropriate key to decrypt it. For a normal
-KRB_TGS_REQ message, it will be for the ticket granting service, and the
-TGS's key will be used. If the TGT was issued by another realm, then the
-appropriate inter-realm key must be used. If the accompanying ticket is not
-a ticket granting ticket for the current realm, but is for an application
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-server in the current realm, the RENEW, VALIDATE, or PROXY options are
-specified in the request, and the server for which a ticket is requested is
-the server named in the accompanying ticket, then the KDC will decrypt the
-ticket in the authentication header using the key of the server for which
-it was issued. If no ticket can be found in the padata field, the
-KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
-Once the accompanying ticket has been decrypted, the user-supplied checksum
-in the Authenticator must be verified against the contents of the request,
-and the message rejected if the checksums do not match (with an error code
-of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
-collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
-checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
-returned. If the authorization-data are present, they are decrypted using
-the sub-session key from the Authenticator.
-
-If any of the decryptions indicate failed integrity checks, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned.
-
-3.3.3. Generation of KRB_TGS_REP message
-
-The KRB_TGS_REP message shares its format with the KRB_AS_REP
-(KRB_KDC_REP), but with its type field set to KRB_TGS_REP.
The detailed
-specification is in section 5.4.2.
-
-The response will include a ticket for the requested server. The Kerberos
-database is queried to retrieve the record for the requested server
-(including the key with which the ticket will be encrypted). If the request
-is for a ticket granting ticket for a remote realm, and if no key is shared
-with the requested realm, then the Kerberos server will select the realm
-"closest" to the requested realm with which it does share a key, and use
-that realm instead. This is the only case where the response from the KDC
-will be for a different server than that requested by the client.
-
-By default, the address field, the client's name and realm, the list of
-transited realms, the time of initial authentication, the expiration time,
-and the authorization data of the newly-issued ticket will be copied from
-the ticket-granting ticket (TGT) or renewable ticket. If the transited
-field needs to be updated, but the transited type is not supported, the
-KDC_ERR_TRTYPE_NOSUPP error is returned.
-
-If the request specifies an endtime, then the endtime of the new ticket is
-set to the minimum of (a) that request, (b) the endtime from the TGT, and
-(c) the starttime of the TGT plus the minimum of the maximum life for the
-application server and the maximum life for the local realm (the maximum
-life for the requesting principal was already applied when the TGT was
-issued). If the new ticket is to be a renewal, then the endtime above is
-replaced by the minimum of (a) the value of the renew_till field of the
-ticket and (b) the starttime for the new ticket plus the life
-(endtime-starttime) of the old ticket.
-
-If the FORWARDED option has been requested, then the resulting ticket will
-contain the addresses specified by the client. This option will only be
-honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
-similar; the resulting ticket will contain the addresses specified by the
-client.
It will be honored only if the PROXIABLE flag in the TGT is set. -The PROXY option will not be honored on requests for additional -ticket-granting tickets. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -If the requested start time is absent, indicates a time in the past, or is -within the window of acceptable clock skew for the KDC and the POSTDATE -option has not been specified, then the start time of the ticket is set to -the authentication server's current time. If it indicates a time in the -future beyond the acceptable clock skew, but the POSTDATED option has not -been specified or the MAY-POSTDATE flag is not set in the TGT, then the -error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the -ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting -ticket will be postdated and the requested starttime is checked against the -policy of the local realm. If acceptable, the ticket's start time is set as -requested, and the INVALID flag is set. The postdated ticket must be -validated before use by presenting it to the KDC after the starttime has -been reached. However, in no case may the starttime, endtime, or renew-till -time of a newly-issued postdated ticket extend beyond the renew-till time -of the ticket-granting ticket. - -If the ENC-TKT-IN-SKEY option has been specified and an additional ticket -has been included in the request, the KDC will decrypt the additional -ticket using the key for the server to which the additional ticket was -issued and verify that it is a ticket-granting ticket. If the name of the -requested server is missing from the request, the name of the client in the -additional ticket will be used. Otherwise the name of the requested server -will be compared to the name of the client in the additional ticket and if -different, the request will be rejected. 
If the request succeeds, the -session key from the additional ticket will be used to encrypt the new -ticket that is issued instead of using the key of the server for which the -new ticket will be used[17]. - -If the name of the server in the ticket that is presented to the KDC as -part of the authentication header is not that of the ticket-granting server -itself, the server is registered in the realm of the KDC, and the RENEW -option is requested, then the KDC will verify that the RENEWABLE flag is -set in the ticket, that the INVALID flag is not set in the ticket, and that -the renew_till time is still in the future. If the VALIDATE option is -rqeuested, the KDC will check that the starttime has passed and the INVALID -flag is set. If the PROXY option is requested, then the KDC will check that -the PROXIABLE flag is set in the ticket. If the tests succeed, and the -ticket passes the hotlist check described in the next paragraph, the KDC -will issue the appropriate new ticket. - -3.3.3.1. Checking for revoked tickets - -Whenever a request is made to the ticket-granting server, the presented -ticket(s) is(are) checked against a hot-list of tickets which have been -canceled. This hot-list might be implemented by storing a range of issue -timestamps for 'suspect tickets'; if a presented ticket had an authtime in -that range, it would be rejected. In this way, a stolen ticket-granting -ticket or renewable ticket cannot be used to gain additional tickets -(renewals or otherwise) once the theft has been reported. Any normal ticket -obtained before it was reported stolen will still be valid (because they -require no interaction with the KDC), but only until their normal -expiration time. - -The ciphertext part of the response in the KRB_TGS_REP message is encrypted -in the sub-session key from the Authenticator, if present, or the session -key key from the ticket-granting ticket. It is not encrypted using the -client's secret key. 
Furthermore, the client's key's expiration date and -the key version number fields are left out since these values are stored -along with the client's database record, and that record is not needed to - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -satisfy a request based on a ticket-granting ticket. See section A.6 for -pseudocode. - -3.3.3.2. Encoding the transited field - -If the identity of the server in the TGT that is presented to the KDC as -part of the authentication header is that of the ticket-granting service, -but the TGT was issued from another realm, the KDC will look up the -inter-realm key shared with that realm and use that key to decrypt the -ticket. If the ticket is valid, then the KDC will honor the request, -subject to the constraints outlined above in the section describing the AS -exchange. The realm part of the client's identity will be taken from the -ticket-granting ticket. The name of the realm that issued the -ticket-granting ticket will be added to the transited field of the ticket -to be issued. This is accomplished by reading the transited field from the -ticket-granting ticket (which is treated as an unordered set of realm -names), adding the new realm to the set, then constructing and writing out -its encoded (shorthand) form (this may involve a rearrangement of the -existing encoding). - -Note that the ticket-granting service does not add the name of its own -realm. Instead, its responsibility is to add the name of the previous -realm. This prevents a malicious Kerberos server from intentionally leaving -out its own name (it could, however, omit other realms' names). - -The names of neither the local realm nor the principal's realm are to be -included in the transited field. They appear elsewhere in the ticket and -both are known to have taken part in authenticating the principal. 
Since -the endpoints are not included, both local and single-hop inter-realm -authentication result in a transited field that is empty. - -Because the name of each realm transited is added to this field, it might -potentially be very long. To decrease the length of this field, its -contents are encoded. The initially supported encoding is optimized for the -normal case of inter-realm communication: a hierarchical arrangement of -realms using either domain or X.500 style realm names. This encoding -(called DOMAIN-X500-COMPRESS) is now described. - -Realm names in the transited field are separated by a ",". The ",", "\", -trailing "."s, and leading spaces (" ") are special characters, and if they -are part of a realm name, they must be quoted in the transited field by -preced- ing them with a "\". - -A realm name ending with a "." is interpreted as being prepended to the -previous realm. For example, we can encode traversal of EDU, MIT.EDU, -ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - -Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that -they would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - -A realm name beginning with a "/" is interpreted as being appended to the -previous realm[18]. If it is to stand by itself, then it should be preceded -by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO, -/COM/HP, /COM, and /COM/DEC as: - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - "/COM,/HP,/APOLLO, /COM/DEC". - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they -they would not be included in this field, and we would have: - - "/COM,/HP" - -A null subfield preceding or following a "," indicates that all realms -between the previous realm and the next realm have been traversed[19]. 
-Thus, "," means that all realms along the path between the client and the -server have been traversed. ",EDU, /COM," means that that all realms from -the client's realm up to EDU (in a domain style hierarchy) have been -traversed, and that everything from /COM down to the server's realm in an -X.500 style has also been traversed. This could occur if the EDU realm in -one hierarchy shares an inter-realm key directly with the /COM realm in -another hierarchy. - -3.3.4. Receipt of KRB_TGS_REP message - -When the KRB_TGS_REP is received by the client, it is processed in the same -manner as the KRB_AS_REP processing described above. The primary difference -is that the ciphertext part of the response must be decrypted using the -session key from the ticket-granting ticket rather than the client's secret -key. See section A.7 for pseudocode. - -3.4. The KRB_SAFE Exchange - -The KRB_SAFE message may be used by clients requiring the ability to detect -modifications of messages they exchange. It achieves this by including a -keyed collision-proof checksum of the user data and some control -information. The checksum is keyed with an encryption key (usually the last -key negotiated via subkeys, or the session key if no negotiation has -occured). - -3.4.1. Generation of a KRB_SAFE message - -When an application wishes to send a KRB_SAFE message, it collects its data -and the appropriate control information and computes a checksum over them. -The checksum algorithm should be a keyed one-way hash function (such as the -RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES -MAC), generated using the sub-session key if present, or the session key. -Different algorithms may be selected by changing the checksum type in the -message. Unkeyed or non-collision-proof checksums are not suitable for this -use. - -The control information for the KRB_SAFE message includes both a timestamp -and a sequence number. 
The designer of an application using the KRB_SAFE -message must choose at least one of the two mechanisms. This choice should -be based on the needs of the application protocol. - -Sequence numbers are useful when all messages sent will be received by -one's peer. Connection state is presently required to maintain the session -key, so maintaining the next sequence number should not present an -additional problem. - -If the application protocol is expected to tolerate lost messages without -them being resent, the use of the timestamp is the appropriate replay -detection mechanism. Using timestamps is also the appropriate mechanism for -multi-cast protocols where all of one's peers share a common sub-session - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -key, but some messages will be sent to a subset of one's peers. - -After computing the checksum, the client then transmits the information and -checksum to the recipient in the message format specified in section 5.6.1. - -3.4.2. Receipt of KRB_SAFE message - -When an application receives a KRB_SAFE message, it verifies it as follows. -If any error occurs, an error code is reported for use by the application. - -The message is first checked by verifying that the protocol version and -type fields match the current version and KRB_SAFE, respectively. A -mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. -The application verifies that the checksum used is a collision-proof keyed -checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. -The recipient verifies that the operating system's report of the sender's -address matches the sender's address in the message, and (if a recipient -address is specified or the recipient requires an address) that one of the -recipient's addresses appears as the recipient's address in the message. A -failed match for either case generates a KRB_AP_ERR_BADADDR error. 
Then the -timestamp and usec and/or the sequence number fields are checked. If -timestamp and usec are expected and not present, or they are present but -not current, the KRB_AP_ERR_SKEW error is generated. If the server name, -along with the client name, time and microsecond fields from the -Authenticator match any recently-seen (sent or received[20] ) such tuples, -the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number -is included, or a sequence number is expected but not present, the -KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or -a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated. -Finally, the checksum is computed over the data and control information, -and if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error -is generated. - -If all the checks succeed, the application is assured that the message was -generated by its peer and was not modi- fied in transit. - -3.5. The KRB_PRIV Exchange - -The KRB_PRIV message may be used by clients requiring confidentiality and -the ability to detect modifications of exchanged messages. It achieves this -by encrypting the messages and adding control information. - -3.5.1. Generation of a KRB_PRIV message - -When an application wishes to send a KRB_PRIV message, it collects its data -and the appropriate control information (specified in section 5.7.1) and -encrypts them under an encryption key (usually the last key negotiated via -subkeys, or the session key if no negotiation has occured). As part of the -control information, the client must choose to use either a timestamp or a -sequence number (or both); see the discussion in section 3.4.1 for -guidelines on which to use. After the user data and control information are -encrypted, the client transmits the ciphertext and some 'envelope' -information to the recipient. - -3.5.2. Receipt of KRB_PRIV message - -When an application receives a KRB_PRIV message, it verifies it as follows. 
-If any error occurs, an error code is reported for use by the application. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -The message is first checked by verifying that the protocol version and -type fields match the current version and KRB_PRIV, respectively. A -mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. -The application then decrypts the ciphertext and processes the resultant -plaintext. If decryption shows the data to have been modified, a -KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that -the operating system's report of the sender's address matches the sender's -address in the message, and (if a recipient address is specified or the -recipient requires an address) that one of the recipient's addresses -appears as the recipient's address in the message. A failed match for -either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and -usec and/or the sequence number fields are checked. If timestamp and usec -are expected and not present, or they are present but not current, the -KRB_AP_ERR_SKEW error is generated. If the server name, along with the -client name, time and microsecond fields from the Authenticator match any -recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an -incorrect sequence number is included, or a sequence number is expected but -not present, the KRB_AP_ERR_BADORDER error is generated. If neither a -time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED -error is generated. - -If all the checks succeed, the application can assume the message was -generated by its peer, and was securely transmitted (without intruders able -to see the unencrypted contents). - -3.6. The KRB_CRED Exchange - -The KRB_CRED message may be used by clients requiring the ability to send -Kerberos credentials from one host to another. 
It achieves this by sending -the tickets together with encrypted data containing the session keys and -other information associated with the tickets. - -3.6.1. Generation of a KRB_CRED message - -When an application wishes to send a KRB_CRED message it first (using the -KRB_TGS exchange) obtains credentials to be sent to the remote host. It -then constructs a KRB_CRED message using the ticket or tickets so obtained, -placing the session key needed to use each ticket in the key field of the -corresponding KrbCredInfo sequence of the encrypted part of the the -KRB_CRED message. - -Other information associated with each ticket and obtained during the -KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence -in the encrypted part of the KRB_CRED message. The current time and, if -specifically required by the application the nonce, s-address, and -r-address fields, are placed in the encrypted part of the KRB_CRED message -which is then encrypted under an encryption key previosuly exchanged in the -KRB_AP exchange (usually the last key negotiated via subkeys, or the -session key if no negotiation has occured). - -3.6.2. Receipt of KRB_CRED message - -When an application receives a KRB_CRED message, it verifies it. If any -error occurs, an error code is reported for use by the application. The -message is verified by checking that the protocol version and type fields -match the current version and KRB_CRED, respectively. A mismatch generates -a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then -decrypts the ciphertext and processes the resultant plaintext. If -decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -error is generated. 
- -If present or required, the recipient verifies that the operating system's -report of the sender's address matches the sender's address in the message, -and that one of the recipient's addresses appears as the recipient's -address in the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce -field if required) are checked next. If the timestamp and usec are not -present, or they are present but not current, the KRB_AP_ERR_SKEW error is -generated. - -If all the checks succeed, the application stores each of the new tickets -in its ticket cache together with the session key and other information in -the corresponding KrbCredInfo sequence from the encrypted part of the -KRB_CRED message. - -4. The Kerberos Database - -The Kerberos server must have access to a database contain- ing the -principal identifiers and secret keys of principals to be -authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The -key can be encrypted before storage under a Kerberos "master key" to -protect it in case the database is compromised but the master key is not. -In that case, an extra field must be added to indicate the master key -version used, see below.) The p_kvno field is the key version number of the -principal's secret key. The max_life field contains the maximum allowable -lifetime (endtime - starttime) for any Ticket issued for this principal. -The max_renewable_life field contains the maximum allowable total lifetime -for any renewable Ticket issued for this principal. 
(See section 3.1 for a -description of how these lifetimes are used in determining the lifetime of -a given Ticket.) - -A server may provide KDC service to several realms, as long as the database -representation provides a mechanism to distinguish between principal -records with identifiers which differ only in the realm name. - -When an application server's key changes, if the change is routine (i.e. -not the result of disclosure of the old key), the old key should be -retained by the server until all tickets that had been issued using that -key have expired. Because of this, it is possible for several keys to be -active for a single principal. Ciphertext encrypted in a principal's key is -always tagged with the version of the key that was used for encryption, to -help the recipient find the proper key for decryption. - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -When more than one key is active for a particular principal, the principal -will have more than one record in the Kerberos database. The keys and key -version numbers will differ between the records (the rest of the fields may -or may not be the same). Whenever Kerberos issues a ticket, or responds to -a request for initial authentication, the most recent key (known by the -Kerberos server) will be used for encryption. This is the key with the -highest key version number. - -4.2. Additional fields - -Project Athena's KDC implementation uses additional fields in its database: - -Field Value - -K_kvno Kerberos' key version -expiration Expiration date for entry -attributes Bit field of attributes -mod_date Timestamp of last modification -mod_name Modifying principal's identifier - -The K_kvno field indicates the key version of the Kerberos master key under -which the principal's secret key is encrypted. 
- -After an entry's expiration date has passed, the KDC will return an error -to any client attempting to gain tickets as or for the principal. (A -database may want to maintain two expiration dates: one for the principal, -and one for the principal's current key. This allows password aging to work -independently of the principal's expiration date. However, due to the -limited space in the responses, the KDC must combine the key expiration and -principal expiration date into a single value called 'key_exp', which is -used as a hint to the user to take administrative action.) - -The attributes field is a bitfield used to govern the operations involving -the principal. This field might be useful in conjunction with user -registration procedures, for site-specific policy implementations (Project -Athena currently uses it for their user registration process controlled by -the system-wide database service, Moira [LGDSR87]), to identify whether a -principal can play the role of a client or server or both, to note whether -a server is appropriate trusted to recieve credentials delegated by a -client, or to identify the 'string to key' conversion algorithm used for a -principal's key[22]. Other bits are used to indicate that certain ticket -options should not be allowed in tickets encrypted under a principal's key -(one bit each): Disallow issuing postdated tickets, disallow issuing -forwardable tickets, disallow issuing tickets based on TGT authentication, -disallow issuing renewable tickets, disallow issuing proxiable tickets, and -disallow issuing tickets for which the principal is the server. - -The mod_date field contains the time of last modification of the entry, and -the mod_name field contains the name of the principal which last modified -the entry. - -4.3. Frequently Changing Fields - -Some KDC implementations may wish to maintain the last time that a request -was made by a particular principal. 
Information that might be maintained -includes the time of the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a ticket-granting -ticket, or other times. This information can then be returned to the user -in the last-req field (see section 5.2). - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This -field would be used to indicate how long old keys must remain valid to -allow the continued use of outstanding tickets. - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. - * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. 
Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -Optional field in ASN.1 sequences - -For optional integer value and date fields in ASN.1 sequences where a -default value has been specified, certain default values will not be -allowed in the encoding because these values will always be represented -through defaulting by the absence of the optional field. For example, one -will not send a microsecond zero value because one must make sure that -there is only one way to encode this value. - -Additional fields in ASN.1 sequences - -Implementations receiving Kerberos messages with additional fields present -in ASN.1 sequences should carry the those fields through unmodified when -the message is forwarded. Implementation should drop such fields if the -sequence is reencoded. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 -specification, section 8.7 [X509-88]. - -5.3. ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. -Note that since the underscore character (_) is not permitted in ASN.1 - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. 
A -PrincipalName is a typed sequence of components consisting of the following -sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the - same (i.e. at least one of the components, or the realm, must be - different). This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An -encoding shall specify the UTC time zone (Z) and shall not include any -fractional portions of the seconds. It further shall not include any -separators. Example: The only valid format for UTC time 6 minutes, 27 -seconds after 9 pm on 6 November 1985 is 19851106210627Z. - -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. 
- -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -ad-data - This field contains authorization data to be interpreted according to - the value of the corresponding ad-type field. -ad-type - This field specifies the format for the ad-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the -interpretation of the encapsulating element determines which of the -embedded elements must be interpreted, and which may be ignored. -Definitions for these common elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - - - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. -te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. 
- -APOptions ::= BIT STRING - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - -TicketFlags ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -KDCOptions ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -- unused11(11), - -- unused12(12), - -- unused13(13), - -- disable-transited-check(26), - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest number of bits needed to include -the highest order bit that is set (1), but in no case less than 32 bits. -The ASN.1 representation of the bit strings uses unnamed bits, with the -meaning of the individual bits defined by the comments in the specification -above. Implementations should accept values of bit strings of any length -and treat the value of flags corresponding to bits beyond the end of the -bit string as if the bit were reset (0). Comparison of bit strings of -different length should treat the smaller string as if it were padded with -zeros beyond the high order bits to the length of the longer string[23]. - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. 
Negative values indicate that the information pertains
- only to the responding server. Non-negative values pertain to all
- servers for the realm. If the lr-type field is zero (0), then no
- information is conveyed by the lr-value subfield. If the absolute
- value of the lr-type field is one (1), then the lr-value subfield is
- the time of last initial request for a TGT. If it is two (2), then the
- lr-value subfield is the time of last initial request. If it is three
- (3), then the lr-value subfield is the time of issue for the newest
- ticket-granting ticket used. If it is four (4), then the lr-value
- subfield is the time of the last renewal. If it is five (5), then the
- lr-value subfield is the time of last request (of any type). If it is
- (6), then the lr-value subfield is the time when the password will
- expire.
-lr-value
- This field contains the time of the last request. the time must be
- interpreted according to the contents of the accompanying lr-type
- subfield.
-
-See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
-EncryptionKey, EncryptionType, and KeyType.
-
-5.3. Tickets and Authenticators
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-This section describes the format and encryption parameters for tickets and
-authenticators. When a ticket or authenticator is included in a protocol
-message it is treated as an opaque object.
-
-5.3.1. Tickets
-
-A ticket is a record that helps a client authenticate to a service.
A -Ticket contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be -registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos -and the end server (the server's secret key). See section 6 for the format -of the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - the two will always be identical. -sname - This field specifies the name part of the server's identity. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - This optional field contains a sequence of extentions that may be used - to carry information that must be carried with the ticket to support - several extensions, including but not limited to plaintext - authorization data, tokens for exchanging inter-realm keys, and other - information that must be associated with a ticket for use by the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - application server. 
See Appendix C for definitions of some common - extensions. - - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of - the appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. The - meanings of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. - - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. 
The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. - - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. 
- The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - Security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. 
- - 15-31 RESERVED - Reserved for future use. - -key - This field exists in the ticket and the KDC response and is used to - pass the session key from Kerberos to the application server and the - client. The field's encoding is described in section 6.2. -crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. -cname - This field contains the name part of the client's principal - identifier. -transited - This field lists the names of the Kerberos realms that took part in - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - authenticating the user to whom this ticket was issued. It does not - specify the order in which the realms were transited. See section - 3.3.3.2 for details on how this field encodes the traversed realms. - When the names of CA's are to be embedded inthe transited field (as - specified for some extentions to the protocol), the X.500 names of the - CA's should be mapped into items in the transited field using the - mapping defined by RFC2253. -authtime - This field indicates the time of initial authentication for the named - principal. It is the time of issue for the original ticket on which - this ticket is based. It is included in the ticket to provide - additional information to the end service, and to provide the - necessary information for implementation of a `hot list' service at - the KDC. An end service that is particularly paranoid could refuse to - accept tickets for which the initial authentication occurred "too far" - in the past. This field is also returned as part of the response from - the KDC. When returned as part of the response to initial - authentication (KRB_AS_REP), this is the current time on the Ker- - beros server[24]. -starttime - This field in the ticket specifies the time after which the ticket is - valid. Together with endtime, this field specifies the life of the - ticket. 
If it is absent from the ticket, its value should be treated
- as that of the authtime field.
-endtime
- This field contains the time after which the ticket will not be
- honored (its expiration time). Note that individual services may place
- their own limits on the life of a ticket and may reject tickets which
- have not yet expired. As such, this is really an upper bound on the
- expiration time for the ticket.
-renew-till
- This field is only present in tickets that have the RENEWABLE flag set
- in the flags field. It indicates the maximum endtime that may be
- included in a renewal. It can be thought of as the absolute expiration
- time for the ticket, including all renewals.
-caddr
- This field in a ticket contains zero (if omitted) or more (if present)
- host addresses. These are the addresses from which the ticket can be
- used. If there are no addresses, the ticket can be used from any
- location. The decision by the KDC to issue or by the end server to
- accept zero-address tickets is a policy decision and is left to the
- Kerberos and end-service administrators; they may refuse to issue or
- accept such tickets. The suggested and default policy, however, is
- that such tickets will only be issued or accepted when additional
- information that can be used to restrict the use of the ticket is
- included in the authorization_data field. Such a ticket is a
- capability.
-
- Network addresses are included in the ticket to make it harder for an
- attacker to use stolen credentials. Because the session key is not
- sent over the network in cleartext, credentials can't be stolen simply
- by listening to the network; an attacker has to gain access to the
- session key (perhaps through operating system security breaches or a
- careless user's unattended session) to make use of stolen tickets.
-
- It is important to note that the network address from which a
- connection is received cannot be reliably determined.
Even if it could
- be, an attacker who has compromised the client's worksta- tion could
- use the credentials from there. Including the network addresses only
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- makes it more difficult, not impossible, for an attacker to walk off
- with stolen credentials and then use them from a "safe" location.
-authorization-data
- The authorization-data field is used to pass authorization data from
- the principal on whose behalf a ticket was issued to the application
- service. If no authorization data is included, this field will be left
- out. Experience has shown that the name of this field is confusing,
- and that a better name for this field would be restrictions.
- Unfortunately, it is not possible to change the name of this field at
- this time.
-
- This field contains restrictions on any authority obtained on the
- basis of authentication using the ticket. It is possible for any
- principal in posession of credentials to add entries to the
- authorization data field since these entries further restrict what can
- be done with the ticket. Such additions can be made by specifying the
- additional entries when a new ticket is obtained during the TGS
- exchange, or they may be added during chained delegation using the
- authorization data field of the authenticator.
-
- Because entries may be added to this field by the holder of
- credentials, it is not allowable for the presence of an entry in the
- authorization data field of a ticket to amplify the priveleges one
- would obtain from using a ticket.
-
- The data in this field may be specific to the end service; the field
- will contain the names of service specific objects, and the rights to
- those objects. The format for this field is described in section 5.2.
- Although Kerberos is not concerned with the format of the contents of
- the sub-fields, it does carry type information (ad-type).
-
- By using the authorization_data field, a principal is able to issue a
- proxy that is valid for a specific purpose. For example, a client
- wishing to print a file can obtain a file server proxy to be passed to
- the print server. By specifying the name of the file in the
- authorization_data field, the file server knows that the print server
- can only use the client's rights when accessing the particular file to
- be printed.
-
- A separate service providing authorization or certifying group
- membership may be built using the authorization-data field. In this
- case, the entity granting authorization (not the authorized entity),
- obtains a ticket in its own name (e.g. the ticket is issued in the
- name of a privelege server), and this entity adds restrictions on its
- own authority and delegates the restricted authority through a proxy
- to the client. The client would then present this authorization
- credential to the application server separately from the
- authentication exchange.
-
- Similarly, if one specifies the authorization-data field of a proxy
- and leaves the host addresses blank, the resulting ticket and session
- key can be treated as a capability. See [Neu93] for some suggested
- uses of this field.
-
- The authorization-data field is optional and does not have to be
- included in a ticket.
-
-5.3.2. Authenticators
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-An authenticator is a record sent with a ticket to a server to certify the
-client's knowledge of the encryption key in the ticket, to help the server
-detect replays, and to help choose a "true session key" to use with the
-particular session.
The encoding is encrypted in the ticket's session key -shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - -authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. -crealm and cname - These fields are the same as those described for the ticket in section - 5.3.1. -cksum - This field contains a checksum of the the applica- tion data that - accompanies the KRB_AP_REQ. -cusec - This field contains the microsecond part of the client's timestamp. - Its value (before encryption) ranges from 0 to 999999. It often - appears along with ctime. The two fields are used together to specify - a reasonably accurate timestamp. -ctime - This field contains the current time on the client's host. -subkey - This field contains the client's choice for an encryption key which is - to be used to protect this specific application session. Unless an - application specifies otherwise, if this field is left out the session - key from the ticket will be used. -seq-number - This optional field includes the initial sequence number to be used by - the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to - detect replays (It may also be used by application specific messages). - When included in the authenticator this field specifies the initial - sequence number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number is that - for messages from the server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after each message is - sent. 
Sequence numbers fall in the range of 0 through 2^32 - 1 and - wrap to zero following the value 2^32 - 1. - - For sequence numbers to adequately support the detection of replays - they should be non-repeating, even across connection boundaries. The - initial sequence number should be random and uniformly distributed - across the full space of possible sequence numbers, so that it cannot - be guessed by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -authorization-data - This field is the same as described for the ticket in section 5.3.1. - It is optional and will only appear when additional restrictions are - to be placed on the use of a ticket, beyond those carried in the - ticket itself. - -5.4. Specifications for the AS and TGS exchanges - -This section specifies the format of the messages used in the exchange -between the client and the Kerberos server. The format of possible error -messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - -The KRB_KDC_REQ message has no type of its own. Instead, its type is one of -KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an -initial ticket or an additional ticket. In either case, the message is sent -from the client to the Authentication Server to request credentials for a -service. 
- -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -The fields in this message are: - -pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. -msg-type - This field indicates the type of a protocol message. It will almost - always be the same as the application identifier associated with a - message. It is included to make the identifier more readily accessible - to the application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. -padata - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials can - be issued or decrypted. In the case of requests for additional tickets - (KRB_TGS_REQ), this field will include an element with padata-type of - PA-TGS-REQ and data of an authentication header (ticket-granting - ticket and authenticator). 
The checksum in the authenticator (which - must be collision-proof) is to be computed over the KDC-REQ-BODY - encoding. In most requests for initial authentication (KRB_AS_REQ) and - most replies (KDC-REP), the padata field will be left out. - - This field may also contain information needed by certain extensions - to the Kerberos protocol. For example, it might be used to initially - verify the identity of a client before any response is returned. This - is accomplished with a padata field with padata-type equal to - PA-ENC-TIMESTAMP and padata-value defined as follows: - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL - } - - with patimestamp containing the client's time and pausec containing - the microseconds which may be omitted if a client will not generate - more than one request per second. The ciphertext (padata-value) - consists of the PA-ENC-TS-ENC sequence, encrypted using the client's - secret key. - - [use-specified-kvno item is here for discussion and may be removed] It - may also be used by the client to specify the version of a key that is - being used for accompanying preauthentication, and/or which should be - used to encrypt the reply from the KDC. - - PA-USE-SPECIFIED-KVNO ::= Integer - - The KDC should only accept and abide by the value of the - use-specified-kvno preauthentication data field when the specified key - is still valid and until use of a new key is confirmed. This situation - is likely to occur primarily during the period during which an updated - key is propagating to other KDC's in a realm. - - The padata field can also contain information needed to help the KDC - or the client select the key needed for generating or decrypting the - response. This form of the padata is useful for supporting the use of - certain token cards with Kerberos. 
The details of such extensions are - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - specified in separate documents. See [Pat92] for additional uses of - this field. -padata-type - The padata-type element of the padata field indicates the way that the - padata-value element is to be interpreted. Negative values of - padata-type are reserved for unregistered use; non-negative values are - used for a registered interpretation of the element type. -req-body - This field is a placeholder delimiting the extent of the remaining - fields. If a checksum is to be calculated over the request, it is - calculated over an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. -kdc-options - This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the - KDC and indicates the flags that the client wants set on the tickets - as well as other information that is to modify the behavior of the - KDC. Where appropriate, the name of an option may be the same as the - flag that is set by that option. Although in most case, the bit in the - options field will be the same as that in the flags field, this is not - guaranteed, so it is not acceptable to simply copy the options field - to the flags field. There are various checks that must be made before - honoring an option anyway. - - The kdc_options field is a bit-field, where the selected options are - indicated by the bit being set (1), and the unselected options and - reserved fields being reset (0). The encoding of the bits is specified - in section 5.2. The options are described in more detail above in - section 2. The meanings of the options are: - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of -this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates -that - the ticket to be issued is to have -its - forwardable flag set. 
It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based is also -for- - wardable. - - 2 FORWARDED - The FORWARDED option is only -specified - in a request to the -ticket-granting - server and will only be honored if -the - ticket-granting ticket in the -request - has its FORWARDABLE bit set. -This - option indicates that this is a -request - for forwarding. The address(es) of -the - host from which the resulting ticket -is - to be valid are included in -the - addresses field of the request. - - 3 PROXIABLE - The PROXIABLE option indicates that -the - ticket to be issued is to have its -prox- - iable flag set. It may only be set -on - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - the initial request, or in a -subsequent - request if the ticket-granting ticket -on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this -is - a request for a proxy. This option -will - only be honored if the -ticket-granting - ticket in the request has its -PROXIABLE - bit set. The address(es) of the -host - from which the resulting ticket is to -be - valid are included in the -addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates -that - the ticket to be issued is to have -its - MAY-POSTDATE flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based also has -its - MAY-POSTDATE flag set. - - 6 POSTDATED - The POSTDATED option indicates that -this - is a request for a postdated -ticket. - This option will only be honored if -the - ticket-granting ticket on which - it is based has its MAY-POSTDATE - flag set. - The resulting ticket will also have -its - INVALID flag set, and that flag may -be - reset by a subsequent request to the -KDC - after the starttime in the ticket -has - been reached. 
- - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that -the - ticket to be issued is to have -its - RENEWABLE flag set. It may only be -set - on the initial request, or when -the - ticket-granting ticket on which -the - request is based is also renewable. -If - this option is requested, then the -rtime - field in the request contains -the - desired absolute expiration time for -the - ticket. - - 9-13 UNUSED - These options are presently unused. - - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option -indicates - that the ticket to be issued is not -to - identify the user to which it -was - issued. Instead, the principal -identif- - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - ier is to be generic, as specified -by - the policy of the realm (e.g. -usually - anonymous@realm). The purpose of -the - ticket is only to securely distribute -a - session key, and not to identify -the - user. The ANONYMOUS flag on the -ticket - to be returned should be set. If -the - local realms policy does not -permit - anonymous credentials, the request is -to - be rejected. - - 15-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited -field - is disabled. Tickets issued without -the - performance of this check will be -noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be -checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. 
- - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that -a - renewable ticket will be acceptable if -a - ticket with the requested life -cannot - otherwise be provided. If a ticket -with - the requested life cannot be -provided, - then a renewable ticket may be -issued - with a renew-till equal to the -the - requested endtime. The value of -the - renew-till field may still be limited -by - local limits, or limits selected by -the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the -ticket- - granting service. The -ENC-TKT-IN-SKEY - option indicates that the ticket for -the - end server is to be encrypted in -the - session key from the additional -ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the -ticket- - granting service. The RENEW -option - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - indicates that the present request -is - for a renewal. The ticket provided -is - encrypted in the secret key for -the - server on which it is valid. -This - option will only be honored if -the - ticket to be renewed has its -RENEWABLE - flag set and if the time in its -renew- - till field has not passed. The -ticket - to be renewed is passed in the -padata - field as part of the -authentication - header. - - 31 VALIDATE - This option is used only by the -ticket- - granting service. The VALIDATE -option - indicates that the request is to -vali- - date a postdated ticket. It will -only - be honored if the ticket presented -is - postdated, presently has its -INVALID - flag set, and would be otherwise -usable - at this time. A ticket cannot be -vali- - dated before its starttime. The -ticket - presented for validation is encrypted -in - the key of the server for which it -is - valid and is passed in the padata -field - as part of the authentication header. 
- -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, - or alternatively from the session key in the ticket-granting ticket, - both from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies - the desired start time for the requested ticket. If this field is - omitted then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date - of the ticket granting ticket or other preauthentication credentials. -rtime - This field is the requested renew-till time sent from a client to the - KDC in a ticket request. It is optional. -nonce - This field is part of the KDC request and response. It it intended to - hold a random number generated by the client. If the same number is - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - included in the encrypted response from the KDC, it provides evidence - that the response is fresh and has not been replayed by an attacker. 
- Nonces must never be re-used. Ideally, it should be generated - randomly, but if the correct time is known, it may suffice[25]. -etype - This field specifies the desired encryption algorithm to be used in - the response. -addresses - This field is included in the initial request for tickets, and - optionally included in requests for additional tickets from the - ticket-granting server. It specifies the addresses from which the - requested ticket is to be valid. Normally it includes the addresses - for the client's host. If a proxy is requested, this field will - contain other addresses. The contents of this field are usually copied - by the KDC into the caddr field of the resulting ticket. -additional-tickets - Additional tickets may be optionally included in a request to the - ticket-granting server. If the ENC-TKT-IN-SKEY option has been - specified, then the session key from the additional ticket will be - used in place of the server's key to encrypt the new ticket. If more - than one option which requires additional tickets has been specified, - then the additional tickets are used in the order specified by the - ordering of the options bits (see kdc-options, above). - -The application code will be either ten (10) or twelve (12) depending on -whether the request is for an initial ticket (AS-REQ) or for an additional -ticket (TGS-REQ). - -The optional fields (addresses, authorization-data and additional-tickets) -are only included if necessary to perform the operation specified in the -kdc-options field. - -It should be noted that in KRB_TGS_REQ, the protocol version number appears -twice and two different message types appear: the KRB_TGS_REQ message -contains these fields as does the authentication header (KRB_AP_REQ) that -is passed in the padata field. - -5.4.2. KRB_KDC_REP definition - -The KRB_KDC_REP message format is used for the reply from the KDC for -either an initial (AS) request or a subsequent (TGS) request. 
There is no -message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP -or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply -depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in -the client's secret key, and the client's key version number is included in -the key version number for the encrypted data. For KRB_TGS_REP, the -ciphertext is encrypted in the sub-session key from the Authenticator, or -if absent, the session key from the ticket-granting ticket used in the -request. In that case, no version number will be present in the -EncryptedData sequence. - -The KRB_KDC_REP message contains the following fields: - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -KDC-REP ::= SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - padata[2] SEQUENCE OF PA-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - -EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] INTEGER, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is either - KRB_AS_REP or KRB_TGS_REP. -padata - This field is described in detail in section 5.4.1. One possible use - for this field is to encode an alternate "mix-in" string to be used - with a string-to-key algorithm (such as is described in section - 6.3.2). This ability is useful to ease transitions if a realm name - needs to change (e.g. 
when a company is acquired); in such a case all - existing password-derived entries in the KDC database would be flagged - as needing a special mix-in string until the next password change. -crealm, cname, srealm and sname - These fields are the same as those described for the ticket in section - 5.3.1. -ticket - The newly-issued ticket, from section 5.3.1. -enc-part - This field is a place holder for the ciphertext and related - information that forms the encrypted part of a message. The - description of the encrypted part of the message follows each - appearance of this field. The encrypted part is encoded as described - in section 6.1. -key - This field is the same as described for the ticket in section 5.3.1. -last-req - This field is returned by the KDC and specifies the time(s) of the - last request by a principal. Depending on what information is - available, this might be the last time that a request for a - ticket-granting ticket was made, or the last time that a request based - on a ticket-granting ticket was successful. It also might cover all - servers for a realm, or just the particular server. Some - implementations may display this information to the user to aid in - discovering unauthorized use of one's identity. It is similar in - spirit to the last login time displayed when logging into timesharing - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - systems. -nonce - This field is described above in section 5.4.1. -key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. The - expiration might be the result of password aging or an account - expiration. This field will usually be left out of the TGS reply since - the response to the TGS request is encrypted in a session key and no - client information need be retrieved from the KDC database. 
It is up - to the application client (usually the login program) to take - appropriate action (such as notifying the user) if the expiration time - is imminent. -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted portion of - the attached ticket (see section 5.3.1), provided so the client may - verify they match the intended request and to assist in proper ticket - caching. If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. If the client-requested addresses are not - present or not used, then the addresses contained in the ticket will - be the same as those included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - -This section specifies the format of the messages used for the -authentication of the client to the application server. - -5.5.1. KRB_AP_REQ definition - -The KRB_AP_REQ message contains the Kerberos protocol version number, the -message type KRB_AP_REQ, an options field to indicate any options in use, -and the ticket and authenticator themselves. The KRB_AP_REQ message is -often referred to as the 'authentication header'. - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. -ap-options - This field appears in the application request (KRB_AP_REQ) and affects - the way the request is processed. 
It is a bit-field, where the - selected options are indicated by the bit being set (1), and the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - unselected options and reserved fields being reset (0). The encoding - of the bits is specified in section 5.2. The meanings of the options - are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of -this - field. - - 1 USE-SESSION-KEY - The USE-SESSION-KEY option -indicates - that the ticket the client is -presenting - to a server is encrypted in the -session - key from the server's -ticket-granting - ticket. When this option is not -speci- - fied, the ticket is encrypted in -the - server's secret key. - - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells -the - server that the client requires -mutual - authentication, and that it must -respond - with a KRB_AP_REP message. - - 3-31 RESERVED - Reserved for future use. - -ticket - This field is a ticket authenticating the client to the server. -authenticator - This contains the authenticator, which includes the client's choice of - a subkey. Its encoding is described in section 5.3.2. - -5.5.2. KRB_AP_REP definition - -The KRB_AP_REP message contains the Kerberos protocol version number, the -message type, and an encrypted time- stamp. The message is sent in in -response to an application request (KRB_AP_REQ) where the mutual -authentication option has been selected in the ap-options field. - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -The encoded EncAPRepPart is encrypted in the shared session key of the -ticket. The optional subkey field can be used in an application-arranged -negotiation to choose a per association session key. 
- -pvno and msg-type - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REP. -enc-part - This field is described above in section 5.4.2. -ctime - This field contains the current time on the client's host. -cusec - This field contains the microsecond part of the client's timestamp. -subkey - This field contains an encryption key which is to be used to protect - this specific application session. See section 3.2.6 for specifics on - how this field is used to negotiate a key. Unless an application - specifies otherwise, if this field is left out, the sub-session key - from the authenticator, or if also left out, the session key from the - ticket will be used. - -5.5.3. Error message reply - -If an error occurs while processing the application request, the KRB_ERROR -message will be sent in response. See section 5.9.1 for the format of the -error message. The cname and crealm fields may be left out if the server -cannot determine their appropriate values from the corresponding KRB_AP_REQ -message. If the authenticator was decipherable, the ctime and cusec fields -will contain the values from it. - -5.6. KRB_SAFE message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to send a tamper-proof message to -its peer. It presumes that a session key has previously been exchanged (for -example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.6.1. KRB_SAFE definition - -The KRB_SAFE message contains user data along with a collision-proof -checksum keyed with the last encryption key negotiated via subkeys, or the -session key if no negotiation has occured. 
The message fields are: - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_SAFE. -safe-body - This field is a placeholder for the body of the KRB-SAFE message. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -cksum - This field contains the checksum of the application data. Checksum - details are described in section 6.4. The checksum is computed over - the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and - the checksum is computed over the encoding of the KRB-SAFE sequence, - then the checksum is set to the result of that computation, and - finally the KRB-SAFE sequence is encoded again. -user-data - This field is part of the KRB_SAFE and KRB_PRIV messages and contain - the application specific data that is being passed from the sender to - the recipient. -timestamp - This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents - are the current time as known by the sender of the message. By - checking the timestamp, the recipient of the message is able to make - sure that it was recently generated, and is not a replay. -usec - This field is part of the KRB_SAFE and KRB_PRIV headers. It contains - the microsecond part of the timestamp. -seq-number - This field is described above in section 5.3.2. -s-address - This field specifies the address in use by the sender of the message. -r-address - This field specifies the address in use by the recipient of the - message. 
It may be omitted for some uses (such as broadcast - protocols), but the recipient may arbitrarily reject such messages. - This field along with s-address can be used to help detect messages - which have been incorrectly or maliciously delivered to the wrong - recipient. - -5.7. KRB_PRIV message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's -addr - r-address[5] HostAddress OPTIONAL -- recip's -addr -} - -pvno and msg-type - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. -enc-part - This field holds an encoding of the EncKrbPrivPart sequence encrypted - under the session key[32]. This encrypted encoding is used for the - enc-part field of the KRB-PRIV message. See section 6 for the format - of the ciphertext. -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - -This section specifies the format of a message that can be used to send -Kerberos credentials from one principal to another. 
It is presented here to -encourage a common mechanism to be used by applications when forwarding -tickets or providing proxies to subordinate servers. It presumes that a -session key has already been exchanged perhaps by using the -KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - -The KRB_CRED message contains a sequence of tickets to be sent and -information needed to use the tickets, including the session key from each. -The information needed to use the tickets is encrypted under an encryption -key previously exchanged or transferred alongside the KRB_CRED message. The -message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by - the intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. 
-enc-part - This field holds an encoding of the EncKrbCredPart sequence encrypted - under the session key shared between the sender and the intended - recipient. This encrypted encoding is used for the enc-part field of - the KRB-CRED message. See section 6 for the format of the ciphertext. -nonce - If practical, an application may require the inclusion of a nonce - generated by the recipient of the message. If the same value is - included as the nonce in the message, it provides evidence that the - message is fresh and has not been replayed by an attacker. A nonce - must never be re-used; it should be generated randomly by the - recipient of the message and provided to the sender of the message in - an application specific manner. -timestamp and usec - These fields specify the time that the KRB-CRED message was generated. - The time is used to provide assurance that the message is fresh. -s-address and r-address - These fields are described above in section 5.6.1. They are used - optionally to provide additional assurance of the integrity of the - KRB-CRED message. -key - This field exists in the corresponding ticket passed by the KRB-CRED - message and is used to pass the session key from the sender to the - intended recipient. The field's encoding is described in section 6.2. - -The following fields are optional. If present, they can be associated with -the credentials in the remote ticket file. If left out, then it is assumed -that the recipient of the credentials already knows their value. - -prealm and pname - The name and realm of the delegated principal identity. -flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr - These fields contain the values of the correspond- ing fields from the - ticket found in the ticket field. Descriptions of the fields are - identical to the descriptions in the KDC-REP message. - -5.9. Error message specification - -This section specifies the format for the KRB_ERROR message. 
The fields -included in the message are intended to return as much information as -possible about an error. It is not expected that all the information -required by the fields will be available for all types of errors. If the -appropriate information is not available when the message is composed, the -corresponding field will be left out of the message. - -Note that since the KRB_ERROR message is not protected by any encryption, -it is quite possible for an intruder to synthesize or modify such a -message. In particular, this means that the client should not use any -fields in this message for security-critical purposes, such as setting a -system clock or generating a fresh authenticator. The message can be -useful, however, for advising a user on the reason for some failure. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -5.9.1. KRB_ERROR definition - -The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL, - e-typed-data[14] SEQUENCE of ETypedData -OPTIONAL -} - -ETypedData ::= SEQUENCE { - e-data-type [1] INTEGER, - e-data-value [2] OCTET STRING, -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_ERROR. -ctime - This field is described above in section 5.4.1. -cusec - This field is described above in section 5.5.2. -stime - This field contains the current time on the server. It is of type - KerberosTime. -susec - This field contains the microsecond part of the server's timestamp. 
- Its value ranges from 0 to 999999. It appears along with stime. The - two fields are used in conjunction to specify a reasonably accurate - timestamp. -error-code - This field contains the error code returned by Kerberos or the server - when a request fails. To interpret the value of this field see the - list of error codes in section 8. Implementations are encouraged to - provide for national language support in the display of error - messages. -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. -e-text - This field contains additional text to help explain the error code - associated with the failed request (for example, it might include a - principal name which was unknown). -e-data - This field contains additional data about the error for use by the - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - application to help it recover from or handle the error. If the - errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will - contain an encoding of a sequence of padata fields, each corresponding - to an acceptable pre-authentication method and optionally containing - data for the method: - - METHOD-DATA ::= SEQUENCE of PA-DATA - - If the error-code is KRB_AP_ERR_METHOD, then the e-data field will - contain an encoding of the following sequence: - - METHOD-DATA ::= SEQUENCE { - method-type[0] INTEGER, - method-data[1] OCTET STRING OPTIONAL - } - - method-type will indicate the required alternate method; method-data - will contain any required additional information. -e-cksum - This field contains an optional checksum for the KRB-ERROR message. - The checksum is calculated over the Kerberos ASN.1 encoding of the - KRB-ERROR message with the checksum absent. The checksum is then added - to the KRB-ERROR structure and the message is re-encoded. 
The Checksum - should be calculated using the session key from the ticket granting - ticket or service ticket, where available. If the error is in response - to a TGS or AP request, the checksum should be calculated uing the the - session key from the client's ticket. If the error is in response to - an AS request, then the checksum should be calulated using the - client's secret key ONLY if there has been suitable preauthentication - to prove knowledge of the secret key by the client[33]. If a checksum - can not be computed because the key to be used is not available, no - checksum will be included. -e-typed-data - [This field for discussion, may be deleted from final spec] This field - contains optional data that may be used to help the client recover - from the indicated error. [This could contain the METHOD-DATA - specified since I don't think anyone actually uses it yet. It could - also contain the PA-DATA sequence for the preauth required error if we - had a clear way to transition to the use of this field from the use of - the untype e-data field.] For example, this field may specify the key - version of the key used to verify preauthentication: - - e-data-type := 20 -- Key version number - e-data-value := Integer -- Key version number used to verify -preauthentication - -6. Encryption and Checksum Specifications - -The Kerberos protocols described in this document are designed to use -stream encryption ciphers, which can be simulated using commonly available -block encryption ciphers, such as the Data Encryption Standard, [DES77] in -conjunction with block chaining and checksum methods [DESM80]. Encryption -is used to prove the identities of the network entities participating in -message exchanges. The Key Distribution Center for each realm is trusted by -all principals registered in that realm to store a secret key in -confidence. Proof of knowledge of this secret key is used to verify the -authenticity of a principal. 
- -The KDC uses the principal's secret key (in the AS exchange) or a shared -session key (in the TGS exchange) to encrypt responses to ticket requests; - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -the ability to obtain the secret key or session key implies the knowledge -of the appropriate keys and the identity of the KDC. The ability of a -principal to decrypt the KDC response and present a Ticket and a properly -formed Authenticator (generated with the session key from the KDC response) -to a service verifies the identity of the principal; likewise the ability -of the service to extract the session key from the Ticket and prove its -knowledge thereof in a response verifies the identity of the service. - -The Kerberos protocols generally assume that the encryption used is secure -from cryptanalysis; however, in some cases, the order of fields in the -encrypted portions of messages are arranged to minimize the effects of -poorly chosen keys. It is still important to choose good keys. If keys are -derived from user-typed passwords, those passwords need to be well chosen -to make brute force attacks more difficult. Poorly chosen keys still make -easy targets for intruders. - -The following sections specify the encryption and checksum mechanisms -currently defined for Kerberos. The encodings, chaining, and padding -requirements for each are described. For encryption methods, it is often -desirable to place random information (often referred to as a confounder) -at the start of the message. The requirements for a confounder are -specified with each encryption mechanism. - -Some encryption systems use a block-chaining method to improve the the -security characteristics of the ciphertext. However, these chaining methods -often don't provide an integrity check upon decryption. 
Such systems (such -as DES in CBC mode) must be augmented with a checksum of the plain-text -which can be verified at decryption and used to detect any tampering or -damage. Such checksums should be good at detecting burst errors in the -input. If any damage is detected, the decryption routine is expected to -return an error indicating the failure of an integrity check. Each -encryption type is expected to provide and verify an appropriate checksum. -The specification of each encryption method sets out its checksum -requirements. - -Finally, where a key is to be derived from a user's password, an algorithm -for converting the password to a key of the appropriate type is included. -It is desirable for the string to key function to be one-way, and for the -mapping to be different in different realms. This is important because -users who are registered in more than one realm will often use the same -password in each, and it is desirable that an attacker compromising the -Kerberos server in one realm not obtain or derive the user's key in -another. - -For an discussion of the integrity characteristics of the candidate -encryption and checksum methods considered for Kerberos, the the reader is -referred to [SG92]. - -6.1. Encryption Specifications - -The following ASN.1 definition describes all encrypted messages. The -enc-part field which appears in the unencrypted part of messages in section -5 is a sequence consisting of an encryption type, an optional key version -number, and the ciphertext. - -EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -} - - - -etype - This field identifies which encryption algorithm was used to encipher - the cipher. Detailed specifications for selected encryption types - appear later in this section. 
-kvno - This field contains the version number of the key under which data is - encrypted. It is only present in messages encrypted under long lasting - keys, such as principals' secret keys. -cipher - This field contains the enciphered text, encoded as an OCTET STRING. - -The cipher field is generated by applying the specified encryption -algorithm to data composed of the message and algorithm-specific inputs. -Encryption mechanisms defined for use with Kerberos must take sufficient -measures to guarantee the integrity of the plaintext, and we recommend they -also take measures to protect against precomputed dictionary attacks. If -the encryption algorithm is not itself capable of doing so, the protections -can often be enhanced by adding a checksum and a confounder. - -The suggested format for the data to be encrypted includes a confounder, a -checksum, the encoded plaintext, and any necessary padding. The msg-seq -field contains the part of the protocol message described in section 5 -which is to be encrypted. The confounder, checksum, and padding are all -untagged and untyped, and their length is exactly sufficient to hold the -appropriate item. The type and length is implicit and specified by the -particular encryption type being used (etype). 
The format for the data to
-be encrypted is described in the following diagram:
-
- +-----------+----------+-------------+-----+
- |confounder | check | msg-seq | pad |
- +-----------+----------+-------------+-----+
-
-The format cannot be described in ASN.1, but for those who prefer an
-ASN.1-like notation:
-
-CipherText ::= ENCRYPTED SEQUENCE {
- confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
- check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
- msg-seq[2] MsgSequence,
- pad UNTAGGED OCTET STRING(pad_length) OPTIONAL
-}
-
-One generates a random confounder of the appropriate length, placing it in
-confounder; zeroes out check; calculates the appropriate checksum over
-confounder, check, and msg-seq, placing the result in check; adds the
-necessary padding; then encrypts using the specified encryption type and
-the appropriate key.
-
-Unless otherwise specified, a definition of an encryption algorithm that
-specifies a checksum, a length for the confounder field, or an octet
-boundary for padding uses this ciphertext format[36]. Those fields which
-are not specified will be omitted.
-
-In the interest of allowing all implementations using a particular
-encryption type to communicate with all others using that type, the
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-specification of an encryption type defines any checksum that is needed as
-part of the encryption process. If an alternative checksum is to be used, a
-new encryption type must be defined.
-
-Some cryptosystems require additional information beyond the key and the
-data to be encrypted. For example, DES, when used in cipher-block-chaining
-mode, requires an initialization vector. If required, the description for
-each encryption type must specify the source of such additional
-information. 6.2.
Encryption Keys
-
-The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
-keytype
- This field specifies the type of encryption key that follows in the
- keyvalue field. It will almost always correspond to the encryption
- algorithm used to generate the EncryptedData, though more than one
- algorithm may use the same type of key (the mapping is many to one).
- This might happen, for example, if the encryption algorithm uses an
- alternate checksum algorithm for an integrity check, or a different
- chaining mechanism.
-keyvalue
- This field contains the key itself, encoded as an octet string.
-
-All negative values for the encryption key type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields
-and interpreta- tions.
-
-6.3. Encryption Systems
-
-6.3.1. The NULL Encryption System (null)
-
-If no encryption is in use, the encryption system is said to be the NULL
-encryption system. In the NULL encryption system there is no checksum,
-confounder or padding. The ciphertext is simply the plaintext. The NULL Key
-is used by the null encryption system and is zero octets in length, with
-keytype zero (0).
-
-6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
-The des-cbc-crc encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-A CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
-confounder and message sequence (msg-seq) and placed in the cksum field.
-DES blocks are 8 bytes. As a result, the data to be encrypted (the
-concatenation of confounder, checksum, and message) must be padded to an 8
-byte boundary before encryption. The details of the encryption of this data
-are identical to those for the des-cbc-md5 encryption mode.
-
-Note that, since the CRC-32 checksum is not collision-proof, an attacker
-could use a probabilistic chosen-plaintext attack to generate a valid
-message even if a confounder is used [SG92]. The use of collision-proof
-checksums is recommended for environments where such attacks represent a
-significant threat. The use of the CRC-32 as the checksum for ticket or
-authenticator is no longer mandated as an interoperability requirement for
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
-
-6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
-The des-cbc-md4 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD4 checksum (described in [MD492]) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption. The details of the encryption of this data are identical
-to those for the des-cbc-md5 encryption mode.
-
-6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
-The des-cbc-md5 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD5 checksum (described in [MD5-92].) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption.
-
-Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
-concatenated to make the 64-bit inputs for the DES algorithms.
The first
-octet supplies the 8 most significant bits (with the octet's MSbit used as
-the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
-and the eighth octet supplies the 8 least significant bits.
-
-Encryption under DES using cipher block chaining requires an additional
-input in the form of an initialization vector. Unless otherwise specified,
-zero should be used as the initialization vector. Kerberos' use of DES
-requires an 8 octet confounder.
-
-The DES specifications identify some 'weak' and 'semi-weak' keys; those
-keys shall not be used for encrypting messages for use in Kerberos.
-Additionally, because of the way that keys are derived for the encryption
-of checksums, keys shall not be used that yield 'weak' or 'semi-weak' keys
-when eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
-
-A DES key is 8 octets of data, with keytype one (1). This consists of 56
-bits of key, and 8 parity bits (one per octet). The key is encoded as a
-series of 8 octets written in MSB-first order. The bits within the key are
-also encoded in MSB order. For example, if the encryption key is
-(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
-B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the
-parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1
-as the MSbit). [See the FIPS 81 introduction for reference.]
-
-String to key transformation
-
-To generate a DES key from a text string (password), a "salt" is
-concatenated to the text string, and then padded with ASCII nulls to an 8
-byte boundary. This "salt" is normally the realm and each component of the
-principal's name appended. However, sometimes different salts are used ---
-for example, when a realm is renamed, or if a user changes her username, or
-for compatibility with Kerberos V4 (whose string-to-key algorithm uses a
-null string for the salt).
This string is then fan-folded and
-eXclusive-ORed with itself to form an 8 byte DES key. Before
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-eXclusive-ORing a block, every byte is shifted one bit to the left to leave
-the lowest bit zero. The key is the "corrected" by correcting the parity on
-the key, and if the key matches a 'weak' or 'semi-weak' key as described in
-the DES specification, it is eXclusive-ORed with the constant
-00000000000000F0. This key is then used to generate a DES CBC checksum on
-the initial string (with the salt appended). The result of the CBC checksum
-is the "corrected" as described above to form the result which is return as
-the key. Pseudocode follows:
-
- name_to_default_salt(realm, name) {
- s = realm
- for(each component in name) {
- s = s + component;
- }
- return s;
- }
-
- key_correction(key) {
- fixparity(key);
- if (is_weak_key_key(key))
- key = key XOR 0xF0;
- return(key);
- }
-
- string_to_key(string,salt) {
-
- odd = 1;
- s = string + salt;
- tempkey = NULL;
- pad(s); /* with nulls to 8 byte boundary */
- for(8byteblock in s) {
- if(odd == 0) {
- odd = 1;
- reverse(8byteblock)
- }
- else odd = 0;
- left shift every byte in 8byteblock one bit;
- tempkey = tempkey XOR 8byteblock;
- }
- tempkey = key_correction(tempkey);
- key = key_correction(DES-CBC-check(s,tempkey));
- return(key);
- }
-
-6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with Key
-Derivation [Horowitz]
-
-NOTE: This description currently refers to documents, the contents of which
-might be bettered included by value in this spec. The description below was
-provided by Marc Horowitz, and the form in which it will finally appear is
-yet to be determined. This description is included in this version of the
-draft because it does describe the implemenation ready for use with the MIT
-implementation.
Note also that the encryption identifier has been left
-unspecified here because the value from Marc Horowitz's spec conflicted
-with some other impmenentations implemented based on perevious versions of
-the specification.
-
-This encryption type is based on the Triple DES cryptosystem, the HMAC-SHA1
-[Krawczyk96] message authentication algorithm, and key derivation for
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-Kerberos V5 [HorowitzB96].
-
-The des3-cbc-hmac-sha1 encryption type has been assigned the value ??. The
-hmac-sha1-des3 checksum type has been assigned the value 12.
-
-Encryption Type des3-cbc-hmac-sha1
-
-EncryptedData using this type must be generated as described in
-[Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. The
-keyed hash algorithm is HMAC-SHA1. Unless otherwise specified, a zero IV
-must be used. If the length of the input data is not a multiple of the
-block size, zero octets must be used to pad the plaintext to the next
-eight-octet boundary. The counfounder must be eight random octets (one
-block).
-
-Checksum Type hmac-sha1-des3
-
-Checksums using this type must be generated as described in [Horowitz96].
-The keyed hash algorithm is HMAC-SHA1.
-
-Common Requirements
-
-The EncryptionKey value is 24 octets long. The 7 most significant bits of
-each octet contain key bits, and the least significant bit is the inverse
-of the xor of the key bits.
-
-For the purposes of key derivation, the block size is 64 bits, and the key
-size is 168 bits. The 168 bits output by key derivation are converted to an
-EncryptionKey value as follows.
First, the 168 bits are divided into three
-groups of 56 bits, which are expanded individually into 64 bits as follows:
-
- 1 2 3 4 5 6 7 p
- 9 10 11 12 13 14 15 p
-17 18 19 20 21 22 23 p
-25 26 27 28 29 30 31 p
-33 34 35 36 37 38 39 p
-41 42 43 44 45 46 47 p
-49 50 51 52 53 54 55 p
-56 48 40 32 24 16 8 p
-
-The "p" bits are parity bits computed over the data bits. The output of the
-three expansions are concatenated to form the EncryptionKey value.
-
-When the HMAC-SHA1 of a string is computed, the key is used in the
-EncryptedKey form.
-
-Key Derivation
-
-In the Kerberos protocol, cryptographic keys are used in a number of
-places. In order to minimize the effect of compromising a key, it is
-desirable to use a different key for each of these places. Key derivation
-[Horowitz96] can be used to construct different keys for each operation
-from the keys transported on the network. For this to be possible, a small
-change to the specification is necessary.
-
-This section specifies a profile for the use of key derivation [Horowitz96]
-with Kerberos. For each place where a key is used, a ``key usage'' must is
-specified for that purpose. The key, key usage, and encryption/checksum
-type together describe the transformation from plaintext to ciphertext, or
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-plaintext to checksum.
-
-Key Usage Values
-
-This is a complete list of places keys are used in the kerberos protocol,
-with key usage values and RFC 1510 section numbers:
-
- 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
- client key (section 5.4.1)
- 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
- application session key), encrypted with the service key
- (section 5.4.2)
- 3. AS-REP encrypted part (includes tgs session key or application
- session key), encrypted with the client key (section 5.4.2)
- 4.
TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- session key (section 5.4.1)
- 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- authenticator subkey (section 5.4.1)
- 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
- with the tgs session key (sections 5.3.2, 5.4.1)
- 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
- authenticator subkey), encrypted with the tgs session key
- (section 5.3.2)
- 8. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs session key (section 5.4.2)
- 9. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs authenticator subkey (section 5.4.2)
-10. AP-REQ Authenticator cksum, keyed with the application session
- key (section 5.3.2)
-11. AP-REQ Authenticator (includes application authenticator
- subkey), encrypted with the application session key (section
- 5.3.2)
-12. AP-REP encrypted part (includes application session subkey),
- encrypted with the application session key (section 5.5.2)
-13. KRB-PRIV encrypted part, encrypted with a key chosen by the
- application (section 5.7.1)
-14. KRB-CRED encrypted part, encrypted with a key chosen by the
- application (section 5.6.1)
-15. KRB-SAVE cksum, keyed with a key chosen by the application
- (section 5.8.1)
-18. KRB-ERROR checksum (e-cksum in section 5.9.1)
-19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
-20. Checksum for Mandatory Ticket Extensions (appendix B.6)
-21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
-
-Key usage values between 1024 and 2047 (inclusive) are reserved for
-application use. Applications should use even values for encryption and odd
-values for checksums within this range.
-
-A few of these key usages need a little clarification. A service which
-receives an AP-REQ has no way to know if the enclosed Ticket was part of an
-AS-REP or TGS-REP.
Therefore, key usage 2 must always be used for
-generating a Ticket, whether it is in response to an AS- REQ or TGS-REQ.
-
-There might exist other documents which define protocols in terms of the
-RFC1510 encryption types or checksum types. Such documents would not know
-about key usages. In order that these documents continue to be meaningful
-until they are updated, key usages 1024 and 1025 must be used to derive
-keys for encryption and checksums, respectively. New protocols defined in
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-terms of the Kerberos encryption and checksum types should use their own
-key usages. Key usages may be registered with IANA to avoid conflicts. Key
-usages must be unsigned 32 bit integers. Zero is not permitted.
-
-Defining Cryptosystems Using Key Derivation
-
-Kerberos requires that the ciphertext component of EncryptedData be
-tamper-resistant as well as confidential. This implies encryption and
-integrity functions, which must each use their own separate keys. So, for
-each key usage, two keys must be generated, one for encryption (Ke), and
-one for integrity (Ki):
-
- Ke = DK(protocol key, key usage | 0xAA)
- Ki = DK(protocol key, key usage | 0x55)
-
-where the protocol key is from the EncryptionKey from the wire protocol,
-and the key usage is represented as a 32 bit integer in network byte order.
-The ciphertest must be generated from the plaintext as follows:
-
- ciphertext = E(Ke, confounder | plaintext | padding) |
- H(Ki, confounder | plaintext | padding)
-
-The confounder and padding are specific to the encryption algorithm E.
-
-When generating a checksum only, there is no need for a confounder or
-padding. Again, a new key (Kc) must be used.
Checksums must be generated
-from the plaintext as follows:
-
- Kc = DK(protocol key, key usage | 0x99)
-
- MAC = H(Kc, plaintext)
-
-Note that each enctype is described by an encryption algorithm E and a
-keyed hash algorithm H, and each checksum type is described by a keyed hash
-algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
-
-Key Derivation from Passwords
-
-The well-known constant for password key derivation must be the byte string
-{0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the
-ASCII encoding for the string "kerberos".
-
-6.4. Checksums
-
-The following is the ASN.1 definition used for a checksum:
-
- Checksum ::= SEQUENCE {
- cksumtype[0] INTEGER,
- checksum[1] OCTET STRING
- }
-
-cksumtype
- This field indicates the algorithm used to generate the accompanying
- checksum.
-checksum
- This field contains the checksum itself, encoded as an octet string.
-
-Detailed specification of selected checksum types appear later in this
-section. Negative values for the checksum type are reserved for local use.
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-All non-negative values are reserved for officially assigned type fields
-and interpretations.
-
-Checksums used by Kerberos can be classified by two properties: whether
-they are collision-proof, and whether they are keyed. It is infeasible to
-find two plaintexts which generate the same checksum value for a
-collision-proof checksum. A key is required to perturb or initialize the
-algorithm in a keyed checksum. To prevent message-stream modification by an
-active attacker, unkeyed checksums should only be used when the checksum
-and message will be subsequently encrypted (e.g. the checksums defined as
-part of the encryption algorithms covered earlier in this section).
-
-Collision-proof checksums can be made tamper-proof if the checksum value is
-encrypted before inclusion in a message.
In such cases, the composition of
-the checksum and the encryption algorithm must be considered a separate
-checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
-algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for
-the encrypted forms of unkeyed collision-proof checksums, Kerberos prepends
-a confounder before the checksum is calculated.
-
-6.4.1. The CRC-32 Checksum (crc32)
-
-The CRC-32 checksum calculates a checksum based on a cyclic redundancy
-check as described in ISO 3309 [ISO3309]. The resulting checksum is four
-(4) octets in length. The CRC-32 is neither keyed nor collision-proof. The
-use of this checksum is not recommended. An attacker using a probabilistic
-chosen-plaintext attack as described in [SG92] might be able to generate an
-alternative message that satisfies the checksum. The use of collision-proof
-checksums is recommended for environments where such attacks represent a
-significant threat.
-
-6.4.2. The RSA MD4 Checksum (rsa-md4)
-
-The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
-[MD4-92]. The algorithm takes as input an input message of arbitrary length
-and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed
-to be collision-proof.
-
-6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
-
-The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
-prepending an 8 octet confounder before the text, applying the RSA MD4
-checksum algorithm, and encrypting the confounder and the checksum using
-DES in cipher-block-chaining (CBC) mode using a variant of the key, where
-the variant is computed by eXclusive-ORing the key with the constant
-F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The
-resulting checksum is 24 octets long (8 octets of which are redundant).
-This checksum is tamper-proof and believed to be collision-proof.
-
-The DES specifications identify some weak keys' and 'semi-weak keys'; those
-keys shall not be used for generating RSA-MD4 checksums for use in
-Kerberos.
-
-The format for the checksum is described in the follow- ing diagram:
-
-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-| des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) |
-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-The format cannot be described in ASN.1, but for those who prefer an
-ASN.1-like notation:
-
-rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(16)
-}
-
-6.4.4. The RSA MD5 Checksum (rsa-md5)
-
-The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
-[MD5-92]. The algorithm takes as input an input message of arbitrary length
-and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed
-to be collision-proof.
-
-6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
-
-The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
-prepending an 8 octet confounder before the text, applying the RSA MD5
-checksum algorithm, and encrypting the confounder and the checksum using
-DES in cipher-block-chaining (CBC) mode using a variant of the key, where
-the variant is computed by eXclusive-ORing the key with the hexadecimal
-constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The
-resulting checksum is 24 octets long (8 octets of which are redundant).
-This checksum is tamper-proof and believed to be collision-proof.
-
-The DES specifications identify some 'weak keys' and 'semi-weak keys';
-those keys shall not be used for encrypting RSA-MD5 checksums for use in
-Kerberos.
-
-The format for the checksum is described in the following diagram:
-
-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-| des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) |
-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-The format cannot be described in ASN.1, but for those who prefer an
-ASN.1-like notation:
-
-rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(16)
-}
-
-6.4.6. DES cipher-block chained checksum (des-mac)
-
-The DES-MAC checksum is computed by prepending an 8 octet confounder to the
-plaintext, performing a DES CBC-mode encryption on the result using the key
-and an initialization vector of zero, taking the last block of the
-ciphertext, prepending the same confounder and encrypting the pair using
-DES in cipher-block-chaining (CBC) mode using a a variant of the key, where
-the variant is computed by eXclusive-ORing the key with the hexadecimal
-constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The
-resulting checksum is 128 bits (16 octets) long, 64 bits of which are
-redundant. This checksum is tamper-proof and collision-proof.
-
-The format for the checksum is described in the following diagram:
-
-+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-| des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
-+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
-
-The format cannot be described in ASN.1, but for those who prefer an
-ASN.1-like notation:
-
-des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(8)
-}
-
-The DES specifications identify some 'weak' and 'semi-weak' keys; those
-keys shall not be used for generating DES-MAC checksums for use in
-Kerberos, nor shall a key be used whose variant is 'weak' or 'semi-weak'.
-
-6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k)
-
-The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by
-applying the RSA MD4 checksum algorithm and encrypting the results using
-DES in cipher-block-chaining (CBC) mode using a DES key as both key and
-initialization vector. The resulting checksum is 16 octets long. This
-checksum is tamper-proof and believed to be collision-proof. Note that this
-checksum type is the old method for encoding the RSA-MD4-DES checksum and
-it is no longer recommended.
-
-6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
-
-The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption
-of the plaintext, and using the last block of the ciphertext as the
-checksum value. It is keyed with an encryption key and an initialization
-vector; any uses which do not specify an additional initialization vector
-will use the key as both key and initialization vector. The resulting
-checksum is 64 bits (8 octets) long. This checksum is tamper-proof and
-collision-proof.
Note that this checksum type is the old method for
-encoding the DES-MAC checksum and it is no longer recommended. The DES
-specifications identify some 'weak keys' and 'semi-weak keys'; those keys
-shall not be used for generating DES-MAC checksums for use in Kerberos.
-
-7. Naming Constraints
-
-7.1. Realm Names
-
-Although realm names are encoded as GeneralStrings and although a realm can
-technically select any name it chooses, interoperability across realm
-boundaries requires agreement on how realm names are to be assigned, and
-what information they imply.
-
-To enforce these conventions, each realm must conform to the conventions
-itself, and it must require that any realms with which inter-realm keys are
-shared also conform to the conventions and require the same from its
-neighbors.
-
-Kerberos realm names are case sensitive. Realm names that differ only in
-the case of the characters are not equivalent. There are presently four
-styles of realm names: domain, X500, other, and reserved. Examples of each
-style follow:
-
- domain: ATHENA.MIT.EDU (example)
- X500: C=US/O=OSF (example)
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- other: NAMETYPE:rest/of.name=without-restrictions (example)
- reserved: reserved, but will not conflict with above
-
-Domain names must look like domain names: they consist of components
-separated by periods (.) and they contain neither colons (:) nor slashes
-(/). Domain names must be converted to upper case when used as realm names.
-
-X.500 names contain an equal (=) and cannot contain a colon (:) before the
-equal. The realm names for X.500 names will be string representations of
-the names with components separated by slashes. Leading and trailing
-slashes will not be included.
-
-Names that fall into the other category must begin with a prefix that
-contains no equal (=) or period (.)
and the prefix must be followed by a
-colon (:) and the rest of the name. All prefixes must be assigned before
-they may be used. Presently none are assigned.
-
-The reserved category includes strings which do not fall into the first
-three categories. All names in this category are reserved. It is unlikely
-that names will be assigned to this category unless there is a very strong
-argument for not using the 'other' category.
-
-These rules guarantee that there will be no conflicts between the various
-name styles. The following additional constraints apply to the assignment
-of realm names in the domain and X.500 categories: the name of a realm for
-the domain or X.500 formats must either be used by the organization owning
-(to whom it was assigned) an Internet domain name or X.500 name, or in the
-case that no such names are registered, authority to use a realm name may
-be derived from the authority of the parent realm. For example, if there is
-no domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm
-can authorize the creation of a realm with that name.
-
-This is acceptable because the organization to which the parent is assigned
-is presumably the organization authorized to assign names to its children
-in the X.500 and domain name systems as well. If the parent assigns a realm
-name without also registering it in the domain name or X.500 hierarchy, it
-is the parent's responsibility to make sure that there will not in the
-future exists a name identical to the realm name of the child unless it is
-assigned to the same entity as the realm name.
-
-7.2. Principal Names
-
-As was the case for realm names, conventions are needed to ensure that all
-agree on what information is implied by a principal name. The name-type
-field that is part of the principal name indicates the kind of information
-implied by the name. The name-type should be treated as a hint. Ignoring
-the name type, no two names can be the same (i.e.
at least one of the
-components, or the realm, must be different). The following name types are
-defined:
-
- name-type value meaning
-
- NT-UNKNOWN 0 Name type not known
- NT-PRINCIPAL 1 General principal name (e.g. username, or DCE
-principal)
- NT-SRV-INST 2 Service and other unique instance (krbtgt)
- NT-SRV-HST 3 Service with host name as instance (telnet,
-rcommands)
- NT-SRV-XHST 4 Service with slash-separated host name components
- NT-UID 5 Unique ID
- NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779]
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
-When a name implies no information other than its uniqueness at a
-particular time the name type PRINCIPAL should be used. The principal name
-type should be used for users, and it might also be used for a unique
-server. If the name is a unique machine generated ID that is guaranteed
-never to be reassigned then the name type of UID should be used (note that
-it is generally a bad idea to reassign names of any type since stale
-entries might remain in access control lists).
-
-If the first component of a name identifies a service and the remaining
-components identify an instance of the service in a server specified
-manner, then the name type of SRV-INST should be used. An example of this
-name type is the Kerberos ticket-granting service whose name has a first
-component of krbtgt and a second component identifying the realm for which
-the ticket is valid.
-
-If instance is a single component following the service name and the
-instance identifies the host on which the server is running, then the name
-type SRV-HST should be used. This type is typically used for Internet
-services such as telnet and the Berkeley R commands. If the separate
-components of the host name appear as successive components following the
-name of the service, then the name type SRV-XHST should be used.
This type
-might be used to identify servers on hosts with X.500 names where the slash
-(/) might otherwise be ambiguous.
-
-A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
-certificiate is translated into a Kerberos name. The encoding of the X.509
-name as a Kerberos principal shall conform to the encoding rules specified
-in RFC 2253.
-
-A name type of UNKNOWN should be used when the form of the name is not
-known. When comparing names, a name of type UNKNOWN will match principals
-authenticated with names of any type. A principal authenticated with a name
-of type UNKNOWN, however, will only match other names of type UNKNOWN.
-
-Names of any type with an initial component of 'krbtgt' are reserved for
-the Kerberos ticket granting service. See section 8.2.3 for the form of
-such names.
-
-7.2.1. Name of server principals
-
-The principal identifier for a server on a host will generally be composed
-of two parts: (1) the realm of the KDC with which the server is registered,
-and (2) a two-component name of type NT-SRV-HST if the host name is an
-Internet domain name or a multi-component name of type NT-SRV-XHST if the
-name of the host is of a form such as X.500 that allows slash (/)
-separators. The first component of the two- or multi-component name will
-identify the service and the latter components will identify the host.
-Where the name of the host is not case sensitive (for example, with
-Internet domain names) the name of the host must be lower case. If
-specified by the application protocol for services such as telnet and the
-Berkeley R commands which run with system privileges, the first component
-may be the string 'host' instead of a service specific identifier. When a
-host has an official name and one or more aliases, the official name of the
-host must be used when constructing the name of the server principal.
-
-8. Constants and other defined values
-
-8.1.
Host address types
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
-All negative values for the host address type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields
-and interpretations.
-
-The values of the types for the following addresses are chosen to match the
-defined address family constants in the Berkeley Standard Distributions of
-Unix. They can be found in with symbolic names AF_xxx (where xxx is an
-abbreviation of the address family name).
-
-Internet (IPv4) Addresses
-
-Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
-order. The type of IPv4 addresses is two (2).
-
-Internet (IPv6) Addresses [Westerlund]
-
-IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
-type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
-following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
-
- * the Unspecified Address
- * the Loopback Address
- * Link-Local addresses
-
-IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
-
-CHAOSnet addresses
-
-CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
-The type of CHAOSnet addresses is five (5).
-
-ISO addresses
-
-ISO addresses are variable-length. The type of ISO addresses is seven (7).
-
-Xerox Network Services (XNS) addresses
-
-XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
-type of XNS addresses is six (6).
-
-AppleTalk Datagram Delivery Protocol (DDP) addresses
-
-AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
-network number. The first octet of the address is the node number; the
-remaining two octets encode the network number in MSB order. The type of
-AppleTalk DDP addresses is sixteen (16).
-
-DECnet Phase IV addresses
-
-DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order.
The
-type of DECnet Phase IV addresses is twelve (12).
-
-Netbios addresses
-
-Netbios addresses are 16-octet addresses typically composed of 1 to 15
-characters, trailing blank (ascii char 20) filled, with a 16th octet of
-0x0. The type of Netbios addresses is 20 (0x14).
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-8.2. KDC messages
-
-8.2.1. UDP/IP transport
-
-When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
-IP transport, the client shall send a UDP datagram containing only an
-encoding of the request to port 88 (decimal) at the KDC's IP address; the
-KDC will respond with a reply datagram containing only an encoding of the
-reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
-the sender's IP address. Kerberos servers supporting IP transport must
-accept UDP requests on port 88 (decimal). The response to a request made
-through UDP/IP transport must also use UDP/IP transport.
-
-8.2.2. TCP/IP transport [Westerlund,Danielsson]
-
-Kerberos servers (KDC's) should accept TCP requests on port 88 (decimal)
-and clients should support the sending of TCP requests on port 88
-(decimal). When the KRB_KDC_REQ message is sent to the KDC over a TCP
-stream, a new connection will be established for each authentication
-exchange (request and response). The KRB_KDC_REP or KRB_ERROR message will
-be returned to the client on the same TCP stream that was established for
-the request. The response to a request made through TCP/IP transport must
-also use TCP/IP transport. Implementors should note that some extentions to
-the Kerberos protocol will not work if any implementation not supporting
-the TCP transport is involved (client or KDC). Implementors are strongly
-urged to support the TCP transport on both the client and server and are
-advised that the current notation of "should" support will likely change in
-the future to must support.
The KDC may close the TCP stream after sending -a response, but may leave the stream open if it expects a followup - in -which case it may close the stream at any time if resource constratints or -other factors make it desirable to do so. Care must be taken in managing -TCP/IP connections with the KDC to prevent denial of service attacks based -on the number of TCP/IP connections with the KDC that remain open. If -multiple exchanges with the KDC are needed for certain forms of -preauthentication, multiple TCP connections may be required. A client may -close the stream after receiving response, and should close the stream if -it does not expect to send followup messages. The client must be prepared -to have the stream closed by the KDC at anytime, in which case it must -simply connect again when it is ready to send subsequent messages. - -The first four octets of the TCP stream used to transmit the request -request will encode in network byte order the length of the request -(KRB_KDC_REQ), and the length will be followed by the request itself. The -response will similarly be preceeded by a 4 octet encoding in network byte -order of the length of the KRB_KDC_REP or the KRB_ERROR message and will be -followed by the KRB_KDC_REP or the KRB_ERROR response. If the sign bit is -set on integer represented by the first 4 octets, then the next 4 octets -will be read, extending the length of the field by another 4 octets (less 1 -bit). - -8.2.3. 
OSI transport
-
-During authentication of an OSI client to an OSI server, the mutual
-authentication of an OSI server to an OSI client, the transfer of
-credentials from an OSI client to an OSI server, or during exchange of
-private or integrity checked messages, Kerberos protocol messages may be
-treated as opaque objects and the type of the authentication mechanism will
-be:
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
-security(5),kerberosv5(2)}
-
-Depending on the situation, the opaque object will be an authentication
-header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
-(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
-(KRB_CRED). The opaque data contains an application code as specified in
-the ASN.1 description for each message. The application code may be used by
-Kerberos to determine the message type.
-
-8.2.3. Name of the TGS
-
-The principal identifier of the ticket-granting service shall be composed
-of three parts: (1) the realm of the KDC issuing the TGS ticket (2) a
-two-part name of type NT-SRV-INST, with the first part "krbtgt" and the
-second part the name of the realm which will accept the ticket-granting
-ticket. For example, a ticket-granting ticket issued by the ATHENA.MIT.EDU
-realm to be used to get tickets from the ATHENA.MIT.EDU KDC has a principal
-identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU")
-(name). A ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
-used to get tickets from the MIT.EDU realm has a principal identifier of
-"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
-
-8.3. Protocol constants and associated values
-
-The following tables list constants used in the protocol and defines their
-meanings.
Ranges are specified in the "specification" section that limit -the values of constants for which values are defined here. This allows -implementations to make assumptions about the maximum values that will be -received for these constants. Implementation receiving values outside the -range specified in the "specification" section may reject the request, but -they must recover cleanly. - -Encryption type etype value block size minimum pad size confounder -size -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - 4 -des3-cbc-md5 5 8 0 8 - 6 -des3-cbc-sha1 7 8 0 8 -sign-dsa-generate 8 (pkinit) -encrypt-rsa-priv 9 (pkinit) -encrypt-rsa-pub 10 (pkinit) -rsa-pub-md5 11 (pkinit) -rsa-pub-sha1 12 (pkinit) -des3kd-cbc-sha1 ?? 8 0 8 -ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - -Checksum type sumtype value checksum size -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -rsa-md5-des3 9 24 -hmac-sha1-des3 12 20 (I had this as 10, is it -12) - -padata type padata-type value - -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - 4 -PA-ENC-UNIX-TIME 5 -PA-SANDIA-SECUREID 6 -PA-SESAME 7 -PA-OSF-DCE 8 -PA-CYBERSAFE-SECUREID 9 -PA-AFS3-SALT 10 -PA-ETYPE-INFO 11 -SAM-CHALLENGE 12 (sam/otp) -SAM-RESPONSE 13 (sam/otp) -PA-PK-AS-REQ 14 (pkinit) -PA-PK-AS-REP 15 (pkinit) -PA-PK-AS-SIGN 16 (pkinit) -PA-PK-KEY-REQ 17 (pkinit) -PA-PK-KEY-REP 18 (pkinit) -PA-USE-SPECIFIED-KVNO 20 - -authorization data type ad-type value -AD-KDC-ISSUED 1 -AD-INTENDED-FOR-SERVER 2 -AD-INTENDED-FOR-APPLICATION-CLASS 3 -AD-IF-RELEVANT 4 -AD-OR 5 -AD-MANDATORY-TICKET-EXTENSIONS 6 -AD-IN-TICKET-EXTENSIONS 7 -reserved values 8-63 -OSF-DCE 64 -SESAME 65 - -Ticket Extension Types - -TE-TYPE-NULL 0 Null ticket extension -TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization data - 2 
TE-TYPE-PKCROSS-KDC (I have reservations) -TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket -TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - 5 TE-TYPE-DEST-HOST (I have reservations) - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message types - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request -KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward -credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for -users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, -rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID -KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253] - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number not -supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found 
in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end -time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password -to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was -invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired -[40] -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user -only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field -failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 
41 Message stream modified
-KRB_AP_ERR_BADORDER 42 Message out of order
-KRB_AP_ERR_BADKEYVER 44 Specified version of key is not
-available
-KRB_AP_ERR_NOKEY 45 Service key not available
-KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed
-KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction
-KRB_AP_ERR_METHOD 48 Alternative authentication method
-required
-KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message
-KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in
-message
-KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path
-KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry with TCP
-KRB_ERR_GENERIC 60 Generic error (description in e-text)
-KRB_ERR_FIELD_TOOLONG 61 Field is too long for this
-implementation
-KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit)
-KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit)
-KDC_ERROR_INVALID_SIG 64 (pkinit)
-KDC_ERR_KEY_TOO_WEAK 65 (pkinit)
-KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit)
-
-9. Interoperability requirements
-
-Version 5 of the Kerberos protocol supports a myriad of options. Among
-these are multiple encryption and checksum types, alternative encoding
-schemes for the transited field, optional mechanisms for
-pre-authentication, the handling of tickets with no addresses, options for
-mutual authentication, user to user authentication, support for proxies,
-forwarding, postdating, and renewing tickets, the format of realm names,
-and the handling of authorization data.
-
-In order to ensure the interoperability of realms, it is necessary to
-define a minimal configuration which must be supported by all
-implementations. This minimal configuration is subject to change as
-technology does. For example, if at some later date it is discovered that
-one of the required encryption or checksum algorithms is not secure, it
-will be replaced.
-
-9.1. Specification 2
-
-This section defines the second specification of these options.
-Implementations which are configured in this way can be said to support
-Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
-be found in RFC1510.
-
-Transport
-
-TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
-to specification 2. Kerberos clients claiming conformance to specification
-2 must support UDP/IP transport for messages with the KDC and should
-support TCP/IP transport.
-
-Encryption and checksum methods
-
-The following encryption and checksum mechanisms must be supported.
-Implementations may support other mechanisms as well, but the additional
-mechanisms may only be used when communicating with principals known to
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-also support them: This list is to be determined.
-
-Encryption: DES-CBC-MD5
-Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
-
-Realm Names
-
-All implementations must understand hierarchical realms in both the
-Internet Domain and the X.500 style. When a ticket granting ticket for an
-unknown realm is requested, the KDC must be able to determine the names of
-the intermediate realms between the KDCs realm and the requested realm.
-
-Transited field encoding
-
-DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
-Alternative encodings may be supported, but they may be used only when that
-encoding is supported by ALL intermediate realms.
-
-Pre-authentication methods
-
-The TGS-REQ method must be supported. The TGS-REQ method is not used on the
-initial request. The PA-ENC-TIMESTAMP method must be supported by clients
-but whether it is enabled by default may be determined on a realm by realm
-basis. If not used in the initial request and the error
-KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
-acceptable method, the client should retry the initial request using the
-PA-ENC-TIMESTAMP preauthentication method.
Servers need not support the
-PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
-presence of PA-ENC-TIMESTAMP pre-authentication in a request.
-
-Mutual authentication
-
-Mutual authentication (via the KRB_AP_REP message) must be supported.
-
-Ticket addresses and flags
-
-All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
-contains no addresses, the KDC will return derivative tickets), but each
-realm may set its own policy for issuing such tickets, and each application
-server will set its own policy with respect to accepting them.
-
-Proxies and forwarded tickets must be supported. Individual realms and
-application servers can set their own policy on when such tickets will be
-accepted.
-
-All implementations must recognize renewable and postdated tickets, but
-need not actually implement them. If these options are not supported, the
-starttime and endtime in the ticket shall specify a ticket's entire useful
-life. When a postdated ticket is decoded by a server, all implementations
-shall make the presence of the postdated flag visible to the calling
-server.
-
-User-to-user authentication
-
-Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
-option) must be provided by implementations, but individual realms may
-decide as a matter of policy to reject such requests on a per-principal or
-realm-wide basis.
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-Authorization data
-
-Implementations must pass all authorization data subfields from
-ticket-granting tickets to any derivative tickets unless directed to
-suppress a subfield as part of the definition of that registered subfield
-type (it is never incorrect to pass on a subfield, and no registered
-subfield types presently specify suppression at the KDC).
-
-Implementations must make the contents of any authorization data subfields
-available to the server when a ticket is used.
Implementations are not -required to allow clients to specify the contents of the authorization data -fields. - -Constant ranges - -All protocol constants are constrained to 32 bit (signed) values unless -further constrained by the protocol definition. This limit is provided to -allow implementations to make assumptions about the maximum values that -will be received for these constants. Implementation receiving values -outside this range may reject the request, but they must recover cleanly. - -9.2. Recommended KDC values - -Following is a list of recommended values for a KDC implementation, based -on the list of suggested configuration constants (see section 4.4). - -minimum lifetime 5 minutes -maximum renewable lifetime 1 week -maximum ticket lifetime 1 day -empty addresses only when suitable restrictions appear - in authorization data -proxiable, etc. Allowed. - -10. REFERENCES - -[NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). - -[MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - -[SNS88] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - -[NS78] Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). - -[DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time- - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - -[KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. 
Ts'o, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - -[Neu93] B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - -[DS90] Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - -[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - -[X509-88] CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - -[Pat92]. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - -[DES77] National Bureau of Standards, U.S. Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - -[DESM80] National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - -[SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - -[IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - -[MD4-92] R. 
Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - -[MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - -[KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - -[Horowitz96] Horowitz, M., "Key Derivation for Authentication, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - Integrity, and Privacy", draft-horowitz-key-derivation-02.txt, - August 1998. - -[HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-01.txt, September 1998. - -[Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - -A. Pseudo-code for protocol processing - -This appendix provides pseudo-code describing how the messages are to be -constructed and interpreted by clients and servers. - -A.1. 
KRB_AS_REQ generation
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt", "localrealm" */
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-A.2.
KRB_AS_REQ verification and KRB_AS_REP generation
-
- decode message into req;
-
- client := lookup(req.cname,req.realm);
- server := lookup(req.sname,req.realm);
-
- get system_time;
- kdc_time := system_time.seconds;
-
- if (!client) then
- /* no client in Database */
- error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
- endif
- if (!server) then
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
-
- if(client.pa_enc_timestamp_required and
- pa_enc_timestamp not present) then
- error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
- endif
-
- if(pa_enc_timestamp present) then
- decrypt req.padata-value into decrypted_enc_timestamp
- using client.key;
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- if(decrypted_enc_timestamp is not within allowable skew)
-then
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- if(decrypted_enc_timestamp and usec is replay)
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- add decrypted_enc_timestamp and usec to replay cache;
- endif
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := req.srealm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags.
For example, some */
- /* realms may refuse to issue renewable tickets */
-
- if (req.kdc-options.FORWARDABLE is set) then
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.PROXIABLE is set) then
- set new_tkt.flags.PROXIABLE;
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if ((req.kdc-options.RENEW is set) or
- (req.kdc-options.VALIDATE is set) or
- (req.kdc-options.PROXY is set) or
- (req.kdc-options.FORWARDED is set) or
- (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
- error_out(KDC_ERR_BADOPTION);
- endif
-
- new_tkt.session := random_session_key();
- new_tkt.cname := req.cname;
- new_tkt.crealm := req.crealm;
- new_tkt.transited := empty_transited_field();
-
- new_tkt.authtime := kdc_time;
-
- if (req.kdc-options.POSTDATED is set) then
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- new_tkt.starttime := req.from;
- else
- omit new_tkt.starttime; /* treated as authtime when omitted */
- endif
- if (req.till = 0) then
- till := infinity;
- else
- till := req.till;
- endif
-
- new_tkt.endtime := min(till,
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
- new_tkt.starttime+max_life_for_realm);
-
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (new_tkt.endtime < req.till)) then
- /* we set the RENEWABLE option for later processing */
- set req.kdc-options.RENEWABLE;
- req.rtime := req.till;
- endif
-
- if (req.rtime = 0) then
- rtime := infinity;
- else
- rtime := req.rtime;
- endif
-
- if (req.kdc-options.RENEWABLE is set) then
- set new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
-
-new_tkt.starttime+client.max_rlife,
-
-new_tkt.starttime+server.max_rlife,
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03
November 18 1998
-
-
-
-new_tkt.starttime+max_rlife_for_realm);
- else
- omit new_tkt.renew-till; /* only present if RENEWABLE */
- endif
-
- if (req.addresses) then
- new_tkt.caddr := req.addresses;
- else
- omit new_tkt.caddr;
- endif
-
- new_tkt.authorization_data := empty_authorization_data();
-
- encode to-be-encrypted part of ticket into OCTET STRING;
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key, server.p_kvno;
-
- /* Start processing the response */
-
- resp.pvno := 5;
- resp.msg-type := KRB_AS_REP;
- resp.cname := req.cname;
- resp.crealm := req.realm;
- resp.ticket := new_tkt;
-
- resp.key := new_tkt.session;
- resp.last-req := fetch_last_request_info(client);
- resp.nonce := req.nonce;
- resp.key-expiration := client.expiration;
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- resp.realm := new_tkt.realm;
- resp.sname := new_tkt.sname;
-
- resp.caddr := new_tkt.caddr;
-
- encode body of reply into OCTET STRING;
-
- resp.enc-part := encrypt OCTET STRING
- using use_etype, client.key, client.p_kvno;
- send(resp);
-
-A.3.
KRB_AS_REP verification
-
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
- set pa_enc_timestamp_required;
- goto KRB_AS_REQ;
- endif
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key */
- /* from the response immediately */
-
- key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
- resp.padata);
- unencrypted part of resp := decode of decrypt of resp.enc-part
- using resp.enc-part.etype and key;
- zero(key);
-
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- if near(resp.princ_exp) then
- print(warning message);
- endif
- save_for_later(ticket,session,client,server,times,flags);
-
-A.4. KRB_AS_REP and KRB_TGS_REP common checks
-
- if (decryption_error() or
- (req.cname != resp.cname) or
- (req.realm != resp.crealm) or
- (req.sname != resp.sname) or
- (req.realm != resp.realm) or
- (req.nonce != resp.nonce) or
- (req.addresses != resp.caddr)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- /* make sure no flags are set that shouldn't be, and that all that
-*/
- /* should be are set
-*/
- if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.from = 0) and
- (resp.starttime is not within allowable skew)) then
- destroy resp.key;
- return KRB_AP_ERR_SKEW;
- endif
- if ((req.from != 0) and (req.from != resp.starttime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.till != 0) and (resp.endtime > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.kdc-options.RENEWABLE is set) and
- (req.rtime != 0) and (resp.renew-till > req.rtime)) then
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT
draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (resp.flags.RENEWABLE) and
- (req.till != 0) and
- (resp.renew-till > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
-A.5. KRB_TGS_REQ generation
-
- /* Note that make_application_request might have to recursivly
-*/
- /* call this routine to get the appropriate ticket-granting ticket
-*/
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_TGS_REQ */
-
- body.kdc-options := users's preferences;
- /* If the TGT is not for the realm of the end-server */
- /* then the sname will be for a TGT for the end-realm */
- /* and the realm of the requested ticket (body.realm) */
- /* will be that of the TGS to which the TGT we are */
- /* sending applies */
- body.sname := service's name;
- body.realm := service's realm;
-
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
-
- body.enc-authorization-data := user-supplied data;
- if (body.kdc-options.ENC-TKT-IN-SKEY) then
- body.additional-tickets_ticket := second TGT;
- endif
-
- request.req-body := body;
- check := generate_checksum (req.body,checksumtype);
-
- request.padata[0].padata-type := PA-TGS-REQ;
- request.padata[0].padata-value := create a KRB_AP_REQ using
- the TGT and checksum
-
- /* add in any other padata as required/supplied */
- kerberos := lookup(name of local kerberose server (or servers));
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
-A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
-
- /* note that reading the application request requires first
- determining the server for which a ticket was issued, and choosing
-the
- correct key for decryption. The name of the server appears in the
- plaintext part of the ticket. */
-
- if (no KRB_AP_REQ in req.padata) then
- error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
- endif
- verify KRB_AP_REQ in req.padata;
-
- /* Note that the realm in which the Kerberos server is operating is
- determined by the instance from the ticket-granting ticket. The
-realm
- in the ticket-granting ticket is the realm under which the ticket
- granting ticket was issued. It is possible for a single Kerberos
- server to support more than one realm. */
-
- auth_hdr := KRB_AP_REQ;
- tgt := auth_hdr.ticket;
-
- if (tgt.sname is not a TGT for local realm and is not req.sname)
-then
- error_out(KRB_AP_ERR_NOT_US);
-
- realm := realm_tgt_is_for(tgt);
-
- decode remainder of request;
-
- if (auth_hdr.authenticator.cksum is missing) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
-
- if (auth_hdr.authenticator.cksum type is not supported) then
- error_out(KDC_ERR_SUMTYPE_NOSUPP);
- endif
- if (auth_hdr.authenticator.cksum is not both collision-proof and
-keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
-
- set computed_checksum := checksum(req);
- if (computed_checksum != auth_hdr.authenticatory.cksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- server := lookup(req.sname,realm);
-
- if (!server) then
- if (is_foreign_tgt_name(req.sname)) then
- server := best_intermediate_tgs(req.sname);
- else
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- endif
- endif
-
- session := generate_random_session_key();
-
- use_etype :=
first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := realm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. For example, some */
- /* realms may refuse to issue renewable tickets */
-
- new_tkt.caddr := tgt.caddr;
- resp.caddr := NULL; /* We only include this if they change */
- if (req.kdc-options.FORWARDABLE is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.FORWARDED is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDED;
- new_tkt.caddr := req.addresses;
- resp.caddr := req.addresses;
- endif
- if (tgt.flags.FORWARDED is set) then
- set new_tkt.flags.FORWARDED;
- endif
-
- if (req.kdc-options.PROXIABLE is set) then
- if (tgt.flags.PROXIABLE is reset)
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXIABLE;
- endif
- if (req.kdc-options.PROXY is set) then
- if (tgt.flags.PROXIABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXY;
- new_tkt.caddr := req.addresses;
- resp.caddr := req.addresses;
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
- if (tgt.flags.MAY-POSTDATE is reset)
- error_out(KDC_ERR_BADOPTION);
- endif
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if (req.kdc-options.POSTDATED is set) then
- if (tgt.flags.MAY-POSTDATE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- new_tkt.starttime := req.from;
- endif
-
- if
(req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would -*/ - /* have been rejected in the initial authentication stage, so -*/ - /* there is no need to check again here -*/ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing -*/ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - 
-new_tkt.starttime+client.max_rlife, - -new_tkt.starttime+server.max_rlife, - -new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till field -out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into -decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data -+ - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + -tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then - - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept it */ - if (check_transited_field(new_tkt.transited) == OK) - set new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), -second-ticket.key; - else - 
new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key,
-server.p_kvno;
- endif
-
- resp.pvno := 5;
- resp.msg-type := KRB_TGS_REP;
- resp.crealm := tgt.crealm;
- resp.cname := tgt.cname;
- resp.ticket := new_tkt;
-
- resp.key := session;
- resp.nonce := req.nonce;
- resp.last-req := fetch_last_request_info(client);
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- omit resp.key-expiration;
-
- resp.sname := new_tkt.sname;
- resp.realm := new_tkt.realm;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- encode body of reply into OCTET STRING;
-
- if (req.padata.authenticator.subkey)
- resp.enc-part := encrypt OCTET STRING using use_etype,
- req.padata.authenticator.subkey;
- else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
-
- send(resp);
-
-A.7. KRB_TGS_REP verification
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key from
- the response immediately */
-
- if (req.padata.authenticator.subkey)
- unencrypted part of resp := decode of decrypt of
-resp.enc-part
- using resp.enc-part.etype and subkey;
- else unencrypted part of resp := decode of decrypt of resp.enc-part
- using resp.enc-part.etype and tgt's session
-key;
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- check authorization_data as necessary;
- save_for_later(ticket,session,client,server,times,flags);
-
-A.8.
Authenticator generation
-
- body.authenticator-vno := authenticator vno; /* = 5 */
- body.cname, body.crealm := client name;
- if (supplying checksum) then
- body.cksum := checksum;
- endif
- get system_time;
- body.ctime, body.cusec := system_time;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
-A.9. KRB_AP_REQ generation
-
- obtain ticket and session_key from cache;
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REQ */
-
- if (desired(MUTUAL_AUTHENTICATION)) then
- set packet.ap-options.MUTUAL-REQUIRED;
- else
- reset packet.ap-options.MUTUAL-REQUIRED;
- endif
- if (using session key for ticket) then
- set packet.ap-options.USE-SESSION-KEY;
- else
- reset packet.ap-options.USE-SESSION-KEY;
- endif
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
- packet.ticket := ticket; /* ticket */
- generate authenticator;
- encode authenticator into OCTET STRING;
- encrypt OCTET STRING into packet.authenticator using session_key;
-
-A.10.
KRB_AP_REQ verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REQ) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.ticket.tkt_vno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.ap_options.USE-SESSION-KEY is set) then
- retrieve session key from ticket-granting ticket for
- packet.ticket.{sname,srealm,enc-part.etype};
- else
- retrieve service key for
- packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
- endif
- if (no_key_available) then
- if (cannot_find_specified_skvno) then
- error_out(KRB_AP_ERR_BADKEYVER);
- else
- error_out(KRB_AP_ERR_NOKEY);
- endif
- endif
- decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- decrypt packet.authenticator into decr_authenticator
- using decr_ticket.key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (decr_authenticator.{cname,crealm} !=
- decr_ticket.{cname,crealm}) then
- error_out(KRB_AP_ERR_BADMATCH);
- endif
- if (decr_ticket.caddr is present) then
- if (sender_address(packet) is not in decr_ticket.caddr) then
- error_out(KRB_AP_ERR_BADADDR);
- endif
- elseif (application requires addresses) then
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (not in_clock_skew(decr_authenticator.ctime,
- decr_authenticator.cusec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- error_out(KRB_AP_ERR_REPEAT);
- endif
- save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
- get system_time;
- if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
- (decr_ticket.flags.INVALID is set)) then
- /* it hasn't
yet become valid */
- error_out(KRB_AP_ERR_TKT_NYV);
- endif
- if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
- error_out(KRB_AP_ERR_TKT_EXPIRED);
- endif
- if (decr_ticket.transited) then
- /* caller may ignore the TRANSITED-POLICY-CHECKED and do
- * check anyway */
- if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
- if (check_transited_field(decr_ticket.transited) then
- error_out(KDC_AP_PATH_NOT_ACCPETED);
- endif
- endif
- endif
- /* caller must check decr_ticket.flags for any pertinent details */
- return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
-
-A.11. KRB_AP_REP generation
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REP */
-
- body.ctime := packet.ctime;
- body.cusec := packet.cusec;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part;
-
-A.12.
KRB_AP_REP verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REP) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- cleartext := decrypt(packet.enc-part) using ticket's session key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- if (cleartext.ctime != authenticator.ctime) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.cusec != authenticator.cusec) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.subkey is present) then
- save cleartext.subkey for future use;
- endif
- if (cleartext.seq-number is present) then
- save cleartext.seq-number for future verifications;
- endif
- return(AUTHENTICATION_SUCCEEDED);
-
-A.13. KRB_SAFE generation
-
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_SAFE */
-
- body.user-data := buffer; /* DATA */
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
- checksum.cksumtype := checksum type;
- compute checksum over body;
- checksum.checksum := checksum value; /* checksum.checksum */
- packet.cksum := checksum;
- packet.safe-body := body;
-
-A.14.
KRB_SAFE verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_SAFE) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.checksum.cksumtype is not both collision-proof and keyed)
-then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
- if (safe_priv_common_checks_ok(packet)) then
- set computed_checksum := checksum(packet.body);
- if (computed_checksum != packet.checksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
- return (packet, PACKET_IS_GENUINE);
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- else
- return common_checks_error;
- endif
-
-A.15. KRB_SAFE and KRB_PRIV common checks
-
- if (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (((packet.timestamp is present) and
- (not in_clock_skew(packet.timestamp,packet.usec))) or
- (packet.timestamp is not present and timestamp expected)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
- error_out(KRB_AP_ERR_REPEAT);
- endif
-
- if (((packet.seq-number is present) and
- ((not in_sequence(packet.seq-number)))) or
- (packet.seq-number is not present and sequence expected)) then
- error_out(KRB_AP_ERR_BADORDER);
- endif
- if (packet.timestamp not present and packet.seq-number not present)
-then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- save_identifier(packet.{timestamp,usec,s-address},
- sender_principal(packet));
-
- return PACKET_IS_OK;
-
-A.16.
KRB_PRIV generation
-
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_PRIV */
-
- packet.enc-part.etype := encryption type;
-
- body.user-data := buffer;
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher;
-
-A.17. KRB_PRIV verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_PRIV) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
-
- if (safe_priv_common_checks_ok(cleartext)) then
- return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
- else
- return common_checks_error;
- endif
-
-A.18.
KRB_CRED generation
-
- invoke KRB_TGS; /* obtain tickets to be provided to peer */
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_CRED */
-
- for (tickets[n] in tickets to be forwarded) do
- packet.tickets[n] = tickets[n].ticket;
- done
-
- packet.enc-part.etype := encryption type;
-
- for (ticket[n] in tickets to be forwarded) do
- body.ticket-info[n].key = tickets[n].session;
- body.ticket-info[n].prealm = tickets[n].crealm;
- body.ticket-info[n].pname = tickets[n].cname;
- body.ticket-info[n].flags = tickets[n].flags;
- body.ticket-info[n].authtime = tickets[n].authtime;
- body.ticket-info[n].starttime = tickets[n].starttime;
- body.ticket-info[n].endtime = tickets[n].endtime;
- body.ticket-info[n].renew-till = tickets[n].renew-till;
- body.ticket-info[n].srealm = tickets[n].srealm;
- body.ticket-info[n].sname = tickets[n].sname;
- body.ticket-info[n].caddr = tickets[n].caddr;
- done
-
- get system_time;
- body.timestamp, body.usec := system_time;
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
- if (using nonce) then
- body.nonce := nonce;
- endif
-
- if (using s-address) then
- body.s-address := sender host addresses;
- endif
- if (limited recipients) then
- body.r-address := recipient host address;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher
- using negotiated encryption key;
-
-A.19.
KRB_CRED verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_CRED) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if ((packet.r-address is present or required) and
- (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (not in_clock_skew(packet.timestamp,packet.usec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
- error_out(KRB_AP_ERR_REPEAT);
- endif
- if (packet.nonce is required or present) and
- (packet.nonce != expected-nonce) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- for (ticket[n] in tickets that were forwarded) do
- save_for_later(ticket[n],key[n],principal[n],
- server[n],times[n],flags[n]);
- return
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-A.20. KRB_ERROR generation
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_ERROR */
-
- get system_time;
- packet.stime, packet.susec := system_time;
- packet.realm, packet.sname := server name;
-
- if (client time available) then
- packet.ctime, packet.cusec := client_time;
- endif
- packet.error-code := error code;
- if (client name available) then
- packet.cname, packet.crealm := client name;
- endif
- if (error text available) then
- packet.e-text := error text;
- endif
- if (error data available) then
- packet.e-data := error data;
- endif
-
-B.
Definition of common authorization data elements
-
-This appendix contains the definitions of common authorization data
-elements. These common authorization data elements are recursivly defined,
-meaning the ad-data for these types will itself contain a sequence of
-authorization data whose interpretation is affected by the encapsulating
-element. Depending on the meaning of the encapsulating element, the
-encapsulated elements may be ignored, might be interpreted as issued
-directly by the KDC, or they might be stored in a separate plaintext part
-of the ticket. The types of the encapsulating elements are specified as
-part of the Kerberos specification because the behavior based on these
-values should be understood across implementations whereas other elements
-need only be understood by the applications which they affect.
-
-In the definitions that follow, the value of the ad-type for the element
-will be specified in the subsection number, and the value of the ad-data
-will be as shown in the ASN.1 structure that follows the subsection
-heading.
-
-B.1. KDC Issued
-
-AD-KDCIssued SEQUENCE {
- ad-checksum[0] Checksum,
- i-realm[1] Realm OPTIONAL,
- i-sname[2] PrincipalName OPTIONAL,
- elements[3] AuthorizationData.
-}
-
-ad-checksum
- A checksum over the elements field using a cryptographic checksum
- method that is identical to the checksum used to protect the ticket
- itself (i.e. using the same hash function and the same encryption
- algorithm used to encrypt the ticket) and using a key derived from the
- same key used to protect the ticket.
-i-realm, i-sname
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
- The name of the issuing principal if different from the KDC itself.
- This field would be used when the KDC can verify the authenticity of
- elements signed by the issuing principal and it allows this KDC to
- notify the application server of the validity of those elements.
-elements - A sequence of authorization data elements issued by the KDC. - -The KDC-issued ad-data field is intended to provide a means for Kerberos -principal credentials to embed within themselves privilege attributes and -other mechanisms for positive authorization, amplifying the priveleges of -the principal beyond what can be done using a credentials without such an -a-data element. - -This can not be provided without this element because the definition of the -authorization-data field allows elements to be added at will by the bearer -of a TGT at the time that they request service tickets and elements may -also be added to a delegated ticket by inclusion in the authenticator. - -For KDC-issued elements this is prevented because the elements are signed -by the KDC by including a checksum encrypted using the server's key (the -same key used to encrypt the ticket - or a key derived from that key). -Elements encapsulated with in the KDC-issued element will be ignored by the -application server if this "signature" is not present. Further, elements -encapsulated within this element from a ticket granting ticket may be -interpreted by the KDC, and used as a basis according to policy for -including new signed elements within derivative tickets, but they will not -be copied to a derivative ticket directly. If they are copied directly to a -derivative ticket by a KDC that is not aware of this element, the signature -will not be correct for the application ticket elements, and the field will -be ignored by the application server. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.2. 
Intended for server
-
-AD-INTENDED-FOR-SERVER SEQUENCE {
- intended-server[0] SEQUENCE OF PrincipalName
- elements[1] AuthorizationData
-}
-
-AD elements encapsulated within the intended-for-server element may be
-ignored if the application server is not in the list of principal names of
-intended servers. Further, a KDC issuing a ticket for an application server
-can remove this element if the application server is not in the list of
-intended servers.
-
-Application servers should check for their principal name in the
-intended-server field of this element. If their principal name is not
-found, this element should be ignored. If found, then the encapsulated
-elements should be evaluated in the same manner as if they were present in
-the top level authorization data field. Applications and application
-servers that do not implement this element should reject tickets that
-contain authorization data elements of this type.
-
-B.3. Intended for application class
-
-AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
-encapsulated within the intended-for-application-class element may be
-ignored if the application server is not in one of the named classes of
-application servers. Examples of application server classes include
-"FILESYSTEM", and other kinds of servers.
-
-This element and the elements it encapulates may be safely ignored by
-applications, application servers, and KDCs that do not implement this
-element.
-
-B.4. If relevant
-
-AD-IF-RELEVANT AuthorizationData
-
-AD elements encapsulated within the if-relevant element are intended for
-interpretation only by application servers that understand the particular
-ad-type of the embedded element.
Application servers that do not understand
-the type of an element embedded within the if-relevant element may ignore
-the uninterpretable element. This element promotes interoperability across
-implementations which may have local extensions for authorization.
-
-B.5. And-Or
-
-AD-AND-OR SEQUENCE {
- condition-count[0] INTEGER,
- elements[1] AuthorizationData
-}
-
-When restrictive AD elements encapsulated within the and-or element are
-encountered, only the number specified in condition-count of the
-encapsulated conditions must be met in order to satisfy this element. This
-element may be used to implement an "or" operation by setting the
-condition-count field to 1, and it may specify an "and" operation by
-setting the condition count to the number of embedded elements. Application
-servers that do not implement this element must reject tickets that contain
-authorization data elements of this type.
-
-B.6. Mandatory ticket extensions
-
-AD-Mandatory-Ticket-Extensions Checksum
-
-An authorization data element of type mandatory-ticket-extensions specifies
-a collision-proof checksum using the same hash algorithm used to protect
-the integrity of the ticket itself. This checksum will be calculated over
-an individual extension field. If there are more than one extension,
-multiple Mandatory-Ticket-Extensions authorization data elements may be
-present, each with a checksum for a different extension field. This
-restriction indicates that the ticket should not be accepted if a ticket
-extension is not present in the ticket for which the checksum does not
-match that checksum specified in the authorization data element.
-Application servers that do not implement this element must reject tickets
-that contain authorization data elements of this type.
-
-B.7.
Authorization Data in ticket extensions
-
-AD-IN-Ticket-Extensions Checksum
-
-An authorization data element of type in-ticket-extensions specifies a
-collision-proof checksum using the same hash algorithm used to protect the
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-integrity of the ticket itself. This checksum is calculated over a separate
-external AuthorizationData field carried in the ticket extensions.
-Application servers that do not implement this element must reject tickets
-that contain authorization data elements of this type. Application servers
-that do implement this element will search the ticket extensions for
-authorization data fields, calculate the specified checksum over each
-authorization data field and look for one matching the checksum in this
-in-ticket-extensions element. If not found, then the ticket must be
-rejected. If found, the corresponding authorization data elements will be
-interpreted in the same manner as if they were contained in the top level
-authorization data field.
-
-Note that if multiple external authorization data fields are present in a
-ticket, each will have a corresponding element of type in-ticket-extensions
-in the top level authorization data field, and the external entries will be
-linked to the corresponding element by their checksums.
-
-C. Definition of common ticket extensions
-
-This appendix contains the definitions of common ticket extensions. Support
-for these extensions is optional. However, certain extensions have
-associated authorization data elements that may require rejection of a
-ticket containing an extension by application servers that do not implement
-the particular extension. Other extensions have been defined beyond those
-described in this specification. Such extensions are described elswhere and
-for some of those extensions the reserved number may be found in the list
-of constants.
- -It is known that older versions of Kerberos did not support this field, and -that some clients will strip this field from a ticket when they parse and -then reassemble a ticket as it is passed to the application servers. The -presence of the extension will not break such clients, but any functionaly -dependent on the extensions will not work when such tickets are handled by -old clients. In such situations, some implementation may use alternate -methods to transmit the information in the extensions field. - -C.1. Null ticket extension - -TE-NullExtension OctetString -- The empty Octet String - -The te-data field in the null ticket extension is an octet string of lenght -zero. This extension may be included in a ticket granting ticket so that -the KDC can determine on presentation of the ticket granting ticket whether -the client software will strip the extensions field. - -C.2. External Authorization Data - -TE-ExternalAuthorizationData AuthorizationData - -The te-data field in the external authorization data ticket extension is -field of type AuthorizationData containing one or more authorization data -elements. If present, a corresponding authorization data element will be -present in the primary authorization data for the ticket and that element -will contain a checksum of the external authorization data ticket -extension. - ------------------------------------------------------------------------ -[TM] Project Athena, Athena, and Kerberos are trademarks of the -Massachusetts Institute of Technology (MIT). No commercial use of these -trademarks may be made without prior written permission of MIT. - -Neuman, Ts'o, Kohl Expires: 18 May 1999 - - -INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998 - - - -[1] Note, however, that many applications use Kerberos' functions only upon -the initiation of a stream-based network connection. 
Unless an application
-subsequently provides integrity protection for the data stream, the
-identity verification applies only to the initiation of the connection, and
-does not guarantee that subsequent messages on the connection originate
-from the same principal.
-
-[2] Secret and private are often used interchangeably in the literature. In
-our usage, it takes two (or more) to share a secret, thus a shared DES key
-is a secret key. Something is only private when no one but its owner knows
-it. Thus, in public key cryptosystems, one has a public and a private key.
-
-[3] Of course, with appropriate permission the client could arrange
-registration of a separately-named prin- cipal in a remote realm, and
-engage in normal exchanges with that realm's services. However, for even
-small numbers of clients this becomes cumbersome, and more automatic
-methods as described here are necessary.
-
-[4] Though it is permissible to request or issue tick- ets with no network
-addresses specified.
-
-[5] The password-changing request must not be honored unless the requester
-can provide the old password (the user's current secret key). Otherwise, it
-would be possible for someone to walk up to an unattended ses- sion and
-change another user's password.
-
-[6] To authenticate a user logging on to a local system, the credentials
-obtained in the AS exchange may first be used in a TGS exchange to obtain
-credentials for a local server. Those credentials must then be verified by
-a local server through successful completion of the Client/Server exchange.
-
-[7] "Random" means that, among other things, it should be impossible to
-guess the next session key based on knowledge of past session keys. This
-can only be achieved in a pseudo-random number generator if it is based on
-cryptographic principles. It is more desirable to use a truly random number
-generator, such as one based on measurements of random physical phenomena.
-
-[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
-here refers to the entire unit, which can be copied from one message and
-replayed in another without any cryptographic skill.
-
-[9] Note that this can make applications based on unreliable transports
-difficult to code correctly. If the transport might deliver duplicated
-messages, either a new authenticator must be generated for each retry, or
-the application server must match requests and replies and replay the first
-reply in response to a detected duplicate.
-
-[10] This is used for user-to-user authentication as described in [8].
-
-[11] Note that the rejection here is restricted to authenticators from the
-same principal to the same server. Other client principals communicating
-with the same server principal should not be have their authenticators
-rejected if the time and microsecond fields happen to match some other
-client's authenticator.
-
-[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
-client's timestamp plus one. This is not necessary in version 5 because
-version 5 messages are formatted in such a way that it is not possible to
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-create the reply by judicious message surgery (even in encrypted form)
-without knowledge of the appropriate encryption keys.
-
-[13] Note that for encrypting the KRB_AP_REP message, the sub-session key
-is not used, even if present in the Authenticator.
-
-[14] Implementations of the protocol may wish to provide routines to choose
-subkeys based on session keys and random numbers and to generate a
-negotiated key to be returned in the KRB_AP_REP message.
-
-[15]This can be accomplished in several ways. It might be known beforehand
-(since the realm is part of the principal identifier), it might be stored
-in a nameserver, or it might be obtained from a configura- tion file.
If
-the realm to be used is obtained from a nameserver, there is a danger of
-being spoofed if the nameservice providing the realm name is not authenti-
-cated. This might result in the use of a realm which has been compromised,
-and would result in an attacker's ability to compromise the authentication
-of the application server to the client.
-
-[16] If the client selects a sub-session key, care must be taken to ensure
-the randomness of the selected sub- session key. One approach would be to
-generate a random number and XOR it with the session key from the
-ticket-granting ticket.
-
-[17] This allows easy implementation of user-to-user authentication [8],
-which uses ticket-granting ticket session keys in lieu of secret server
-keys in situa- tions where such secret keys could be easily comprom- ised.
-
-[18] For the purpose of appending, the realm preceding the first listed
-realm is considered to be the null realm ("").
-
-[19] For the purpose of interpreting null subfields, the client's realm is
-considered to precede those in the transited field, and the server's realm
-is considered to follow them.
-
-[20] This means that a client and server running on the same host and
-communicating with one another using the KRB_SAFE messages should not share
-a common replay cache to detect KRB_SAFE replays.
-
-[21] The implementation of the Kerberos server need not combine the
-database and the server on the same machine; it is feasible to store the
-principal database in, say, a network name service, as long as the entries
-stored therein are protected from disclosure to and modification by
-unauthorized parties. However, we recommend against such strategies, as
-they can make system management and threat analysis quite complex.
-
-[22] See the discussion of the padata field in section 5.4.2 for details on
-why this can be useful.
-
-[23] Warning for implementations that unpack and repack data structures
-during the generation and verification of embedded checksums: Because any
-checksums applied to data structures must be checked against the original
-data the length of bit strings must be preserved within a data structure
-between the time that a checksum is generated through transmission to the
-time that the checksum is verified.
-
-[24] It is NOT recommended that this time value be used to adjust the
-workstation's clock since the workstation cannot reliably determine that
-such a KRB_AS_REP actually came from the proper KDC in a timely manner.
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-r-03 November 18 1998
-
-
-
-[25] Note, however, that if the time is used as the nonce, one must make
-sure that the workstation time is monotonically increasing. If the time is
-ever reset backwards, there is a small, but finite, probability that a
-nonce will be reused.
-
-[27] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[29] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[31] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[32] If supported by the encryption method in use, an initialization vector
-may be passed to the encryption procedure, in order to achieve proper
-cipher chaining. The initialization vector might come from the last block
-of the ciphertext from the previous KRB_PRIV message, but it is the
-application's choice whether or not to use such an initialization vector.
-If left out, the default initialization vector for the encryption algorithm
-will be used.
-
-[33] This prevents an attacker who generates an incorrect AS request from
-obtaining verifiable plaintext for use in an off-line password guessing
-attack.
-
-[35] In the above specification, UNTAGGED OCTET STRING(length) is the
-notation for an octet string with its tag and length removed. It is not a
-valid ASN.1 type. The tag bits and length must be removed from the
-confounder since the purpose of the confounder is so that the message
-starts with random data, but the tag and its length are fixed. For other
-fields, the length and tag would be redundant if they were included because
-they are specified by the encryption type. [36] The ordering of the fields
-in the CipherText is important. Additionally, messages encoded in this
-format must include a length as part of the msg-seq field. This allows the
-recipient to verify that the message has not been truncated. Without a
-length, an attacker could use a chosen plaintext attack to generate a
-message which could be truncated, while leaving the checksum intact. Note
-that if the msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING,
-then the length is part of that encoding.
-
-[37] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[38] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[39] A variant of the key is used to limit the use of a key to a particular
-function, separating the functions of generating a checksum from other
-encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
-was chosen because it maintains key parity. The properties of DES precluded
-the use of the complement. The same constant is used for similar purpose in
-the Message Integrity Check in the Privacy Enhanced Mail standard.
-
-[40] This error carries additional information in the e- data field.
The
-contents of the e-data field for this message is described in section
-5.9.1.
-
-
-Neuman, Ts'o, Kohl Expires: 18 May 1999
-
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt
deleted file mode 100644
index 16af15dbce9f..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt
+++ /dev/null
@@ -1,6780 +0,0 @@
-INTERNET-DRAFT Clifford Neuman
- John Kohl
- Theodore Ts'o
- June 25, 1999
- Expires December 25, 1999
-draft-ietf-cat-kerberos-revisions-04.txt
-
-The Kerberos Network Authentication Service (V5)
-
-STATUS OF THIS MEMO
-
-This document is an Internet-Draft and is in full conformance with all
-provisions of Section 10 of RFC2026. Internet-Drafts are working documents
-of the Internet Engineering Task Force (IETF), its areas, and its working
-groups. Note that other groups may also distribute working documents as
-Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months and
-may be updated, replaced, or obsoleted by other documents at any time. It is
-inappropriate to use Internet- Drafts as reference material or to cite them
-other than as "work in progress."
-
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt
-
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html. To learn the current status of any
-Internet-Draft, please check the '1id-abstracts.txt' listing contained in
-the Internet-Drafts Shadow Directories.
-
-The distribution of this memo is unlimited. It is filed as
-draft-ietf-cat-kerberos-revisions-04.txt, and expires December 25th, 1999.
-Please send comments to: krb-protocol@MIT.EDU
-
-ABSTRACT
-
-This document provides an overview and specification of Version 5 of the
-Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
-and its intended use that require more detailed or clearer explanation than
-was provided in RFC1510. This document is intended to provide a detailed
-description of the protocol, suitable for implementation, together with
-descriptions of the appropriate use of protocol messages and fields within
-those messages.
-
-This document is not intended to describe Kerberos to the end user, system
-administrator, or application developer.
Higher level papers describing
-Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
-are available elsewhere.
-
-OVERVIEW
-
-This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
-network authentication system is based. It also specifies Version 5 of the
-Kerberos protocol.
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-The motivations, goals, assumptions, and rationale behind most design
-decisions are treated cursorily; they are more fully described in a paper
-available in IEEE communications [NT94] and earlier in the Kerberos portion
-of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
-standard and are being considered for advancement for draft standard through
-the IETF standard process. Comments are encouraged on the presentation, but
-only minor refinements to the protocol as implemented or extensions that fit
-within current protocol framework will be considered at this time.
-
-Requests for addition to an electronic mailing list for discussion of
-Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
-This mailing list is gatewayed onto the Usenet as the group
-comp.protocols.kerberos. Requests for further information, including
-documents and code availability, may be sent to info-kerberos@MIT.EDU.
-
-BACKGROUND
-
-The Kerberos model is based in part on Needham and Schroeder's trusted
-third-party authentication protocol [NS78] and on modifications suggested by
-Denning and Sacco [DS81]. The original design and implementation of Kerberos
-Versions 1 through 4 was the work of two former Project Athena staff
-members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
-(now at the Information Sciences Institute of the University of Southern
-California), along with Jerome Saltzer, Technical Director of Project
-Athena, and Jeffrey Schiller, MIT Campus Network Manager.
Many other members
-of Project Athena have also contributed to the work on Kerberos.
-
-Version 5 of the Kerberos protocol (described in this document) has evolved
-from Version 4 based on new requirements and desires for features not
-available in Version 4. The design of Version 5 of the Kerberos protocol was
-led by Clifford Neuman and John Kohl with much input from the community. The
-development of the MIT reference implementation was led at MIT by John Kohl
-and Theodore T'so, with help and contributed code from many others. Since
-RFC1510 was issued, extensions and revisions to the protocol have been
-proposed by many individuals. Some of these proposals are reflected in this
-document. Where such changes involved significant effort, the document cites
-the contribution of the proposer.
-
-Reference implementations of both version 4 and version 5 of Kerberos are
-publicly available and commercial implementations have been developed and
-are widely used. Details on the differences between Kerberos Versions 4 and
-5 can be found in [KNT92].
-
-1. Introduction
-
-Kerberos provides a means of verifying the identities of principals, (e.g. a
-workstation user or a network server) on an open (unprotected) network. This
-is accomplished without relying on assertions by the host operating system,
-without basing trust on host addresses, without requiring physical security
-of all the hosts on the network, and under the assumption that packets
-traveling along the network can be read, modified, and inserted at will[1].
-Kerberos performs authentication under these conditions as a trusted
-third-party authentication service by using conventional (shared secret key
-[2] cryptography. Kerberos extensions have been proposed and implemented
-that provide for the use of public key cryptography during certain phases of
-the authentication protocol.
These extensions provide for authentication of
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-users registered with public key certification authorities, and allow the
-system to provide certain benefits of public key cryptography in situations
-where they are needed.
-
-The basic Kerberos authentication process proceeds as follows: A client
-sends a request to the authentication server (AS) requesting 'credentials'
-for a given server. The AS responds with these credentials, encrypted in the
-client's key. The credentials consist of 1) a 'ticket' for the server and 2)
-a temporary encryption key (often called a "session key"). The client
-transmits the ticket (which contains the client's identity and a copy of the
-session key, all encrypted in the server's key) to the server. The session
-key (now shared by the client and server) is used to authenticate the
-client, and may optionally be used to authenticate the server. It may also
-be used to encrypt further communication between the two parties or to
-exchange a separate sub-session key to be used to encrypt further
-communication.
-
-Implementation of the basic protocol consists of one or more authentication
-servers running on physically secure hosts. The authentication servers
-maintain a database of principals (i.e., users and servers) and their secret
-keys. Code libraries provide encryption and implement the Kerberos protocol.
-In order to add authentication to its transactions, a typical network
-application adds one or two calls to the Kerberos library directly or
-through the Generic Security Services Application Programming Interface,
-GSSAPI, described in separate document. These calls result in the
-transmission of the necessary messages to achieve authentication.
-
-The Kerberos protocol consists of several sub-protocols (or exchanges).
-There are two basic methods by which a client can ask a Kerberos server for
-credentials. In the first approach, the client sends a cleartext request for
-a ticket for the desired server to the AS. The reply is sent encrypted in
-the client's secret key. Usually this request is for a ticket-granting
-ticket (TGT) which can later be used with the ticket-granting server (TGS).
-In the second method, the client sends a request to the TGS. The client uses
-the TGT to authenticate itself to the TGS in the same manner as if it were
-contacting any other application server that requires Kerberos
-authentication. The reply is encrypted in the session key from the TGT.
-Though the protocol specification describes the AS and the TGS as separate
-servers, they are implemented in practice as different protocol entry points
-within a single Kerberos server.
-
-Once obtained, credentials may be used to verify the identity of the
-principals in a transaction, to ensure the integrity of messages exchanged
-between them, or to preserve privacy of the messages. The application is
-free to choose whatever protection may be necessary.
-
-To verify the identities of the principals in a transaction, the client
-transmits the ticket to the application server. Since the ticket is sent "in
-the clear" (parts of it are encrypted, but this encryption doesn't thwart
-replay) and might be intercepted and reused by an attacker, additional
-information is sent to prove that the message originated with the principal
-to whom the ticket was issued. This information (called the authenticator)
-is encrypted in the session key, and includes a timestamp. The timestamp
-proves that the message was recently generated and is not a replay.
-Encrypting the authenticator in the session key proves that it was generated
-by a party possessing the session key.
Since no one except the requesting
-principal and the server know the session key (it is never sent over the
-network in the clear) this guarantees the identity of the client.
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-The integrity of the messages exchanged between principals can also be
-guaranteed using the session key (passed in the ticket and contained in the
-credentials). This approach provides detection of both replay attacks and
-message stream modification attacks. It is accomplished by generating and
-transmitting a collision-proof checksum (elsewhere called a hash or digest
-function) of the client's message, keyed with the session key. Privacy and
-integrity of the messages exchanged between principals can be secured by
-encrypting the data to be passed using the session key contained in the
-ticket or the subsession key found in the authenticator.
-
-The authentication exchanges mentioned above require read-only access to the
-Kerberos database. Sometimes, however, the entries in the database must be
-modified, such as when adding new principals or changing a principal's key.
-This is done using a protocol between a client and a third Kerberos server,
-the Kerberos Administration Server (KADM). There is also a protocol for
-maintaining multiple copies of the Kerberos database. Neither of these
-protocols are described in this document.
-
-1.1. Cross-Realm Operation
-
-The Kerberos protocol is designed to operate across organizational
-boundaries. A client in one organization can be authenticated to a server in
-another. Each organization wishing to run a Kerberos server establishes its
-own 'realm'. The name of the realm in which a client is registered is part
-of the client's name, and can be used by the end-service to decide whether
-to honor a request.
-
-By establishing 'inter-realm' keys, the administrators of two realms can
-allow a client authenticated in the local realm to prove its identity to
-servers in other realms[3]. The exchange of inter-realm keys (a separate key
-may be used for each direction) registers the ticket-granting service of
-each realm as a principal in the other realm. A client is then able to
-obtain a ticket-granting ticket for the remote realm's ticket-granting
-service from its local realm. When that ticket-granting ticket is used, the
-remote ticket-granting service uses the inter-realm key (which usually
-differs from its own normal TGS key) to decrypt the ticket-granting ticket,
-and is thus certain that it was issued by the client's own TGS. Tickets
-issued by the remote ticket-granting service will indicate to the
-end-service that the client was authenticated from another realm.
-
-A realm is said to communicate with another realm if the two realms share an
-inter-realm key, or if the local realm shares an inter-realm key with an
-intermediate realm that communicates with the remote realm. An
-authentication path is the sequence of intermediate realms that are
-transited in communicating from one realm to another.
-
-Realms are typically organized hierarchically. Each realm shares a key with
-its parent and a different key with each child. If an inter-realm key is not
-directly shared by two realms, the hierarchical organization allows an
-authentication path to be easily constructed. If a hierarchical organization
-is not used, it may be necessary to consult a database in order to construct
-an authentication path between realms.
-
-Although realms are typically hierarchical, intermediate realms may be
-bypassed to achieve cross-realm authentication through alternate
-authentication paths (these might be established to make communication
-between two realms more efficient).
It is important for the end-service to
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-know which realms were transited when deciding how much faith to place in
-the authentication process. To facilitate this decision, a field in each
-ticket contains the names of the realms that were involved in authenticating
-the client.
-
-The application server is ultimately responsible for accepting or rejecting
-authentication and should check the transited field. The application server
-may choose to rely on the KDC for the application server's realm to check
-the transited field. The application server's KDC will set the
-TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
-realms may also check the transited field as they issue
-ticket-granting-tickets for other realms, but they are encouraged not to do
-so. A client may request that the KDC's not check the transited field by
-setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
-required to honor this flag.
-
-1.2. Authorization
-
-As an authentication service, Kerberos provides a means of verifying the
-identity of principals on a network. Authentication is usually useful
-primarily as a first step in the process of authorization, determining
-whether a client may use a service, which objects the client is allowed to
-access, and the type of access allowed for each. Kerberos does not, by
-itself, provide authorization. Possession of a client ticket for a service
-provides only for authentication of the client to that service, and in the
-absence of a separate authorization procedure, it should not be considered
-by an application as authorizing the use of that service.
-
-Such separate authorization methods may be implemented as application
-specific access control functions and may be based on files such as the
-application server, or on separately issued authorization credentials such
-as those based on proxies [Neu93] , or on other authorization services.
-
-Applications should not be modified to accept the issuance of a service
-ticket by the Kerberos server (even by an modified Kerberos server) as
-granting authority to use the service, since such applications may become
-vulnerable to the bypass of this authorization check in an environment if
-they interoperate with other KDCs or where other options for application
-authentication (e.g. the PKTAPP proposal) are provided.
-
-1.3. Environmental assumptions
-
-Kerberos imposes a few assumptions on the environment in which it can
-properly function:
-
- * 'Denial of service' attacks are not solved with Kerberos. There are
- places in these protocols where an intruder can prevent an application
- from participating in the proper authentication steps. Detection and
- solution of such attacks (some of which can appear to be nnot-uncommon
- 'normal' failure modes for the system) is usually best left to the
- human administrators and users.
- * Principals must keep their secret keys secret. If an intruder somehow
- steals a principal's key, it will be able to masquerade as that
- principal or impersonate any server to the legitimate principal.
- * 'Password guessing' attacks are not solved by Kerberos. If a user
- chooses a poor password, it is possible for an attacker to successfully
- mount an offline dictionary attack by repeatedly attempting to decrypt,
- with successive entries from a dictionary, messages obtained which are
- encrypted under a key derived from the user's password.
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
- * Each host on the network must have a clock which is 'loosely
- synchronized' to the time of the other hosts; this synchronization is
- used to reduce the bookkeeping needs of application servers when they
- do replay detection. The degree of "looseness" can be configured on a
- per-server basis, but is typically on the order of 5 minutes. If the
- clocks are synchronized over the network, the clock synchronization
- protocol must itself be secured from network attackers.
- * Principal identifiers are not recycled on a short-term basis. A typical
- mode of access control will use access control lists (ACLs) to grant
- permissions to particular principals. If a stale ACL entry remains for
- a deleted principal and the principal identifier is reused, the new
- principal will inherit rights specified in the stale ACL entry. By not
- re-using principal identifiers, the danger of inadvertent access is
- removed.
-
-1.4. Glossary of terms
-
-Below is a list of terms used throughout this document.
-
-Authentication
- Verifying the claimed identity of a principal.
-Authentication header
- A record containing a Ticket and an Authenticator to be presented to a
- server as part of the authentication process.
-Authentication path
- A sequence of intermediate realms transited in the authentication
- process when communicating from one realm to another.
-Authenticator
- A record containing information that can be shown to have been recently
- generated using the session key known only by the client and server.
-Authorization
- The process of determining whether a client may use a service, which
- objects the client is allowed to access, and the type of access allowed
- for each.
-Capability
- A token that grants the bearer permission to access an object or
- service.
In Kerberos, this might be a ticket whose use is restricted by
- the contents of the authorization data field, but which lists no
- network addresses, together with the session key necessary to use the
- ticket.
-Ciphertext
- The output of an encryption function. Encryption transforms plaintext
- into ciphertext.
-Client
- A process that makes use of a network service on behalf of a user. Note
- that in some cases a Server may itself be a client of some other server
- (e.g. a print server may be a client of a file server).
-Credentials
- A ticket plus the secret session key necessary to successfully use that
- ticket in an authentication exchange.
-KDC
- Key Distribution Center, a network service that supplies tickets and
- temporary session keys; or an instance of that service or the host on
- which it runs. The KDC services both initial ticket and ticket-granting
- ticket requests. The initial ticket portion is sometimes referred to as
- the Authentication Server (or service). The ticket-granting ticket
- portion is sometimes referred to as the ticket-granting server (or
- service).
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-Kerberos
- Aside from the 3-headed dog guarding Hades, the name given to Project
- Athena's authentication service, the protocol used by that service, or
- the code used to implement the authentication service.
-Plaintext
- The input to an encryption function or the output of a decryption
- function. Decryption transforms ciphertext into plaintext.
-Principal
- A uniquely named client or server instance that participates in a
- network communication.
-Principal identifier
- The name used to uniquely identify each different principal.
-Seal
- To encipher a record containing several fields in such a way that the
- fields cannot be individually replaced without either knowledge of the
- encryption key or leaving evidence of tampering.
-Secret key
- An encryption key shared by a principal and the KDC, distributed
- outside the bounds of the system, with a long lifetime. In the case of
- a human user's principal, the secret key is derived from a password.
-Server
- A particular Principal which provides a resource to network clients.
- The server is sometimes refered to as the Application Server.
-Service
- A resource provided to network clients; often provided by more than one
- server (for example, remote file service).
-Session key
- A temporary encryption key used between two principals, with a lifetime
- limited to the duration of a single login "session".
-Sub-session key
- A temporary encryption key used between two principals, selected and
- exchanged by the principals using the session key, and with a lifetime
- limited to the duration of a single association.
-Ticket
- A record that helps a client authenticate itself to a server; it
- contains the client's identity, a session key, a timestamp, and other
- information, all sealed using the server's secret key. It only serves
- to authenticate a client when presented along with a fresh
- Authenticator.
-
-2. Ticket flag uses and requests
-
-Each Kerberos ticket contains a set of flags which are used to indicate
-various attributes of that ticket. Most flags may be requested by a client
-when the ticket is obtained; some are automatically turned on and off by a
-Kerberos server as required. The following sections explain what the various
-flags mean, and gives examples of reasons to use such a flag.
-
-2.1. Initial and pre-authenticated tickets
-
-The INITIAL flag indicates that a ticket was issued using the AS protocol
-and not issued based on a ticket-granting ticket. Application servers that
-want to require the demonstrated knowledge of a client's secret key (e.g.
a
-password-changing program) can insist that this flag be set in any tickets
-they accept, and thus be assured that the client's key was recently
-presented to the application client.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
-initial authentication, regardless of whether the current ticket was issued
-directly (in which case INITIAL will also be set) or issued on the basis of
-a ticket-granting ticket (in which case the INITIAL flag is clear, but the
-PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
-ticket-granting ticket).
-
-2.2. Invalid tickets
-
-The INVALID flag indicates that a ticket is invalid. Application servers
-must reject tickets which have this flag set. A postdated ticket will
-usually be issued in this form. Invalid tickets must be validated by the KDC
-before use, by presenting them to the KDC in a TGS request with the VALIDATE
-option specified. The KDC will only validate tickets after their starttime
-has passed. The validation is required so that postdated tickets which have
-been stolen before their starttime can be rendered permanently invalid
-(through a hot-list mechanism) (see section 3.3.3.1).
-
-2.3. Renewable tickets
-
-Applications may desire to hold tickets which can be valid for long periods
-of time. However, this can expose their credentials to potential theft for
-equally long periods, and those stolen credentials would be valid until the
-expiration time of the ticket(s). Simply using short-lived tickets and
-obtaining new ones periodically would require the client to have long-term
-access to its secret key, an even greater risk. Renewable tickets can be
-used to mitigate the consequences of theft.
Renewable tickets have two
-"expiration times": the first is when the current instance of the ticket
-expires, and the second is the latest permissible value for an individual
-expiration time. An application client must periodically (i.e. before it
-expires) present a renewable ticket to the KDC, with the RENEW option set in
-the KDC request. The KDC will issue a new ticket with a new session key and
-a later expiration time. All other fields of the ticket are left unmodified
-by the renewal process. When the latest permissible expiration time arrives,
-the ticket expires permanently. At each renewal, the KDC may consult a
-hot-list to determine if the ticket had been reported stolen since its last
-renewal; it will refuse to renew such stolen tickets, and thus the usable
-lifetime of stolen tickets is reduced.
-
-The RENEWABLE flag in a ticket is normally only interpreted by the
-ticket-granting service (discussed below in section 3.3). It can usually be
-ignored by application servers. However, some particularly careful
-application servers may wish to disallow renewable tickets.
-
-If a renewable ticket is not renewed by its expiration time, the KDC will
-not renew the ticket. The RENEWABLE flag is reset by default, but a client
-may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
-message. If it is set, then the renew-till field in the ticket contains the
-time after which the ticket may not be renewed.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-2.4. Postdated tickets
-
-Applications may occasionally need to obtain tickets for use much later,
-e.g. a batch submission system would need tickets to be valid at the time
-the batch job is serviced. However, it is dangerous to hold valid tickets in
-a batch queue, since they will be on-line longer and more prone to theft.
-Postdated tickets provide a way to obtain these tickets from the KDC at job
-submission time, but to leave them "dormant" until they are activated and
-validated by a further request of the KDC. If a ticket theft were reported
-in the interim, the KDC would refuse to validate the ticket, and the thief
-would be foiled.
-
-The MAY-POSTDATE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. This flag
-must be set in a ticket-granting ticket in order to issue a postdated ticket
-based on the presented ticket. It is reset by default; it may be requested
-by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
-This flag does not allow a client to obtain a postdated ticket-granting
-ticket; postdated ticket-granting tickets can only by obtained by requesting
-the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
-postdated ticket will be the remaining life of the ticket-granting ticket at
-the time of the request, unless the RENEWABLE option is also set, in which
-case it can be the full life (endtime-starttime) of the ticket-granting
-ticket. The KDC may limit how far in the future a ticket may be postdated.
-
-The POSTDATED flag indicates that a ticket has been postdated. The
-application server can check the authtime field in the ticket to see when
-the original authentication occurred. Some services may choose to reject
-postdated tickets, or they may only accept them within a certain period
-after the original authentication. When the KDC issues a POSTDATED ticket,
-it will also be marked as INVALID, so that the application client must
-present the ticket to the KDC to be validated before use.
-
-2.5. Proxiable and proxy tickets
-
-At times it may be necessary for a principal to allow a service to perform
-an operation on its behalf. The service must be able to take on the identity
-of the client, but only for a particular purpose.
A principal can allow a
-service to take on the principal's identity for a particular purpose by
-granting it a proxy.
-
-The process of granting a proxy using the proxy and proxiable flags is used
-to provide credentials for use with specific services. Though conceptually
-also a proxy, user's wishing to delegate their identity for ANY purpose must
-use the ticket forwarding mechanism described in the next section to forward
-a ticket granting ticket.
-
-The PROXIABLE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. When set,
-this flag tells the ticket-granting server that it is OK to issue a new
-ticket (but not a ticket-granting ticket) with a different network address
-based on this ticket. This flag is set if requested by the client on initial
-authentication. By default, the client will request that it be set when
-requesting a ticket granting ticket, and reset when requesting any other
-ticket.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-This flag allows a client to pass a proxy to a server to perform a remote
-request on its behalf, e.g. a print service client can give the print server
-a proxy to access the client's files on a particular file server in order to
-satisfy a print request.
-
-In order to complicate the use of stolen credentials, Kerberos tickets are
-usually valid from only those network addresses specifically included in the
-ticket[4]. When granting a proxy, the client must specify the new network
-address from which the proxy is to be used, or indicate that the proxy is to
-be issued for use from any address.
-
-The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
-Application servers may check this flag and at their option they may require
-additional authentication from the agent presenting the proxy in order to
-provide an audit trail.
-
-2.6.
Forwardable tickets
-
-Authentication forwarding is an instance of a proxy where the service is
-granted complete use of the client's identity. An example where it might be
-used is when a user logs in to a remote system and wants authentication to
-work from that system as if the login were local.
-
-The FORWARDABLE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. The
-FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
-flag, except ticket-granting tickets may also be issued with different
-network addresses. This flag is reset by default, but users may request that
-it be set by setting the FORWARDABLE option in the AS request when they
-request their initial ticket- granting ticket.
-
-This flag allows for authentication forwarding without requiring the user to
-enter a password again. If the flag is not set, then authentication
-forwarding is not permitted, but the same result can still be achieved if
-the user engages in the AS exchange specifying the requested network
-addresses and supplies a password.
-
-The FORWARDED flag is set by the TGS when a client presents a ticket with
-the FORWARDABLE flag set and requests a forwarded ticket by specifying the
-FORWARDED KDC option and supplying a set of addresses for the new ticket. It
-is also set in all tickets issued based on tickets with the FORWARDED flag
-set. Application servers may choose to process FORWARDED tickets differently
-than non-FORWARDED tickets.
-
-2.7. Other KDC options
-
-There are two additional options which may be set in a client's request of
-the KDC. The RENEWABLE-OK option indicates that the client will accept a
-renewable ticket if a ticket with the requested life cannot otherwise be
-provided. If a ticket with the requested life cannot be provided, then the
-KDC may issue a renewable ticket with a renew-till equal to the the
-requested endtime.
The value of the renew-till field may still be adjusted
-by site-determined limits or limits imposed by the individual principal or
-server.
-
-The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
-It indicates that the ticket to be issued for the end server is to be
-encrypted in the session key from the a additional second ticket-granting
-ticket provided with the request. See section 3.3.3 for specific details.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-3. Message Exchanges
-
-The following sections describe the interactions between network clients and
-servers and the messages involved in those exchanges.
-
-3.1. The Authentication Service Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_AS_REQ 5.4.1
- 2. Kerberos to client KRB_AS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The Authentication Service (AS) Exchange between the client and the Kerberos
-Authentication Server is initiated by a client when it wishes to obtain
-authentication credentials for a given server but currently holds no
-credentials. In its basic form, the client's secret key is used for
-encryption and decryption. This exchange is typically used at the initiation
-of a login session to obtain credentials for a Ticket-Granting Server which
-will subsequently be used to obtain credentials for other servers (see
-section 3.3) without requiring further use of the client's secret key. This
-exchange is also used to request credentials for services which must not be
-mediated through the Ticket-Granting Service, but rather require a
-principal's secret key, such as the password-changing service[5]. This
-exchange does not by itself provide any assurance of the the identity of the
-user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply.
The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The response,
-KRB_AS_REP, contains a ticket for the client to present to the server, and a
-session key that will be shared by the client and the server. The session
-key and additional information are encrypted in the client's secret key. The
-KRB_AS_REP message contains information which can be used to detect replays,
-and to associate it with the message to which it replies. Various errors can
-occur; these are indicated by an error response (KRB_ERROR) instead of the
-KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
-message contains information which can be used to associate it with the
-message to which it replies. The lack of encryption in the KRB_ERROR message
-precludes the ability to detect replays, fabrications, or modifications of
-such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends a
-reply without knowing or caring whether they are the same. This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is encrypted
-in that principal's key. The initial request supports an optional field that
-can be used to pass additional information that might be needed for the
-initial exchange. This field may be used for preauthentication as described
-in section [hl<>].
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request.
Among
-these options are whether pre-authentication is to be performed; whether the
-requested ticket is to be renewable, proxiable, or forwardable; whether it
-should be postdated or allow postdating of derivative tickets; and whether a
-renewable ticket will be accepted in lieu of a non-renewable ticket if the
-requested ticket expiration date cannot be satisfied by a non-renewable
-ticket (due to configuration constraints; see section 4). See section A.1
-for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format for
-the ticket is described in section 5.3.1. The contents of the ticket are
-determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
-The authentication server looks up the client and server principals named in
-the KRB_AS_REQ in its database, extracting their respective keys. If
-required, the server pre-authenticates the request, and if the
-pre-authentication check fails, an error message with the code
-KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
-requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
-is returned. Otherwise it generates a 'random' session key[7].
-
-If there are multiple encryption keys registered for a client in the
-Kerberos database (or if the key registered supports multiple encryption
-types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
-request is used by the KDC to select the encryption method to be used for
-encrypting the response to the client. If there is more than one supported,
-strong encryption type in the etype list, the first valid etype for which an
-encryption key is available is used.
The encryption method used to respond
-to a TGS request is taken from the keytype of the session key found in the
-ticket granting ticket. [***I will change the example keytypes to be 3DES
-based examples 7/14***]
-
-When the etype field is present in a KDC request, whether an AS or TGS
-request, the KDC will attempt to assign the type of the random session key
-from the list of methods in the etype field. The KDC will select the
-appropriate type using the list of methods provided together with
-information from the Kerberos database indicating acceptable encryption
-methods for the application server. The KDC will not issue tickets with a
-weak session key encryption type.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
-the requested start time is checked against the policy of the local realm
-(the administrator might decide to prohibit certain types or ranges of
-postdated tickets), and if acceptable, the ticket's start time is set as
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-requested and the INVALID flag is set in the new ticket. The postdated
-ticket must be validated before use by presenting it to the KDC after the
-start time has been reached.
-
-The expiration time of the ticket will be set to the minimum of the
-following:
-
- * The expiration time (endtime) requested in the KRB_AS_REQ message.
- * The ticket's start time plus the maximum allowable lifetime associated
- with the client principal (the authentication server's database
- includes a maximum ticket lifetime field in each principal's record;
- see section 4).
- * The ticket's start time plus the maximum allowable lifetime associated
- with the server principal.
- * The ticket's start time plus the maximum lifetime set by the policy of
- the local realm.
-
-If the requested expiration time minus the start time (as determined above)
-is less than a site-determined minimum lifetime, an error message with code
-KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
-ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
-option was requested, then the 'RENEWABLE' flag is set in the new ticket,
-and the renew-till value is set as if the 'RENEWABLE' option were requested
-(the field and option names are described fully in section 5.4.1).
-
-If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
-been set and a renewable ticket is to be issued, then the renew-till field
-is set to the minimum of:
-
- * Its requested value.
- * The start time of the ticket plus the minimum of the two maximum
- renewable lifetimes associated with the principals' database entries.
- * The start time of the ticket plus the maximum renewable lifetime set by
- the policy of the local realm.
-
-The flags field of the new ticket will have the following options set if
-they have been requested and if the policy of the local realm allows:
-FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
-ticket is post-dated (the start time is in the future), its INVALID flag
-will also be set.
-
-If all of the above succeed, the server formats a KRB_AS_REP message (see
-section 5.4.2), copying the addresses in the request into the caddr of the
-response, placing any required pre-authentication data into the padata of
-the response, and encrypts the ciphertext part in the client's key using the
-requested encryption method, and sends it to the client. See section A.2 for
-pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
-Several errors can occur, and the Authentication Server responds by
-returning an error message, KRB_ERROR, to the client, with the error-code
-and e-text fields set to appropriate values. The error message contents and
-details are described in Section 5.9.1.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-3.1.5. Receipt of KRB_AS_REP message
-
-If the reply message type is KRB_AS_REP, then the client verifies that the
-cname and crealm fields in the cleartext portion of the reply match what it
-requested. If any padata fields are present, they may be used to derive the
-proper secret key to decrypt the message. The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key, start
-and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate a
-KRB_AS_REP format message which decrypts properly but is not from the proper
-KDC. If the host wishes to verify the identity of the user, it must require
-the user to present application credentials which can be verified using a
-securely-stored secret key for the host. If those credentials can be
-verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover.
-
-3.2. The Client/Server Authentication Exchange
-
- Summary
-Message direction Message type Section
-Client to Application server KRB_AP_REQ 5.5.1
-[optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
-The client/server authentication (CS) exchange is used by network
-applications to authenticate the client to the server and vice versa. The
-client must have already acquired credentials for the server using the AS or
-TGS exchange.
-
-3.2.1. The KRB_AP_REQ message
-
-The KRB_AP_REQ contains authentication information which should be part of
-the first message in an authenticated transaction. It contains a ticket, an
-authenticator, and some additional bookkeeping information (see section
-5.5.1 for the exact format). The ticket by itself is insufficient to
-authenticate a client, since tickets are passed across the network in
-cleartext[DS90], so the authenticator is used to prevent invalid replay of
-tickets by proving to the server that the client knows the session key of
-the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
-referred to elsewhere as the 'authentication header.'
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-3.2.2.
Generation of a KRB_AP_REQ message
-
-When a client wishes to initiate authentication to a server, it obtains
-(either through a credentials cache, the AS exchange, or the TGS exchange) a
-ticket and session key for the desired service. The client may re-use any
-tickets it holds until they expire. To use a ticket the client constructs a
-new Authenticator from the the system time, its name, and optionally an
-application specific checksum, an initial sequence number to be used in
-KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
-negotiations for a session key unique to this particular session.
-Authenticators may not be re-used and will be rejected if replayed to a
-server[LGDSR87]. If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use of
-a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors are
-possible. If an error occurs, the server is expected to reply to the client
-with a KRB_ERROR message. This message may be encapsulated in the
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows. If the
-message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
-error.
If the key version indicated by the Ticket in the KRB_AP_REQ is not
-one the server can use (e.g., it indicates an old key, and the server no
-longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
-returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
-indicates to the server that the ticket is encrypted in the session key from
-the server's ticket-granting ticket rather than its secret key[10]. Since it
-is possible for the server to be registered in multiple realms, with
-different keys in each, the srealm field in the unencrypted portion of the
-ticket in the KRB_AP_REQ is used to specify which secret key the server
-should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
-returned if the server doesn't have the proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket. If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
-from the ticket are compared against the same fields in the authenticator.
-If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-not match, for example, if the wrong session key was used to encrypt the
-authenticator). The addresses in the ticket (if any) are then searched for
-an address matching the operating-system reported address of the client.
If
-no match is found or the server insists on ticket addresses but none are
-present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
-error is returned. If the server name, along with the client name, time and
-microsecond fields from the Authenticator match any recently-seen such
-tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
-remember any authenticator presented within the allowable clock skew, so
-that a replay attempt is guaranteed to fail. If a server loses track of any
-authenticator presented within the allowable clock skew, it must reject all
-requests until the clock skew interval has passed. This assures that any
-lost or re-played authenticators will fall outside the allowable clock skew
-and can no longer be successfully replayed (If this is not done, an attacker
-could conceivably record the ticket and authenticator sent over the network
-to a server, then disable the client's host, pose as the disabled host, and
-replay the ticket and authenticator to subvert the authentication.). If a
-sequence number is provided in the authenticator, the server saves it for
-later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
-present, the server either saves it for later use or uses it to help
-generate its own choice for a subkey to be returned in a KRB_AP_REP message.
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-If all these checks succeed without an error, the server is assured that the
-client possesses the credentials of the principal named in the ticket and
-thus, the client has been authenticated to the server. See section A.10 for
-pseudocode.
-
-Passing these checks provides only authentication of the named principal; it
-does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name of
-the user, the requested operation, local acces control information such as
-that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4. Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server need
-not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
-(not only authenticating the client to the server, but also the server to
-the client) is being performed, the KRB_AP_REQ message will have
-MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
-required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not acceptable
-to the application's protocol. The timestamp and microsecond field used in
-the reply must be the client's timestamp and microsecond field (as provided
-in the authenticator)[12]. If a sequence number is to be included, it should
-be randomly chosen as described above for the authenticator. A subkey may be
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-included if the server desires to negotiate a different subkey. The
-KRB_AP_REP message is encrypted in the session key extracted from the
-ticket. See section A.11 for pseudocode.
-
-3.2.5.
Receipt of KRB_AP_REP message
-
-If a KRB_AP_REP message is returned, the client uses the session key from
-the credentials obtained for the server[13] to decrypt the message, and
-verifies that the timestamp and microsecond fields match those in the
-Authenticator it sent to the server. If they match, then the client is
-assured that the server is genuine. The sequence number and subkey (if
-present) are retained for later use. See section A.12 for pseudocode.
-
-3.2.6. Using the encryption key
-
-After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
-share an encryption key which can be used by the application. The 'true
-session key' to be used for KRB_PRIV, KRB_SAFE, or other
-application-specific uses may be chosen by the application based on the
-subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
-the use of this session key will be implicit in the protocol; in others the
-method of use must be chosen from several alternatives. We leave the
-protocol negotiations of how to use the key (e.g. selecting an encryption or
-checksum type) to the application programmer; the Kerberos protocol does not
-constrain the implementation options, but an example of how this might be
-done follows.
-
-One way that an application may choose to negotiate a key to be used for
-subequent integrity and privacy protection is for the client to propose a
-key in the subkey field of the authenticator. The server can then choose a
-key using the proposed key from the client as input, returning the new
-subkey in the subkey field of the application reply. This key could then be
-used for subsequent communication. 
To make this example more concrete, if -the encryption method in use required a 56 bit key, and for whatever reason, -one of the parties was prevented from using a key with more than 40 unknown -bits, this method would allow the the party which is prevented from using -more than 40 bits to either propose (if the client) an initial key with a -known quantity for 16 of those bits, or to mask 16 of the bits (if the -server) with the known quantity. The application implementor is warned, -however, that this is only an example, and that an analysis of the -particular crytosystem to be used, and the reasons for limiting the key -length, must be made before deciding whether it is acceptable to mask bits -of the key. - -With both the one-way and mutual authentication exchanges, the peers should -take care not to send sensitive information to each other without proper -assurances. In particular, applications that require privacy or integrity -should use the KRB_AP_REP response from the server to client to assure both -client and server of their peer's identity. If an application protocol -requires privacy of its messages, it can use the KRB_PRIV message (section -3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -3.3. The Ticket-Granting Service (TGS) Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_TGS_REQ 5.4.1 - 2. Kerberos to client KRB_TGS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The TGS exchange between a client and the Kerberos Ticket-Granting Server is -initiated by a client when it wishes to obtain authentication credentials -for a given server (which might be registered in a remote realm), when it -wishes to renew or validate an existing ticket, or when it wishes to obtain -a proxy ticket. 
In the first case, the client must already have acquired a
-ticket for the Ticket-Granting Service using the AS exchange (the
-ticket-granting ticket is usually obtained when a client initially
-authenticates to the system, such as when a user logs in). The message
-format for the TGS exchange is almost identical to that for the AS exchange.
-The primary difference is that encryption and decryption in the TGS exchange
-does not take place under the client's key. Instead, the session key from
-the ticket-granting ticket or renewable ticket, or sub-session key from an
-Authenticator is used. As is the case for all application servers, expired
-tickets are not accepted by the TGS, so once a renewable or ticket-granting
-ticket expires, the client must use a separate exchange to obtain valid
-tickets.
-
-The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
-client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
-KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
-client plus a request for credentials. The authentication information
-consists of the authentication header (KRB_AP_REQ) which includes the
-client's previously obtained ticket-granting, renewable, or invalid ticket.
-In the ticket-granting ticket and proxy cases, the request may include one
-or more of: a list of network addresses, a collection of typed authorization
-data to be sealed in the ticket for authorization use by the application
-server, or additional tickets (the use of which are described later). The
-TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
-session key from the ticket-granting ticket or renewable ticket, or if
-present, in the sub-session key from the Authenticator (part of the
-authentication header). The KRB_ERROR message contains an error code and
-text explaining what went wrong. The KRB_ERROR message is not encrypted. 
The
-KRB_TGS_REP message contains information which can be used to detect
-replays, and to associate it with the message to which it replies. The
-KRB_ERROR message also contains information which can be used to associate
-it with the message to which it replies, but the lack of encryption in the
-KRB_ERROR message precludes the ability to detect replays or fabrications of
-such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
-Before sending a request to the ticket-granting service, the client must
-determine in which realm the application server is registered[15]. If the
-client does not already possess a ticket-granting ticket for the appropriate
-realm, then one must be obtained. This is first attempted by requesting a
-ticket-granting ticket for the destination realm from a Kerberos server for
-which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
-message recursively). The Kerberos server may return a TGT for the desired
-realm in which case one can proceed. Alternatively, the Kerberos server may
-return a TGT for a realm which is 'closer' to the desired realm (further
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-along the standard hierarchical path), in which case this step must be
-repeated with a Kerberos server in the realm specified in the returned TGT.
-If neither are returned, then the request must be retried with a Kerberos
-server for a realm higher in the hierarchy. This request will itself require
-a ticket-granting ticket for the higher realm which must be obtained by
-recursively applying these directions.
-
-Once the client obtains a ticket-granting ticket for the appropriate realm,
-it determines which Kerberos servers serve that realm, and contacts one. 
The
-list might be obtained through a configuration file or network service or it
-may be generated from the name of the realm; as long as the secret keys
-exchanged by realms are kept secret, only denial of service results from
-using a false Kerberos server.
-
-As in the AS exchange, the client may specify a number of options in the
-KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
-an authentication header as an element of the padata field, and including
-the same fields as used in the KRB_AS_REQ message along with several
-optional fields: the enc-authorization-data field for application server use
-and additional tickets required by some options.
-
-In preparing the authentication header, the client can select a sub-session
-key under which the response from the Kerberos server will be encrypted[16].
-If the sub-session key is not specified, the session key from the
-ticket-granting ticket will be used. If the enc-authorization-data is
-present, it must be encrypted in the sub-session key, if present, from the
-authenticator portion of the authentication header, or if not present, using
-the session key from the ticket-granting ticket.
-
-Once prepared, the message is sent to a Kerberos server for the destination
-realm. See section A.5 for pseudocode.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
-The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
-message, but there are many additional checks to be performed. First, the
-Kerberos server must determine which server the accompanying ticket is for
-and it must select the appropriate key to decrypt it. For a normal
-KRB_TGS_REQ message, it will be for the ticket granting service, and the
-TGS's key will be used. If the TGT was issued by another realm, then the
-appropriate inter-realm key must be used. 
If the accompanying ticket is not
-a ticket granting ticket for the current realm, but is for an application
-server in the current realm, the RENEW, VALIDATE, or PROXY options are
-specified in the request, and the server for which a ticket is requested is
-the server named in the accompanying ticket, then the KDC will decrypt the
-ticket in the authentication header using the key of the server for which it
-was issued. If no ticket can be found in the padata field, the
-KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
-Once the accompanying ticket has been decrypted, the user-supplied checksum
-in the Authenticator must be verified against the contents of the request,
-and the message rejected if the checksums do not match (with an error code
-of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
-collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
-checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
-returned. If the authorization-data are present, they are decrypted using
-the sub-session key from the Authenticator.
-
-If any of the decryptions indicate failed integrity checks, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned.
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-3.3.3. Generation of KRB_TGS_REP message
-
-The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
-but with its type field set to KRB_TGS_REP. The detailed specification is in
-section 5.4.2.
-
-The response will include a ticket for the requested server. The Kerberos
-database is queried to retrieve the record for the requested server
-(including the key with which the ticket will be encrypted). If the request
-is for a ticket granting ticket for a remote realm, and if no key is shared
-with the requested realm, then the Kerberos server will select the realm
-"closest" to the requested realm with which it does share a key, and use
-that realm instead. 
This is the only case where the response from the KDC
-will be for a different server than that requested by the client.
-
-By default, the address field, the client's name and realm, the list of
-transited realms, the time of initial authentication, the expiration time,
-and the authorization data of the newly-issued ticket will be copied from
-the ticket-granting ticket (TGT) or renewable ticket. If the transited field
-needs to be updated, but the transited type is not supported, the
-KDC_ERR_TRTYPE_NOSUPP error is returned.
-
-If the request specifies an endtime, then the endtime of the new ticket is
-set to the minimum of (a) that request, (b) the endtime from the TGT, and
-(c) the starttime of the TGT plus the minimum of the maximum life for the
-application server and the maximum life for the local realm (the maximum
-life for the requesting principal was already applied when the TGT was
-issued). If the new ticket is to be a renewal, then the endtime above is
-replaced by the minimum of (a) the value of the renew_till field of the
-ticket and (b) the starttime for the new ticket plus the life
-(endtime-starttime) of the old ticket.
-
-If the FORWARDED option has been requested, then the resulting ticket will
-contain the addresses specified by the client. This option will only be
-honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
-similar; the resulting ticket will contain the addresses specified by the
-client. It will be honored only if the PROXIABLE flag in the TGT is set. The
-PROXY option will not be honored on requests for additional ticket-granting
-tickets.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. 
If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified or the MAY-POSTDATE flag is not set in the TGT, then the
-error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
-ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
-postdated and the requested starttime is checked against the policy of the
-local realm. If acceptable, the ticket's start time is set as requested, and
-the INVALID flag is set. The postdated ticket must be validated before use
-by presenting it to the KDC after the starttime has been reached. However,
-in no case may the starttime, endtime, or renew-till time of a newly-issued
-postdated ticket extend beyond the renew-till time of the ticket-granting
-ticket.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
-has been included in the request, the KDC will decrypt the additional ticket
-using the key for the server to which the additional ticket was issued and
-verify that it is a ticket-granting ticket. If the name of the requested
-server is missing from the request, the name of the client in the additional
-ticket will be used. Otherwise the name of the requested server will be
-compared to the name of the client in the additional ticket and if
-different, the request will be rejected. If the request succeeds, the
-session key from the additional ticket will be used to encrypt the new
-ticket that is issued instead of using the key of the server for which the
-new ticket will be used[17].
-
-If the name of the server in the ticket that is presented to the KDC as part
-of the authentication header is not that of the ticket-granting server
-itself, the server is registered in the realm of the KDC, and the RENEW
-option is requested, then the KDC will verify that the RENEWABLE flag is set
-in the ticket, that the INVALID flag is not set in the ticket, and that the
-renew_till time is still in the future. If the VALIDATE option is rqeuested,
-the KDC will check that the starttime has passed and the INVALID flag is
-set. If the PROXY option is requested, then the KDC will check that the
-PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
-passes the hotlist check described in the next paragraph, the KDC will issue
-the appropriate new ticket.
-
-3.3.3.1. Checking for revoked tickets
-
-Whenever a request is made to the ticket-granting server, the presented
-ticket(s) is(are) checked against a hot-list of tickets which have been
-canceled. This hot-list might be implemented by storing a range of issue
-timestamps for 'suspect tickets'; if a presented ticket had an authtime in
-that range, it would be rejected. In this way, a stolen ticket-granting
-ticket or renewable ticket cannot be used to gain additional tickets
-(renewals or otherwise) once the theft has been reported. Any normal ticket
-obtained before it was reported stolen will still be valid (because they
-require no interaction with the KDC), but only until their normal expiration
-time.
-
-The ciphertext part of the response in the KRB_TGS_REP message is encrypted
-in the sub-session key from the Authenticator, if present, or the session
-key key from the ticket-granting ticket. It is not encrypted using the
-client's secret key. 
Furthermore, the client's key's expiration date and the
-key version number fields are left out since these values are stored along
-with the client's database record, and that record is not needed to satisfy
-a request based on a ticket-granting ticket. See section A.6 for pseudocode.
-
-3.3.3.2. Encoding the transited field
-
-If the identity of the server in the TGT that is presented to the KDC as
-part of the authentication header is that of the ticket-granting service,
-but the TGT was issued from another realm, the KDC will look up the
-inter-realm key shared with that realm and use that key to decrypt the
-ticket. If the ticket is valid, then the KDC will honor the request, subject
-to the constraints outlined above in the section describing the AS exchange.
-The realm part of the client's identity will be taken from the
-ticket-granting ticket. The name of the realm that issued the
-ticket-granting ticket will be added to the transited field of the ticket to
-be issued. This is accomplished by reading the transited field from the
-ticket-granting ticket (which is treated as an unordered set of realm
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-names), adding the new realm to the set, then constructing and writing out
-its encoded (shorthand) form (this may involve a rearrangement of the
-existing encoding).
-
-Note that the ticket-granting service does not add the name of its own
-realm. Instead, its responsibility is to add the name of the previous realm.
-This prevents a malicious Kerberos server from intentionally leaving out its
-own name (it could, however, omit other realms' names).
-
-The names of neither the local realm nor the principal's realm are to be
-included in the transited field. They appear elsewhere in the ticket and
-both are known to have taken part in authenticating the principal. 
Since the -endpoints are not included, both local and single-hop inter-realm -authentication result in a transited field that is empty. - -Because the name of each realm transited is added to this field, it might -potentially be very long. To decrease the length of this field, its contents -are encoded. The initially supported encoding is optimized for the normal -case of inter-realm communication: a hierarchical arrangement of realms -using either domain or X.500 style realm names. This encoding (called -DOMAIN-X500-COMPRESS) is now described. - -Realm names in the transited field are separated by a ",". The ",", "\", -trailing "."s, and leading spaces (" ") are special characters, and if they -are part of a realm name, they must be quoted in the transited field by -preced- ing them with a "\". - -A realm name ending with a "." is interpreted as being prepended to the -previous realm. For example, we can encode traversal of EDU, MIT.EDU, -ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - -Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they -would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - -A realm name beginning with a "/" is interpreted as being appended to the -previous realm[18]. If it is to stand by itself, then it should be preceded -by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO, -/COM/HP, /COM, and /COM/DEC as: - - "/COM,/HP,/APOLLO, /COM/DEC". - -Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they -they would not be included in this field, and we would have: - - "/COM,/HP" - -A null subfield preceding or following a "," indicates that all realms -between the previous realm and the next realm have been traversed[19]. Thus, -"," means that all realms along the path between the client and the server -have been traversed. 
",EDU, /COM," means that that all realms from the
-client's realm up to EDU (in a domain style hierarchy) have been traversed,
-and that everything from /COM down to the server's realm in an X.500 style
-has also been traversed. This could occur if the EDU realm in one hierarchy
-shares an inter-realm key directly with the /COM realm in another hierarchy.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-3.3.4. Receipt of KRB_TGS_REP message
-
-When the KRB_TGS_REP is received by the client, it is processed in the same
-manner as the KRB_AS_REP processing described above. The primary difference
-is that the ciphertext part of the response must be decrypted using the
-session key from the ticket-granting ticket rather than the client's secret
-key. See section A.7 for pseudocode.
-
-3.4. The KRB_SAFE Exchange
-
-The KRB_SAFE message may be used by clients requiring the ability to detect
-modifications of messages they exchange. It achieves this by including a
-keyed collision-proof checksum of the user data and some control
-information. The checksum is keyed with an encryption key (usually the last
-key negotiated via subkeys, or the session key if no negotiation has
-occured).
-
-3.4.1. Generation of a KRB_SAFE message
-
-When an application wishes to send a KRB_SAFE message, it collects its data
-and the appropriate control information and computes a checksum over them.
-The checksum algorithm should be a keyed one-way hash function (such as the
-RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
-generated using the sub-session key if present, or the session key.
-Different algorithms may be selected by changing the checksum type in the
-message. Unkeyed or non-collision-proof checksums are not suitable for this
-use.
-
-The control information for the KRB_SAFE message includes both a timestamp
-and a sequence number. 
The designer of an application using the KRB_SAFE
-message must choose at least one of the two mechanisms. This choice should
-be based on the needs of the application protocol.
-
-Sequence numbers are useful when all messages sent will be received by one's
-peer. Connection state is presently required to maintain the session key, so
-maintaining the next sequence number should not present an additional
-problem.
-
-If the application protocol is expected to tolerate lost messages without
-them being resent, the use of the timestamp is the appropriate replay
-detection mechanism. Using timestamps is also the appropriate mechanism for
-multi-cast protocols where all of one's peers share a common sub-session
-key, but some messages will be sent to a subset of one's peers.
-
-After computing the checksum, the client then transmits the information and
-checksum to the recipient in the message format specified in section 5.6.1.
-
-3.4.2. Receipt of KRB_SAFE message
-
-When an application receives a KRB_SAFE message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and type
-fields match the current version and KRB_SAFE, respectively. A mismatch
-generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
-application verifies that the checksum used is a collision-proof keyed
-checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
-the sender's address was included in the control information, the recipient
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-verifies that the operating system's report of the sender's address matches
-the sender's address in the message, and (if a recipient address is
-specified or the recipient requires an address) that one of the recipient's
-addresses appears as the recipient's address in the message. 
A failed match
-for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
-usec and/or the sequence number fields are checked. If timestamp and usec
-are expected and not present, or they are present but not current, the
-KRB_AP_ERR_SKEW error is generated. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
-error is generated. If an incorrect sequence number is included, or a
-sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
-is generated. If neither a time-stamp and usec or a sequence number is
-present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
-computed over the data and control information, and if it doesn't match the
-received checksum, a KRB_AP_ERR_MODIFIED error is generated.
-
-If all the checks succeed, the application is assured that the message was
-generated by its peer and was not modi- fied in transit.
-
-3.5. The KRB_PRIV Exchange
-
-The KRB_PRIV message may be used by clients requiring confidentiality and
-the ability to detect modifications of exchanged messages. It achieves this
-by encrypting the messages and adding control information.
-
-3.5.1. Generation of a KRB_PRIV message
-
-When an application wishes to send a KRB_PRIV message, it collects its data
-and the appropriate control information (specified in section 5.7.1) and
-encrypts them under an encryption key (usually the last key negotiated via
-subkeys, or the session key if no negotiation has occured). As part of the
-control information, the client must choose to use either a timestamp or a
-sequence number (or both); see the discussion in section 3.4.1 for
-guidelines on which to use. After the user data and control information are
-encrypted, the client transmits the ciphertext and some 'envelope'
-information to the recipient.
-
-3.5.2. 
Receipt of KRB_PRIV message
-
-When an application receives a KRB_PRIV message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and type
-fields match the current version and KRB_PRIV, respectively. A mismatch
-generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
-application then decrypts the ciphertext and processes the resultant
-plaintext. If decryption shows the data to have been modified, a
-KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
-included in the control information, the recipient verifies that the
-operating system's report of the sender's address matches the sender's
-address in the message, and (if a recipient address is specified or the
-recipient requires an address) that one of the recipient's addresses appears
-as the recipient's address in the message. A failed match for either case
-generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
-sequence number fields are checked. If timestamp and usec are expected and
-not present, or they are present but not current, the KRB_AP_ERR_SKEW error
-is generated. If the server name, along with the client name, time and
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-microsecond fields from the Authenticator match any recently-seen such
-tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
-number is included, or a sequence number is expected but not present, the
-KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
-a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
-
-If all the checks succeed, the application can assume the message was
-generated by its peer, and was securely transmitted (without intruders able
-to see the unencrypted contents).
-
-3.6. 
The KRB_CRED Exchange
-
-The KRB_CRED message may be used by clients requiring the ability to send
-Kerberos credentials from one host to another. It achieves this by sending
-the tickets together with encrypted data containing the session keys and
-other information associated with the tickets.
-
-3.6.1. Generation of a KRB_CRED message
-
-When an application wishes to send a KRB_CRED message it first (using the
-KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
-constructs a KRB_CRED message using the ticket or tickets so obtained,
-placing the session key needed to use each ticket in the key field of the
-corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
-message.
-
-Other information associated with each ticket and obtained during the
-KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
-the encrypted part of the KRB_CRED message. The current time and, if
-specifically required by the application the nonce, s-address, and r-address
-fields, are placed in the encrypted part of the KRB_CRED message which is
-then encrypted under an encryption key previosuly exchanged in the KRB_AP
-exchange (usually the last key negotiated via subkeys, or the session key if
-no negotiation has occured).
-
-3.6.2. Receipt of KRB_CRED message
-
-When an application receives a KRB_CRED message, it verifies it. If any
-error occurs, an error code is reported for use by the application. The
-message is verified by checking that the protocol version and type fields
-match the current version and KRB_CRED, respectively. A mismatch generates a
-KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
-decrypts the ciphertext and processes the resultant plaintext. If decryption
-shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
-generated.
- -If present or required, the recipient verifies that the operating system's -report of the sender's address matches the sender's address in the message, -and that one of the recipient's addresses appears as the recipient's address -in the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field -if required) are checked next. If the timestamp and usec are not present, or -they are present but not current, the KRB_AP_ERR_SKEW error is generated. - -If all the checks succeed, the application stores each of the new tickets in -its ticket cache together with the session key and other information in the -corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED -message. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -4. The Kerberos Database - -The Kerberos server must have access to a database contain- ing the -principal identifiers and secret keys of principals to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The key -can be encrypted before storage under a Kerberos "master key" to protect it -in case the database is compromised but the master key is not. In that case, -an extra field must be added to indicate the master key version used, see -below.) The p_kvno field is the key version number of the principal's secret -key. The max_life field contains the maximum allowable lifetime (endtime - -starttime) for any Ticket issued for this principal. 
The max_renewable_life
-field contains the maximum allowable total lifetime for any renewable Ticket
-issued for this principal. (See section 3.1 for a description of how these
-lifetimes are used in determining the lifetime of a given Ticket.)
-
-A server may provide KDC service to several realms, as long as the database
-representation provides a mechanism to distinguish between principal records
-with identifiers which differ only in the realm name.
-
-When an application server's key changes, if the change is routine (i.e. not
-the result of disclosure of the old key), the old key should be retained by
-the server until all tickets that had been issued using that key have
-expired. Because of this, it is possible for several keys to be active for a
-single principal. Ciphertext encrypted in a principal's key is always tagged
-with the version of the key that was used for encryption, to help the
-recipient find the proper key for decryption.
-
-When more than one key is active for a particular principal, the principal
-will have more than one record in the Kerberos database. The keys and key
-version numbers will differ between the records (the rest of the fields may
-or may not be the same). Whenever Kerberos issues a ticket, or responds to a
-request for initial authentication, the most recent key (known by the
-Kerberos server) will be used for encryption. This is the key with the
-highest key version number.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-4.2. Additional fields
-
-Project Athena's KDC implementation uses additional fields in its database:
-
-Field Value
-
-K_kvno Kerberos' key version
-expiration Expiration date for entry
-attributes Bit field of attributes
-mod_date Timestamp of last modification
-mod_name Modifying principal's identifier
-
-The K_kvno field indicates the key version of the Kerberos master key under
-which the principal's secret key is encrypted.
-
-After an entry's expiration date has passed, the KDC will return an error to
-any client attempting to gain tickets as or for the principal. (A database
-may want to maintain two expiration dates: one for the principal, and one
-for the principal's current key. This allows password aging to work
-independently of the principal's expiration date. However, due to the
-limited space in the responses, the KDC must combine the key expiration and
-principal expiration date into a single value called 'key_exp', which is
-used as a hint to the user to take administrative action.)
-
-The attributes field is a bitfield used to govern the operations involving
-the principal. This field might be useful in conjunction with user
-registration procedures, for site-specific policy implementations (Project
-Athena currently uses it for their user registration process controlled by
-the system-wide database service, Moira [LGDSR87]), to identify whether a
-principal can play the role of a client or server or both, to note whether a
-server is appropriate trusted to recieve credentials delegated by a client,
-or to identify the 'string to key' conversion algorithm used for a
-principal's key[22]. Other bits are used to indicate that certain ticket
-options should not be allowed in tickets encrypted under a principal's key
-(one bit each): Disallow issuing postdated tickets, disallow issuing
-forwardable tickets, disallow issuing tickets based on TGT authentication,
-disallow issuing renewable tickets, disallow issuing proxiable tickets, and
-disallow issuing tickets for which the principal is the server.
-
-The mod_date field contains the time of last modification of the entry, and
-the mod_name field contains the name of the principal which last modified
-the entry.
-
-4.3. Frequently Changing Fields
-
-Some KDC implementations may wish to maintain the last time that a request
-was made by a particular principal.
Information that might be maintained -includes the time of the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a ticket-granting -ticket, or other times. This information can then be returned to the user in -the last-req field (see section 5.2). - -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This -field would be used to indicate how long old keys must remain valid to allow -the continued use of outstanding tickets. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. - * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. 
Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -Optional field in ASN.1 sequences - -For optional integer value and date fields in ASN.1 sequences where a -default value has been specified, certain default values will not be allowed -in the encoding because these values will always be represented through -defaulting by the absence of the optional field. For example, one will not -send a microsecond zero value because one must make sure that there is only -one way to encode this value. - -Additional fields in ASN.1 sequences - -Implementations receiving Kerberos messages with additional fields present -in ASN.1 sequences should carry the those fields through, unmodified, when -the message is forwarded. Implementations should not drop such fields if the -sequence is reencoded. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 specification, -section 8.7 [X509-88]. - -5.3. ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. -Note that since the underscore character (_) is not permitted in ASN.1 -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. 
A PrincipalName -is a typed sequence of components consisting of the following sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the same - (i.e. at least one of the components, or the realm, must be different). - This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding -shall specify the UTC time zone (Z) and shall not include any fractional -portions of the seconds. It further shall not include any separators. -Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm -on 6 November 1985 is 19851106210627Z. - -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -ad-data - This field contains authorization data to be interpreted according to - the value of the corresponding ad-type field. -ad-type - This field specifies the format for the ad-data subfield. 
All negative - values are reserved for local use. Non-negative values are reserved for - registered use. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the interpretation -of the encapsulating element determines which of the embedded elements must -be interpreted, and which may be ignored. Definitions for these common -elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. -te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. Non-negative values are reserved for - registered use. 
- -APOptions ::= BIT STRING - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - -TicketFlags ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -KDCOptions ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - -- unused11(11), - -- unused12(12), - -- unused13(13), - -- disable-transited-check(26), - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest number of bits needed to include the -highest order bit that is set (1), but in no case less than 32 bits. The -ASN.1 representation of the bit strings uses unnamed bits, with the meaning -of the individual bits defined by the comments in the specification above. -Implementations should accept values of bit strings of any length and treat -the value of flags corresponding to bits beyond the end of the bit string as -if the bit were reset (0). Comparison of bit strings of different length -should treat the smaller string as if it were padded with zeros beyond the -high order bits to the length of the longer string[23]. - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. 
Negative values indicate that the information pertains - only to the responding server. Non-negative values pertain to all - servers for the realm. If the lr-type field is zero (0), then no - information is conveyed by the lr-value subfield. If the absolute value - of the lr-type field is one (1), then the lr-value subfield is the time - of last initial request for a TGT. If it is two (2), then the lr-value - subfield is the time of last initial request. If it is three (3), then - the lr-value subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), then the lr-value - subfield is the time of the last renewal. If it is five (5), then the - lr-value subfield is the time of last request (of any type). If it is - (6), then the lr-value subfield is the time when the password will - expire. -lr-value - This field contains the time of the last request. the time must be - interpreted according to the contents of the accompanying lr-type - subfield. - -See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, -EncryptionKey, EncryptionType, and KeyType. - -5.3. Tickets and Authenticators - -This section describes the format and encryption parameters for tickets and -authenticators. When a ticket or authenticator is included in a protocol -message it is treated as an opaque object. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -5.3.1. Tickets - -A ticket is a record that helps a client authenticate to a service. 
A Ticket -contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be -registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos and -the end server (the server's secret key). See section 6 for the format of -the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - the two will always be identical. -sname - This field specifies all components of the name part of the server's - identity, including those parts that identify a specific instance of a - service. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - [*** This change is still subject to discussion. 
Several alternatives - for this - including none at all - will be distributed to the cat and - krb-protocol mailing lists before the Oslo IETF, and an alternative - will be selected and the spec modified by 7/14/99 ***] This optional - field contains a sequence of extentions that may be used to carry - information that must be carried with the ticket to support several - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - extensions, including but not limited to plaintext authorization data, - tokens for exchanging inter-realm keys, and other information that must - be associated with a ticket for use by the application server. See - Appendix C for definitions of some common extensions. - - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of the - appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. 
The meanings - of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. - - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). 
A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. - - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. - The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - The client is free to ignore the value - of this flag. 
When setting this flag, - an administrator should consider the - Security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. - - 15-31 RESERVED - Reserved for future use. - -key - This field exists in the ticket and the KDC response and is used to - pass the session key from Kerberos to the application server and the - client. The field's encoding is described in section 6.2. -crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -cname - This field contains the name part of the client's principal identifier. -transited - This field lists the names of the Kerberos realms that took part in - authenticating the user to whom this ticket was issued. It does not - specify the order in which the realms were transited. See section - 3.3.3.2 for details on how this field encodes the traversed realms. - When the names of CA's are to be embedded inthe transited field (as - specified for some extentions to the protocol), the X.500 names of the - CA's should be mapped into items in the transited field using the - mapping defined by RFC2253. -authtime - This field indicates the time of initial authentication for the named - principal. 
It is the time of issue for the original ticket on which - this ticket is based. It is included in the ticket to provide - additional information to the end service, and to provide the necessary - information for implementation of a `hot list' service at the KDC. An - end service that is particularly paranoid could refuse to accept - tickets for which the initial authentication occurred "too far" in the - past. This field is also returned as part of the response from the KDC. - When returned as part of the response to initial authentication - (KRB_AS_REP), this is the current time on the Ker- beros server[24]. -starttime - This field in the ticket specifies the time after which the ticket is - valid. Together with endtime, this field specifies the life of the - ticket. If it is absent from the ticket, its value should be treated as - that of the authtime field. -endtime - This field contains the time after which the ticket will not be honored - (its expiration time). Note that individual services may place their - own limits on the life of a ticket and may reject tickets which have - not yet expired. As such, this is really an upper bound on the - expiration time for the ticket. -renew-till - This field is only present in tickets that have the RENEWABLE flag set - in the flags field. It indicates the maximum endtime that may be - included in a renewal. It can be thought of as the absolute expiration - time for the ticket, including all renewals. -caddr - This field in a ticket contains zero (if omitted) or more (if present) - host addresses. These are the addresses from which the ticket can be - used. If there are no addresses, the ticket can be used from any - location. The decision by the KDC to issue or by the end server to - accept zero-address tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may refuse to issue or - accept such tickets. 
The suggested and default policy, however, is that - such tickets will only be issued or accepted when additional - information that can be used to restrict the use of the ticket is - included in the authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to make it harder for an - attacker to use stolen credentials. Because the session key is not sent - over the network in cleartext, credentials can't be stolen simply by - listening to the network; an attacker has to gain access to the session - key (perhaps through operating system security breaches or a careless - user's unattended session) to make use of stolen tickets. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - It is important to note that the network address from which a - connection is received cannot be reliably determined. Even if it could - be, an attacker who has compromised the client's workstation could use - the credentials from there. Including the network addresses only makes - it more difficult, not impossible, for an attacker to walk off with - stolen credentials and then use them from a "safe" location. -authorization-data - The authorization-data field is used to pass authorization data from - the principal on whose behalf a ticket was issued to the application - service. If no authorization data is included, this field will be left - out. Experience has shown that the name of this field is confusing, and - that a better name for this field would be restrictions. Unfortunately, - it is not possible to change the name of this field at this time. - - This field contains restrictions on any authority obtained on the basis - of authentication using the ticket. It is possible for any principal in - posession of credentials to add entries to the authorization data field - since these entries further restrict what can be done with the ticket. 
- Such additions can be made by specifying the additional entries when a - new ticket is obtained during the TGS exchange, or they may be added - during chained delegation using the authorization data field of the - authenticator. - - Because entries may be added to this field by the holder of - credentials, it is not allowable for the presence of an entry in the - authorization data field of a ticket to amplify the priveleges one - would obtain from using a ticket. - - The data in this field may be specific to the end service; the field - will contain the names of service specific objects, and the rights to - those objects. The format for this field is described in section 5.2. - Although Kerberos is not concerned with the format of the contents of - the sub-fields, it does carry type information (ad-type). - - By using the authorization_data field, a principal is able to issue a - proxy that is valid for a specific purpose. For example, a client - wishing to print a file can obtain a file server proxy to be passed to - the print server. By specifying the name of the file in the - authorization_data field, the file server knows that the print server - can only use the client's rights when accessing the particular file to - be printed. - - A separate service providing authorization or certifying group - membership may be built using the authorization-data field. In this - case, the entity granting authorization (not the authorized entity), - obtains a ticket in its own name (e.g. the ticket is issued in the name - of a privelege server), and this entity adds restrictions on its own - authority and delegates the restricted authority through a proxy to the - client. The client would then present this authorization credential to - the application server separately from the authentication exchange. 
- - Similarly, if one specifies the authorization-data field of a proxy and - leaves the host addresses blank, the resulting ticket and session key - can be treated as a capability. See [Neu93] for some suggested uses of - this field. - - The authorization-data field is optional and does not have to be - included in a ticket. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -5.3.2. Authenticators - -An authenticator is a record sent with a ticket to a server to certify the -client's knowledge of the encryption key in the ticket, to help the server -detect replays, and to help choose a "true session key" to use with the -particular session. The encoding is encrypted in the ticket's session key -shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - -authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. -crealm and cname - These fields are the same as those described for the ticket in section - 5.3.1. -cksum - This field contains a checksum of the the applica- tion data that - accompanies the KRB_AP_REQ. -cusec - This field contains the microsecond part of the client's timestamp. Its - value (before encryption) ranges from 0 to 999999. It often appears - along with ctime. The two fields are used together to specify a - reasonably accurate timestamp. -ctime - This field contains the current time on the client's host. -subkey - This field contains the client's choice for an encryption key which is - to be used to protect this specific application session. 
Unless an - application specifies otherwise, if this field is left out the session - key from the ticket will be used. -seq-number - This optional field includes the initial sequence number to be used by - the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to - detect replays (It may also be used by application specific messages). - When included in the authenticator this field specifies the initial - sequence number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number is that for - messages from the server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after each message is sent. - Sequence numbers fall in the range of 0 through 2^32 - 1 and wrap to - zero following the value 2^32 - 1. - - For sequence numbers to adequately support the detection of replays - they should be non-repeating, even across connection boundaries. The - initial sequence number should be random and uniformly distributed - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - across the full space of possible sequence numbers, so that it cannot - be guessed by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. -authorization-data - This field is the same as described for the ticket in section 5.3.1. It - is optional and will only appear when additional restrictions are to be - placed on the use of a ticket, beyond those carried in the ticket - itself. - -5.4. Specifications for the AS and TGS exchanges - -This section specifies the format of the messages used in the exchange -between the client and the Kerberos server. The format of possible error -messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - -The KRB_KDC_REQ message has no type of its own. 
Instead, its type is one of -KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial -ticket or an additional ticket. In either case, the message is sent from the -client to the Authentication Server to request credentials for a service. - -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -The fields in this message are: - -pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. -msg-type - This field indicates the type of a protocol message. It will almost - always be the same as the application identifier associated with a - message. It is included to make the identifier more readily accessible - to the application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. 
-padata - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials can - be issued or decrypted. In the case of requests for additional tickets - (KRB_TGS_REQ), this field will include an element with padata-type of - PA-TGS-REQ and data of an authentication header (ticket-granting ticket - and authenticator). The checksum in the authenticator (which must be - collision-proof) is to be computed over the KDC-REQ-BODY encoding. In - most requests for initial authentication (KRB_AS_REQ) and most replies - (KDC-REP), the padata field will be left out. - - This field may also contain information needed by certain extensions to - the Kerberos protocol. For example, it might be used to initially - verify the identity of a client before any response is returned. This - is accomplished with a padata field with padata-type equal to - PA-ENC-TIMESTAMP and padata-value defined as follows: - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL - } - - with patimestamp containing the client's time and pausec containing the - microseconds which may be omitted if a client will not generate more - than one request per second. The ciphertext (padata-value) consists of - the PA-ENC-TS-ENC sequence, encrypted using the client's secret key. - - [use-specified-kvno item is here for discussion and may be removed] It - may also be used by the client to specify the version of a key that is - being used for accompanying preauthentication, and/or which should be - used to encrypt the reply from the KDC. - - PA-USE-SPECIFIED-KVNO ::= Integer - - The KDC should only accept and abide by the value of the - use-specified-kvno preauthentication data field when the specified key - is still valid and until use of a new key is confirmed. 
This situation - is likely to occur primarily during the period during which an updated - key is propagating to other KDC's in a realm. - - The padata field can also contain information needed to help the KDC or - the client select the key needed for generating or decrypting the - response. This form of the padata is useful for supporting the use of - certain token cards with Kerberos. The details of such extensions are - specified in separate documents. See [Pat92] for additional uses of - this field. - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -padata-type - The padata-type element of the padata field indicates the way that the - padata-value element is to be interpreted. Negative values of - padata-type are reserved for unregistered use; non-negative values are - used for a registered interpretation of the element type. -req-body - This field is a placeholder delimiting the extent of the remaining - fields. If a checksum is to be calculated over the request, it is - calculated over an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. -kdc-options - This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the - KDC and indicates the flags that the client wants set on the tickets as - well as other information that is to modify the behavior of the KDC. - Where appropriate, the name of an option may be the same as the flag - that is set by that option. Although in most case, the bit in the - options field will be the same as that in the flags field, this is not - guaranteed, so it is not acceptable to simply copy the options field to - the flags field. There are various checks that must be made before - honoring an option anyway. - - The kdc_options field is a bit-field, where the selected options are - indicated by the bit being set (1), and the unselected options and - reserved fields being reset (0). 
The encoding of the bits is specified - in section 5.2. The options are described in more detail above in - section 2. The meanings of the options are: - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of -this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates -that - the ticket to be issued is to have -its - forwardable flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based is also -for- - wardable. - - 2 FORWARDED - The FORWARDED option is only -specified - in a request to the -ticket-granting - server and will only be honored if -the - ticket-granting ticket in the -request - has its FORWARDABLE bit set. -This - option indicates that this is a -request - for forwarding. The address(es) of -the - host from which the resulting ticket -is - to be valid are included in -the - addresses field of the request. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - 3 PROXIABLE - The PROXIABLE option indicates that -the - ticket to be issued is to have its -prox- - iable flag set. It may only be set -on - the initial request, or in a -subsequent - request if the ticket-granting ticket -on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this -is - a request for a proxy. This option -will - only be honored if the -ticket-granting - ticket in the request has its -PROXIABLE - bit set. The address(es) of the -host - from which the resulting ticket is to -be - valid are included in the -addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates -that - the ticket to be issued is to have -its - MAY-POSTDATE flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based also has -its - MAY-POSTDATE flag set. 
- - 6 POSTDATED - The POSTDATED option indicates that -this - is a request for a postdated -ticket. - This option will only be honored if -the - ticket-granting ticket on which it -is - based has its MAY-POSTDATE flag -set. - The resulting ticket will also have -its - INVALID flag set, and that flag may -be - reset by a subsequent request to the -KDC - after the starttime in the ticket -has - been reached. - - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that -the - ticket to be issued is to have -its - RENEWABLE flag set. It may only be -set - on the initial request, or when -the - ticket-granting ticket on which -the - request is based is also renewable. -If - this option is requested, then the -rtime - field in the request contains -the - desired absolute expiration time for -the - ticket. - - 9-13 UNUSED - These options are presently unused. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option -indicates - that the ticket to be issued is not -to - identify the user to which it -was - issued. Instead, the principal -identif- - ier is to be generic, as specified -by - the policy of the realm (e.g. -usually - anonymous@realm). The purpose of -the - ticket is only to securely distribute -a - session key, and not to identify -the - user. The ANONYMOUS flag on the -ticket - to be returned should be set. If -the - local realms policy does not -permit - anonymous credentials, the request is -to - be rejected. - - 15-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited -field - is disabled. 
Tickets issued without -the - performance of this check will be -noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be -checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. - - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that -a - renewable ticket will be acceptable if -a - ticket with the requested life -cannot - otherwise be provided. If a ticket -with - the requested life cannot be -provided, - then a renewable ticket may be -issued - with a renew-till equal to the -the - requested endtime. The value of -the - renew-till field may still be limited -by - local limits, or limits selected by -the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the -ticket- - granting service. The -ENC-TKT-IN-SKEY - option indicates that the ticket for -the - end server is to be encrypted in -the - session key from the additional -ticket- - granting ticket provided. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the -ticket- - granting service. The RENEW -option - indicates that the present request -is - for a renewal. The ticket provided -is - encrypted in the secret key for -the - server on which it is valid. -This - option will only be honored if -the - ticket to be renewed has its -RENEWABLE - flag set and if the time in its -renew- - till field has not passed. The -ticket - to be renewed is passed in the -padata - field as part of the -authentication - header. - - 31 VALIDATE - This option is used only by the -ticket- - granting service. The VALIDATE -option - indicates that the request is to -vali- - date a postdated ticket. 
It will -only - be honored if the ticket presented -is - postdated, presently has its -INVALID - flag set, and would be otherwise -usable - at this time. A ticket cannot be -vali- - dated before its starttime. The -ticket - presented for validation is encrypted -in - the key of the server for which it -is - valid and is passed in the padata -field - as part of the authentication header. - -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, or - alternatively from the session key in the ticket-granting ticket, both - from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies the - desired start time for the requested ticket. If this field is omitted - then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date of - the ticket granting ticket or other preauthentication credentials. 
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-rtime
- This field is the requested renew-till time sent from a client to the
- KDC in a ticket request. It is optional.
-nonce
- This field is part of the KDC request and response. It it intended to
- hold a random number generated by the client. If the same number is
- included in the encrypted response from the KDC, it provides evidence
- that the response is fresh and has not been replayed by an attacker.
- Nonces must never be re-used. Ideally, it should be generated randomly,
- but if the correct time is known, it may suffice[25].
-etype
- This field specifies the desired encryption algorithm to be used in the
- response.
-addresses
- This field is included in the initial request for tickets, and
- optionally included in requests for additional tickets from the
- ticket-granting server. It specifies the addresses from which the
- requested ticket is to be valid. Normally it includes the addresses for
- the client's host. If a proxy is requested, this field will contain
- other addresses. The contents of this field are usually copied by the
- KDC into the caddr field of the resulting ticket.
-additional-tickets
- Additional tickets may be optionally included in a request to the
- ticket-granting server. If the ENC-TKT-IN-SKEY option has been
- specified, then the session key from the additional ticket will be used
- in place of the server's key to encrypt the new ticket. If more than
- one option which requires additional tickets has been specified, then
- the additional tickets are used in the order specified by the ordering
- of the options bits (see kdc-options, above).
-
-The application code will be either ten (10) or twelve (12) depending on
-whether the request is for an initial ticket (AS-REQ) or for an additional
-ticket (TGS-REQ).
-
-The optional fields (addresses, authorization-data and additional-tickets)
-are only included if necessary to perform the operation specified in the
-kdc-options field.
-
-It should be noted that in KRB_TGS_REQ, the protocol version number appears
-twice and two different message types appear: the KRB_TGS_REQ message
-contains these fields as does the authentication header (KRB_AP_REQ) that is
-passed in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
-The KRB_KDC_REP message format is used for the reply from the KDC for either
-an initial (AS) request or a subsequent (TGS) request. There is no message
-type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
-KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
-depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
-the client's secret key, and the client's key version number is included in
-the key version number for the encrypted data. For KRB_TGS_REP, the
-ciphertext is encrypted in the sub-session key from the Authenticator, or if
-absent, the session key from the ticket-granting ticket used in the request.
-In that case, no version number will be present in the EncryptedData
-sequence.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-The KRB_KDC_REP message contains the following fields:
-
-AS-REP ::= [APPLICATION 11] KDC-REP
-TGS-REP ::= [APPLICATION 13] KDC-REP
-
-KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- padata[2] SEQUENCE OF PA-DATA OPTIONAL,
- crealm[3] Realm,
- cname[4] PrincipalName,
- ticket[5] Ticket,
- enc-part[6] EncryptedData
-}
-
-EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart
-EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
-EncKDCRepPart ::= SEQUENCE {
- key[0] EncryptionKey,
- last-req[1] LastReq,
- nonce[2] INTEGER,
- key-expiration[3] KerberosTime OPTIONAL,
- flags[4] TicketFlags,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- srealm[9] Realm,
- sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is either
- KRB_AS_REP or KRB_TGS_REP.
-padata
- This field is described in detail in section 5.4.1. One possible use
- for this field is to encode an alternate "mix-in" string to be used
- with a string-to-key algorithm (such as is described in section 6.3.2).
- This ability is useful to ease transitions if a realm name needs to
- change (e.g. when a company is acquired); in such a case all existing
- password-derived entries in the KDC database would be flagged as
- needing a special mix-in string until the next password change.
-crealm, cname, srealm and sname
- These fields are the same as those described for the ticket in section
- 5.3.1.
-ticket
- The newly-issued ticket, from section 5.3.1.
-enc-part
- This field is a place holder for the ciphertext and related information
- that forms the encrypted part of a message. The description of the
- encrypted part of the message follows each appearance of this field.
- The encrypted part is encoded as described in section 6.1. -key - This field is the same as described for the ticket in section 5.3.1. - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -last-req - This field is returned by the KDC and specifies the time(s) of the last - request by a principal. Depending on what information is available, - this might be the last time that a request for a ticket-granting ticket - was made, or the last time that a request based on a ticket-granting - ticket was successful. It also might cover all servers for a realm, or - just the particular server. Some implementations may display this - information to the user to aid in discovering unauthorized use of one's - identity. It is similar in spirit to the last login time displayed when - logging into timesharing systems. -nonce - This field is described above in section 5.4.1. -key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. The - expiration might be the result of password aging or an account - expiration. This field will usually be left out of the TGS reply since - the response to the TGS request is encrypted in a session key and no - client information need be retrieved from the KDC database. It is up to - the application client (usually the login program) to take appropriate - action (such as notifying the user) if the expiration time is imminent. -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted portion of - the attached ticket (see section 5.3.1), provided so the client may - verify they match the intended request and to assist in proper ticket - caching. 
If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. If the client-requested addresses are not - present or not used, then the addresses contained in the ticket will be - the same as those included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - -This section specifies the format of the messages used for the -authentication of the client to the application server. - -5.5.1. KRB_AP_REQ definition - -The KRB_AP_REQ message contains the Kerberos protocol version number, the -message type KRB_AP_REQ, an options field to indicate any options in use, -and the ticket and authenticator themselves. The KRB_AP_REQ message is often -referred to as the 'authentication header'. - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. -ap-options - This field appears in the application request (KRB_AP_REQ) and affects - the way the request is processed. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). The encoding of the bits - is specified in section 5.2. The meanings of the options are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. 
- - 1 USE-SESSION-KEY - The USE-SESSION-KEY option indicates - that the ticket the client is presenting - to a server is encrypted in the session - key from the server's ticket-granting - ticket. When this option is not speci- - fied, the ticket is encrypted in the - server's secret key. - - 2 MUTUAL-REQUIRED - The MUTUAL-REQUIRED option tells the - server that the client requires mutual - authentication, and that it must respond - with a KRB_AP_REP message. - - 3-31 RESERVED - Reserved for future use. - -ticket - This field is a ticket authenticating the client to the server. -authenticator - This contains the authenticator, which includes the client's choice of - a subkey. Its encoding is described in section 5.3.2. - -5.5.2. KRB_AP_REP definition - -The KRB_AP_REP message contains the Kerberos protocol version number, the -message type, and an encrypted time- stamp. The message is sent in in -response to an application request (KRB_AP_REQ) where the mutual -authentication option has been selected in the ap-options field. - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData -} - -EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL -} - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -The encoded EncAPRepPart is encrypted in the shared session key of the -ticket. The optional subkey field can be used in an application-arranged -negotiation to choose a per association session key. - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REP. -enc-part - This field is described above in section 5.4.2. -ctime - This field contains the current time on the client's host. -cusec - This field contains the microsecond part of the client's timestamp. 
-subkey
- This field contains an encryption key which is to be used to protect
- this specific application session. See section 3.2.6 for specifics on
- how this field is used to negotiate a key. Unless an application
- specifies otherwise, if this field is left out, the sub-session key
- from the authenticator, or if also left out, the session key from the
- ticket will be used.
-
-5.5.3. Error message reply
-
-If an error occurs while processing the application request, the KRB_ERROR
-message will be sent in response. See section 5.9.1 for the format of the
-error message. The cname and crealm fields may be left out if the server
-cannot determine their appropriate values from the corresponding KRB_AP_REQ
-message. If the authenticator was decipherable, the ctime and cusec fields
-will contain the values from it.
-
-5.6. KRB_SAFE message specification
-
-This section specifies the format of a message that can be used by either
-side (client or server) of an application to send a tamper-proof message to
-its peer. It presumes that a session key has previously been exchanged (for
-example, by using the KRB_AP_REQ/KRB_AP_REP messages).
-
-5.6.1. KRB_SAFE definition
-
-The KRB_SAFE message contains user data along with a collision-proof
-checksum keyed with the last encryption key negotiated via subkeys, or the
-session key if no negotiation has occured. The message fields are:
-
-KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- safe-body[2] KRB-SAFE-BODY,
- cksum[3] Checksum
-}
-
-KRB-SAFE-BODY ::= SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL,
- r-address[5] HostAddress OPTIONAL
-}
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_SAFE.
-safe-body - This field is a placeholder for the body of the KRB-SAFE message. -cksum - This field contains the checksum of the application data. Checksum - details are described in section 6.4. The checksum is computed over the - encoding of the KRB-SAFE sequence. First, the cksum is zeroed and the - checksum is computed over the encoding of the KRB-SAFE sequence, then - the checksum is set to the result of that computation, and finally the - KRB-SAFE sequence is encoded again. -user-data - This field is part of the KRB_SAFE and KRB_PRIV messages and contain - the application specific data that is being passed from the sender to - the recipient. -timestamp - This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents - are the current time as known by the sender of the message. By checking - the timestamp, the recipient of the message is able to make sure that - it was recently generated, and is not a replay. -usec - This field is part of the KRB_SAFE and KRB_PRIV headers. It contains - the microsecond part of the timestamp. -seq-number - This field is described above in section 5.3.2. -s-address - This field specifies the address in use by the sender of the message. - It may be omitted if not required by the application protocol. The - application designer considering omission of this field is warned, that - the inclusion of this address prevents some kinds of replay attacks - (e.g., reflection attacks) and that it is only acceptable to omit this - address if there is sufficient information in the integrity protected - part of the application message for the recipient to unambiguously - determine if it was the intended recipient. -r-address - This field specifies the address in use by the recipient of the - message. It may be omitted for some uses (such as broadcast protocols), - but the recipient may arbitrarily reject such messages. 
This field - along with s-address can be used to help detect messages which have - been incorrectly or maliciously delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's -addr - r-address[5] HostAddress OPTIONAL -- recip's -addr -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. -enc-part - This field holds an encoding of the EncKrbPrivPart sequence encrypted - under the session key[32]. This encrypted encoding is used for the - enc-part field of the KRB-PRIV message. See section 6 for the format of - the ciphertext. -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - -This section specifies the format of a message that can be used to send -Kerberos credentials from one principal to another. It is presented here to -encourage a common mechanism to be used by applications when forwarding -tickets or providing proxies to subordinate servers. 
It presumes that a -session key has already been exchanged perhaps by using the -KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - -The KRB_CRED message contains a sequence of tickets to be sent and -information needed to use the tickets, including the session key from each. -The information needed to use the tickets is encrypted under an encryption -key previously exchanged or transferred alongside the KRB_CRED message. The -message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by the - intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. -enc-part - This field holds an encoding of the EncKrbCredPart sequence encrypted - under the session key shared between the sender and the intended - recipient. This encrypted encoding is used for the enc-part field of - the KRB-CRED message. 
See section 6 for the format of the ciphertext. -nonce - If practical, an application may require the inclusion of a nonce - generated by the recipient of the message. If the same value is - included as the nonce in the message, it provides evidence that the - message is fresh and has not been replayed by an attacker. A nonce must - never be re-used; it should be generated randomly by the recipient of - the message and provided to the sender of the message in an application - specific manner. -timestamp and usec - These fields specify the time that the KRB-CRED message was generated. - The time is used to provide assurance that the message is fresh. -s-address and r-address - These fields are described above in section 5.6.1. They are used - optionally to provide additional assurance of the integrity of the - KRB-CRED message. -key - This field exists in the corresponding ticket passed by the KRB-CRED - message and is used to pass the session key from the sender to the - intended recipient. The field's encoding is described in section 6.2. - -The following fields are optional. If present, they can be associated with -the credentials in the remote ticket file. If left out, then it is assumed -that the recipient of the credentials already knows their value. - -prealm and pname - The name and realm of the delegated principal identity. -flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr - These fields contain the values of the correspond- ing fields from the - ticket found in the ticket field. Descriptions of the fields are - identical to the descriptions in the KDC-REP message. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -5.9. Error message specification - -This section specifies the format for the KRB_ERROR message. The fields -included in the message are intended to return as much information as -possible about an error. 
It is not expected that all the information
-required by the fields will be available for all types of errors. If the
-appropriate information is not available when the message is composed, the
-corresponding field will be left out of the message.
-
-Note that since the KRB_ERROR message is only optionally integrity
-protected, it is quite possible for an intruder to synthesize or modify such
-a message. In particular, this means that unless appropriate integrity
-protection mechanisms have been applied to the KRB_ERROR message, the client
-should not use any fields in this message for security-critical purposes,
-such as setting a system clock or generating a fresh authenticator. The
-message can be useful, however, for advising a user on the reason for some
-failure.
-
-5.9.1. KRB_ERROR definition
-
-The KRB_ERROR message consists of the following fields:
-
-KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- ctime[2] KerberosTime OPTIONAL,
- cusec[3] INTEGER OPTIONAL,
- stime[4] KerberosTime,
- susec[5] INTEGER,
- error-code[6] INTEGER,
- crealm[7] Realm OPTIONAL,
- cname[8] PrincipalName OPTIONAL,
- realm[9] Realm, -- Correct realm
- sname[10] PrincipalName, -- Correct name
- e-text[11] GeneralString OPTIONAL,
- e-data[12] OCTET STRING OPTIONAL,
- e-cksum[13] Checksum OPTIONAL,
-(*REMOVE7/14*) e-typed-data[14] SEQUENCE of ETypedData
-OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_ERROR.
-ctime
- This field is described above in section 5.4.1.
-cusec
- This field is described above in section 5.5.2.
-stime
- This field contains the current time on the server. It is of type
- KerberosTime.
-susec
- This field contains the microsecond part of the server's timestamp. Its
- value ranges from 0 to 999999. It appears along with stime. The two
- fields are used in conjunction to specify a reasonably accurate
- timestamp.
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-error-code
- This field contains the error code returned by Kerberos or the server
- when a request fails. To interpret the value of this field see the list
- of error codes in section 8. Implementations are encouraged to provide
- for national language support in the display of error messages.
-crealm, cname, srealm and sname
- These fields are described above in section 5.3.1.
-e-text
- This field contains additional text to help explain the error code
- associated with the failed request (for example, it might include a
- principal name which was unknown).
-e-data
- This field contains additional data about the error for use by the
- application to help it recover from or handle the error. If present,
- this field will contain the encoding of a sequence of TypedData
- (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
- in which case it will contain the encoding of a sequence of of padata
- fields (METHOD-DATA below), each corresponding to an acceptable
- pre-authentication method and optionally containing data for the
- method:
-
- TYPED-DATA ::= SEQUENCE of TypeData
- METHOD-DATA ::= SEQUENCE of PA-DATA
-
- TypedData ::= SEQUENCE {
- data-type[0] INTEGER,
- data-value[1] OCTET STRING OPTIONAL
- }
-
- Note that e-data-types have been reserved for all PA data types defined
- prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, when
- using new PA data types defined in July 1999 or later, the METHOD-DATA
- sequence must itself be encapsulated in an TypedData element of type
- TD-PADATA. All new implementations interpreting the METHOD-DATA field
- for the KDC_ERR_PREAUTH_REQUIRED message must accept a type of
- TD-PADATA, extract the typed data field and interpret the use any
- elements encapsulated in the TD-PADATA elements as if they were present
- in the METHOD-DATA sequence.
-e-cksum
- This field contains an optional checksum for the KRB-ERROR message. The
- checksum is calculated over the Kerberos ASN.1 encoding of the
- KRB-ERROR message with the checksum absent. The checksum is then added
- to the KRB-ERROR structure and the message is re-encoded. The Checksum
- should be calculated using the session key from the ticket granting
- ticket or service ticket, where available. If the error is in response
- to a TGS or AP request, the checksum should be calculated uing the the
- session key from the client's ticket. If the error is in response to an
- AS request, then the checksum should be calulated using the client's
- secret key ONLY if there has been suitable preauthentication to prove
- knowledge of the secret key by the client[33]. If a checksum can not be
- computed because the key to be used is not available, no checksum will
- be included.
-e-typed-data
- [***Will be deleted 7/14***] This field contains optional data that may
- be used to help the client recover from the indicated error. [This
- could contain the METHOD-DATA specified since I don't think anyone
- actually uses it yet. It could also contain the PA-DATA sequence for
- the preauth required error if we had a clear way to transition to the
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
- use of this field from the use of the untyped e-data field.] For
- example, this field may specify the key version of the key used to
- verify preauthentication:
-
- e-data-type := 20 -- Key version number
- e-data-value := Integer -- Key version number used to
- verify preauthentication
-
-6.
Encryption and Checksum Specifications
-
-The Kerberos protocols described in this document are designed to use stream
-encryption ciphers, which can be simulated using commonly available block
-encryption ciphers, such as the Data Encryption Standard, [DES77] in
-conjunction with block chaining and checksum methods [DESM80]. Encryption is
-used to prove the identities of the network entities participating in
-message exchanges. The Key Distribution Center for each realm is trusted by
-all principals registered in that realm to store a secret key in confidence.
-Proof of knowledge of this secret key is used to verify the authenticity of
-a principal. [*** Discussion above will change to use 3DES as example
-7/14/99 ***]
-
-The KDC uses the principal's secret key (in the AS exchange) or a shared
-session key (in the TGS exchange) to encrypt responses to ticket requests;
-the ability to obtain the secret key or session key implies the knowledge of
-the appropriate keys and the identity of the KDC. The ability of a principal
-to decrypt the KDC response and present a Ticket and a properly formed
-Authenticator (generated with the session key from the KDC response) to a
-service verifies the identity of the principal; likewise the ability of the
-service to extract the session key from the Ticket and prove its knowledge
-thereof in a response verifies the identity of the service.
-
-The Kerberos protocols generally assume that the encryption used is secure
-from cryptanalysis; however, in some cases, the order of fields in the
-encrypted portions of messages are arranged to minimize the effects of
-poorly chosen keys. It is still important to choose good keys. If keys are
-derived from user-typed passwords, those passwords need to be well chosen to
-make brute force attacks more difficult. Poorly chosen keys still make easy
-targets for intruders.
-
-The following sections specify the encryption and checksum mechanisms
-currently defined for Kerberos.
The encodings, chaining, and padding
-requirements for each are described. For encryption methods, it is often
-desirable to place random information (often referred to as a confounder) at
-the start of the message. The requirements for a confounder are specified
-with each encryption mechanism.
-
-Some encryption systems use a block-chaining method to improve the the
-security characteristics of the ciphertext. However, these chaining methods
-often don't provide an integrity check upon decryption. Such systems (such
-as DES in CBC mode) must be augmented with a checksum of the plain-text
-which can be verified at decryption and used to detect any tampering or
-damage. Such checksums should be good at detecting burst errors in the
-input. If any damage is detected, the decryption routine is expected to
-return an error indicating the failure of an integrity check. Each
-encryption type is expected to provide and verify an appropriate checksum.
-The specification of each encryption method sets out its checksum
-requirements.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-Finally, where a key is to be derived from a user's password, an algorithm
-for converting the password to a key of the appropriate type is included. It
-is desirable for the string to key function to be one-way, and for the
-mapping to be different in different realms. This is important because users
-who are registered in more than one realm will often use the same password
-in each, and it is desirable that an attacker compromising the Kerberos
-server in one realm not obtain or derive the user's key in another.
-
-For an discussion of the integrity characteristics of the candidate
-encryption and checksum methods considered for Kerberos, the reader is
-referred to [SG92].
-
-6.1. Encryption Specifications
-
-The following ASN.1 definition describes all encrypted messages.
The
-enc-part field which appears in the unencrypted part of messages in section
-5 is a sequence consisting of an encryption type, an optional key version
-number, and the ciphertext.
-
-EncryptedData ::= SEQUENCE {
- etype[0] INTEGER, -- EncryptionType
- kvno[1] INTEGER OPTIONAL,
- cipher[2] OCTET STRING -- ciphertext
-}
-
-etype
- This field identifies which encryption algorithm was used to encipher
- the cipher. Detailed specifications for selected encryption types
- appear later in this section.
-kvno
- This field contains the version number of the key under which data is
- encrypted. It is only present in messages encrypted under long lasting
- keys, such as principals' secret keys.
-cipher
- This field contains the enciphered text, encoded as an OCTET STRING.
-
-The cipher field is generated by applying the specified encryption algorithm
-to data composed of the message and algorithm-specific inputs. Encryption
-mechanisms defined for use with Kerberos must take sufficient measures to
-guarantee the integrity of the plaintext, and we recommend they also take
-measures to protect against precomputed dictionary attacks. If the
-encryption algorithm is not itself capable of doing so, the protections can
-often be enhanced by adding a checksum and a confounder.
-
-The suggested format for the data to be encrypted includes a confounder, a
-checksum, the encoded plaintext, and any necessary padding. The msg-seq
-field contains the part of the protocol message described in section 5 which
-is to be encrypted. The confounder, checksum, and padding are all untagged
-and untyped, and their length is exactly sufficient to hold the appropriate
-item. The type and length is implicit and specified by the particular
-encryption type being used (etype).
The format for the data to be encrypted
-is described in the following diagram:
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
- +-----------+----------+-------------+-----+
- |confounder | check | msg-seq | pad |
- +-----------+----------+-------------+-----+
-
-The format cannot be described in ASN.1, but for those who prefer an
-ASN.1-like notation:
-
-CipherText ::= ENCRYPTED SEQUENCE {
- confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
- check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
- msg-seq[2] MsgSequence,
- pad UNTAGGED OCTET STRING(pad_length) OPTIONAL
-}
-
-One generates a random confounder of the appropriate length, placing it in
-confounder; zeroes out check; calculates the appropriate checksum over
-confounder, check, and msg-seq, placing the result in check; adds the
-necessary padding; then encrypts using the specified encryption type and the
-appropriate key.
-
-Unless otherwise specified, a definition of an encryption algorithm that
-specifies a checksum, a length for the confounder field, or an octet
-boundary for padding uses this ciphertext format[36]. Those fields which are
-not specified will be omitted.
-
-In the interest of allowing all implementations using a particular
-encryption type to communicate with all others using that type, the
-specification of an encryption type defines any checksum that is needed as
-part of the encryption process. If an alternative checksum is to be used, a
-new encryption type must be defined.
-
-Some cryptosystems require additional information beyond the key and the
-data to be encrypted. For example, DES, when used in cipher-block-chaining
-mode, requires an initialization vector. If required, the description for
-each encryption type must specify the source of such additional information.
-6.2.
Encryption Keys
-
-The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
-keytype
- This field specifies the type of encryption that is to be performed
- using the key that follows in the keyvalue field. It will always
- correspond to the etype to be used to generate or decode the
- EncryptedData. In cases when multiple algorithms use a common kind of
- key (e.g., if the encryption algorithm uses an alternate checksum
- algorithm for an integrity check, or a different chaining mechanism),
- the keytype provides information needed to determine which algorithm is
- to be used.
-keyvalue
- This field contains the key itself, encoded as an octet string.
-
-All negative values for the encryption key type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields and
-interpreta- tions.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-6.3. Encryption Systems
-
-6.3.1. The NULL Encryption System (null)
-
-If no encryption is in use, the encryption system is said to be the NULL
-encryption system. In the NULL encryption system there is no checksum,
-confounder or padding. The ciphertext is simply the plaintext. The NULL Key
-is used by the null encryption system and is zero octets in length, with
-keytype zero (0).
-
-6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
-The des-cbc-crc encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. A
-CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
-confounder and message sequence (msg-seq) and placed in the cksum field. DES
-blocks are 8 bytes. As a result, the data to be encrypted (the concatenation
-of confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption.
The details of the encryption of this data are identical
-to those for the des-cbc-md5 encryption mode.
-
-Note that, since the CRC-32 checksum is not collision-proof, an attacker
-could use a probabilistic chosen-plaintext attack to generate a valid
-message even if a confounder is used [SG92]. The use of collision-proof
-checksums is recommended for environments where such attacks represent a
-significant threat. The use of the CRC-32 as the checksum for ticket or
-authenticator is no longer mandated as an interoperability requirement for
-Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
-
-6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
-The des-cbc-md4 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD4 checksum (described in [MD492]) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption. The details of the encryption of this data are identical
-to those for the des-cbc-md5 encryption mode.
-
-6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
-The des-cbc-md5 encryption mode encrypts information under the Data
-Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
-An MD5 checksum (described in [MD5-92].) is applied to the confounder and
-message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
-bytes. As a result, the data to be encrypted (the concatenation of
-confounder, checksum, and message) must be padded to an 8 byte boundary
-before encryption.
-
-Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
-concatenated to make the 64-bit inputs for the DES algorithms.
The first
-octet supplies the 8 most significant bits (with the octet's MSbit used as
-the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
-and the eighth octet supplies the 8 least significant bits.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-Encryption under DES using cipher block chaining requires an additional
-input in the form of an initialization vector. Unless otherwise specified,
-zero should be used as the initialization vector. Kerberos' use of DES
-requires an 8 octet confounder.
-
-The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
-shall not be used for encrypting messages for use in Kerberos. Additionally,
-because of the way that keys are derived for the encryption of checksums,
-keys shall not be used that yield 'weak' or 'semi-weak' keys when
-eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
-
-A DES key is 8 octets of data, with keytype one (1). This consists of 56
-bits of key, and 8 parity bits (one per octet). The key is encoded as a
-series of 8 octets written in MSB-first order. The bits within the key are
-also encoded in MSB order. For example, if the encryption key is
-(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
-B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
-bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
-MSbit). [See the FIPS 81 introduction for reference.]
-
-String to key transformation
-
-To generate a DES key from a text string (password), a "salt" is
-concatenated to the text string, and then padded with ASCII nulls to an 8
-byte boundary. This "salt" is normally the realm and each component of the
-principal's name appended.
However, sometimes different salts are used ---
-for example, when a realm is renamed, or if a user changes her username, or
-for compatibility with Kerberos V4 (whose string-to-key algorithm uses a
-null string for the salt). This string is then fan-folded and eXclusive-ORed
-with itself to form an 8 byte DES key. Before eXclusive-ORing a block, every
-byte is shifted one bit to the left to leave the lowest bit zero. The key is
-the "corrected" by correcting the parity on the key, and if the key matches
-a 'weak' or 'semi-weak' key as described in the DES specification, it is
-eXclusive-ORed with the constant 00000000000000F0. This key is then used to
-generate a DES CBC checksum on the initial string (with the salt appended).
-The result of the CBC checksum is the "corrected" as described above to form
-the result which is return as the key. Pseudocode follows:
-
- name_to_default_salt(realm, name) {
- s = realm
- for(each component in name) {
- s = s + component;
- }
- return s;
- }
-
- key_correction(key) {
- fixparity(key);
- if (is_weak_key_key(key))
- key = key XOR 0xF0;
- return(key);
- }
-
- string_to_key(string,salt) {
-
- odd = 1;
- s = string + salt;
- tempkey = NULL;
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
- pad(s); /* with nulls to 8 byte boundary */
- for(8byteblock in s) {
- if(odd == 0) {
- odd = 1;
- reverse(8byteblock)
- }
- else odd = 0;
- left shift every byte in 8byteblock one bit;
- tempkey = tempkey XOR 8byteblock;
- }
- tempkey = key_correction(tempkey);
- key = key_correction(DES-CBC-check(s,tempkey));
- return(key);
- }
-
-6.3.5.
Triple DES with HMAC-SHA1 Kerberos Encryption Type with Key
-Derivation [Horowitz]
-
-[*** Note that there are several 3DES varients in use in different Kerberos
-implemenations, updates to this section will be sent to the cat list and
-krb-protocol list prior to the Oslo IETF, including the key derivation and
-non-key derivation varients ***] NOTE: This description currently refers to
-documents, the contents of which might be bettered included by value in this
-spec. The description below was provided by Marc Horowitz, and the form in
-which it will finally appear is yet to be determined. This description is
-included in this version of the draft because it does describe the
-implemenation ready for use with the MIT implementation. Note also that the
-encryption identifier has been left unspecified here because the value from
-Marc Horowitz's spec conflicted with some other impmenentations implemented
-based on perevious versions of the specification.
-
-This encryption type is based on the Triple DES cryptosystem, the HMAC-SHA1
-[Krawczyk96] message authentication algorithm, and key derivation for
-Kerberos V5 [HorowitzB96].
-
-The des3-cbc-hmac-sha1 encryption type has been assigned the value ??. The
-hmac-sha1-des3 checksum type has been assigned the value 12.
-
-Encryption Type des3-cbc-hmac-sha1
-
-EncryptedData using this type must be generated as described in
-[Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. The
-keyed hash algorithm is HMAC-SHA1. Unless otherwise specified, a zero IV
-must be used. If the length of the input data is not a multiple of the block
-size, zero octets must be used to pad the plaintext to the next eight-octet
-boundary. The counfounder must be eight random octets (one block).
-
-Checksum Type hmac-sha1-des3
-
-Checksums using this type must be generated as described in [Horowitz96].
-The keyed hash algorithm is HMAC-SHA1.
-
-Common Requirements
-
-The EncryptionKey value is 24 octets long.
The 7 most significant bits of
-each octet contain key bits, and the least significant bit is the inverse of
-the xor of the key bits.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-For the purposes of key derivation, the block size is 64 bits, and the key
-size is 168 bits. The 168 bits output by key derivation are converted to an
-EncryptionKey value as follows. First, the 168 bits are divided into three
-groups of 56 bits, which are expanded individually into 64 bits as follows:
-
- 1 2 3 4 5 6 7 p
- 9 10 11 12 13 14 15 p
-17 18 19 20 21 22 23 p
-25 26 27 28 29 30 31 p
-33 34 35 36 37 38 39 p
-41 42 43 44 45 46 47 p
-49 50 51 52 53 54 55 p
-56 48 40 32 24 16 8 p
-
-The "p" bits are parity bits computed over the data bits. The output of the
-three expansions are concatenated to form the EncryptionKey value.
-
-When the HMAC-SHA1 of a string is computed, the key is used in the
-EncryptedKey form.
-
-Key Derivation
-
-In the Kerberos protocol, cryptographic keys are used in a number of places.
-In order to minimize the effect of compromising a key, it is desirable to
-use a different key for each of these places. Key derivation [Horowitz96]
-can be used to construct different keys for each operation from the keys
-transported on the network. For this to be possible, a small change to the
-specification is necessary.
-
-This section specifies a profile for the use of key derivation [Horowitz96]
-with Kerberos. For each place where a key is used, a ``key usage'' must is
-specified for that purpose. The key, key usage, and encryption/checksum type
-together describe the transformation from plaintext to ciphertext, or
-plaintext to checksum.
-
-Key Usage Values
-
-This is a complete list of places keys are used in the kerberos protocol,
-with key usage values and RFC 1510 section numbers:
-
- 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
- client key (section 5.4.1)
- 2.
AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
- application session key), encrypted with the service key
- (section 5.4.2)
- 3. AS-REP encrypted part (includes tgs session key or application
- session key), encrypted with the client key (section 5.4.2)
- 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- session key (section 5.4.1)
- 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- authenticator subkey (section 5.4.1)
- 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
- with the tgs session key (sections 5.3.2, 5.4.1)
- 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
- authenticator subkey), encrypted with the tgs session key
- (section 5.3.2)
- 8. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs session key (section 5.4.2)
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
- 9. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs authenticator subkey (section 5.4.2)
-10. AP-REQ Authenticator cksum, keyed with the application session
- key (section 5.3.2)
-11. AP-REQ Authenticator (includes application authenticator
- subkey), encrypted with the application session key (section
- 5.3.2)
-12. AP-REP encrypted part (includes application session subkey),
- encrypted with the application session key (section 5.5.2)
-13. KRB-PRIV encrypted part, encrypted with a key chosen by the
- application (section 5.7.1)
-14. KRB-CRED encrypted part, encrypted with a key chosen by the
- application (section 5.6.1)
-15. KRB-SAVE cksum, keyed with a key chosen by the application
- (section 5.8.1)
-18. KRB-ERROR checksum (e-cksum in section 5.9.1)
-19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
-20. Checksum for Mandatory Ticket Extensions (appendix B.6)
-21.
Checksum in Authorization Data in Ticket Extensions (appendix B.7)
-
-Key usage values between 1024 and 2047 (inclusive) are reserved for
-application use. Applications should use even values for encryption and odd
-values for checksums within this range.
-
-A few of these key usages need a little clarification. A service which
-receives an AP-REQ has no way to know if the enclosed Ticket was part of an
-AS-REP or TGS-REP. Therefore, key usage 2 must always be used for generating
-a Ticket, whether it is in response to an AS- REQ or TGS-REQ.
-
-There might exist other documents which define protocols in terms of the
-RFC1510 encryption types or checksum types. Such documents would not know
-about key usages. In order that these documents continue to be meaningful
-until they are updated, key usages 1024 and 1025 must be used to derive keys
-for encryption and checksums, respectively. New protocols defined in terms
-of the Kerberos encryption and checksum types should use their own key
-usages. Key usages may be registered with IANA to avoid conflicts. Key
-usages must be unsigned 32 bit integers. Zero is not permitted.
-
-Defining Cryptosystems Using Key Derivation
-
-Kerberos requires that the ciphertext component of EncryptedData be
-tamper-resistant as well as confidential. This implies encryption and
-integrity functions, which must each use their own separate keys. So, for
-each key usage, two keys must be generated, one for encryption (Ke), and one
-for integrity (Ki):
-
- Ke = DK(protocol key, key usage | 0xAA)
- Ki = DK(protocol key, key usage | 0x55)
-
-where the protocol key is from the EncryptionKey from the wire protocol, and
-the key usage is represented as a 32 bit integer in network byte order. The
-ciphertest must be generated from the plaintext as follows:
-
- ciphertext = E(Ke, confounder | plaintext | padding) |
- H(Ki, confounder | plaintext | padding)
-
-The confounder and padding are specific to the encryption algorithm E.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-When generating a checksum only, there is no need for a confounder or
-padding. Again, a new key (Kc) must be used. Checksums must be generated
-from the plaintext as follows:
-
- Kc = DK(protocol key, key usage | 0x99)
-
- MAC = H(Kc, plaintext)
-
-Note that each enctype is described by an encryption algorithm E and a keyed
-hash algorithm H, and each checksum type is described by a keyed hash
-algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
-
-Key Derivation from Passwords
-
-The well-known constant for password key derivation must be the byte string
-{0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the
-ASCII encoding for the string "kerberos".
-
-6.4. Checksums
-
-The following is the ASN.1 definition used for a checksum:
-
- Checksum ::= SEQUENCE {
- cksumtype[0] INTEGER,
- checksum[1] OCTET STRING
- }
-
-cksumtype
- This field indicates the algorithm used to generate the accompanying
- checksum.
-checksum
- This field contains the checksum itself, encoded as an octet string.
-
-Detailed specification of selected checksum types appear later in this
-section. Negative values for the checksum type are reserved for local use.
-All non-negative values are reserved for officially assigned type fields and
-interpretations.
-
-Checksums used by Kerberos can be classified by two properties: whether they
-are collision-proof, and whether they are keyed. It is infeasible to find
-two plaintexts which generate the same checksum value for a collision-proof
-checksum. A key is required to perturb or initialize the algorithm in a
-keyed checksum. To prevent message-stream modification by an active
-attacker, unkeyed checksums should only be used when the checksum and
-message will be subsequently encrypted (e.g. the checksums defined as part
-of the encryption algorithms covered earlier in this section).
-
-Collision-proof checksums can be made tamper-proof if the checksum value is
-encrypted before inclusion in a message. In such cases, the composition of
-the checksum and the encryption algorithm must be considered a separate
-checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
-algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for the
-encrypted forms of unkeyed collision-proof checksums, Kerberos prepends a
-confounder before the checksum is calculated.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-6.4.1. The CRC-32 Checksum (crc32)
-
-The CRC-32 checksum calculates a checksum based on a cyclic redundancy check
-as described in ISO 3309 [ISO3309]. The resulting checksum is four (4)
-octets in length. The CRC-32 is neither keyed nor collision-proof. The use
-of this checksum is not recommended. An attacker using a probabilistic
-chosen-plaintext attack as described in [SG92] might be able to generate an
-alternative message that satisfies the checksum. The use of collision-proof
-checksums is recommended for environments where such attacks represent a
-significant threat.
-
-6.4.2. The RSA MD4 Checksum (rsa-md4)
-
-The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
-[MD4-92]. The algorithm takes as input an input message of arbitrary length
-and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to
-be collision-proof.
-
-6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
-
-The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
-prepending an 8 octet confounder before the text, applying the RSA MD4
-checksum algorithm, and encrypting the confounder and the checksum using DES
-in cipher-block-chaining (CBC) mode using a variant of the key, where the
-variant is computed by eXclusive-ORing the key with the constant
-F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero.
The -resulting checksum is 24 octets long (8 octets of which are redundant). This -checksum is tamper-proof and believed to be collision-proof. - -The DES specifications identify some weak keys' and 'semi-weak keys'; those -keys shall not be used for generating RSA-MD4 checksums for use in Kerberos. - -The format for the checksum is described in the follow- ing diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.4. The RSA MD5 Checksum (rsa-md5) - -The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm. -[MD5-92]. The algorithm takes as input an input message of arbitrary length -and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed to -be collision-proof. - -6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des) - -The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by -prepending an 8 octet confounder before the text, applying the RSA MD5 -checksum algorithm, and encrypting the confounder and the checksum using DES - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -in cipher-block-chaining (CBC) mode using a variant of the key, where the -variant is computed by eXclusive-ORing the key with the hexadecimal constant -F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting -checksum is 24 octets long (8 octets of which are redundant). This checksum -is tamper-proof and believed to be collision-proof. 
- -The DES specifications identify some 'weak keys' and 'semi-weak keys'; those -keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos. - -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) -} - -6.4.6. DES cipher-block chained checksum (des-mac) - -The DES-MAC checksum is computed by prepending an 8 octet confounder to the -plaintext, performing a DES CBC-mode encryption on the result using the key -and an initialization vector of zero, taking the last block of the -ciphertext, prepending the same confounder and encrypting the pair using DES -in cipher-block-chaining (CBC) mode using a a variant of the key, where the -variant is computed by eXclusive-ORing the key with the hexadecimal constant -F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting -checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This -checksum is tamper-proof and collision-proof. 
- -The format for the checksum is described in the following diagram: - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ -| des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - -The format cannot be described in ASN.1, but for those who prefer an -ASN.1-like notation: - -des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) -} - -The DES specifications identify some 'weak' and 'semi-weak' keys; those keys -shall not be used for generating DES-MAC checksums for use in Kerberos, nor -shall a key be used whose variant is 'weak' or 'semi-weak'. - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k) - -The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by -applying the RSA MD4 checksum algorithm and encrypting the results using DES -in cipher-block-chaining (CBC) mode using a DES key as both key and - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -initialization vector. The resulting checksum is 16 octets long. This -checksum is tamper-proof and believed to be collision-proof. Note that this -checksum type is the old method for encoding the RSA-MD4-DES checksum and it -is no longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (des-mac-k) - -The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption -of the plaintext, and using the last block of the ciphertext as the checksum -value. It is keyed with an encryption key and an initialization vector; any -uses which do not specify an additional initialization vector will use the -key as both key and initialization vector. The resulting checksum is 64 bits -(8 octets) long. This checksum is tamper-proof and collision-proof. 
Note -that this checksum type is the old method for encoding the DES-MAC checksum -and it is no longer recommended. The DES specifications identify some 'weak -keys' and 'semi-weak keys'; those keys shall not be used for generating -DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - -7.1. Realm Names - -Although realm names are encoded as GeneralStrings and although a realm can -technically select any name it chooses, interoperability across realm -boundaries requires agreement on how realm names are to be assigned, and -what information they imply. - -To enforce these conventions, each realm must conform to the conventions -itself, and it must require that any realms with which inter-realm keys are -shared also conform to the conventions and require the same from its -neighbors. - -Kerberos realm names are case sensitive. Realm names that differ only in the -case of the characters are not equivalent. There are presently four styles -of realm names: domain, X500, other, and reserved. Examples of each style -follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - -Domain names must look like domain names: they consist of components -separated by periods (.) and they contain neither colons (:) nor slashes -(/). Domain names must be converted to upper case when used as realm names. - -X.500 names contain an equal (=) and cannot contain a colon (:) before the -equal. The realm names for X.500 names will be string representations of the -names with components separated by slashes. Leading and trailing slashes -will not be included. - -Names that fall into the other category must begin with a prefix that -contains no equal (=) or period (.) and the prefix must be followed by a -colon (:) and the rest of the name. All prefixes must be assigned before -they may be used. Presently none are assigned. 
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-The reserved category includes strings which do not fall into the first
-three categories. All names in this category are reserved. It is unlikely
-that names will be assigned to this category unless there is a very strong
-argument for not using the 'other' category.
-
-These rules guarantee that there will be no conflicts between the various
-name styles. The following additional constraints apply to the assignment of
-realm names in the domain and X.500 categories: the name of a realm for the
-domain or X.500 formats must either be used by the organization owning (to
-whom it was assigned) an Internet domain name or X.500 name, or in the case
-that no such names are registered, authority to use a realm name may be
-derived from the authority of the parent realm. For example, if there is no
-domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
-authorize the creation of a realm with that name.
-
-This is acceptable because the organization to which the parent is assigned
-is presumably the organization authorized to assign names to its children in
-the X.500 and domain name systems as well. If the parent assigns a realm
-name without also registering it in the domain name or X.500 hierarchy, it
-is the parent's responsibility to make sure that there will not in the
-future exists a name identical to the realm name of the child unless it is
-assigned to the same entity as the realm name.
-
-7.2. Principal Names
-
-As was the case for realm names, conventions are needed to ensure that all
-agree on what information is implied by a principal name. The name-type
-field that is part of the principal name indicates the kind of information
-implied by the name. The name-type should be treated as a hint. Ignoring the
-name type, no two names can be the same (i.e.
at least one of the -components, or the realm, must be different). The following name types are -defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE -principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, -rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - -When a name implies no information other than its uniqueness at a particular -time the name type PRINCIPAL should be used. The principal name type should -be used for users, and it might also be used for a unique server. If the -name is a unique machine generated ID that is guaranteed never to be -reassigned then the name type of UID should be used (note that it is -generally a bad idea to reassign names of any type since stale entries might -remain in access control lists). - -If the first component of a name identifies a service and the remaining -components identify an instance of the service in a server specified manner, -then the name type of SRV-INST should be used. An example of this name type -is the Kerberos ticket-granting service whose name has a first component of -krbtgt and a second component identifying the realm for which the ticket is -valid. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -If instance is a single component following the service name and the -instance identifies the host on which the server is running, then the name -type SRV-HST should be used. This type is typically used for Internet -services such as telnet and the Berkeley R commands. If the separate -components of the host name appear as successive components following the -name of the service, then the name type SRV-XHST should be used. 
This type
-might be used to identify servers on hosts with X.500 names where the slash
-(/) might otherwise be ambiguous.
-
-A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
-certificiate is translated into a Kerberos name. The encoding of the X.509
-name as a Kerberos principal shall conform to the encoding rules specified
-in RFC 2253.
-
-A name type of UNKNOWN should be used when the form of the name is not
-known. When comparing names, a name of type UNKNOWN will match principals
-authenticated with names of any type. A principal authenticated with a name
-of type UNKNOWN, however, will only match other names of type UNKNOWN.
-
-Names of any type with an initial component of 'krbtgt' are reserved for the
-Kerberos ticket granting service. See section 8.2.3 for the form of such
-names.
-
-7.2.1. Name of server principals
-
-The principal identifier for a server on a host will generally be composed
-of two parts: (1) the realm of the KDC with which the server is registered,
-and (2) a two-component name of type NT-SRV-HST if the host name is an
-Internet domain name or a multi-component name of type NT-SRV-XHST if the
-name of the host is of a form such as X.500 that allows slash (/)
-separators. The first component of the two- or multi-component name will
-identify the service and the latter components will identify the host. Where
-the name of the host is not case sensitive (for example, with Internet
-domain names) the name of the host must be lower case. If specified by the
-application protocol for services such as telnet and the Berkeley R commands
-which run with system privileges, the first component may be the string
-'host' instead of a service specific identifier. When a host has an official
-name and one or more aliases, the official name of the host must be used
-when constructing the name of the server principal.
-
-8. Constants and other defined values
-
-8.1.
Host address types - -All negative values for the host address type are reserved for local use. -All non-negative values are reserved for officially assigned type fields and -interpretations. - -The values of the types for the following addresses are chosen to match the -defined address family constants in the Berkeley Standard Distributions of -Unix. They can be found in with symbolic names AF_xxx (where xxx is an -abbreviation of the address family name). - -Internet (IPv4) Addresses - -Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB -order. The type of IPv4 addresses is two (2). - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -Internet (IPv6) Addresses [Westerlund] - -IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The -type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The -following addresses (see [RFC1884]) MUST not appear in any Kerberos packet: - - * the Unspecified Address - * the Loopback Address - * Link-Local addresses - -IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - -CHAOSnet addresses - -CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order. -The type of CHAOSnet addresses is five (5). - -ISO addresses - -ISO addresses are variable-length. The type of ISO addresses is seven (7). - -Xerox Network Services (XNS) addresses - -XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The -type of XNS addresses is six (6). - -AppleTalk Datagram Delivery Protocol (DDP) addresses - -AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network -number. The first octet of the address is the node number; the remaining two -octets encode the network number in MSB order. The type of AppleTalk DDP -addresses is sixteen (16). - -DECnet Phase IV addresses - -DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. 
The
-type of DECnet Phase IV addresses is twelve (12).
-
-Netbios addresses
-
-Netbios addresses are 16-octet addresses typically composed of 1 to 15
-characters, trailing blank (ascii char 20) filled, with a 16th octet of 0x0.
-The type of Netbios addresses is 20 (0x14).
-
-8.2. KDC messages
-
-8.2.1. UDP/IP transport
-
-When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
-IP transport, the client shall send a UDP datagram containing only an
-encoding of the request to port 88 (decimal) at the KDC's IP address; the
-KDC will respond with a reply datagram containing only an encoding of the
-reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
-the sender's IP address. Kerberos servers supporting IP transport must
-accept UDP requests on port 88 (decimal). The response to a request made
-through UDP/IP transport must also use UDP/IP transport.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-8.2.2. TCP/IP transport [Westerlund,Danielsson]
-
-Kerberos servers (KDC's) should accept TCP requests on port 88 (decimal) and
-clients should support the sending of TCP requests on port 88 (decimal).
-When the KRB_KDC_REQ message is sent to the KDC over a TCP stream, a new
-connection will be established for each authentication exchange (request and
-response). The KRB_KDC_REP or KRB_ERROR message will be returned to the
-client on the same TCP stream that was established for the request. The
-response to a request made through TCP/IP transport must also use TCP/IP
-transport. Implementors should note that some extentions to the Kerberos
-protocol will not work if any implementation not supporting the TCP
-transport is involved (client or KDC). Implementors are strongly urged to
-support the TCP transport on both the client and server and are advised that
-the current notation of "should" support will likely change in the future to
-must support.
The KDC may close the TCP stream after sending a response, but -may leave the stream open if it expects a followup - in which case it may -close the stream at any time if resource constratints or other factors make -it desirable to do so. Care must be taken in managing TCP/IP connections -with the KDC to prevent denial of service attacks based on the number of -TCP/IP connections with the KDC that remain open. If multiple exchanges with -the KDC are needed for certain forms of preauthentication, multiple TCP -connections may be required. A client may close the stream after receiving -response, and should close the stream if it does not expect to send followup -messages. The client must be prepared to have the stream closed by the KDC -at anytime, in which case it must simply connect again when it is ready to -send subsequent messages. - -The first four octets of the TCP stream used to transmit the request request -will encode in network byte order the length of the request (KRB_KDC_REQ), -and the length will be followed by the request itself. The response will -similarly be preceeded by a 4 octet encoding in network byte order of the -length of the KRB_KDC_REP or the KRB_ERROR message and will be followed by -the KRB_KDC_REP or the KRB_ERROR response. If the sign bit is set on the -integer represented by the first 4 octets, then the next 4 octets will be -read, extending the length of the field by another 4 octets (less the sign -bit which is reserved for future expansion). - -8.2.3. 
OSI transport - -During authentication of an OSI client to an OSI server, the mutual -authentication of an OSI server to an OSI client, the transfer of -credentials from an OSI client to an OSI server, or during exchange of -private or integrity checked messages, Kerberos protocol messages may be -treated as opaque objects and the type of the authentication mechanism will -be: - -OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), - security(5),kerberosv5(2)} - -Depending on the situation, the opaque object will be an authentication -header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message -(KRB_SAFE), a private message (KRB_PRIV), or a credentials message -(KRB_CRED). The opaque data contains an application code as specified in the -ASN.1 description for each message. The application code may be used by -Kerberos to determine the message type. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -8.2.3. Name of the TGS - -The principal identifier of the ticket-granting service shall be composed of -three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part -name of type NT-SRV-INST, with the first part "krbtgt" and the second part -the name of the realm which will accept the ticket-granting ticket. For -example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be -used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier -of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A -ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get -tickets from the MIT.EDU realm has a principal identifier of -"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name). - -8.3. Protocol constants and associated values - -The following tables list constants used in the protocol and defines their -meanings. 
Ranges are specified in the "specification" section that limit the -values of constants for which values are defined here. This allows -implementations to make assumptions about the maximum values that will be -received for these constants. Implementation receiving values outside the -range specified in the "specification" section may reject the request, but -they must recover cleanly. - -Encryption type etype value block size minimum pad size confounder -size -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - 4 -des3-cbc-md5 5 8 0 8 - 6 -des3-cbc-sha1 7 8 0 8 -sign-dsa-generate 8 -(old-pkinit-will-remove) -dsaWithSHA1-CmsOID 9 (pkinit) -md5WithRSAEncryption-CmsOID 10 (pkinit) -sha1WithRSAEncryption-CmsOID 11 (pkinit) -rc2CBC-EnvOID 12 (pkinit) -rsaEncryption-EnvOID 13 (pkinit from PKCS#1 -v1.5) -rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1 -v2.0) -des-ede3-cbc-Env-OID 15 (pkinit) -des3kd-cbc-sha1 ?? 8 0 8 -ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - -Checksum type sumtype value checksum size -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 -rsa-md5-des3 9 24 -hmac-sha1-des3 12 20 (I had this as 10, is it -12) - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -padata type padata-type value - -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - 4 -PA-ENC-UNIX-TIME 5 -PA-SANDIA-SECUREID 6 -PA-SESAME 7 -PA-OSF-DCE 8 -PA-CYBERSAFE-SECUREID 9 -PA-AFS3-SALT 10 -PA-ETYPE-INFO 11 -SAM-CHALLENGE 12 (sam/otp) -SAM-RESPONSE 13 (sam/otp) -PA-PK-AS-REQ 14 (pkinit) -PA-PK-AS-REP 15 (pkinit) -PA-PK-AS-SIGN 16 (***remove on 7/14***) -PA-PK-KEY-REQ 17 (***remove on 7/14***) -PA-PK-KEY-REP 18 (***remove on 7/14***) -PA-USE-SPECIFIED-KVNO 20 -SAM-REDIRECT 21 (sam/otp) -PA-GET-FROM-TYPED-DATA 22 - -data-type value form of typed-data - - 1-21 -TD-PADATA 22 -TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from 
CMS -TD-KRB-PRINCIPAL 102 -TD-KRB-REALM 103 -TD-TRUSTED-CERTIFIERS 104 -TD-CERTIFICATE-INDEX 105 - -authorization data type ad-type value -AD-IF-RELEVANT 1 -AD-INTENDED-FOR-SERVER 2 -AD-INTENDED-FOR-APPLICATION-CLASS 3 -AD-KDC-ISSUED 4 -AD-OR 5 -AD-MANDATORY-TICKET-EXTENSIONS 6 -AD-IN-TICKET-EXTENSIONS 7 -reserved values 8-63 -OSF-DCE 64 -SESAME 65 - -Ticket Extension Types - -TE-TYPE-NULL 0 Null ticket extension -TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization data - 2 TE-TYPE-PKCROSS-KDC (I have reservations) -TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket -TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - 5 TE-TYPE-DEST-HOST (I have reservations) - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request -KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward -credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for -users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, -rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID -KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name 
[RFC 2253] - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested protocol version # not -supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end -time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was -invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired -[40] -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user -only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path 
-KDC_ERR_SVC_UNAVAILABLE 29 A service is not available
-KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field
-failed
-KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired
-KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid
-KRB_AP_ERR_REPEAT 34 Request is a replay
-KRB_AP_ERR_NOT_US 35 The ticket isn't for us
-KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match
-KRB_AP_ERR_SKEW 37 Clock skew too great
-KRB_AP_ERR_BADADDR 38 Incorrect net address
-KRB_AP_ERR_BADVERSION 39 Protocol version mismatch
-KRB_AP_ERR_MSG_TYPE 40 Invalid msg type
-KRB_AP_ERR_MODIFIED 41 Message stream modified
-KRB_AP_ERR_BADORDER 42 Message out of order
-KRB_AP_ERR_BADKEYVER 44 Specified version of key is not
-available
-KRB_AP_ERR_NOKEY 45 Service key not available
-KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed
-KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction
-KRB_AP_ERR_METHOD 48 Alternative authentication method
-required
-KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message
-KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in
-message
-KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path
-KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry with TCP
-KRB_ERR_GENERIC 60 Generic error (description in e-text)
-KRB_ERR_FIELD_TOOLONG 61 Field is too long for this
-implementation
-KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit)
-KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit)
-KDC_ERROR_INVALID_SIG 64 (pkinit)
-KDC_ERR_KEY_TOO_WEAK 65 (pkinit)
-KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit)
-KRB_AP_ERR_NO_TGT 67 (user-to-user)
-KDC_ERR_WRONG_REALM 68 (user-to-user)
-KRB_AP_ERR_USER_TO_USER_REQUIRED 69 (user-to-user)
-KDC_ERR_CANT_VERIFY_CERTIFICATE 70 (pkinit)
-KDC_ERR_INVALID_CERTIFICATE 71 (pkinit)
-KDC_ERR_REVOKED_CERTIFICATE 72 (pkinit)
-KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 (pkinit)
-KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 (pkinit)
-KDC_ERR_CLIENT_NAME_MISMATCH 75 (pkinit)
-KDC_ERR_KDC_NAME_MISMATCH 76 (pkinit)
-
-9. Interoperability requirements
-
-Version 5 of the Kerberos protocol supports a myriad of options. Among these
-are multiple encryption and checksum types, alternative encoding schemes for
-the transited field, optional mechanisms for pre-authentication, the
-handling of tickets with no addresses, options for mutual authentication,
-user to user authentication, support for proxies, forwarding, postdating,
-and renewing tickets, the format of realm names, and the handling of
-authorization data.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-In order to ensure the interoperability of realms, it is necessary to define
-a minimal configuration which must be supported by all implementations. This
-minimal configuration is subject to change as technology does. For example,
-if at some later date it is discovered that one of the required encryption
-or checksum algorithms is not secure, it will be replaced.
-
-9.1. Specification 2
-
-This section defines the second specification of these options.
-Implementations which are configured in this way can be said to support
-Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
-be found in RFC1510.
-
-Transport
-
-TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
-to specification 2. Kerberos clients claiming conformance to specification 2
-must support UDP/IP transport for messages with the KDC and should support
-TCP/IP transport.
-
-Encryption and checksum methods
-
-The following encryption and checksum mechanisms must be supported.
-Implementations may support other mechanisms as well, but the additional
-mechanisms may only be used when communicating with principals known to also
-support them: This list is to be determined.
[***This section will change, -and alternatives will be sent to the cat and krb-protocol list prior to the -Oslo IETF - change will be made 7/14/99 ***] - -Encryption: DES-CBC-MD5 -Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 - -Realm Names - -All implementations must understand hierarchical realms in both the Internet -Domain and the X.500 style. When a ticket granting ticket for an unknown -realm is requested, the KDC must be able to determine the names of the -intermediate realms between the KDCs realm and the requested realm. - -Transited field encoding - -DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported. -Alternative encodings may be supported, but they may be used only when that -encoding is supported by ALL intermediate realms. - -Pre-authentication methods - -The TGS-REQ method must be supported. The TGS-REQ method is not used on the -initial request. The PA-ENC-TIMESTAMP method must be supported by clients -but whether it is enabled by default may be determined on a realm by realm -basis. If not used in the initial request and the error -KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an -acceptable method, the client should retry the initial request using the -PA-ENC-TIMESTAMP preauthentication method. Servers need not support the -PA-ENC-TIMESTAMP method, but if not supported the server should ignore the -presence of PA-ENC-TIMESTAMP pre-authentication in a request. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -Mutual authentication - -Mutual authentication (via the KRB_AP_REP message) must be supported. - -Ticket addresses and flags - -All KDC's must pass on tickets that carry no addresses (i.e. if a TGT -contains no addresses, the KDC will return derivative tickets), but each -realm may set its own policy for issuing such tickets, and each application -server will set its own policy with respect to accepting them. 
-
-Proxies and forwarded tickets must be supported. Individual realms and
-application servers can set their own policy on when such tickets will be
-accepted.
-
-All implementations must recognize renewable and postdated tickets, but need
-not actually implement them. If these options are not supported, the
-starttime and endtime in the ticket shall specify a ticket's entire useful
-life. When a postdated ticket is decoded by a server, all implementations
-shall make the presence of the postdated flag visible to the calling server.
-
-User-to-user authentication
-
-Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option)
-must be provided by implementations, but individual realms may decide as a
-matter of policy to reject such requests on a per-principal or realm-wide
-basis.
-
-Authorization data
-
-Implementations must pass all authorization data subfields from
-ticket-granting tickets to any derivative tickets unless directed to
-suppress a subfield as part of the definition of that registered subfield
-type (it is never incorrect to pass on a subfield, and no registered
-subfield types presently specify suppression at the KDC).
-
-Implementations must make the contents of any authorization data subfields
-available to the server when a ticket is used. Implementations are not
-required to allow clients to specify the contents of the authorization data
-fields.
-
-Constant ranges
-
-All protocol constants are constrained to 32 bit (signed) values unless
-further constrained by the protocol definition. This limit is provided to
-allow implementations to make assumptions about the maximum values that will
-be received for these constants. Implementation receiving values outside
-this range may reject the request, but they must recover cleanly.
-
-9.2. Recommended KDC values
-
-Following is a list of recommended values for a KDC implementation, based on
-the list of suggested configuration constants (see section 4.4).
- -minimum lifetime 5 minutes -maximum renewable lifetime 1 week -maximum ticket lifetime 1 day -empty addresses only when suitable restrictions appear - in authorization data -proxiable, etc. Allowed. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -10. REFERENCES - -[NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). - -[MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - -[SNS88] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - -[NS78] Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). - -[DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time- - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - -[KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - -[Neu93] B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - -[DS90] Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - -[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. 
Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - -[X509-88] CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - -[Pat92]. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - -[DES77] National Bureau of Standards, U.S. Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -[DESM80] National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - -[SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - -[IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - -[MD4-92] R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - -[MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - -[KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - -[Horowitz96] Horowitz, M., "Key Derivation for Authentication, - Integrity, and Privacy", draft-horowitz-key-derivation-02.txt, - August 1998. 
- -[HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-01.txt, September 1998. - -[Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A. Pseudo-code for protocol processing - -This appendix provides pseudo-code describing how the messages are to be -constructed and interpreted by clients and servers. - -A.1. KRB_AS_REQ generation - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_AS_REQ */ - - if(pa_enc_timestamp_required) then - request.padata.padata-type = PA-ENC-TIMESTAMP; - get system_time; - padata-body.patimestamp,pausec = system_time; - encrypt padata-body into request.padata.padata-value - using client.key; /* derived from password */ - endif - - body.kdc-options := users's preferences; - body.cname := user's name; - body.realm := user's realm; - body.sname := service's name; /* usually "krbtgt", "localrealm" */ - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - omit body.enc-authorization-data; - request.req-body := body; - - kerberos := lookup(name of local kerberos server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use alternate server; - endif - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation - - decode message into req; - - client := lookup(req.cname,req.realm); - server := lookup(req.sname,req.realm); - - get system_time; - kdc_time := system_time.seconds; - - if (!client) then - /* no client in Database */ - error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN); - endif - if (!server) then - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - - if(client.pa_enc_timestamp_required and - pa_enc_timestamp not present) then - error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)); - endif - - if(pa_enc_timestamp present) then - decrypt req.padata-value into decrypted_enc_timestamp - using client.key; - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - if(decrypted_enc_timestamp is not within allowable skew) -then - error_out(KDC_ERR_PREAUTH_FAILED); - endif - if(decrypted_enc_timestamp and usec is replay) - error_out(KDC_ERR_PREAUTH_FAILED); - endif - add decrypted_enc_timestamp and usec to replay cache; - endif - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := req.srealm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. 
For example, some */ - /* realms may refuse to issue renewable tickets */ - - if (req.kdc-options.FORWARDABLE is set) then - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.PROXIABLE is set) then - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - set new_tkt.flags.PROXIABLE; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - set new_tkt.flags.MAY-POSTDATE; - endif - if ((req.kdc-options.RENEW is set) or - (req.kdc-options.VALIDATE is set) or - (req.kdc-options.PROXY is set) or - (req.kdc-options.FORWARDED is set) or - (req.kdc-options.ENC-TKT-IN-SKEY is set)) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.session := random_session_key(); - new_tkt.cname := req.cname; - new_tkt.crealm := req.crealm; - new_tkt.transited := empty_transited_field(); - - new_tkt.authtime := kdc_time; - - if (req.kdc-options.POSTDATED is set) then - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - new_tkt.starttime := req.from; - else - omit new_tkt.starttime; /* treated as authtime when omitted */ - endif - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till)) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := req.till; - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if (req.kdc-options.RENEWABLE is set) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - new_tkt.starttime+client.max_rlife, - 
new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm); - else - omit new_tkt.renew-till; /* only present if RENEWABLE */ - endif - - if (req.addresses) then - new_tkt.caddr := req.addresses; - else - omit new_tkt.caddr; - endif - - new_tkt.authorization_data := empty_authorization_data(); - - encode to-be-encrypted part of ticket into OCTET STRING; - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), server.key, server.p_kvno; - - /* Start processing the response */ - - resp.pvno := 5; - resp.msg-type := KRB_AS_REP; - resp.cname := req.cname; - resp.crealm := req.realm; - resp.ticket := new_tkt; - - resp.key := new_tkt.session; - resp.last-req := fetch_last_request_info(client); - resp.nonce := req.nonce; - resp.key-expiration := client.expiration; - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - resp.realm := new_tkt.realm; - resp.sname := new_tkt.sname; - - resp.caddr := new_tkt.caddr; - - encode body of reply into OCTET STRING; - - resp.enc-part := encrypt OCTET STRING - using use_etype, client.key, client.p_kvno; - send(resp); - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A.3. 
KRB_AS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then - set pa_enc_timestamp_required; - goto KRB_AS_REQ; - endif - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key */ - /* from the response immediately */ - - key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype, - resp.padata); - unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and key; - zero(key); - - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - if near(resp.princ_exp) then - print(warning message); - endif - save_for_later(ticket,session,client,server,times,flags); - -A.4. KRB_AS_REP and KRB_TGS_REP common checks - - if (decryption_error() or - (req.cname != resp.cname) or - (req.realm != resp.crealm) or - (req.sname != resp.sname) or - (req.realm != resp.realm) or - (req.nonce != resp.nonce) or - (req.addresses != resp.caddr)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - /* make sure no flags are set that shouldn't be, and that all that -*/ - /* should be are set -*/ - if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.from = 0) and - (resp.starttime is not within allowable skew)) then - destroy resp.key; - return KRB_AP_ERR_SKEW; - endif - if ((req.from != 0) and (req.from != resp.starttime)) then - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - if ((req.till != 0) and (resp.endtime > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (req.rtime != 0) and (resp.renew-till > req.rtime)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - 
endif - if ((req.kdc-options.RENEWABLE-OK is set) and - (resp.flags.RENEWABLE) and - (req.till != 0) and - (resp.renew-till > req.till)) then - destroy resp.key; - return KRB_AP_ERR_MODIFIED; - endif - -A.5. KRB_TGS_REQ generation - - /* Note that make_application_request might have to recursivly -*/ - /* call this routine to get the appropriate ticket-granting ticket -*/ - - request.pvno := protocol version; /* pvno = 5 */ - request.msg-type := message type; /* type = KRB_TGS_REQ */ - - body.kdc-options := users's preferences; - /* If the TGT is not for the realm of the end-server */ - /* then the sname will be for a TGT for the end-realm */ - /* and the realm of the requested ticket (body.realm) */ - /* will be that of the TGS to which the TGT we are */ - /* sending applies */ - body.sname := service's name; - body.realm := service's realm; - - if (body.kdc-options.POSTDATED is set) then - body.from := requested starting time; - else - omit body.from; - endif - body.till := requested end time; - if (body.kdc-options.RENEWABLE is set) then - body.rtime := requested final renewal time; - endif - body.nonce := random_nonce(); - body.etype := requested etypes; - if (user supplied addresses) then - body.addresses := user's addresses; - else - omit body.addresses; - endif - - body.enc-authorization-data := user-supplied data; - if (body.kdc-options.ENC-TKT-IN-SKEY) then - body.additional-tickets_ticket := second TGT; - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - endif - - request.req-body := body; - check := generate_checksum (req.body,checksumtype); - - request.padata[0].padata-type := PA-TGS-REQ; - request.padata[0].padata-value := create a KRB_AP_REQ using - the TGT and checksum - - /* add in any other padata as required/supplied */ - - kerberos := lookup(name of local kerberose server (or servers)); - send(packet,kerberos); - - wait(for response); - if (timed_out) then - retry or use 
alternate server; - endif - -A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation - - /* note that reading the application request requires first - determining the server for which a ticket was issued, and choosing -the - correct key for decryption. The name of the server appears in the - plaintext part of the ticket. */ - - if (no KRB_AP_REQ in req.padata) then - error_out(KDC_ERR_PADATA_TYPE_NOSUPP); - endif - verify KRB_AP_REQ in req.padata; - - /* Note that the realm in which the Kerberos server is operating is - determined by the instance from the ticket-granting ticket. The -realm - in the ticket-granting ticket is the realm under which the ticket - granting ticket was issued. It is possible for a single Kerberos - server to support more than one realm. */ - - auth_hdr := KRB_AP_REQ; - tgt := auth_hdr.ticket; - - if (tgt.sname is not a TGT for local realm and is not req.sname) -then - error_out(KRB_AP_ERR_NOT_US); - - realm := realm_tgt_is_for(tgt); - - decode remainder of request; - - if (auth_hdr.authenticator.cksum is missing) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - if (auth_hdr.authenticator.cksum is not both collision-proof and - keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - set computed_checksum := checksum(req); - if (computed_checksum != auth_hdr.authenticatory.cksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - server := lookup(req.sname,realm); - - if (!server) then - if (is_foreign_tgt_name(req.sname)) then - server := best_intermediate_tgs(req.sname); - else - /* no server in Database */ - error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN); - endif - endif - - session := generate_random_session_key(); - - use_etype := first supported etype in req.etypes; - - if (no support for req.etypes) then - 
error_out(KDC_ERR_ETYPE_NOSUPP); - endif - - new_tkt.vno := ticket version; /* = 5 */ - new_tkt.sname := req.sname; - new_tkt.srealm := realm; - reset all flags in new_tkt.flags; - - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ - - new_tkt.caddr := tgt.caddr; - resp.caddr := NULL; /* We only include this if they change */ - if (req.kdc-options.FORWARDABLE is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDABLE; - endif - if (req.kdc-options.FORWARDED is set) then - if (tgt.flags.FORWARDABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.FORWARDED; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - if (tgt.flags.FORWARDED is set) then - set new_tkt.flags.FORWARDED; - endif - - if (req.kdc-options.PROXIABLE is set) then - if (tgt.flags.PROXIABLE is reset) - error_out(KDC_ERR_BADOPTION); - endif - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - set new_tkt.flags.PROXIABLE; - endif - if (req.kdc-options.PROXY is set) then - if (tgt.flags.PROXIABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.PROXY; - new_tkt.caddr := req.addresses; - resp.caddr := req.addresses; - endif - - if (req.kdc-options.ALLOW-POSTDATE is set) then - if (tgt.flags.MAY-POSTDATE is reset) - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.MAY-POSTDATE; - endif - if (req.kdc-options.POSTDATED is set) then - if (tgt.flags.MAY-POSTDATE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - set new_tkt.flags.POSTDATED; - set new_tkt.flags.INVALID; - if (against_postdate_policy(req.from)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - if (req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is 
reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would -*/ - /* have been rejected in the initial authentication stage, so -*/ - /* there is no need to check again here -*/ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing -*/ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - 
new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till field out -*/ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into -decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data -+ - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + -tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept it */ - if (check_transited_field(new_tkt.transited) == OK) - set new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(server.key), 
server.key, server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key; - - send(resp); - -A.7. KRB_TGS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of -resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of resp.enc-part - using resp.enc-part.etype and tgt's session key; - if (common_as_rep_tgs_rep_checks fail) then - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - -A.8. 
Authenticator generation - - body.authenticator-vno := authenticator vno; /* = 5 */ - body.cname, body.crealm := client name; - if (supplying checksum) then - body.cksum := checksum; - endif - get system_time; - body.ctime, body.cusec := system_time; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A.9. KRB_AP_REQ generation - - obtain ticket and session_key from cache; - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REQ */ - - if (desired(MUTUAL_AUTHENTICATION)) then - set packet.ap-options.MUTUAL-REQUIRED; - else - reset packet.ap-options.MUTUAL-REQUIRED; - endif - if (using session key for ticket) then - set packet.ap-options.USE-SESSION-KEY; - else - reset packet.ap-options.USE-SESSION-KEY; - endif - packet.ticket := ticket; /* ticket */ - generate authenticator; - encode authenticator into OCTET STRING; - encrypt OCTET STRING into packet.authenticator using session_key; - -A.10. 
KRB_AP_REQ verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REQ) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.ticket.tkt_vno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.ap_options.USE-SESSION-KEY is set) then - retrieve session key from ticket-granting ticket for - packet.ticket.{sname,srealm,enc-part.etype}; - else - retrieve service key for - packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; - endif - if (no_key_available) then - if (cannot_find_specified_skvno) then - error_out(KRB_AP_ERR_BADKEYVER); - else - error_out(KRB_AP_ERR_NOKEY); - endif - endif - decrypt packet.ticket.enc-part into decr_ticket using retrieved key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - decrypt packet.authenticator into decr_authenticator - using decr_ticket.key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - endif - if (decr_authenticator.{cname,crealm} != - decr_ticket.{cname,crealm}) then - error_out(KRB_AP_ERR_BADMATCH); - endif - if (decr_ticket.caddr is present) then - if (sender_address(packet) is not in decr_ticket.caddr) then - error_out(KRB_AP_ERR_BADADDR); - endif - elseif (application requires addresses) then - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(decr_authenticator.ctime, - decr_authenticator.cusec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then - error_out(KRB_AP_ERR_REPEAT); - endif - save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); - get system_time; - if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or - (decr_ticket.flags.INVALID is set)) then - /* it 
hasn't yet become valid */ - error_out(KRB_AP_ERR_TKT_NYV); - endif - if (system_time-decr_ticket.endtime > CLOCK_SKEW) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - if (decr_ticket.transited) then - /* caller may ignore the TRANSITED-POLICY-CHECKED and do - * check anyway */ - if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then - if (check_transited_field(decr_ticket.transited) then - error_out(KDC_AP_PATH_NOT_ACCPETED); - endif - endif - endif - /* caller must check decr_ticket.flags for any pertinent details */ - return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED); - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A.11. KRB_AP_REP generation - - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_AP_REP */ - - body.ctime := packet.ctime; - body.cusec := packet.cusec; - if (selecting sub-session key) then - select sub-session key; - body.subkey := sub-session key; - endif - if (using sequence numbers) then - select initial sequence number; - body.seq-number := initial sequence; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part; - -A.12. 
KRB_AP_REP verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_AP_REP) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - cleartext := decrypt(packet.enc-part) using ticket's session key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if (cleartext.ctime != authenticator.ctime) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.cusec != authenticator.cusec) then - error_out(KRB_AP_ERR_MUT_FAIL); - endif - if (cleartext.subkey is present) then - save cleartext.subkey for future use; - endif - if (cleartext.seq-number is present) then - save cleartext.seq-number for future verifications; - endif - return(AUTHENTICATION_SUCCEEDED); - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A.13. KRB_SAFE generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_SAFE */ - - body.user-data := buffer; /* DATA */ - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - checksum.cksumtype := checksum type; - compute checksum over body; - checksum.checksum := checksum value; /* checksum.checksum */ - packet.cksum := checksum; - packet.safe-body := body; - -A.14. 
KRB_SAFE verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_SAFE) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - if (packet.checksum.cksumtype is not both collision-proof - and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - if (safe_priv_common_checks_ok(packet)) then - set computed_checksum := checksum(packet.body); - if (computed_checksum != packet.checksum) then - error_out(KRB_AP_ERR_MODIFIED); - endif - return (packet, PACKET_IS_GENUINE); - else - return common_checks_error; - endif - -A.15. KRB_SAFE and KRB_PRIV common checks - - if (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (((packet.timestamp is present) and - (not in_clock_skew(packet.timestamp,packet.usec))) or - (packet.timestamp is not present and timestamp expected)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - - if (((packet.seq-number is present) and - ((not in_sequence(packet.seq-number)))) or - (packet.seq-number is not present and sequence expected)) then - error_out(KRB_AP_ERR_BADORDER); - endif - if (packet.timestamp not present and packet.seq-number - not present) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - save_identifier(packet.{timestamp,usec,s-address}, - sender_principal(packet)); - - return PACKET_IS_OK; - -A.16. 
KRB_PRIV generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A.17. KRB_PRIV verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - -A.18. 
KRB_CRED generation - - invoke KRB_TGS; /* obtain tickets to be provided to peer */ - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_CRED */ - - for (tickets[n] in tickets to be forwarded) do - packet.tickets[n] = tickets[n].ticket; - done - - packet.enc-part.etype := encryption type; - - for (ticket[n] in tickets to be forwarded) do - body.ticket-info[n].key = tickets[n].session; - body.ticket-info[n].prealm = tickets[n].crealm; - body.ticket-info[n].pname = tickets[n].cname; - body.ticket-info[n].flags = tickets[n].flags; - body.ticket-info[n].authtime = tickets[n].authtime; - body.ticket-info[n].starttime = tickets[n].starttime; - body.ticket-info[n].endtime = tickets[n].endtime; - body.ticket-info[n].renew-till = tickets[n].renew-till; - body.ticket-info[n].srealm = tickets[n].srealm; - body.ticket-info[n].sname = tickets[n].sname; - body.ticket-info[n].caddr = tickets[n].caddr; - done - - get system_time; - body.timestamp, body.usec := system_time; - - if (using nonce) then - body.nonce := nonce; - endif - - if (using s-address) then - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - - body.s-address := sender host addresses; - endif - if (limited recipients) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher - using negotiated encryption key; - -A.19. 
KRB_CRED verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_CRED) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - if ((packet.r-address is present or required) and - (packet.s-address != O/S_sender(packet)) then - /* O/S report of sender not who claims to have sent it */ - error_out(KRB_AP_ERR_BADADDR); - endif - if ((packet.r-address is present) and - (packet.r-address != local_host_address)) then - /* was not sent to proper place */ - error_out(KRB_AP_ERR_BADADDR); - endif - if (not in_clock_skew(packet.timestamp,packet.usec)) then - error_out(KRB_AP_ERR_SKEW); - endif - if (repeated(packet.timestamp,packet.usec,packet.s-address)) then - error_out(KRB_AP_ERR_REPEAT); - endif - if (packet.nonce is required or present) and - (packet.nonce != expected-nonce) then - error_out(KRB_AP_ERR_MODIFIED); - endif - - for (ticket[n] in tickets that were forwarded) do - save_for_later(ticket[n],key[n],principal[n], - server[n],times[n],flags[n]); - return - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -A.20. 
KRB_ERROR generation - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_ERROR */ - - get system_time; - packet.stime, packet.susec := system_time; - packet.realm, packet.sname := server name; - - if (client time available) then - packet.ctime, packet.cusec := client_time; - endif - packet.error-code := error code; - if (client name available) then - packet.cname, packet.crealm := client name; - endif - if (error text available) then - packet.e-text := error text; - endif - if (error data available) then - packet.e-data := error data; - endif - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -B. Definition of common authorization data elements - -This appendix contains the definitions of common authorization data -elements. These common authorization data elements are recursivly defined, -meaning the ad-data for these types will itself contain a sequence of -authorization data whose interpretation is affected by the encapsulating -element. Depending on the meaning of the encapsulating element, the -encapsulated elements may be ignored, might be interpreted as issued -directly by the KDC, or they might be stored in a separate plaintext part of -the ticket. The types of the encapsulating elements are specified as part of -the Kerberos specification because the behavior based on these values should -be understood across implementations whereas other elements need only be -understood by the applications which they affect. - -In the definitions that follow, the value of the ad-type for the element -will be specified in the subsection number, and the value of the ad-data -will be as shown in the ASN.1 structure that follows the subsection heading. - -B.1. 
If relevant - -AD-IF-RELEVANT AuthorizationData - -AD elements encapsulated within the if-relevant element are intended for -interpretation only by application servers that understand the particular -ad-type of the embedded element. Application servers that do not understand -the type of an element embedded within the if-relevant element may ignore -the uninterpretable element. This element promotes interoperability across -implementations which may have local extensions for authorization. - -B.2. Intended for server - -AD-INTENDED-FOR-SERVER SEQUENCE { - intended-server[0] SEQUENCE OF PrincipalName - elements[1] AuthorizationData -} - -AD elements encapsulated within the intended-for-server element may be -ignored if the application server is not in the list of principal names of -intended servers. Further, a KDC issuing a ticket for an application server -can remove this element if the application server is not in the list of -intended servers. - -Application servers should check for their principal name in the -intended-server field of this element. If their principal name is not found, -this element should be ignored. If found, then the encapsulated elements -should be evaluated in the same manner as if they were present in the top -level authorization data field. Applications and application servers that do -not implement this element should reject tickets that contain authorization -data elements of this type. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -B.3. Intended for application class - -AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0] -SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements -encapsulated within the intended-for-application-class element may be -ignored if the application server is not in one of the named classes of -application servers. 
Examples of application server classes include -"FILESYSTEM", and other kinds of servers. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - -B.4. KDC Issued - -AD-KDCIssued SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData. -} - -ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the ticket - itself (i.e. using the same hash function and the same encryption - algorithm used to encrypt the ticket) and using a key derived from the - same key used to protect the ticket. -i-realm, i-sname - The name of the issuing principal if different from the KDC itself. - This field would be used when the KDC can verify the authenticity of - elements signed by the issuing principal and it allows this KDC to - notify the application server of the validity of those elements. -elements - A sequence of authorization data elements issued by the KDC. - -The KDC-issued ad-data field is intended to provide a means for Kerberos -principal credentials to embed within themselves privilege attributes and -other mechanisms for positive authorization, amplifying the priveleges of -the principal beyond what can be done using a credentials without such an -a-data element. - -This can not be provided without this element because the definition of the -authorization-data field allows elements to be added at will by the bearer -of a TGT at the time that they request service tickets and elements may also -be added to a delegated ticket by inclusion in the authenticator. - -For KDC-issued elements this is prevented because the elements are signed by -the KDC by including a checksum encrypted using the server's key (the same -key used to encrypt the ticket - or a key derived from that key). 
Elements -encapsulated with in the KDC-issued element will be ignored by the -application server if this "signature" is not present. Further, elements -encapsulated within this element from a ticket granting ticket may be -interpreted by the KDC, and used as a basis according to policy for -including new signed elements within derivative tickets, but they will not -be copied to a derivative ticket directly. If they are copied directly to a -derivative ticket by a KDC that is not aware of this element, the signature -will not be correct for the application ticket elements, and the field will -be ignored by the application server. - -This element and the elements it encapulates may be safely ignored by -applications, application servers, and KDCs that do not implement this -element. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -B.5. And-Or - -AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData -} - -When restrictive AD elements encapsulated within the and-or element are -encountered, only the number specified in condition-count of the -encapsulated conditions must be met in order to satisfy this element. This -element may be used to implement an "or" operation by setting the -condition-count field to 1, and it may specify an "and" operation by setting -the condition count to the number of embedded elements. Application servers -that do not implement this element must reject tickets that contain -authorization data elements of this type. - -B.6. Mandatory ticket extensions - -AD-Mandatory-Ticket-Extensions Checksum - -An authorization data element of type mandatory-ticket-extensions specifies -a collision-proof checksum using the same hash algorithm used to protect the -integrity of the ticket itself. This checksum will be calculated over an -individual extension field. 
If there are more than one extension, multiple -Mandatory-Ticket-Extensions authorization data elements may be present, each -with a checksum for a different extension field. This restriction indicates -that the ticket should not be accepted if a ticket extension is not present -in the ticket for which the checksum does not match that checksum specified -in the authorization data element. Application servers that do not implement -this element must reject tickets that contain authorization data elements of -this type. - -B.7. Authorization Data in ticket extensions - -AD-IN-Ticket-Extensions Checksum - -An authorization data element of type in-ticket-extensions specifies a -collision-proof checksum using the same hash algorithm used to protect the -integrity of the ticket itself. This checksum is calculated over a separate -external AuthorizationData field carried in the ticket extensions. -Application servers that do not implement this element must reject tickets -that contain authorization data elements of this type. Application servers -that do implement this element will search the ticket extensions for -authorization data fields, calculate the specified checksum over each -authorization data field and look for one matching the checksum in this -in-ticket-extensions element. If not found, then the ticket must be -rejected. If found, the corresponding authorization data elements will be -interpreted in the same manner as if they were contained in the top level -authorization data field. - -Note that if multiple external authorization data fields are present in a -ticket, each will have a corresponding element of type in-ticket-extensions -in the top level authorization data field, and the external entries will be -linked to the corresponding element by their checksums. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -C. 
Definition of common ticket extensions - -This appendix contains the definitions of common ticket extensions. Support -for these extensions is optional. However, certain extensions have -associated authorization data elements that may require rejection of a -ticket containing an extension by application servers that do not implement -the particular extension. Other extensions have been defined beyond those -described in this specification. Such extensions are described elswhere and -for some of those extensions the reserved number may be found in the list of -constants. - -It is known that older versions of Kerberos did not support this field, and -that some clients will strip this field from a ticket when they parse and -then reassemble a ticket as it is passed to the application servers. The -presence of the extension will not break such clients, but any functionaly -dependent on the extensions will not work when such tickets are handled by -old clients. In such situations, some implementation may use alternate -methods to transmit the information in the extensions field. - -C.1. Null ticket extension - -TE-NullExtension OctetString -- The empty Octet String - -The te-data field in the null ticket extension is an octet string of lenght -zero. This extension may be included in a ticket granting ticket so that the -KDC can determine on presentation of the ticket granting ticket whether the -client software will strip the extensions field. - -C.2. External Authorization Data - -TE-ExternalAuthorizationData AuthorizationData - -The te-data field in the external authorization data ticket extension is -field of type AuthorizationData containing one or more authorization data -elements. If present, a corresponding authorization data element will be -present in the primary authorization data for the ticket and that element -will contain a checksum of the external authorization data ticket extension. 
- ------------------------------------------------------------------------ -[TM] Project Athena, Athena, and Kerberos are trademarks of the -Massachusetts Institute of Technology (MIT). No commercial use of these -trademarks may be made without prior written permission of MIT. - -[1] Note, however, that many applications use Kerberos' functions only upon -the initiation of a stream-based network connection. Unless an application -subsequently provides integrity protection for the data stream, the identity -verification applies only to the initiation of the connection, and does not -guarantee that subsequent messages on the connection originate from the same -principal. - -[2] Secret and private are often used interchangeably in the literature. In -our usage, it takes two (or more) to share a secret, thus a shared DES key -is a secret key. Something is only private when no one but its owner knows -it. Thus, in public key cryptosystems, one has a public and a private key. - -[3] Of course, with appropriate permission the client could arrange -registration of a separately-named prin- cipal in a remote realm, and engage -in normal exchanges with that realm's services. However, for even small -numbers of clients this becomes cumbersome, and more automatic methods as -described here are necessary. - - -Neuman, Ts'o, Kohl Expires: 25 December, -1999 - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25, -1999 - -[4] Though it is permissible to request or issue tick- ets with no network -addresses specified. - -[5] The password-changing request must not be honored unless the requester -can provide the old password (the user's current secret key). Otherwise, it -would be possible for someone to walk up to an unattended ses- sion and -change another user's password. - -[6] To authenticate a user logging on to a local system, the credentials -obtained in the AS exchange may first be used in a TGS exchange to obtain -credentials for a local server. 
Those credentials must then be verified by a -local server through successful completion of the Client/Server exchange. - -[7] "Random" means that, among other things, it should be impossible to -guess the next session key based on knowledge of past session keys. This can -only be achieved in a pseudo-random number generator if it is based on -cryptographic principles. It is more desirable to use a truly random number -generator, such as one based on measurements of random physical phenomena. - -[8] Tickets contain both an encrypted and unencrypted portion, so cleartext -here refers to the entire unit, which can be copied from one message and -replayed in another without any cryptographic skill. - -[9] Note that this can make applications based on unreliable transports -difficult to code correctly. If the transport might deliver duplicated -messages, either a new authenticator must be generated for each retry, or -the application server must match requests and replies and replay the first -reply in response to a detected duplicate. - -[10] This is used for user-to-user authentication as described in [8]. - -[11] Note that the rejection here is restricted to authenticators from the -same principal to the same server. Other client principals communicating -with the same server principal should not be have their authenticators -rejected if the time and microsecond fields happen to match some other -client's authenticator. - -[12] In the Kerberos version 4 protocol, the timestamp in the reply was the -client's timestamp plus one. This is not necessary in version 5 because -version 5 messages are formatted in such a way that it is not possible to -create the reply by judicious message surgery (even in encrypted form) -without knowledge of the appropriate encryption keys. - -[13] Note that for encrypting the KRB_AP_REP message, the sub-session key is -not used, even if present in the Authenticator. 
-
-[14] Implementations of the protocol may wish to provide routines to choose
-subkeys based on session keys and random numbers and to generate a
-negotiated key to be returned in the KRB_AP_REP message.
-
-[15]This can be accomplished in several ways. It might be known beforehand
-(since the realm is part of the principal identifier), it might be stored in
-a nameserver, or it might be obtained from a configura- tion file. If the
-realm to be used is obtained from a nameserver, there is a danger of being
-spoofed if the nameservice providing the realm name is not authenti- cated.
-This might result in the use of a realm which has been compromised, and
-would result in an attacker's ability to compromise the authentication of
-the application server to the client.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-[16] If the client selects a sub-session key, care must be taken to ensure
-the randomness of the selected sub- session key. One approach would be to
-generate a random number and XOR it with the session key from the
-ticket-granting ticket.
-
-[17] This allows easy implementation of user-to-user authentication [8],
-which uses ticket-granting ticket session keys in lieu of secret server keys
-in situa- tions where such secret keys could be easily comprom- ised.
-
-[18] For the purpose of appending, the realm preceding the first listed
-realm is considered to be the null realm ("").
-
-[19] For the purpose of interpreting null subfields, the client's realm is
-considered to precede those in the transited field, and the server's realm
-is considered to follow them.
-
-[20] This means that a client and server running on the same host and
-communicating with one another using the KRB_SAFE messages should not share
-a common replay cache to detect KRB_SAFE replays.
-
-[21] The implementation of the Kerberos server need not combine the database
-and the server on the same machine; it is feasible to store the principal
-database in, say, a network name service, as long as the entries stored
-therein are protected from disclosure to and modification by unauthorized
-parties. However, we recommend against such strategies, as they can make
-system management and threat analysis quite complex.
-
-[22] See the discussion of the padata field in section 5.4.2 for details on
-why this can be useful.
-
-[23] Warning for implementations that unpack and repack data structures
-during the generation and verification of embedded checksums: Because any
-checksums applied to data structures must be checked against the original
-data the length of bit strings must be preserved within a data structure
-between the time that a checksum is generated through transmission to the
-time that the checksum is verified.
-
-[24] It is NOT recommended that this time value be used to adjust the
-workstation's clock since the workstation cannot reliably determine that
-such a KRB_AS_REP actually came from the proper KDC in a timely manner.
-
-[25] Note, however, that if the time is used as the nonce, one must make
-sure that the workstation time is monotonically increasing. If the time is
-ever reset backwards, there is a small, but finite, probability that a nonce
-will be reused.
-
-[27] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[29] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-[31] An application code in the encrypted part of a message provides an
-additional check that the message was decrypted properly.
-
-
-Neuman, Ts'o, Kohl Expires: 25 December,
-1999
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-04 June 25,
-1999
-
-[32] If supported by the encryption method in use, an initialization vector
-may be passed to the encryption procedure, in order to achieve proper cipher
-chaining. The initialization vector might come from the last block of the
-ciphertext from the previous KRB_PRIV message, but it is the application's
-choice whether or not to use such an initialization vector. If left out, the
-default initialization vector for the encryption algorithm will be used.
-
-[33] This prevents an attacker who generates an incorrect AS request from
-obtaining verifiable plaintext for use in an off-line password guessing
-attack.
-
-[35] In the above specification, UNTAGGED OCTET STRING(length) is the
-notation for an octet string with its tag and length removed. It is not a
-valid ASN.1 type. The tag bits and length must be removed from the
-confounder since the purpose of the confounder is so that the message starts
-with random data, but the tag and its length are fixed. For other fields,
-the length and tag would be redundant if they were included because they are
-specified by the encryption type. [36] The ordering of the fields in the
-CipherText is important. Additionally, messages encoded in this format must
-include a length as part of the msg-seq field. This allows the recipient to
-verify that the message has not been truncated. Without a length, an
-attacker could use a chosen plaintext attack to generate a message which
-could be truncated, while leaving the checksum intact. Note that if the
-msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
-is part of that encoding.
-
-[37] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[38] In some cases, it may be necessary to use a different "mix-in" string
-for compatibility reasons; see the discussion of padata in section 5.4.2.
-
-[39] A variant of the key is used to limit the use of a key to a particular
-function, separating the functions of generating a checksum from other
-encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
-was chosen because it maintains key parity. The properties of DES precluded
-the use of the complement. The same constant is used for similar purpose in
-the Message Integrity Check in the Privacy Enhanced Mail standard.
-
-[40] This error carries additional information in the e- data field. The
-contents of the e-data field for this message is described in section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
deleted file mode 100644
index 15921248c117..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
+++ /dev/null
@@ -1,6866 +0,0 @@
-INTERNET-DRAFT Clifford Neuman
- John Kohl
- Theodore Ts'o
- March 10, 2000
- Expires September 10, 2000
-
-The Kerberos Network Authentication Service (V5)
-draft-ietf-cat-kerberos-revisions-05.txt
-
-STATUS OF THIS MEMO
-
-This document is an Internet-Draft and is in full conformance with all
-provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
-of the Internet Engineering Task Force (IETF), its areas, and its working
-groups. Note that other groups may also distribute working documents as
-Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months and
-may be updated, replaced, or obsoleted by other documents at any time. It is
-inappropriate to use Internet-Drafts as reference material or to cite them
-other than as "work in progress."
-
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt
-
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html.
-
-To learn the current status of any Internet-Draft, please check the
-"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
-Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
-ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
-
-The distribution of this memo is unlimited. It is filed as
-draft-ietf-cat-kerberos-revisions-05.txt, and expires September 10, 2000.
-Please send comments to: krb-protocol@MIT.EDU
-
-ABSTRACT
-
-This document provides an overview and specification of Version 5 of the
-Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
-and its intended use that require more detailed or clearer explanation than
-was provided in RFC1510. This document is intended to provide a detailed
-description of the protocol, suitable for implementation, together with
-descriptions of the appropriate use of protocol messages and fields within
-those messages.
-
-This document is not intended to describe Kerberos to the end user, system
-administrator, or application developer. Higher level papers describing
-Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
-are available elsewhere.
-
-OVERVIEW
-
-This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
-network authentication system is based. It also specifies Version 5 of the
-Kerberos protocol.
-
-The motivations, goals, assumptions, and rationale behind most design
-decisions are treated cursorily; they are more fully described in a paper
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-available in IEEE communications [NT94] and earlier in the Kerberos portion
-of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
-standard and are being considered for advancement for draft standard through
-the IETF standard process. Comments are encouraged on the presentation, but
-only minor refinements to the protocol as implemented or extensions that fit
-within current protocol framework will be considered at this time.
-
-Requests for addition to an electronic mailing list for discussion of
-Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
-This mailing list is gatewayed onto the Usenet as the group
-comp.protocols.kerberos. Requests for further information, including
-documents and code availability, may be sent to info-kerberos@MIT.EDU.
-
-BACKGROUND
-
-The Kerberos model is based in part on Needham and Schroeder's trusted
-third-party authentication protocol [NS78] and on modifications suggested by
-Denning and Sacco [DS81]. The original design and implementation of Kerberos
-Versions 1 through 4 was the work of two former Project Athena staff
-members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
-(now at the Information Sciences Institute of the University of Southern
-California), along with Jerome Saltzer, Technical Director of Project
-Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members
-of Project Athena have also contributed to the work on Kerberos.
-
-Version 5 of the Kerberos protocol (described in this document) has evolved
-from Version 4 based on new requirements and desires for features not
-available in Version 4. The design of Version 5 of the Kerberos protocol was
-led by Clifford Neuman and John Kohl with much input from the community. The
-development of the MIT reference implementation was led at MIT by John Kohl
-and Theodore T'so, with help and contributed code from many others. Since
-RFC1510 was issued, extensions and revisions to the protocol have been
-proposed by many individuals. Some of these proposals are reflected in this
-document. Where such changes involved significant effort, the document cites
-the contribution of the proposer.
-
-Reference implementations of both version 4 and version 5 of Kerberos are
-publicly available and commercial implementations have been developed and
-are widely used. Details on the differences between Kerberos Versions 4 and
-5 can be found in [KNT92].
-
-1. Introduction
-
-Kerberos provides a means of verifying the identities of principals, (e.g. a
-workstation user or a network server) on an open (unprotected) network. This
-is accomplished without relying on assertions by the host operating system,
-without basing trust on host addresses, without requiring physical security
-of all the hosts on the network, and under the assumption that packets
-traveling along the network can be read, modified, and inserted at will[1].
-Kerberos performs authentication under these conditions as a trusted
-third-party authentication service by using conventional (shared secret key
-[2] cryptography. Kerberos extensions have been proposed and implemented
-that provide for the use of public key cryptography during certain phases of
-the authentication protocol. These extensions provide for authentication of
-users registered with public key certification authorities, and allow the
-system to provide certain benefits of public key cryptography in situations
-where they are needed.
-
-The basic Kerberos authentication process proceeds as follows: A client
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-sends a request to the authentication server (AS) requesting 'credentials'
-for a given server. The AS responds with these credentials, encrypted in the
-client's key. The credentials consist of 1) a 'ticket' for the server and 2)
-a temporary encryption key (often called a "session key"). The client
-transmits the ticket (which contains the client's identity and a copy of the
-session key, all encrypted in the server's key) to the server. The session
-key (now shared by the client and server) is used to authenticate the
-client, and may optionally be used to authenticate the server. It may also
-be used to encrypt further communication between the two parties or to
-exchange a separate sub-session key to be used to encrypt further
-communication.
-
-Implementation of the basic protocol consists of one or more authentication
-servers running on physically secure hosts. The authentication servers
-maintain a database of principals (i.e., users and servers) and their secret
-keys. Code libraries provide encryption and implement the Kerberos protocol.
-In order to add authentication to its transactions, a typical network
-application adds one or two calls to the Kerberos library directly or
-through the Generic Security Services Application Programming Interface,
-GSSAPI, described in separate document. These calls result in the
-transmission of the necessary messages to achieve authentication.
-
-The Kerberos protocol consists of several sub-protocols (or exchanges).
-There are two basic methods by which a client can ask a Kerberos server for
-credentials. In the first approach, the client sends a cleartext request for
-a ticket for the desired server to the AS. The reply is sent encrypted in
-the client's secret key. Usually this request is for a ticket-granting
-ticket (TGT) which can later be used with the ticket-granting server (TGS).
-In the second method, the client sends a request to the TGS. The client uses
-the TGT to authenticate itself to the TGS in the same manner as if it were
-contacting any other application server that requires Kerberos
-authentication. The reply is encrypted in the session key from the TGT.
-Though the protocol specification describes the AS and the TGS as separate
-servers, they are implemented in practice as different protocol entry points
-within a single Kerberos server.
-
-Once obtained, credentials may be used to verify the identity of the
-principals in a transaction, to ensure the integrity of messages exchanged
-between them, or to preserve privacy of the messages. The application is
-free to choose whatever protection may be necessary.
-
-To verify the identities of the principals in a transaction, the client
-transmits the ticket to the application server. Since the ticket is sent "in
-the clear" (parts of it are encrypted, but this encryption doesn't thwart
-replay) and might be intercepted and reused by an attacker, additional
-information is sent to prove that the message originated with the principal
-to whom the ticket was issued. This information (called the authenticator)
-is encrypted in the session key, and includes a timestamp. The timestamp
-proves that the message was recently generated and is not a replay.
-Encrypting the authenticator in the session key proves that it was generated
-by a party possessing the session key. Since no one except the requesting
-principal and the server know the session key (it is never sent over the
-network in the clear) this guarantees the identity of the client.
-
-The integrity of the messages exchanged between principals can also be
-guaranteed using the session key (passed in the ticket and contained in the
-credentials). This approach provides detection of both replay attacks and
-message stream modification attacks. It is accomplished by generating and
-transmitting a collision-proof checksum (elsewhere called a hash or digest
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-function) of the client's message, keyed with the session key. Privacy and
-integrity of the messages exchanged between principals can be secured by
-encrypting the data to be passed using the session key contained in the
-ticket or the subsession key found in the authenticator.
-
-The authentication exchanges mentioned above require read-only access to the
-Kerberos database. Sometimes, however, the entries in the database must be
-modified, such as when adding new principals or changing a principal's key.
-This is done using a protocol between a client and a third Kerberos server,
-the Kerberos Administration Server (KADM). There is also a protocol for
-maintaining multiple copies of the Kerberos database. Neither of these
-protocols are described in this document.
-
-1.1. Cross-Realm Operation
-
-The Kerberos protocol is designed to operate across organizational
-boundaries. A client in one organization can be authenticated to a server in
-another. Each organization wishing to run a Kerberos server establishes its
-own 'realm'. The name of the realm in which a client is registered is part
-of the client's name, and can be used by the end-service to decide whether
-to honor a request.
-
-By establishing 'inter-realm' keys, the administrators of two realms can
-allow a client authenticated in the local realm to prove its identity to
-servers in other realms[3]. The exchange of inter-realm keys (a separate key
-may be used for each direction) registers the ticket-granting service of
-each realm as a principal in the other realm. A client is then able to
-obtain a ticket-granting ticket for the remote realm's ticket-granting
-service from its local realm. When that ticket-granting ticket is used, the
-remote ticket-granting service uses the inter-realm key (which usually
-differs from its own normal TGS key) to decrypt the ticket-granting ticket,
-and is thus certain that it was issued by the client's own TGS. Tickets
-issued by the remote ticket-granting service will indicate to the
-end-service that the client was authenticated from another realm.
-
-A realm is said to communicate with another realm if the two realms share an
-inter-realm key, or if the local realm shares an inter-realm key with an
-intermediate realm that communicates with the remote realm. An
-authentication path is the sequence of intermediate realms that are
-transited in communicating from one realm to another.
-
-Realms are typically organized hierarchically. Each realm shares a key with
-its parent and a different key with each child. If an inter-realm key is not
-directly shared by two realms, the hierarchical organization allows an
-authentication path to be easily constructed. If a hierarchical organization
-is not used, it may be necessary to consult a database in order to construct
-an authentication path between realms.
-
-Although realms are typically hierarchical, intermediate realms may be
-bypassed to achieve cross-realm authentication through alternate
-authentication paths (these might be established to make communication
-between two realms more efficient). It is important for the end-service to
-know which realms were transited when deciding how much faith to place in
-the authentication process. To facilitate this decision, a field in each
-ticket contains the names of the realms that were involved in authenticating
-the client.
-
-The application server is ultimately responsible for accepting or rejecting
-authentication and should check the transited field. The application server
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-may choose to rely on the KDC for the application server's realm to check
-the transited field. The application server's KDC will set the
-TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
-realms may also check the transited field as they issue
-ticket-granting-tickets for other realms, but they are encouraged not to do
-so. A client may request that the KDC's not check the transited field by
-setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
-required to honor this flag.
-
-1.2. Authorization
-
-As an authentication service, Kerberos provides a means of verifying the
-identity of principals on a network. Authentication is usually useful
-primarily as a first step in the process of authorization, determining
-whether a client may use a service, which objects the client is allowed to
-access, and the type of access allowed for each. Kerberos does not, by
-itself, provide authorization. Possession of a client ticket for a service
-provides only for authentication of the client to that service, and in the
-absence of a separate authorization procedure, it should not be considered
-by an application as authorizing the use of that service.
-
-Such separate authorization methods may be implemented as application
-specific access control functions and may be based on files such as the
-application server, or on separately issued authorization credentials such
-as those based on proxies [Neu93], or on other authorization services.
-Separately authenticated authorization credentials may be embedded in a
-tickets authorization data when encapsulated by the kdc-issued authorization
-data element.
-
-Applications should not be modified to accept the mere issuance of a service
-ticket by the Kerberos server (even by a modified Kerberos server) as
-granting authority to use the service, since such applications may become
-vulnerable to the bypass of this authorization check in an environment if
-they interoperate with other KDCs or where other options for application
-authentication (e.g. the PKTAPP proposal) are provided.
-
-1.3. Environmental assumptions
-
-Kerberos imposes a few assumptions on the environment in which it can
-properly function:
-
- * 'Denial of service' attacks are not solved with Kerberos. There are
- places in these protocols where an intruder can prevent an application
- from participating in the proper authentication steps. Detection and
- solution of such attacks (some of which can appear to be nnot-uncommon
- 'normal' failure modes for the system) is usually best left to the
- human administrators and users.
- * Principals must keep their secret keys secret. If an intruder somehow
- steals a principal's key, it will be able to masquerade as that
- principal or impersonate any server to the legitimate principal.
- * 'Password guessing' attacks are not solved by Kerberos. If a user
- chooses a poor password, it is possible for an attacker to successfully
- mount an offline dictionary attack by repeatedly attempting to decrypt,
- with successive entries from a dictionary, messages obtained which are
- encrypted under a key derived from the user's password.
- * Each host on the network must have a clock which is 'loosely
- synchronized' to the time of the other hosts; this synchronization is
- used to reduce the bookkeeping needs of application servers when they
- do replay detection. The degree of "looseness" can be configured on a
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- per-server basis, but is typically on the order of 5 minutes. If the
- clocks are synchronized over the network, the clock synchronization
- protocol must itself be secured from network attackers.
- * Principal identifiers are not recycled on a short-term basis. A typical
- mode of access control will use access control lists (ACLs) to grant
- permissions to particular principals. If a stale ACL entry remains for
- a deleted principal and the principal identifier is reused, the new
- principal will inherit rights specified in the stale ACL entry. By not
- re-using principal identifiers, the danger of inadvertent access is
- removed.
-
-1.4. Glossary of terms
-
-Below is a list of terms used throughout this document.
-
-Authentication
- Verifying the claimed identity of a principal.
-Authentication header
- A record containing a Ticket and an Authenticator to be presented to a
- server as part of the authentication process.
-Authentication path
- A sequence of intermediate realms transited in the authentication
- process when communicating from one realm to another.
-Authenticator
- A record containing information that can be shown to have been recently
- generated using the session key known only by the client and server.
-Authorization
- The process of determining whether a client may use a service, which
- objects the client is allowed to access, and the type of access allowed
- for each.
-Capability
- A token that grants the bearer permission to access an object or
- service. In Kerberos, this might be a ticket whose use is restricted by
- the contents of the authorization data field, but which lists no
- network addresses, together with the session key necessary to use the
- ticket.
-Ciphertext
- The output of an encryption function. Encryption transforms plaintext
- into ciphertext.
-Client
- A process that makes use of a network service on behalf of a user. Note
- that in some cases a Server may itself be a client of some other server
- (e.g. a print server may be a client of a file server).
-Credentials
- A ticket plus the secret session key necessary to successfully use that
- ticket in an authentication exchange.
-KDC
- Key Distribution Center, a network service that supplies tickets and
- temporary session keys; or an instance of that service or the host on
- which it runs. The KDC services both initial ticket and ticket-granting
- ticket requests. The initial ticket portion is sometimes referred to as
- the Authentication Server (or service). The ticket-granting ticket
- portion is sometimes referred to as the ticket-granting server (or
- service).
-Kerberos
- Aside from the 3-headed dog guarding Hades, the name given to Project
- Athena's authentication service, the protocol used by that service, or
- the code used to implement the authentication service.
-Plaintext
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- The input to an encryption function or the output of a decryption
- function. Decryption transforms ciphertext into plaintext.
-Principal
- A uniquely named client or server instance that participates in a
- network communication.
-Principal identifier
- The name used to uniquely identify each different principal.
-Seal
- To encipher a record containing several fields in such a way that the
- fields cannot be individually replaced without either knowledge of the
- encryption key or leaving evidence of tampering.
-Secret key
- An encryption key shared by a principal and the KDC, distributed
- outside the bounds of the system, with a long lifetime. In the case of
- a human user's principal, the secret key is derived from a password.
-Server
- A particular Principal which provides a resource to network clients.
- The server is sometimes refered to as the Application Server.
-Service
- A resource provided to network clients; often provided by more than one
- server (for example, remote file service).
-Session key
- A temporary encryption key used between two principals, with a lifetime
- limited to the duration of a single login "session".
-Sub-session key
- A temporary encryption key used between two principals, selected and
- exchanged by the principals using the session key, and with a lifetime
- limited to the duration of a single association.
-Ticket
- A record that helps a client authenticate itself to a server; it
- contains the client's identity, a session key, a timestamp, and other
- information, all sealed using the server's secret key. It only serves
- to authenticate a client when presented along with a fresh
- Authenticator.
-
-2. Ticket flag uses and requests
-
-Each Kerberos ticket contains a set of flags which are used to indicate
-various attributes of that ticket. Most flags may be requested by a client
-when the ticket is obtained; some are automatically turned on and off by a
-Kerberos server as required. The following sections explain what the various
-flags mean, and gives examples of reasons to use such a flag.
-
-2.1. Initial and pre-authenticated tickets
-
-The INITIAL flag indicates that a ticket was issued using the AS protocol
-and not issued based on a ticket-granting ticket. Application servers that
-want to require the demonstrated knowledge of a client's secret key (e.g. a
-password-changing program) can insist that this flag be set in any tickets
-they accept, and thus be assured that the client's key was recently
-presented to the application client.
-
-The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
-initial authentication, regardless of whether the current ticket was issued
-directly (in which case INITIAL will also be set) or issued on the basis of
-a ticket-granting ticket (in which case the INITIAL flag is clear, but the
-PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
-ticket-granting ticket).
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-2.2. Invalid tickets
-
-The INVALID flag indicates that a ticket is invalid. Application servers
-must reject tickets which have this flag set. A postdated ticket will
-usually be issued in this form. Invalid tickets must be validated by the KDC
-before use, by presenting them to the KDC in a TGS request with the VALIDATE
-option specified. The KDC will only validate tickets after their starttime
-has passed. The validation is required so that postdated tickets which have
-been stolen before their starttime can be rendered permanently invalid
-(through a hot-list mechanism) (see section 3.3.3.1).
-
-2.3. Renewable tickets
-
-Applications may desire to hold tickets which can be valid for long periods
-of time. However, this can expose their credentials to potential theft for
-equally long periods, and those stolen credentials would be valid until the
-expiration time of the ticket(s). Simply using short-lived tickets and
-obtaining new ones periodically would require the client to have long-term
-access to its secret key, an even greater risk. Renewable tickets can be
-used to mitigate the consequences of theft. Renewable tickets have two
-"expiration times": the first is when the current instance of the ticket
-expires, and the second is the latest permissible value for an individual
-expiration time. An application client must periodically (i.e. before it
-expires) present a renewable ticket to the KDC, with the RENEW option set in
-the KDC request. The KDC will issue a new ticket with a new session key and
-a later expiration time. All other fields of the ticket are left unmodified
-by the renewal process. When the latest permissible expiration time arrives,
-the ticket expires permanently. At each renewal, the KDC may consult a
-hot-list to determine if the ticket had been reported stolen since its last
-renewal; it will refuse to renew such stolen tickets, and thus the usable
-lifetime of stolen tickets is reduced.
-
-The RENEWABLE flag in a ticket is normally only interpreted by the
-ticket-granting service (discussed below in section 3.3). It can usually be
-ignored by application servers. However, some particularly careful
-application servers may wish to disallow renewable tickets.
-
-If a renewable ticket is not renewed by its expiration time, the KDC will
-not renew the ticket. The RENEWABLE flag is reset by default, but a client
-may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
-message. If it is set, then the renew-till field in the ticket contains the
-time after which the ticket may not be renewed.
-
-2.4. Postdated tickets
-
-Applications may occasionally need to obtain tickets for use much later,
-e.g. a batch submission system would need tickets to be valid at the time
-the batch job is serviced. However, it is dangerous to hold valid tickets in
-a batch queue, since they will be on-line longer and more prone to theft.
-Postdated tickets provide a way to obtain these tickets from the KDC at job
-submission time, but to leave them "dormant" until they are activated and
-validated by a further request of the KDC. If a ticket theft were reported
-in the interim, the KDC would refuse to validate the ticket, and the thief
-would be foiled.
-
-The MAY-POSTDATE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. This flag
-must be set in a ticket-granting ticket in order to issue a postdated ticket
-based on the presented ticket. It is reset by default; it may be requested
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
-This flag does not allow a client to obtain a postdated ticket-granting
-ticket; postdated ticket-granting tickets can only by obtained by requesting
-the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
-postdated ticket will be the remaining life of the ticket-granting ticket at
-the time of the request, unless the RENEWABLE option is also set, in which
-case it can be the full life (endtime-starttime) of the ticket-granting
-ticket. The KDC may limit how far in the future a ticket may be postdated.
-
-The POSTDATED flag indicates that a ticket has been postdated. The
-application server can check the authtime field in the ticket to see when
-the original authentication occurred. Some services may choose to reject
-postdated tickets, or they may only accept them within a certain period
-after the original authentication. When the KDC issues a POSTDATED ticket,
-it will also be marked as INVALID, so that the application client must
-present the ticket to the KDC to be validated before use.
-
-2.5. Proxiable and proxy tickets
-
-At times it may be necessary for a principal to allow a service to perform
-an operation on its behalf. The service must be able to take on the identity
-of the client, but only for a particular purpose. A principal can allow a
-service to take on the principal's identity for a particular purpose by
-granting it a proxy.
-
-The process of granting a proxy using the proxy and proxiable flags is used
-to provide credentials for use with specific services. Though conceptually
-also a proxy, user's wishing to delegate their identity for ANY purpose must
-use the ticket forwarding mechanism described in the next section to forward
-a ticket granting ticket.
-
-The PROXIABLE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. When set,
-this flag tells the ticket-granting server that it is OK to issue a new
-ticket (but not a ticket-granting ticket) with a different network address
-based on this ticket. This flag is set if requested by the client on initial
-authentication. By default, the client will request that it be set when
-requesting a ticket granting ticket, and reset when requesting any other
-ticket.
-
-This flag allows a client to pass a proxy to a server to perform a remote
-request on its behalf, e.g. a print service client can give the print server
-a proxy to access the client's files on a particular file server in order to
-satisfy a print request.
-
-In order to complicate the use of stolen credentials, Kerberos tickets are
-usually valid from only those network addresses specifically included in the
-ticket[4]. When granting a proxy, the client must specify the new network
-address from which the proxy is to be used, or indicate that the proxy is to
-be issued for use from any address.
-
-The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
-Application servers may check this flag and at their option they may require -additional authentication from the agent presenting the proxy in order to -provide an audit trail. - -2.6. Forwardable tickets - -Authentication forwarding is an instance of a proxy where the service is - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -granted complete use of the client's identity. An example where it might be -used is when a user logs in to a remote system and wants authentication to -work from that system as if the login were local. - -The FORWARDABLE flag in a ticket is normally only interpreted by the -ticket-granting service. It can be ignored by application servers. The -FORWARDABLE flag has an interpretation similar to that of the PROXIABLE -flag, except ticket-granting tickets may also be issued with different -network addresses. This flag is reset by default, but users may request that -it be set by setting the FORWARDABLE option in the AS request when they -request their initial ticket- granting ticket. - -This flag allows for authentication forwarding without requiring the user to -enter a password again. If the flag is not set, then authentication -forwarding is not permitted, but the same result can still be achieved if -the user engages in the AS exchange specifying the requested network -addresses and supplies a password. - -The FORWARDED flag is set by the TGS when a client presents a ticket with -the FORWARDABLE flag set and requests a forwarded ticket by specifying the -FORWARDED KDC option and supplying a set of addresses for the new ticket. It -is also set in all tickets issued based on tickets with the FORWARDED flag -set. Application servers may choose to process FORWARDED tickets differently -than non-FORWARDED tickets. - -2.7. Other KDC options - -There are two additional options which may be set in a client's request of -the KDC. 
The RENEWABLE-OK option indicates that the client will accept a
-renewable ticket if a ticket with the requested life cannot otherwise be
-provided. If a ticket with the requested life cannot be provided, then the
-KDC may issue a renewable ticket with a renew-till equal to the the
-requested endtime. The value of the renew-till field may still be adjusted
-by site-determined limits or limits imposed by the individual principal or
-server.
-
-The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
-It indicates that the ticket to be issued for the end server is to be
-encrypted in the session key from the a additional second ticket-granting
-ticket provided with the request. See section 3.3.3 for specific details.
-
-3. Message Exchanges
-
-The following sections describe the interactions between network clients and
-servers and the messages involved in those exchanges.
-
-3.1. The Authentication Service Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_AS_REQ 5.4.1
- 2. Kerberos to client KRB_AS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The Authentication Service (AS) Exchange between the client and the Kerberos
-Authentication Server is initiated by a client when it wishes to obtain
-authentication credentials for a given server but currently holds no
-credentials. In its basic form, the client's secret key is used for
-encryption and decryption. This exchange is typically used at the initiation
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-of a login session to obtain credentials for a Ticket-Granting Server which
-will subsequently be used to obtain credentials for other servers (see
-section 3.3) without requiring further use of the client's secret key.
This
-exchange is also used to request credentials for services which must not be
-mediated through the Ticket-Granting Service, but rather require a
-principal's secret key, such as the password-changing service[5]. This
-exchange does not by itself provide any assurance of the the identity of the
-user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The response,
-KRB_AS_REP, contains a ticket for the client to present to the server, and a
-session key that will be shared by the client and the server. The session
-key and additional information are encrypted in the client's secret key. The
-KRB_AS_REP message contains information which can be used to detect replays,
-and to associate it with the message to which it replies. Various errors can
-occur; these are indicated by an error response (KRB_ERROR) instead of the
-KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
-message contains information which can be used to associate it with the
-message to which it replies. The lack of encryption in the KRB_ERROR message
-precludes the ability to detect replays, fabrications, or modifications of
-such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends a
-reply without knowing or caring whether they are the same. This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is encrypted
-in that principal's key. The initial request supports an optional field that
-can be used to pass additional information that might be needed for the
-initial exchange.
This field may be used for preauthentication as described
-in section [hl<>].
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request. Among
-these options are whether pre-authentication is to be performed; whether the
-requested ticket is to be renewable, proxiable, or forwardable; whether it
-should be postdated or allow postdating of derivative tickets; and whether a
-renewable ticket will be accepted in lieu of a non-renewable ticket if the
-requested ticket expiration date cannot be satisfied by a non-renewable
-ticket (due to configuration constraints; see section 4). See section A.1
-for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format for
-the ticket is described in section 5.3.1. The contents of the ticket are
-determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-The authentication server looks up the client and server principals named in
-the KRB_AS_REQ in its database, extracting their respective keys. If
-required, the server pre-authenticates the request, and if the
-pre-authentication check fails, an error message with the code
-KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
-requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
-is returned. Otherwise it generates a 'random' session key[7].
-
-If there are multiple encryption keys registered for a client in the
-Kerberos database (or if the key registered supports multiple encryption
-types; e.g.
DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
-request is used by the KDC to select the encryption method to be used for
-encrypting the response to the client. If there is more than one supported,
-strong encryption type in the etype list, the first valid etype for which an
-encryption key is available is used. The encryption method used to respond
-to a TGS request is taken from the keytype of the session key found in the
-ticket granting ticket. [***I will change the example keytypes to be 3DES
-based examples 7/14***]
-
-When the etype field is present in a KDC request, whether an AS or TGS
-request, the KDC will attempt to assign the type of the random session key
-from the list of methods in the etype field. The KDC will select the
-appropriate type using the list of methods provided together with
-information from the Kerberos database indicating acceptable encryption
-methods for the application server. The KDC will not issue tickets with a
-weak session key encryption type.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
-the requested start time is checked against the policy of the local realm
-(the administrator might decide to prohibit certain types or ranges of
-postdated tickets), and if acceptable, the ticket's start time is set as
-requested and the INVALID flag is set in the new ticket. The postdated
-ticket must be validated before use by presenting it to the KDC after the
-start time has been reached.
-
-The expiration time of the ticket will be set to the minimum of the
-following:
-
- * The expiration time (endtime) requested in the KRB_AS_REQ message.
- * The ticket's start time plus the maximum allowable lifetime associated
- with the client principal (the authentication server's database
- includes a maximum ticket lifetime field in each principal's record;
- see section 4).
- * The ticket's start time plus the maximum allowable lifetime associated
- with the server principal.
- * The ticket's start time plus the maximum lifetime set by the policy of
- the local realm.
-
-If the requested expiration time minus the start time (as determined above)
-is less than a site-determined minimum lifetime, an error message with code
-KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
-ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
-option was requested, then the 'RENEWABLE' flag is set in the new ticket,
-and the renew-till value is set as if the 'RENEWABLE' option were requested
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-(the field and option names are described fully in section 5.4.1).
-
-If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
-been set and a renewable ticket is to be issued, then the renew-till field
-is set to the minimum of:
-
- * Its requested value.
- * The start time of the ticket plus the minimum of the two maximum
- renewable lifetimes associated with the principals' database entries.
- * The start time of the ticket plus the maximum renewable lifetime set by
- the policy of the local realm.
-
-The flags field of the new ticket will have the following options set if
-they have been requested and if the policy of the local realm allows:
-FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
If the new
-ticket is post-dated (the start time is in the future), its INVALID flag
-will also be set.
-
-If all of the above succeed, the server formats a KRB_AS_REP message (see
-section 5.4.2), copying the addresses in the request into the caddr of the
-response, placing any required pre-authentication data into the padata of
-the response, and encrypts the ciphertext part in the client's key using the
-requested encryption method, and sends it to the client. See section A.2 for
-pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
-Several errors can occur, and the Authentication Server responds by
-returning an error message, KRB_ERROR, to the client, with the error-code
-and e-text fields set to appropriate values. The error message contents and
-details are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
-If the reply message type is KRB_AS_REP, then the client verifies that the
-cname and crealm fields in the cleartext portion of the reply match what it
-requested. If any padata fields are present, they may be used to derive the
-proper secret key to decrypt the message. The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key, start
-and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate a
-KRB_AS_REP format message which decrypts properly but is not from the proper
-KDC. If the host wishes to verify the identity of the user, it must require
-the user to present application credentials which can be verified using a
-securely-stored secret key for the host. If those credentials can be
-verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover.
-
-3.2. The Client/Server Authentication Exchange
-
- Summary
-Message direction Message type Section
-Client to Application server KRB_AP_REQ 5.5.1
-[optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
-The client/server authentication (CS) exchange is used by network
-applications to authenticate the client to the server and vice versa. The
-client must have already acquired credentials for the server using the AS or
-TGS exchange.
-
-3.2.1. The KRB_AP_REQ message
-
-The KRB_AP_REQ contains authentication information which should be part of
-the first message in an authenticated transaction. It contains a ticket, an
-authenticator, and some additional bookkeeping information (see section
-5.5.1 for the exact format). The ticket by itself is insufficient to
-authenticate a client, since tickets are passed across the network in
-cleartext[DS90], so the authenticator is used to prevent invalid replay of
-tickets by proving to the server that the client knows the session key of
-the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
-referred to elsewhere as the 'authentication header.'
-
-3.2.2. Generation of a KRB_AP_REQ message
-
-When a client wishes to initiate authentication to a server, it obtains
-(either through a credentials cache, the AS exchange, or the TGS exchange) a
-ticket and session key for the desired service. The client may re-use any
-tickets it holds until they expire. To use a ticket the client constructs a
-new Authenticator from the the system time, its name, and optionally an
-application specific checksum, an initial sequence number to be used in
-KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
-negotiations for a session key unique to this particular session.
-Authenticators may not be re-used and will be rejected if replayed to a
-server[LGDSR87]. If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use of
-a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors are
-possible. If an error occurs, the server is expected to reply to the client
-with a KRB_ERROR message. This message may be encapsulated in the
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows. If the
-message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
-error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
-one the server can use (e.g., it indicates an old key, and the server no
-longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
-returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
-indicates to the server that the ticket is encrypted in the session key from
-the server's ticket-granting ticket rather than its secret key[10]. Since it
-is possible for the server to be registered in multiple realms, with
-different keys in each, the srealm field in the unencrypted portion of the
-ticket in the KRB_AP_REQ is used to specify which secret key the server
-should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
-returned if the server doesn't have the proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket. If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
-from the ticket are compared against the same fields in the authenticator.
-If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
-not match, for example, if the wrong session key was used to encrypt the
-authenticator). The addresses in the ticket (if any) are then searched for
-an address matching the operating-system reported address of the client.
If
-no match is found or the server insists on ticket addresses but none are
-present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
-error is returned. If the server name, along with the client name, time and
-microsecond fields from the Authenticator match any recently-seen such
-tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
-remember any authenticator presented within the allowable clock skew, so
-that a replay attempt is guaranteed to fail. If a server loses track of any
-authenticator presented within the allowable clock skew, it must reject all
-requests until the clock skew interval has passed. This assures that any
-lost or re-played authenticators will fall outside the allowable clock skew
-and can no longer be successfully replayed (If this is not done, an attacker
-could conceivably record the ticket and authenticator sent over the network
-to a server, then disable the client's host, pose as the disabled host, and
-replay the ticket and authenticator to subvert the authentication.). If a
-sequence number is provided in the authenticator, the server saves it for
-later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
-present, the server either saves it for later use or uses it to help
-generate its own choice for a subkey to be returned in a KRB_AP_REP message.
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
-If all these checks succeed without an error, the server is assured that the
-client possesses the credentials of the principal named in the ticket and
-thus, the client has been authenticated to the server. See section A.10 for
-pseudocode.
-
-Passing these checks provides only authentication of the named principal; it
-does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name of
-the user, the requested operation, local acces control information such as
-that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4. Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server need
-not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
-(not only authenticating the client to the server, but also the server to
-the client) is being performed, the KRB_AP_REQ message will have
-MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
-required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not acceptable
-to the application's protocol. The timestamp and microsecond field used in
-the reply must be the client's timestamp and microsecond field (as provided
-in the authenticator)[12]. If a sequence number is to be included, it should
-be randomly chosen as described above for the authenticator. A subkey may be
-included if the server desires to negotiate a different subkey. The
-KRB_AP_REP message is encrypted in the session key extracted from the
-ticket. See section A.11 for pseudocode.
-
-3.2.5.
Receipt of KRB_AP_REP message
-
-If a KRB_AP_REP message is returned, the client uses the session key from
-the credentials obtained for the server[13] to decrypt the message, and
-verifies that the timestamp and microsecond fields match those in the
-Authenticator it sent to the server. If they match, then the client is
-assured that the server is genuine. The sequence number and subkey (if
-present) are retained for later use. See section A.12 for pseudocode.
-
-3.2.6. Using the encryption key
-
-After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
-share an encryption key which can be used by the application. The 'true
-session key' to be used for KRB_PRIV, KRB_SAFE, or other
-application-specific uses may be chosen by the application based on the
-subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
-the use of this session key will be implicit in the protocol; in others the
-method of use must be chosen from several alternatives. We leave the
-protocol negotiations of how to use the key (e.g. selecting an encryption or
-checksum type) to the application programmer; the Kerberos protocol does not
-constrain the implementation options, but an example of how this might be
-done follows.
-
-One way that an application may choose to negotiate a key to be used for
-subequent integrity and privacy protection is for the client to propose a
-key in the subkey field of the authenticator. The server can then choose a
-key using the proposed key from the client as input, returning the new
-subkey in the subkey field of the application reply. This key could then be
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-used for subsequent communication.
To make this example more concrete, if
-the encryption method in use required a 56 bit key, and for whatever reason,
-one of the parties was prevented from using a key with more than 40 unknown
-bits, this method would allow the the party which is prevented from using
-more than 40 bits to either propose (if the client) an initial key with a
-known quantity for 16 of those bits, or to mask 16 of the bits (if the
-server) with the known quantity. The application implementor is warned,
-however, that this is only an example, and that an analysis of the
-particular crytosystem to be used, and the reasons for limiting the key
-length, must be made before deciding whether it is acceptable to mask bits
-of the key.
-
-With both the one-way and mutual authentication exchanges, the peers should
-take care not to send sensitive information to each other without proper
-assurances. In particular, applications that require privacy or integrity
-should use the KRB_AP_REP response from the server to client to assure both
-client and server of their peer's identity. If an application protocol
-requires privacy of its messages, it can use the KRB_PRIV message (section
-3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The TGS exchange between a client and the Kerberos Ticket-Granting Server is
-initiated by a client when it wishes to obtain authentication credentials
-for a given server (which might be registered in a remote realm), when it
-wishes to renew or validate an existing ticket, or when it wishes to obtain
-a proxy ticket.
In the first case, the client must already have acquired a
-ticket for the Ticket-Granting Service using the AS exchange (the
-ticket-granting ticket is usually obtained when a client initially
-authenticates to the system, such as when a user logs in). The message
-format for the TGS exchange is almost identical to that for the AS exchange.
-The primary difference is that encryption and decryption in the TGS exchange
-does not take place under the client's key. Instead, the session key from
-the ticket-granting ticket or renewable ticket, or sub-session key from an
-Authenticator is used. As is the case for all application servers, expired
-tickets are not accepted by the TGS, so once a renewable or ticket-granting
-ticket expires, the client must use a separate exchange to obtain valid
-tickets.
-
-The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
-client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
-KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
-client plus a request for credentials. The authentication information
-consists of the authentication header (KRB_AP_REQ) which includes the
-client's previously obtained ticket-granting, renewable, or invalid ticket.
-In the ticket-granting ticket and proxy cases, the request may include one
-or more of: a list of network addresses, a collection of typed authorization
-data to be sealed in the ticket for authorization use by the application
-server, or additional tickets (the use of which are described later). The
-TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
-session key from the ticket-granting ticket or renewable ticket, or if
-present, in the sub-session key from the Authenticator (part of the
-authentication header).
The KRB_ERROR message contains an error code and
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-text explaining what went wrong. The KRB_ERROR message is not encrypted. The
-KRB_TGS_REP message contains information which can be used to detect
-replays, and to associate it with the message to which it replies. The
-KRB_ERROR message also contains information which can be used to associate
-it with the message to which it replies, but the lack of encryption in the
-KRB_ERROR message precludes the ability to detect replays or fabrications of
-such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
-Before sending a request to the ticket-granting service, the client must
-determine in which realm the application server is registered[15]. If the
-client does not already possess a ticket-granting ticket for the appropriate
-realm, then one must be obtained. This is first attempted by requesting a
-ticket-granting ticket for the destination realm from a Kerberos server for
-which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
-message recursively). The Kerberos server may return a TGT for the desired
-realm in which case one can proceed. Alternatively, the Kerberos server may
-return a TGT for a realm which is 'closer' to the desired realm (further
-along the standard hierarchical path), in which case this step must be
-repeated with a Kerberos server in the realm specified in the returned TGT.
-If neither are returned, then the request must be retried with a Kerberos
-server for a realm higher in the hierarchy. This request will itself require
-a ticket-granting ticket for the higher realm which must be obtained by
-recursively applying these directions.
-
-Once the client obtains a ticket-granting ticket for the appropriate realm,
-it determines which Kerberos servers serve that realm, and contacts one.
The
-list might be obtained through a configuration file or network service or it
-may be generated from the name of the realm; as long as the secret keys
-exchanged by realms are kept secret, only denial of service results from
-using a false Kerberos server.
-
-As in the AS exchange, the client may specify a number of options in the
-KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
-an authentication header as an element of the padata field, and including
-the same fields as used in the KRB_AS_REQ message along with several
-optional fields: the enc-authorization-data field for application server use
-and additional tickets required by some options.
-
-In preparing the authentication header, the client can select a sub-session
-key under which the response from the Kerberos server will be encrypted[16].
-If the sub-session key is not specified, the session key from the
-ticket-granting ticket will be used. If the enc-authorization-data is
-present, it must be encrypted in the sub-session key, if present, from the
-authenticator portion of the authentication header, or if not present, using
-the session key from the ticket-granting ticket.
-
-Once prepared, the message is sent to a Kerberos server for the destination
-realm. See section A.5 for pseudocode.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
-The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
-message, but there are many additional checks to be performed. First, the
-Kerberos server must determine which server the accompanying ticket is for
-and it must select the appropriate key to decrypt it. For a normal
-KRB_TGS_REQ message, it will be for the ticket granting service, and the
-TGS's key will be used. If the TGT was issued by another realm, then the
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-appropriate inter-realm key must be used.
If the accompanying ticket is not
-a ticket granting ticket for the current realm, but is for an application
-server in the current realm, the RENEW, VALIDATE, or PROXY options are
-specified in the request, and the server for which a ticket is requested is
-the server named in the accompanying ticket, then the KDC will decrypt the
-ticket in the authentication header using the key of the server for which it
-was issued. If no ticket can be found in the padata field, the
-KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
-Once the accompanying ticket has been decrypted, the user-supplied checksum
-in the Authenticator must be verified against the contents of the request,
-and the message rejected if the checksums do not match (with an error code
-of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
-collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
-checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
-returned. If the authorization-data are present, they are decrypted using
-the sub-session key from the Authenticator.
-
-If any of the decryptions indicate failed integrity checks, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned.
-
-3.3.3. Generation of KRB_TGS_REP message
-
-The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
-but with its type field set to KRB_TGS_REP. The detailed specification is in
-section 5.4.2.
-
-The response will include a ticket for the requested server. The Kerberos
-database is queried to retrieve the record for the requested server
-(including the key with which the ticket will be encrypted). If the request
-is for a ticket granting ticket for a remote realm, and if no key is shared
-with the requested realm, then the Kerberos server will select the realm
-"closest" to the requested realm with which it does share a key, and use
-that realm instead. This is the only case where the response from the KDC
-will be for a different server than that requested by the client.
-
-By default, the address field, the client's name and realm, the list of
-transited realms, the time of initial authentication, the expiration time,
-and the authorization data of the newly-issued ticket will be copied from
-the ticket-granting ticket (TGT) or renewable ticket. If the transited field
-needs to be updated, but the transited type is not supported, the
-KDC_ERR_TRTYPE_NOSUPP error is returned.
-
-If the request specifies an endtime, then the endtime of the new ticket is
-set to the minimum of (a) that request, (b) the endtime from the TGT, and
-(c) the starttime of the TGT plus the minimum of the maximum life for the
-application server and the maximum life for the local realm (the maximum
-life for the requesting principal was already applied when the TGT was
-issued). If the new ticket is to be a renewal, then the endtime above is
-replaced by the minimum of (a) the value of the renew_till field of the
-ticket and (b) the starttime for the new ticket plus the life
-(endtime-starttime) of the old ticket.
-
-If the FORWARDED option has been requested, then the resulting ticket will
-contain the addresses specified by the client. This option will only be
-honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
-similar; the resulting ticket will contain the addresses specified by the
-client. It will be honored only if the PROXIABLE flag in the TGT is set. The
-PROXY option will not be honored on requests for additional ticket-granting
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-tickets.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time.
If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified or the MAY-POSTDATE flag is not set in the TGT, then the
-error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
-ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
-postdated and the requested starttime is checked against the policy of the
-local realm. If acceptable, the ticket's start time is set as requested, and
-the INVALID flag is set. The postdated ticket must be validated before use
-by presenting it to the KDC after the starttime has been reached. However,
-in no case may the starttime, endtime, or renew-till time of a newly-issued
-postdated ticket extend beyond the renew-till time of the ticket-granting
-ticket.
-
-If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
-has been included in the request, the KDC will decrypt the additional ticket
-using the key for the server to which the additional ticket was issued and
-verify that it is a ticket-granting ticket. If the name of the requested
-server is missing from the request, the name of the client in the additional
-ticket will be used. Otherwise the name of the requested server will be
-compared to the name of the client in the additional ticket and if
-different, the request will be rejected. If the request succeeds, the
-session key from the additional ticket will be used to encrypt the new
-ticket that is issued instead of using the key of the server for which the
-new ticket will be used[17].
-
-If the name of the server in the ticket that is presented to the KDC as part
-of the authentication header is not that of the ticket-granting server
-itself, the server is registered in the realm of the KDC, and the RENEW
-option is requested, then the KDC will verify that the RENEWABLE flag is set
-in the ticket, that the INVALID flag is not set in the ticket, and that the
-renew_till time is still in the future.
If the VALIDATE option is rqeuested,
-the KDC will check that the starttime has passed and the INVALID flag is
-set. If the PROXY option is requested, then the KDC will check that the
-PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
-passes the hotlist check described in the next paragraph, the KDC will issue
-the appropriate new ticket.
-
-3.3.3.1. Checking for revoked tickets
-
-Whenever a request is made to the ticket-granting server, the presented
-ticket(s) is(are) checked against a hot-list of tickets which have been
-canceled. This hot-list might be implemented by storing a range of issue
-timestamps for 'suspect tickets'; if a presented ticket had an authtime in
-that range, it would be rejected. In this way, a stolen ticket-granting
-ticket or renewable ticket cannot be used to gain additional tickets
-(renewals or otherwise) once the theft has been reported. Any normal ticket
-obtained before it was reported stolen will still be valid (because they
-require no interaction with the KDC), but only until their normal expiration
-time.
-
-The ciphertext part of the response in the KRB_TGS_REP message is encrypted
-in the sub-session key from the Authenticator, if present, or the session
-key key from the ticket-granting ticket. It is not encrypted using the
-client's secret key. Furthermore, the client's key's expiration date and the
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-key version number fields are left out since these values are stored along
-with the client's database record, and that record is not needed to satisfy
-a request based on a ticket-granting ticket. See section A.6 for pseudocode.
-
-3.3.3.2.
Encoding the transited field
-
-If the identity of the server in the TGT that is presented to the KDC as
-part of the authentication header is that of the ticket-granting service,
-but the TGT was issued from another realm, the KDC will look up the
-inter-realm key shared with that realm and use that key to decrypt the
-ticket. If the ticket is valid, then the KDC will honor the request, subject
-to the constraints outlined above in the section describing the AS exchange.
-The realm part of the client's identity will be taken from the
-ticket-granting ticket. The name of the realm that issued the
-ticket-granting ticket will be added to the transited field of the ticket to
-be issued. This is accomplished by reading the transited field from the
-ticket-granting ticket (which is treated as an unordered set of realm
-names), adding the new realm to the set, then constructing and writing out
-its encoded (shorthand) form (this may involve a rearrangement of the
-existing encoding).
-
-Note that the ticket-granting service does not add the name of its own
-realm. Instead, its responsibility is to add the name of the previous realm.
-This prevents a malicious Kerberos server from intentionally leaving out its
-own name (it could, however, omit other realms' names).
-
-The names of neither the local realm nor the principal's realm are to be
-included in the transited field. They appear elsewhere in the ticket and
-both are known to have taken part in authenticating the principal. Since the
-endpoints are not included, both local and single-hop inter-realm
-authentication result in a transited field that is empty.
-
-Because the name of each realm transited is added to this field, it might
-potentially be very long. To decrease the length of this field, its contents
-are encoded. The initially supported encoding is optimized for the normal
-case of inter-realm communication: a hierarchical arrangement of realms
-using either domain or X.500 style realm names.
This encoding (called
-DOMAIN-X500-COMPRESS) is now described.
-
-Realm names in the transited field are separated by a ",". The ",", "\",
-trailing "."s, and leading spaces (" ") are special characters, and if they
-are part of a realm name, they must be quoted in the transited field by
-preced- ing them with a "\".
-
-A realm name ending with a "." is interpreted as being prepended to the
-previous realm. For example, we can encode traversal of EDU, MIT.EDU,
-ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
-
- "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
-
-Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
-would not be included in this field, and we would have:
-
- "EDU,MIT.,WASHINGTON.EDU"
-
-A realm name beginning with a "/" is interpreted as being appended to the
-previous realm[18]. If it is to stand by itself, then it should be preceded
-by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
-/COM/HP, /COM, and /COM/DEC as:
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
- "/COM,/HP,/APOLLO, /COM/DEC".
-
-Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
-they would not be included in this field, and we would have:
-
- "/COM,/HP"
-
-A null subfield preceding or following a "," indicates that all realms
-between the previous realm and the next realm have been traversed[19]. Thus,
-"," means that all realms along the path between the client and the server
-have been traversed. ",EDU, /COM," means that that all realms from the
-client's realm up to EDU (in a domain style hierarchy) have been traversed,
-and that everything from /COM down to the server's realm in an X.500 style
-has also been traversed. This could occur if the EDU realm in one hierarchy
-shares an inter-realm key directly with the /COM realm in another hierarchy.
-
-3.3.4.
Receipt of KRB_TGS_REP message
-
-When the KRB_TGS_REP is received by the client, it is processed in the same
-manner as the KRB_AS_REP processing described above. The primary difference
-is that the ciphertext part of the response must be decrypted using the
-session key from the ticket-granting ticket rather than the client's secret
-key. See section A.7 for pseudocode.
-
-3.4. The KRB_SAFE Exchange
-
-The KRB_SAFE message may be used by clients requiring the ability to detect
-modifications of messages they exchange. It achieves this by including a
-keyed collision-proof checksum of the user data and some control
-information. The checksum is keyed with an encryption key (usually the last
-key negotiated via subkeys, or the session key if no negotiation has
-occured).
-
-3.4.1. Generation of a KRB_SAFE message
-
-When an application wishes to send a KRB_SAFE message, it collects its data
-and the appropriate control information and computes a checksum over them.
-The checksum algorithm should be a keyed one-way hash function (such as the
-RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
-generated using the sub-session key if present, or the session key.
-Different algorithms may be selected by changing the checksum type in the
-message. Unkeyed or non-collision-proof checksums are not suitable for this
-use.
-
-The control information for the KRB_SAFE message includes both a timestamp
-and a sequence number. The designer of an application using the KRB_SAFE
-message must choose at least one of the two mechanisms. This choice should
-be based on the needs of the application protocol.
-
-Sequence numbers are useful when all messages sent will be received by one's
-peer. Connection state is presently required to maintain the session key, so
-maintaining the next sequence number should not present an additional
-problem.
-
-If the application protocol is expected to tolerate lost messages without
-them being resent, the use of the timestamp is the appropriate replay
-detection mechanism. Using timestamps is also the appropriate mechanism for
-multi-cast protocols where all of one's peers share a common sub-session
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-key, but some messages will be sent to a subset of one's peers.
-
-After computing the checksum, the client then transmits the information and
-checksum to the recipient in the message format specified in section 5.6.1.
-
-3.4.2. Receipt of KRB_SAFE message
-
-When an application receives a KRB_SAFE message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and type
-fields match the current version and KRB_SAFE, respectively. A mismatch
-generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
-application verifies that the checksum used is a collision-proof keyed
-checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
-the sender's address was included in the control information, the recipient
-verifies that the operating system's report of the sender's address matches
-the sender's address in the message, and (if a recipient address is
-specified or the recipient requires an address) that one of the recipient's
-addresses appears as the recipient's address in the message. A failed match
-for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
-usec and/or the sequence number fields are checked. If timestamp and usec
-are expected and not present, or they are present but not current, the
-KRB_AP_ERR_SKEW error is generated.
If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
-error is generated. If an incorrect sequence number is included, or a
-sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
-is generated. If neither a time-stamp and usec or a sequence number is
-present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
-computed over the data and control information, and if it doesn't match the
-received checksum, a KRB_AP_ERR_MODIFIED error is generated.
-
-If all the checks succeed, the application is assured that the message was
-generated by its peer and was not modi- fied in transit.
-
-3.5. The KRB_PRIV Exchange
-
-The KRB_PRIV message may be used by clients requiring confidentiality and
-the ability to detect modifications of exchanged messages. It achieves this
-by encrypting the messages and adding control information.
-
-3.5.1. Generation of a KRB_PRIV message
-
-When an application wishes to send a KRB_PRIV message, it collects its data
-and the appropriate control information (specified in section 5.7.1) and
-encrypts them under an encryption key (usually the last key negotiated via
-subkeys, or the session key if no negotiation has occured). As part of the
-control information, the client must choose to use either a timestamp or a
-sequence number (or both); see the discussion in section 3.4.1 for
-guidelines on which to use. After the user data and control information are
-encrypted, the client transmits the ciphertext and some 'envelope'
-information to the recipient.
-
-3.5.2. Receipt of KRB_PRIV message
-
-When an application receives a KRB_PRIV message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-The message is first checked by verifying that the protocol version and type
-fields match the current version and KRB_PRIV, respectively. A mismatch
-generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
-application then decrypts the ciphertext and processes the resultant
-plaintext. If decryption shows the data to have been modified, a
-KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
-included in the control information, the recipient verifies that the
-operating system's report of the sender's address matches the sender's
-address in the message, and (if a recipient address is specified or the
-recipient requires an address) that one of the recipient's addresses appears
-as the recipient's address in the message. A failed match for either case
-generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
-sequence number fields are checked. If timestamp and usec are expected and
-not present, or they are present but not current, the KRB_AP_ERR_SKEW error
-is generated. If the server name, along with the client name, time and
-microsecond fields from the Authenticator match any recently-seen such
-tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
-number is included, or a sequence number is expected but not present, the
-KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
-a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
-
-If all the checks succeed, the application can assume the message was
-generated by its peer, and was securely transmitted (without intruders able
-to see the unencrypted contents).
-
-3.6. The KRB_CRED Exchange
-
-The KRB_CRED message may be used by clients requiring the ability to send
-Kerberos credentials from one host to another.
It achieves this by sending
-the tickets together with encrypted data containing the session keys and
-other information associated with the tickets.
-
-3.6.1. Generation of a KRB_CRED message
-
-When an application wishes to send a KRB_CRED message it first (using the
-KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
-constructs a KRB_CRED message using the ticket or tickets so obtained,
-placing the session key needed to use each ticket in the key field of the
-corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
-message.
-
-Other information associated with each ticket and obtained during the
-KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
-the encrypted part of the KRB_CRED message. The current time and, if
-specifically required by the application the nonce, s-address, and r-address
-fields, are placed in the encrypted part of the KRB_CRED message which is
-then encrypted under an encryption key previosuly exchanged in the KRB_AP
-exchange (usually the last key negotiated via subkeys, or the session key if
-no negotiation has occured).
-
-3.6.2. Receipt of KRB_CRED message
-
-When an application receives a KRB_CRED message, it verifies it. If any
-error occurs, an error code is reported for use by the application. The
-message is verified by checking that the protocol version and type fields
-match the current version and KRB_CRED, respectively. A mismatch generates a
-KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
-decrypts the ciphertext and processes the resultant plaintext. If decryption
-shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-generated.
- -If present or required, the recipient verifies that the operating system's -report of the sender's address matches the sender's address in the message, -and that one of the recipient's addresses appears as the recipient's address -in the message. A failed match for either case generates a -KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field -if required) are checked next. If the timestamp and usec are not present, or -they are present but not current, the KRB_AP_ERR_SKEW error is generated. - -If all the checks succeed, the application stores each of the new tickets in -its ticket cache together with the session key and other information in the -corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED -message. - -4. The Kerberos Database - -The Kerberos server must have access to a database containing the principal -identifiers and secret keys of principals to be authenticated[21]. - -4.1. Database contents - -A database entry should contain at least the following fields: - -Field Value - -name Principal's identifier -key Principal's secret key -p_kvno Principal's key version -max_life Maximum lifetime for Tickets -max_renewable_life Maximum total lifetime for renewable Tickets - -The name field is an encoding of the principal's identifier. The key field -contains an encryption key. This key is the principal's secret key. (The key -can be encrypted before storage under a Kerberos "master key" to protect it -in case the database is compromised but the master key is not. In that case, -an extra field must be added to indicate the master key version used, see -below.) The p_kvno field is the key version number of the principal's secret -key. The max_life field contains the maximum allowable lifetime (endtime - -starttime) for any Ticket issued for this principal. The max_renewable_life -field contains the maximum allowable total lifetime for any renewable Ticket -issued for this principal. 
(See section 3.1 for a description of how these
-lifetimes are used in determining the lifetime of a given Ticket.)
-
-A server may provide KDC service to several realms, as long as the database
-representation provides a mechanism to distinguish between principal records
-with identifiers which differ only in the realm name.
-
-When an application server's key changes, if the change is routine (i.e. not
-the result of disclosure of the old key), the old key should be retained by
-the server until all tickets that had been issued using that key have
-expired. Because of this, it is possible for several keys to be active for a
-single principal. Ciphertext encrypted in a principal's key is always tagged
-with the version of the key that was used for encryption, to help the
-recipient find the proper key for decryption.
-
-When more than one key is active for a particular principal, the principal
-will have more than one record in the Kerberos database. The keys and key
-version numbers will differ between the records (the rest of the fields may
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-or may not be the same). Whenever Kerberos issues a ticket, or responds to a
-request for initial authentication, the most recent key (known by the
-Kerberos server) will be used for encryption. This is the key with the
-highest key version number.
-
-4.2. Additional fields
-
-Project Athena's KDC implementation uses additional fields in its database:
-
-Field Value
-
-K_kvno Kerberos' key version
-expiration Expiration date for entry
-attributes Bit field of attributes
-mod_date Timestamp of last modification
-mod_name Modifying principal's identifier
-
-The K_kvno field indicates the key version of the Kerberos master key under
-which the principal's secret key is encrypted.
-
-After an entry's expiration date has passed, the KDC will return an error to
-any client attempting to gain tickets as or for the principal. (A database
-may want to maintain two expiration dates: one for the principal, and one
-for the principal's current key. This allows password aging to work
-independently of the principal's expiration date. However, due to the
-limited space in the responses, the KDC must combine the key expiration and
-principal expiration date into a single value called 'key_exp', which is
-used as a hint to the user to take administrative action.)
-
-The attributes field is a bitfield used to govern the operations involving
-the principal. This field might be useful in conjunction with user
-registration procedures, for site-specific policy implementations (Project
-Athena currently uses it for their user registration process controlled by
-the system-wide database service, Moira [LGDSR87]), to identify whether a
-principal can play the role of a client or server or both, to note whether a
-server is appropriate trusted to recieve credentials delegated by a client,
-or to identify the 'string to key' conversion algorithm used for a
-principal's key[22]. Other bits are used to indicate that certain ticket
-options should not be allowed in tickets encrypted under a principal's key
-(one bit each): Disallow issuing postdated tickets, disallow issuing
-forwardable tickets, disallow issuing tickets based on TGT authentication,
-disallow issuing renewable tickets, disallow issuing proxiable tickets, and
-disallow issuing tickets for which the principal is the server.
-
-The mod_date field contains the time of last modification of the entry, and
-the mod_name field contains the name of the principal which last modified
-the entry.
-
-4.3. Frequently Changing Fields
-
-Some KDC implementations may wish to maintain the last time that a request
-was made by a particular principal.
Information that might be maintained -includes the time of the last request, the time of the last request for a -ticket-granting ticket, the time of the last use of a ticket-granting -ticket, or other times. This information can then be returned to the user in -the last-req field (see section 5.2). - -Other frequently changing information that can be maintained is the latest -expiration time for any tickets that have been issued using each key. This - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -field would be used to indicate how long old keys must remain valid to allow -the continued use of outstanding tickets. - -4.4. Site Constants - -The KDC implementation should have the following configurable constants or -options, to allow an administrator to make and enforce policy decisions: - - * The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant should - reflect reasonable expectations of round-trip time to the KDC, - encryption/decryption time, and processing time by the client and - target server, and it should allow for a minimum 'useful' lifetime. - * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. 
Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -Optional field in ASN.1 sequences - -For optional integer value and date fields in ASN.1 sequences where a -default value has been specified, certain default values will not be allowed -in the encoding because these values will always be represented through -defaulting by the absence of the optional field. For example, one will not -send a microsecond zero value because one must make sure that there is only -one way to encode this value. - -Additional fields in ASN.1 sequences - -Implementations receiving Kerberos messages with additional fields present -in ASN.1 sequences should carry the those fields through, unmodified, when -the message is forwarded. Implementations should not drop such fields if the -sequence is reencoded. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 specification, -section 8.7 [X509-88]. - -5.3. ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. -Note that since the underscore character (_) is not permitted in ASN.1 -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. 
A PrincipalName -is a typed sequence of components consisting of the following sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the same - (i.e. at least one of the components, or the realm, must be different). - This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding -shall specify the UTC time zone (Z) and shall not include any fractional -portions of the seconds. It further shall not include any separators. -Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm -on 6 November 1985 is 19851106210627Z. - -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - -ad-data - This field contains authorization data to be interpreted according to - the value of the corresponding ad-type field. 
- -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -ad-type - This field specifies the format for the ad-data subfield. All negative - values are reserved for local use. Non-negative values are reserved for - registered use. - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the interpretation -of the encapsulating element determines which of the embedded elements must -be interpreted, and which may be ignored. Definitions for these common -elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - - - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. -te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. Non-negative values are reserved for - registered use. 
- -APOptions ::= BIT STRING - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - -TicketFlags ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -KDCOptions ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -- unused11(11), - -- unused12(12), - -- unused13(13), - -- disable-transited-check(26), - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest number of bits needed to include the -highest order bit that is set (1), but in no case less than 32 bits. The -ASN.1 representation of the bit strings uses unnamed bits, with the meaning -of the individual bits defined by the comments in the specification above. -Implementations should accept values of bit strings of any length and treat -the value of flags corresponding to bits beyond the end of the bit string as -if the bit were reset (0). Comparison of bit strings of different length -should treat the smaller string as if it were padded with zeros beyond the -high order bits to the length of the longer string[23]. - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. 
Negative values indicate that the information pertains
- only to the responding server. Non-negative values pertain to all
- servers for the realm. If the lr-type field is zero (0), then no
- information is conveyed by the lr-value subfield. If the absolute value
- of the lr-type field is one (1), then the lr-value subfield is the time
- of last initial request for a TGT. If it is two (2), then the lr-value
- subfield is the time of last initial request. If it is three (3), then
- the lr-value subfield is the time of issue for the newest
- ticket-granting ticket used. If it is four (4), then the lr-value
- subfield is the time of the last renewal. If it is five (5), then the
- lr-value subfield is the time of last request (of any type). If it is
- (6), then the lr-value subfield is the time when the password will
- expire.
-lr-value
- This field contains the time of the last request. the time must be
- interpreted according to the contents of the accompanying lr-type
- subfield.
-
-See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
-EncryptionKey, EncryptionType, and KeyType.
-
-5.3. Tickets and Authenticators
-
-This section describes the format and encryption parameters for tickets and
-authenticators. When a ticket or authenticator is included in a protocol
-message it is treated as an opaque object.
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-5.3.1. Tickets
-
-A ticket is a record that helps a client authenticate to a service.
A Ticket
-contains the following information:
-
-Ticket ::= [APPLICATION 1] SEQUENCE {
- tkt-vno[0] INTEGER,
- realm[1] Realm,
- sname[2] PrincipalName,
- enc-part[3] EncryptedData,
- extensions[4] TicketExtensions OPTIONAL
-}
-
--- Encrypted part of ticket
-EncTicketPart ::= [APPLICATION 3] SEQUENCE {
- flags[0] TicketFlags,
- key[1] EncryptionKey,
- crealm[2] Realm,
- cname[3] PrincipalName,
- transited[4] TransitedEncoding,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- caddr[9] HostAddresses OPTIONAL,
- authorization-data[10] AuthorizationData OPTIONAL
-}
--- encoded Transited field
-TransitedEncoding ::= SEQUENCE {
- tr-type[0] INTEGER, -- must be registered
- contents[1] OCTET STRING
-}
-
-The encoding of EncTicketPart is encrypted in the key shared by Kerberos and
-the end server (the server's secret key). See section 6 for the format of
-the ciphertext.
-
-tkt-vno
- This field specifies the version number for the ticket format. This
- document describes version number 5.
-realm
- This field specifies the realm that issued a ticket. It also serves to
- identify the realm part of the server's principal identifier. Since a
- Kerberos server can only issue tickets for servers within its realm,
- the two will always be identical.
-sname
- This field specifies all components of the name part of the server's
- identity, including those parts that identify a specific instance of a
- service.
-enc-part
- This field holds the encrypted encoding of the EncTicketPart sequence.
-extensions
- This optional field contains a sequence of extentions that may be used
- to carry information that must be carried with the ticket to support
- several extensions, including but not limited to plaintext
- authorization data, tokens for exchanging inter-realm keys, and other
- information that must be associated with a ticket for use by the
- application server.
See Appendix C for definitions of some common
- extensions.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
- Note that some older versions of Kerberos did not support this field.
- Because this is an optional field it will not break older clients, but
- older clients might strip this field from the ticket before sending it
- to the application server. This limits the usefulness of this ticket
- field to environments where the ticket will not be parsed and
- reconstructed by these older Kerberos clients.
-
- If it is known that the client will strip this field from the ticket,
- as an interim measure the KDC may append this field to the end of the
- enc-part of the ticket and append a traler indicating the lenght of the
- appended extensions field. (this paragraph is open for discussion,
- including the form of the traler).
-flags
- This field indicates which of various options were used or requested
- when the ticket was issued. It is a bit-field, where the selected
- options are indicated by the bit being set (1), and the unselected
- options and reserved fields being reset (0). Bit 0 is the most
- significant bit. The encoding of the bits is specified in section 5.2.
- The flags are described in more detail above in section 2. The meanings
- of the flags are:
-
- Bit(s) Name Description
-
- 0 RESERVED
- Reserved for future expansion of this
- field.
-
- 1 FORWARDABLE
- The FORWARDABLE flag is normally only
- interpreted by the TGS, and can be
- ignored by end servers. When set, this
- flag tells the ticket-granting server
- that it is OK to issue a new ticket-
- granting ticket with a different network
- address based on the presented ticket.
-
- 2 FORWARDED
- When set, this flag indicates that the
- ticket has either been forwarded or was
- issued based on authentication involving
- a forwarded ticket-granting ticket.
-
- 3 PROXIABLE
- The PROXIABLE flag is normally only
- interpreted by the TGS, and can be
- ignored by end servers. The PROXIABLE
- flag has an interpretation identical to
- that of the FORWARDABLE flag, except
- that the PROXIABLE flag tells the
- ticket-granting server that only non-
- ticket-granting tickets may be issued
- with different network addresses.
-
- 4 PROXY
- When set, this flag indicates that a
- ticket is a proxy.
-
- 5 MAY-POSTDATE
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- The MAY-POSTDATE flag is normally only
- interpreted by the TGS, and can be
- ignored by end servers. This flag tells
- the ticket-granting server that a post-
- dated ticket may be issued based on this
- ticket-granting ticket.
-
- 6 POSTDATED
- This flag indicates that this ticket has
- been postdated. The end-service can
- check the authtime field to see when the
- original authentication occurred.
-
- 7 INVALID
- This flag indicates that a ticket is
- invalid, and it must be validated by the
- KDC before use. Application servers
- must reject tickets which have this flag
- set.
-
- 8 RENEWABLE
- The RENEWABLE flag is normally only
- interpreted by the TGS, and can usually
- be ignored by end servers (some particu-
- larly careful servers may wish to disal-
- low renewable tickets). A renewable
- ticket can be used to obtain a replace-
- ment ticket that expires at a later
- date.
-
- 9 INITIAL
- This flag indicates that this ticket was
- issued using the AS protocol, and not
- issued based on a ticket-granting
- ticket.
-
- 10 PRE-AUTHENT
- This flag indicates that during initial
- authentication, the client was authenti-
- cated by the KDC before a ticket was
- issued. The strength of the pre-
- authentication method is not indicated,
- but is acceptable to the KDC.
-
- 11 HW-AUTHENT
- This flag indicates that the protocol
- employed for initial authentication
- required the use of hardware expected to
- be possessed solely by the named client.
- The hardware authentication method is
- selected by the KDC and the strength of
- the method is not indicated.
-
- 12 TRANSITED This flag indicates that the KDC for the
- POLICY-CHECKED realm has checked the transited field
- against a realm defined policy for
- trusted certifiers. If this flag is
- reset (0), then the application server
- must check the transited field itself,
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- and if unable to do so it must reject
- the authentication. If the flag is set
- (1) then the application server may skip
- its own validation of the transited
- field, relying on the validation
- performed by the KDC. At its option the
- application server may still apply its
- own validation based on a separate
- policy for acceptance.
-
- 13 OK-AS-DELEGATE This flag indicates that the server (not
- the client) specified in the ticket has
- been determined by policy of the realm
- to be a suitable recipient of
- delegation. A client can use the
- presence of this flag to help it make a
- decision whether to delegate credentials
- (either grant a proxy or a forwarded
- ticket granting ticket) to this server.
- The client is free to ignore the value
- of this flag. When setting this flag,
- an administrator should consider the
- Security and placement of the server on
- which the service will run, as well as
- whether the service requires the use of
- delegated credentials.
-
- 14 ANONYMOUS
- This flag indicates that the principal
- named in the ticket is a generic princi-
- pal for the realm and does not identify
- the individual using the ticket. The
- purpose of the ticket is only to
- securely distribute a session key, and
- not to identify the user.
Subsequent
- requests using the same ticket and ses-
- sion may be considered as originating
- from the same user, but requests with
- the same username but a different ticket
- are likely to originate from different
- users.
-
- 15-31 RESERVED
- Reserved for future use.
-
-key
- This field exists in the ticket and the KDC response and is used to
- pass the session key from Kerberos to the application server and the
- client. The field's encoding is described in section 6.2.
-crealm
- This field contains the name of the realm in which the client is
- registered and in which initial authentication took place.
-cname
- This field contains the name part of the client's principal identifier.
-transited
- This field lists the names of the Kerberos realms that took part in
- authenticating the user to whom this ticket was issued. It does not
- specify the order in which the realms were transited. See section
- 3.3.3.2 for details on how this field encodes the traversed realms.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- When the names of CA's are to be embedded inthe transited field (as
- specified for some extentions to the protocol), the X.500 names of the
- CA's should be mapped into items in the transited field using the
- mapping defined by RFC2253.
-authtime
- This field indicates the time of initial authentication for the named
- principal. It is the time of issue for the original ticket on which
- this ticket is based. It is included in the ticket to provide
- additional information to the end service, and to provide the necessary
- information for implementation of a `hot list' service at the KDC. An
- end service that is particularly paranoid could refuse to accept
- tickets for which the initial authentication occurred "too far" in the
- past. This field is also returned as part of the response from the KDC.
- When returned as part of the response to initial authentication
- (KRB_AS_REP), this is the current time on the Kerberos server[24].
-starttime
- This field in the ticket specifies the time after which the ticket is
- valid. Together with endtime, this field specifies the life of the
- ticket. If it is absent from the ticket, its value should be treated as
- that of the authtime field.
-endtime
- This field contains the time after which the ticket will not be honored
- (its expiration time). Note that individual services may place their
- own limits on the life of a ticket and may reject tickets which have
- not yet expired. As such, this is really an upper bound on the
- expiration time for the ticket.
-renew-till
- This field is only present in tickets that have the RENEWABLE flag set
- in the flags field. It indicates the maximum endtime that may be
- included in a renewal. It can be thought of as the absolute expiration
- time for the ticket, including all renewals.
-caddr
- This field in a ticket contains zero (if omitted) or more (if present)
- host addresses. These are the addresses from which the ticket can be
- used. If there are no addresses, the ticket can be used from any
- location. The decision by the KDC to issue or by the end server to
- accept zero-address tickets is a policy decision and is left to the
- Kerberos and end-service administrators; they may refuse to issue or
- accept such tickets. The suggested and default policy, however, is that
- such tickets will only be issued or accepted when additional
- information that can be used to restrict the use of the ticket is
- included in the authorization_data field. Such a ticket is a
- capability.
-
- Network addresses are included in the ticket to make it harder for an
- attacker to use stolen credentials.
Because the session key is not sent
- over the network in cleartext, credentials can't be stolen simply by
- listening to the network; an attacker has to gain access to the session
- key (perhaps through operating system security breaches or a careless
- user's unattended session) to make use of stolen tickets.
-
- It is important to note that the network address from which a
- connection is received cannot be reliably determined. Even if it could
- be, an attacker who has compromised the client's workstation could use
- the credentials from there. Including the network addresses only makes
- it more difficult, not impossible, for an attacker to walk off with
- stolen credentials and then use them from a "safe" location.
-authorization-data
- The authorization-data field is used to pass authorization data from
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- the principal on whose behalf a ticket was issued to the application
- service. If no authorization data is included, this field will be left
- out. Experience has shown that the name of this field is confusing, and
- that a better name for this field would be restrictions. Unfortunately,
- it is not possible to change the name of this field at this time.
-
- This field contains restrictions on any authority obtained on the basis
- of authentication using the ticket. It is possible for any principal in
- posession of credentials to add entries to the authorization data field
- since these entries further restrict what can be done with the ticket.
- Such additions can be made by specifying the additional entries when a
- new ticket is obtained during the TGS exchange, or they may be added
- during chained delegation using the authorization data field of the
- authenticator.
-
- Because entries may be added to this field by the holder of
- credentials, except when an entry is separately authenticated by
- encapulation in the kdc-issued element, it is not allowable for the
- presence of an entry in the authorization data field of a ticket to
- amplify the priveleges one would obtain from using a ticket.
-
- The data in this field may be specific to the end service; the field
- will contain the names of service specific objects, and the rights to
- those objects. The format for this field is described in section 5.2.
- Although Kerberos is not concerned with the format of the contents of
- the sub-fields, it does carry type information (ad-type).
-
- By using the authorization_data field, a principal is able to issue a
- proxy that is valid for a specific purpose. For example, a client
- wishing to print a file can obtain a file server proxy to be passed to
- the print server. By specifying the name of the file in the
- authorization_data field, the file server knows that the print server
- can only use the client's rights when accessing the particular file to
- be printed.
-
- A separate service providing authorization or certifying group
- membership may be built using the authorization-data field. In this
- case, the entity granting authorization (not the authorized entity),
- may obtain a ticket in its own name (e.g. the ticket is issued in the
- name of a privelege server), and this entity adds restrictions on its
- own authority and delegates the restricted authority through a proxy to
- the client. The client would then present this authorization credential
- to the application server separately from the authentication exchange.
- Alternatively, such authorization credentials may be embedded in the
- ticket authenticating the authorized entity, when the authorization is
- separately authenticated using the kdc-issued authorization data
- element (see B.4).
-
- Similarly, if one specifies the authorization-data field of a proxy and
- leaves the host addresses blank, the resulting ticket and session key
- can be treated as a capability. See [Neu93] for some suggested uses of
- this field.
-
- The authorization-data field is optional and does not have to be
- included in a ticket.
-
-5.3.2. Authenticators
-
-An authenticator is a record sent with a ticket to a server to certify the
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-client's knowledge of the encryption key in the ticket, to help the server
-detect replays, and to help choose a "true session key" to use with the
-particular session. The encoding is encrypted in the ticket's session key
-shared by the client and the server:
-
--- Unencrypted authenticator
-Authenticator ::= [APPLICATION 2] SEQUENCE {
- authenticator-vno[0] INTEGER,
- crealm[1] Realm,
- cname[2] PrincipalName,
- cksum[3] Checksum OPTIONAL,
- cusec[4] INTEGER,
- ctime[5] KerberosTime,
- subkey[6] EncryptionKey OPTIONAL,
- seq-number[7] INTEGER OPTIONAL,
- authorization-data[8] AuthorizationData OPTIONAL
-}
-
-
-authenticator-vno
- This field specifies the version number for the format of the
- authenticator. This document specifies version 5.
-crealm and cname
- These fields are the same as those described for the ticket in section
- 5.3.1.
-cksum
- This field contains a checksum of the the applica- tion data that
- accompanies the KRB_AP_REQ.
-cusec
- This field contains the microsecond part of the client's timestamp. Its
- value (before encryption) ranges from 0 to 999999. It often appears
- along with ctime. The two fields are used together to specify a
- reasonably accurate timestamp.
-ctime
- This field contains the current time on the client's host.
-subkey
- This field contains the client's choice for an encryption key which is
- to be used to protect this specific application session.
Unless an
- application specifies otherwise, if this field is left out the session
- key from the ticket will be used.
-seq-number
- This optional field includes the initial sequence number to be used by
- the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
- detect replays (It may also be used by application specific messages).
- When included in the authenticator this field specifies the initial
- sequence number for messages from the client to the server. When
- included in the AP-REP message, the initial sequence number is that for
- messages from the server to the client. When used in KRB_PRIV or
- KRB_SAFE messages, it is incremented by one after each message is sent.
- Sequence numbers fall in the range of 0 through 2^32 - 1 and wrap to
- zero following the value 2^32 - 1.
-
- For sequence numbers to adequately support the detection of replays
- they should be non-repeating, even across connection boundaries. The
- initial sequence number should be random and uniformly distributed
- across the full space of possible sequence numbers, so that it cannot
- be guessed by an attacker and so that it and the successive sequence
- numbers do not repeat other sequences.
-authorization-data
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- This field is the same as described for the ticket in section 5.3.1. It
- is optional and will only appear when additional restrictions are to be
- placed on the use of a ticket, beyond those carried in the ticket
- itself.
-
-5.4. Specifications for the AS and TGS exchanges
-
-This section specifies the format of the messages used in the exchange
-between the client and the Kerberos server. The format of possible error
-messages appears in section 5.9.1.
-
-5.4.1. KRB_KDC_REQ definition
-
-The KRB_KDC_REQ message has no type of its own.
Instead, its type is one of
-KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
-ticket or an additional ticket. In either case, the message is sent from the
-client to the Authentication Server to request credentials for a service.
-
-The message fields are:
-
-AS-REQ ::= [APPLICATION 10] KDC-REQ
-TGS-REQ ::= [APPLICATION 12] KDC-REQ
-
-KDC-REQ ::= SEQUENCE {
- pvno[1] INTEGER,
- msg-type[2] INTEGER,
- padata[3] SEQUENCE OF PA-DATA OPTIONAL,
- req-body[4] KDC-REQ-BODY
-}
-
-PA-DATA ::= SEQUENCE {
- padata-type[1] INTEGER,
- padata-value[2] OCTET STRING,
- -- might be encoded AP-REQ
-}
-
-KDC-REQ-BODY ::= SEQUENCE {
- kdc-options[0] KDCOptions,
- cname[1] PrincipalName OPTIONAL,
- -- Used only in AS-REQ
- realm[2] Realm, -- Server's realm
- -- Also client's in AS-REQ
- sname[3] PrincipalName OPTIONAL,
- from[4] KerberosTime OPTIONAL,
- till[5] KerberosTime OPTIONAL,
- rtime[6] KerberosTime OPTIONAL,
- nonce[7] INTEGER,
- etype[8] SEQUENCE OF INTEGER,
- -- EncryptionType,
- -- in preference order
- addresses[9] HostAddresses OPTIONAL,
- enc-authorization-data[10] EncryptedData OPTIONAL,
- -- Encrypted AuthorizationData
- -- encoding
- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
-}
-
-The fields in this message are:
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-pvno
- This field is included in each message, and specifies the protocol
- version number. This document specifies protocol version 5.
-msg-type
- This field indicates the type of a protocol message. It will almost
- always be the same as the application identifier associated with a
- message. It is included to make the identifier more readily accessible
- to the application. For the KDC-REQ message, this type will be
- KRB_AS_REQ or KRB_TGS_REQ.
-padata
- The padata (pre-authentication data) field contains a sequence of
- authentication information which may be needed before credentials can
- be issued or decrypted. In the case of requests for additional tickets
- (KRB_TGS_REQ), this field will include an element with padata-type of
- PA-TGS-REQ and data of an authentication header (ticket-granting ticket
- and authenticator). The checksum in the authenticator (which must be
- collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
- most requests for initial authentication (KRB_AS_REQ) and most replies
- (KDC-REP), the padata field will be left out.
-
- This field may also contain information needed by certain extensions to
- the Kerberos protocol. For example, it might be used to initially
- verify the identity of a client before any response is returned. This
- is accomplished with a padata field with padata-type equal to
- PA-ENC-TIMESTAMP and padata-value defined as follows:
-
- padata-type ::= PA-ENC-TIMESTAMP
- padata-value ::= EncryptedData -- PA-ENC-TS-ENC
-
- PA-ENC-TS-ENC ::= SEQUENCE {
- patimestamp[0] KerberosTime, -- client's time
- pausec[1] INTEGER OPTIONAL
- }
-
- with patimestamp containing the client's time and pausec containing the
- microseconds which may be omitted if a client will not generate more
- than one request per second. The ciphertext (padata-value) consists of
- the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
-
- [use-specified-kvno item is here for discussion and may be removed] It
- may also be used by the client to specify the version of a key that is
- being used for accompanying preauthentication, and/or which should be
- used to encrypt the reply from the KDC.
-
- PA-USE-SPECIFIED-KVNO ::= Integer
-
- The KDC should only accept and abide by the value of the
- use-specified-kvno preauthentication data field when the specified key
- is still valid and until use of a new key is confirmed.
This situation
- is likely to occur primarily during the period during which an updated
- key is propagating to other KDC's in a realm.
-
- The padata field can also contain information needed to help the KDC or
- the client select the key needed for generating or decrypting the
- response. This form of the padata is useful for supporting the use of
- certain token cards with Kerberos. The details of such extensions are
- specified in separate documents. See [Pat92] for additional uses of
- this field.
-padata-type
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- The padata-type element of the padata field indicates the way that the
- padata-value element is to be interpreted. Negative values of
- padata-type are reserved for unregistered use; non-negative values are
- used for a registered interpretation of the element type.
-req-body
- This field is a placeholder delimiting the extent of the remaining
- fields. If a checksum is to be calculated over the request, it is
- calculated over an encoding of the KDC-REQ-BODY sequence which is
- enclosed within the req-body field.
-kdc-options
- This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
- KDC and indicates the flags that the client wants set on the tickets as
- well as other information that is to modify the behavior of the KDC.
- Where appropriate, the name of an option may be the same as the flag
- that is set by that option. Although in most case, the bit in the
- options field will be the same as that in the flags field, this is not
- guaranteed, so it is not acceptable to simply copy the options field to
- the flags field. There are various checks that must be made before
- honoring an option anyway.
-
- The kdc_options field is a bit-field, where the selected options are
- indicated by the bit being set (1), and the unselected options and
- reserved fields being reset (0).
The encoding of the bits is specified
- in section 5.2. The options are described in more detail above in
- section 2. The meanings of the options are:
-
- Bit(s) Name Description
- 0 RESERVED
- Reserved for future expansion of this
- field.
-
- 1 FORWARDABLE
- The FORWARDABLE option indicates that
- the ticket to be issued is to have its
- forwardable flag set. It may only be
- set on the initial request, or in a sub-
- sequent request if the ticket-granting
- ticket on which it is based is also for-
- wardable.
-
- 2 FORWARDED
- The FORWARDED option is only specified
- in a request to the ticket-granting
- server and will only be honored if the
- ticket-granting ticket in the request
- has its FORWARDABLE bit set. This
- option indicates that this is a request
- for forwarding. The address(es) of the
- host from which the resulting ticket is
- to be valid are included in the
- addresses field of the request.
-
- 3 PROXIABLE
- The PROXIABLE option indicates that the
- ticket to be issued is to have its prox-
- iable flag set. It may only be set on
- the initial request, or in a subsequent
- request if the ticket-granting ticket on
- which it is based is also proxiable.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
- 4 PROXY
- The PROXY option indicates that this is
- a request for a proxy. This option will
- only be honored if the ticket-granting
- ticket in the request has its PROXIABLE
- bit set. The address(es) of the host
- from which the resulting ticket is to be
- valid are included in the addresses
- field of the request.
-
- 5 ALLOW-POSTDATE
- The ALLOW-POSTDATE option indicates that
- the ticket to be issued is to have its
- MAY-POSTDATE flag set. It may only be
- set on the initial request, or in a sub-
- sequent request if the ticket-granting
- ticket on which it is based also has its
- MAY-POSTDATE flag set.
-
- 6 POSTDATED
- The POSTDATED option indicates that this
- is a request for a postdated ticket.
- This option will only be honored if the
- ticket-granting ticket on which it is
- based has its MAY-POSTDATE flag set.
- The resulting ticket will also have its
- INVALID flag set, and that flag may be
- reset by a subsequent request to the KDC
- after the starttime in the ticket has
- been reached.
-
- 7 UNUSED
- This option is presently unused.
-
- 8 RENEWABLE
- The RENEWABLE option indicates that the
- ticket to be issued is to have its
- RENEWABLE flag set. It may only be set
- on the initial request, or when the
- ticket-granting ticket on which the
- request is based is also renewable. If
- this option is requested, then the rtime
- field in the request contains the
- desired absolute expiration time for the
- ticket.
-
- 9-13 UNUSED
- These options are presently unused.
-
- 14 REQUEST-ANONYMOUS
- The REQUEST-ANONYMOUS option indicates
- that the ticket to be issued is not to
- identify the user to which it was
- issued. Instead, the principal identif-
- ier is to be generic, as specified by
- the policy of the realm (e.g. usually
- anonymous@realm). The purpose of the
- ticket is only to securely distribute a
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- session key, and not to identify the
- user. The ANONYMOUS flag on the ticket
- to be returned should be set. If the
- local realms policy does not permit
- anonymous credentials, the request is to
- be rejected.
-
- 15-25 RESERVED
- Reserved for future use.
-
- 26 DISABLE-TRANSITED-CHECK
- By default the KDC will check the
- transited field of a ticket-granting-
- ticket against the policy of the local
- realm before it will issue derivative
- tickets based on the ticket granting
- ticket. If this flag is set in the
- request, checking of the transited field
- is disabled.
Tickets issued without the
- performance of this check will be noted
- by the reset (0) value of the
- TRANSITED-POLICY-CHECKED flag,
- indicating to the application server
- that the tranisted field must be checked
- locally. KDC's are encouraged but not
- required to honor the
- DISABLE-TRANSITED-CHECK option.
-
- 27 RENEWABLE-OK
- The RENEWABLE-OK option indicates that a
- renewable ticket will be acceptable if a
- ticket with the requested life cannot
- otherwise be provided. If a ticket with
- the requested life cannot be provided,
- then a renewable ticket may be issued
- with a renew-till equal to the the
- requested endtime. The value of the
- renew-till field may still be limited by
- local limits, or limits selected by the
- individual principal or server.
-
- 28 ENC-TKT-IN-SKEY
- This option is used only by the ticket-
- granting service. The ENC-TKT-IN-SKEY
- option indicates that the ticket for the
- end server is to be encrypted in the
- session key from the additional ticket-
- granting ticket provided.
-
- 29 RESERVED
- Reserved for future use.
-
- 30 RENEW
- This option is used only by the ticket-
- granting service. The RENEW option
- indicates that the present request is
- for a renewal. The ticket provided is
- encrypted in the secret key for the
- server on which it is valid. This
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- option will only be honored if the
- ticket to be renewed has its RENEWABLE
- flag set and if the time in its renew-
- till field has not passed. The ticket
- to be renewed is passed in the padata
- field as part of the authentication
- header.
-
- 31 VALIDATE
- This option is used only by the ticket-
- granting service. The VALIDATE option
- indicates that the request is to vali-
- date a postdated ticket.
It will only - be honored if the ticket presented is - postdated, presently has its INVALID - flag set, and would be otherwise usable - at this time. A ticket cannot be vali- - dated before its starttime. The ticket - presented for validation is encrypted in - the key of the server for which it is - valid and is passed in the padata field - as part of the authentication header. - -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, or - alternatively from the session key in the ticket-granting ticket, both - from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies the - desired start time for the requested ticket. If this field is omitted - then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date of - the ticket granting ticket or other preauthentication credentials. -rtime - This field is the requested renew-till time sent from a client to the - KDC in a ticket request. It is optional. 
-nonce
- This field is part of the KDC request and response. It it intended to
- hold a random number generated by the client. If the same number is
- included in the encrypted response from the KDC, it provides evidence
- that the response is fresh and has not been replayed by an attacker.
- Nonces must never be re-used. Ideally, it should be generated randomly,
- but if the correct time is known, it may suffice[25].
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-etype
- This field specifies the desired encryption algorithm to be used in the
- response.
-addresses
- This field is included in the initial request for tickets, and
- optionally included in requests for additional tickets from the
- ticket-granting server. It specifies the addresses from which the
- requested ticket is to be valid. Normally it includes the addresses for
- the client's host. If a proxy is requested, this field will contain
- other addresses. The contents of this field are usually copied by the
- KDC into the caddr field of the resulting ticket.
-additional-tickets
- Additional tickets may be optionally included in a request to the
- ticket-granting server. If the ENC-TKT-IN-SKEY option has been
- specified, then the session key from the additional ticket will be used
- in place of the server's key to encrypt the new ticket. If more than
- one option which requires additional tickets has been specified, then
- the additional tickets are used in the order specified by the ordering
- of the options bits (see kdc-options, above).
-
-The application code will be either ten (10) or twelve (12) depending on
-whether the request is for an initial ticket (AS-REQ) or for an additional
-ticket (TGS-REQ).
-
-The optional fields (addresses, authorization-data and additional-tickets)
-are only included if necessary to perform the operation specified in the
-kdc-options field.
-
-It should be noted that in KRB_TGS_REQ, the protocol version number appears
-twice and two different message types appear: the KRB_TGS_REQ message
-contains these fields as does the authentication header (KRB_AP_REQ) that is
-passed in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
-The KRB_KDC_REP message format is used for the reply from the KDC for either
-an initial (AS) request or a subsequent (TGS) request. There is no message
-type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
-KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
-depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
-the client's secret key, and the client's key version number is included in
-the key version number for the encrypted data. For KRB_TGS_REP, the
-ciphertext is encrypted in the sub-session key from the Authenticator, or if
-absent, the session key from the ticket-granting ticket used in the request.
-In that case, no version number will be present in the EncryptedData
-sequence.
-
-The KRB_KDC_REP message contains the following fields:
-
-AS-REP ::= [APPLICATION 11] KDC-REP
-TGS-REP ::= [APPLICATION 13] KDC-REP
-
-KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- padata[2] SEQUENCE OF PA-DATA OPTIONAL,
- crealm[3] Realm,
- cname[4] PrincipalName,
- ticket[5] Ticket,
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- enc-part[6] EncryptedData
-}
-
-EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart
-EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
-EncKDCRepPart ::= SEQUENCE {
- key[0] EncryptionKey,
- last-req[1] LastReq,
- nonce[2] INTEGER,
- key-expiration[3] KerberosTime OPTIONAL,
- flags[4] TicketFlags,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- srealm[9] Realm,
- sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is either
- KRB_AS_REP or KRB_TGS_REP.
-padata
- This field is described in detail in section 5.4.1. One possible use
- for this field is to encode an alternate "mix-in" string to be used
- with a string-to-key algorithm (such as is described in section 6.3.2).
- This ability is useful to ease transitions if a realm name needs to
- change (e.g. when a company is acquired); in such a case all existing
- password-derived entries in the KDC database would be flagged as
- needing a special mix-in string until the next password change.
-crealm, cname, srealm and sname
- These fields are the same as those described for the ticket in section
- 5.3.1.
-ticket
- The newly-issued ticket, from section 5.3.1.
-enc-part
- This field is a place holder for the ciphertext and related information
- that forms the encrypted part of a message. The description of the
- encrypted part of the message follows each appearance of this field.
- The encrypted part is encoded as described in section 6.1. -key - This field is the same as described for the ticket in section 5.3.1. -last-req - This field is returned by the KDC and specifies the time(s) of the last - request by a principal. Depending on what information is available, - this might be the last time that a request for a ticket-granting ticket - was made, or the last time that a request based on a ticket-granting - ticket was successful. It also might cover all servers for a realm, or - just the particular server. Some implementations may display this - information to the user to aid in discovering unauthorized use of one's - identity. It is similar in spirit to the last login time displayed when - logging into timesharing systems. -nonce - This field is described above in section 5.4.1. -key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. The - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - expiration might be the result of password aging or an account - expiration. This field will usually be left out of the TGS reply since - the response to the TGS request is encrypted in a session key and no - client information need be retrieved from the KDC database. It is up to - the application client (usually the login program) to take appropriate - action (such as notifying the user) if the expiration time is imminent. -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted portion of - the attached ticket (see section 5.3.1), provided so the client may - verify they match the intended request and to assist in proper ticket - caching. 
If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. If the client-requested addresses are not - present or not used, then the addresses contained in the ticket will be - the same as those included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - -This section specifies the format of the messages used for the -authentication of the client to the application server. - -5.5.1. KRB_AP_REQ definition - -The KRB_AP_REQ message contains the Kerberos protocol version number, the -message type KRB_AP_REQ, an options field to indicate any options in use, -and the ticket and authenticator themselves. The KRB_AP_REQ message is often -referred to as the 'authentication header'. - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_AP_REQ. -ap-options - This field appears in the application request (KRB_AP_REQ) and affects - the way the request is processed. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). The encoding of the bits - is specified in section 5.2. The meanings of the options are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - field. 
-
- 1 USE-SESSION-KEY
- The USE-SESSION-KEY option indicates
- that the ticket the client is presenting
- to a server is encrypted in the session
- key from the server's ticket-granting
- ticket. When this option is not speci-
- fied, the ticket is encrypted in the
- server's secret key.
-
- 2 MUTUAL-REQUIRED
- The MUTUAL-REQUIRED option tells the
- server that the client requires mutual
- authentication, and that it must respond
- with a KRB_AP_REP message.
-
- 3-31 RESERVED
- Reserved for future use.
-
-ticket
- This field is a ticket authenticating the client to the server.
-authenticator
- This contains the authenticator, which includes the client's choice of
- a subkey. Its encoding is described in section 5.3.2.
-
-5.5.2. KRB_AP_REP definition
-
-The KRB_AP_REP message contains the Kerberos protocol version number, the
-message type, and an encrypted time- stamp. The message is sent in in
-response to an application request (KRB_AP_REQ) where the mutual
-authentication option has been selected in the ap-options field.
-
-AP-REP ::= [APPLICATION 15] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- enc-part[2] EncryptedData
-}
-
-EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE {
- ctime[0] KerberosTime,
- cusec[1] INTEGER,
- subkey[2] EncryptionKey OPTIONAL,
- seq-number[3] INTEGER OPTIONAL
-}
-
-The encoded EncAPRepPart is encrypted in the shared session key of the
-ticket. The optional subkey field can be used in an application-arranged
-negotiation to choose a per association session key.
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_AP_REP.
-enc-part
- This field is described above in section 5.4.2.
-ctime
- This field contains the current time on the client's host.
-cusec
- This field contains the microsecond part of the client's timestamp.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-subkey
- This field contains an encryption key which is to be used to protect
- this specific application session. See section 3.2.6 for specifics on
- how this field is used to negotiate a key. Unless an application
- specifies otherwise, if this field is left out, the sub-session key
- from the authenticator, or if also left out, the session key from the
- ticket will be used.
-
-5.5.3. Error message reply
-
-If an error occurs while processing the application request, the KRB_ERROR
-message will be sent in response. See section 5.9.1 for the format of the
-error message. The cname and crealm fields may be left out if the server
-cannot determine their appropriate values from the corresponding KRB_AP_REQ
-message. If the authenticator was decipherable, the ctime and cusec fields
-will contain the values from it.
-
-5.6. KRB_SAFE message specification
-
-This section specifies the format of a message that can be used by either
-side (client or server) of an application to send a tamper-proof message to
-its peer. It presumes that a session key has previously been exchanged (for
-example, by using the KRB_AP_REQ/KRB_AP_REP messages).
-
-5.6.1. KRB_SAFE definition
-
-The KRB_SAFE message contains user data along with a collision-proof
-checksum keyed with the last encryption key negotiated via subkeys, or the
-session key if no negotiation has occured. The message fields are:
-
-KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- safe-body[2] KRB-SAFE-BODY,
- cksum[3] Checksum
-}
-
-KRB-SAFE-BODY ::= SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL,
- r-address[5] HostAddress OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_SAFE.
-safe-body - This field is a placeholder for the body of the KRB-SAFE message. -cksum - This field contains the checksum of the application data. Checksum - details are described in section 6.4. The checksum is computed over the - encoding of the KRB-SAFE sequence. First, the cksum is zeroed and the - checksum is computed over the encoding of the KRB-SAFE sequence, then - the checksum is set to the result of that computation, and finally the - KRB-SAFE sequence is encoded again. -user-data - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - This field is part of the KRB_SAFE and KRB_PRIV messages and contain - the application specific data that is being passed from the sender to - the recipient. -timestamp - This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents - are the current time as known by the sender of the message. By checking - the timestamp, the recipient of the message is able to make sure that - it was recently generated, and is not a replay. -usec - This field is part of the KRB_SAFE and KRB_PRIV headers. It contains - the microsecond part of the timestamp. -seq-number - This field is described above in section 5.3.2. -s-address - This field specifies the address in use by the sender of the message. - It may be omitted if not required by the application protocol. The - application designer considering omission of this field is warned, that - the inclusion of this address prevents some kinds of replay attacks - (e.g., reflection attacks) and that it is only acceptable to omit this - address if there is sufficient information in the integrity protected - part of the application message for the recipient to unambiguously - determine if it was the intended recipient. -r-address - This field specifies the address in use by the recipient of the - message. 
It may be omitted for some uses (such as broadcast protocols), - but the recipient may arbitrarily reject such messages. This field - along with s-address can be used to help detect messages which have - been incorrectly or maliciously delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's addr - r-address[5] HostAddress OPTIONAL -- recip's addr -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -enc-part - This field holds an encoding of the EncKrbPrivPart sequence encrypted - under the session key[32]. This encrypted encoding is used for the - enc-part field of the KRB-PRIV message. See section 6 for the format of - the ciphertext. -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - -This section specifies the format of a message that can be used to send -Kerberos credentials from one principal to another. 
It is presented here to -encourage a common mechanism to be used by applications when forwarding -tickets or providing proxies to subordinate servers. It presumes that a -session key has already been exchanged perhaps by using the -KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - -The KRB_CRED message contains a sequence of tickets to be sent and -information needed to use the tickets, including the session key from each. -The information needed to use the tickets is encrypted under an encryption -key previously exchanged or transferred alongside the KRB_CRED message. The -message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by the - intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. 
-enc-part - This field holds an encoding of the EncKrbCredPart sequence encrypted - under the session key shared between the sender and the intended - recipient. This encrypted encoding is used for the enc-part field of - the KRB-CRED message. See section 6 for the format of the ciphertext. -nonce - If practical, an application may require the inclusion of a nonce - generated by the recipient of the message. If the same value is - included as the nonce in the message, it provides evidence that the - message is fresh and has not been replayed by an attacker. A nonce must - never be re-used; it should be generated randomly by the recipient of - the message and provided to the sender of the message in an application - specific manner. -timestamp and usec - These fields specify the time that the KRB-CRED message was generated. - The time is used to provide assurance that the message is fresh. -s-address and r-address - These fields are described above in section 5.6.1. They are used - optionally to provide additional assurance of the integrity of the - KRB-CRED message. -key - This field exists in the corresponding ticket passed by the KRB-CRED - message and is used to pass the session key from the sender to the - intended recipient. The field's encoding is described in section 6.2. - -The following fields are optional. If present, they can be associated with -the credentials in the remote ticket file. If left out, then it is assumed -that the recipient of the credentials already knows their value. - -prealm and pname - The name and realm of the delegated principal identity. -flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr - These fields contain the values of the correspond- ing fields from the - ticket found in the ticket field. Descriptions of the fields are - identical to the descriptions in the KDC-REP message. - -5.9. Error message specification - -This section specifies the format for the KRB_ERROR message. 
The fields -included in the message are intended to return as much information as -possible about an error. It is not expected that all the information -required by the fields will be available for all types of errors. If the -appropriate information is not available when the message is composed, the -corresponding field will be left out of the message. - -Note that since the KRB_ERROR message is only optionally integrity -protected, it is quite possible for an intruder to synthesize or modify such -a message. In particular, this means that unless appropriate integrity -protection mechanisms have been applied to the KRB_ERROR message, the client -should not use any fields in this message for security-critical purposes, -such as setting a system clock or generating a fresh authenticator. The -message can be useful, however, for advising a user on the reason for some -failure. - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - -5.9.1. KRB_ERROR definition - -The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL, -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_ERROR. -ctime - This field is described above in section 5.4.1. -cusec - This field is described above in section 5.5.2. -stime - This field contains the current time on the server. It is of type - KerberosTime. -susec - This field contains the microsecond part of the server's timestamp. Its - value ranges from 0 to 999999. 
It appears along with stime. The two - fields are used in conjunction to specify a reasonably accurate - timestamp. -error-code - This field contains the error code returned by Kerberos or the server - when a request fails. To interpret the value of this field see the list - of error codes in section 8. Implementations are encouraged to provide - for national language support in the display of error messages. -crealm, cname, srealm and sname - These fields are described above in section 5.3.1. -e-text - This field contains additional text to help explain the error code - associated with the failed request (for example, it might include a - principal name which was unknown). -e-data - This field contains additional data about the error for use by the - application to help it recover from or handle the error. If present, - this field will contain the encoding of a sequence of TypedData - (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED, - in which case it will contain the encoding of a sequence of of padata - fields (METHOD-DATA below), each corresponding to an acceptable - pre-authentication method and optionally containing data for the - method: - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - - TYPED-DATA ::= SEQUENCE of TypeData - METHOD-DATA ::= SEQUENCE of PA-DATA - - TypedData ::= SEQUENCE { - data-type[0] INTEGER, - data-value[1] OCTET STRING OPTIONAL - } - - Note that e-data-types have been reserved for all PA data types defined - prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, when - using new PA data types defined in July 1999 or later, the METHOD-DATA - sequence must itself be encapsulated in an TypedData element of type - TD-PADATA. 
All new implementations interpreting the METHOD-DATA field - for the KDC_ERR_PREAUTH_REQUIRED message must accept a type of - TD-PADATA, extract the typed data field and interpret the use any - elements encapsulated in the TD-PADATA elements as if they were present - in the METHOD-DATA sequence. -e-cksum - This field contains an optional checksum for the KRB-ERROR message. The - checksum is calculated over the Kerberos ASN.1 encoding of the - KRB-ERROR message with the checksum absent. The checksum is then added - to the KRB-ERROR structure and the message is re-encoded. The Checksum - should be calculated using the session key from the ticket granting - ticket or service ticket, where available. If the error is in response - to a TGS or AP request, the checksum should be calculated uing the the - session key from the client's ticket. If the error is in response to an - AS request, then the checksum should be calulated using the client's - secret key ONLY if there has been suitable preauthentication to prove - knowledge of the secret key by the client[33]. If a checksum can not be - computed because the key to be used is not available, no checksum will - be included. - - 6. Encryption and Checksum Specifications - - The Kerberos protocols described in this document are designed to use - stream encryption ciphers, which can be simulated using commonly - available block encryption ciphers, such as the Data Encryption - Standard [DES77], and triple DES variants, in conjunction with block - chaining and checksum methods [DESM80]. Encryption is used to prove the - identities of the network entities participating in message exchanges. - The Key Distribution Center for each realm is trusted by all principals - registered in that realm to store a secret key in confidence. Proof of - knowledge of this secret key is used to verify the authenticity of a - principal. 
- - The KDC uses the principal's secret key (in the AS exchange) or a - shared session key (in the TGS exchange) to encrypt responses to ticket - requests; the ability to obtain the secret key or session key implies - the knowledge of the appropriate keys and the identity of the KDC. The - ability of a principal to decrypt the KDC response and present a Ticket - and a properly formed Authenticator (generated with the session key - from the KDC response) to a service verifies the identity of the - principal; likewise the ability of the service to extract the session - key from the Ticket and prove its knowledge thereof in a response - verifies the identity of the service. - - The Kerberos protocols generally assume that the encryption used is - secure from cryptanalysis; however, in some cases, the order of fields - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - in the encrypted portions of messages are arranged to minimize the - effects of poorly chosen keys. It is still important to choose good - keys. If keys are derived from user-typed passwords, those passwords - need to be well chosen to make brute force attacks more difficult. - Poorly chosen keys still make easy targets for intruders. - - The following sections specify the encryption and checksum mechanisms - currently defined for Kerberos. The encodings, chaining, and padding - requirements for each are described. For encryption methods, it is - often desirable to place random information (often referred to as a - confounder) at the start of the message. The requirements for a - confounder are specified with each encryption mechanism. - - Some encryption systems use a block-chaining method to improve the the - security characteristics of the ciphertext. However, these chaining - methods often don't provide an integrity check upon decryption. 
Such - systems (such as DES in CBC mode) must be augmented with a checksum of - the plain-text which can be verified at decryption and used to detect - any tampering or damage. Such checksums should be good at detecting - burst errors in the input. If any damage is detected, the decryption - routine is expected to return an error indicating the failure of an - integrity check. Each encryption type is expected to provide and verify - an appropriate checksum. The specification of each encryption method - sets out its checksum requirements. - - Finally, where a key is to be derived from a user's password, an - algorithm for converting the password to a key of the appropriate type - is included. It is desirable for the string to key function to be - one-way, and for the mapping to be different in different realms. This - is important because users who are registered in more than one realm - will often use the same password in each, and it is desirable that an - attacker compromising the Kerberos server in one realm not obtain or - derive the user's key in another. - - For an discussion of the integrity characteristics of the candidate - encryption and checksum methods considered for Kerberos, the reader is - referred to [SG92]. - - 6.1. Encryption Specifications - - The following ASN.1 definition describes all encrypted messages. The - enc-part field which appears in the unencrypted part of messages in - section 5 is a sequence consisting of an encryption type, an optional - key version number, and the ciphertext. - - EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext - } - - - - etype - This field identifies which encryption algorithm was used to - encipher the cipher. Detailed specifications for selected - encryption types appear later in this section. 
- kvno - This field contains the version number of the key under which data - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - is encrypted. It is only present in messages encrypted under long - lasting keys, such as principals' secret keys. - cipher - This field contains the enciphered text, encoded as an OCTET - STRING. - The cipher field is generated by applying the specified encryption - algorithm to data composed of the message and algorithm-specific - inputs. Encryption mechanisms defined for use with Kerberos must take - sufficient measures to guarantee the integrity of the plaintext, and we - recommend they also take measures to protect against precomputed - dictionary attacks. If the encryption algorithm is not itself capable - of doing so, the protections can often be enhanced by adding a checksum - and a confounder. - - The suggested format for the data to be encrypted includes a - confounder, a checksum, the encoded plaintext, and any necessary - padding. The msg-seq field contains the part of the protocol message - described in section 5 which is to be encrypted. The confounder, - checksum, and padding are all untagged and untyped, and their length is - exactly sufficient to hold the appropriate item. The type and length is - implicit and specified by the particular encryption type being used - (etype). The format for the data to be encrypted for some methods is - described in the following diagram, but other methods may deviate from - this layour - so long as the definition of the method defines the - layout actually in use. 
-
- +-----------+----------+-------------+-----+
- |confounder | check | msg-seq | pad |
- +-----------+----------+-------------+-----+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- CipherText ::= ENCRYPTED SEQUENCE {
- confounder[0] UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
- check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
- msg-seq[2] MsgSequence,
- pad UNTAGGED OCTET STRING(pad_length) OPTIONAL
- }
-
- One generates a random confounder of the appropriate length, placing it
- in confounder; zeroes out check; calculates the appropriate checksum
- over confounder, check, and msg-seq, placing the result in check; adds
- the necessary padding; then encrypts using the specified encryption
- type and the appropriate key.
-
- Unless otherwise specified, a definition of an encryption algorithm
- that specifies a checksum, a length for the confounder field, or an
- octet boundary for padding uses this ciphertext format[36]. Those
- fields which are not specified will be omitted.
-
- In the interest of allowing all implementations using a particular
- encryption type to communicate with all others using that type, the
- specification of an encryption type defines any checksum that is needed
- as part of the encryption process. If an alternative checksum is to be
- used, a new encryption type must be defined.
-
- Some cryptosystems require additional information beyond the key and
- the data to be encrypted. For example, DES, when used in
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- cipher-block-chaining mode, requires an initialization vector. If
- required, the description for each encryption type must specify the
- source of such additional information. 6.2. 
Encryption Keys
-
- The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
- keytype
- This field specifies the type of encryption that is to be
- performed using the key that follows in the keyvalue field. It
- will always correspond to the etype to be used to generate or
- decode the EncryptedData. In cases when multiple algorithms use a
- common kind of key (e.g., if the encryption algorithm uses an
- alternate checksum algorithm for an integrity check, or a
- different chaining mechanism), the keytype provides information
- needed to determine which algorithm is to be used.
- keyvalue
- This field contains the key itself, encoded as an octet string.
- All negative values for the encryption key type are reserved for local
- use. All non-negative values are reserved for officially assigned type
- fields and interpreta- tions.
-
- 6.3. Encryption Systems
-
- 6.3.1. The NULL Encryption System (null)
-
- If no encryption is in use, the encryption system is said to be the
- NULL encryption system. In the NULL encryption system there is no
- checksum, confounder or padding. The ciphertext is simply the
- plaintext. The NULL Key is used by the null encryption system and is
- zero octets in length, with keytype zero (0).
-
- 6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
- The des-cbc-crc encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is
- applied to the confounder and message sequence (msg-seq) and placed in
- the cksum field. DES blocks are 8 bytes. As a result, the data to be
- encrypted (the concatenation of confounder, checksum, and message) must
- be padded to an 8 byte boundary before encryption. The details of the
- encryption of this data are identical to those for the des-cbc-md5
- encryption mode. 
-
- Note that, since the CRC-32 checksum is not collision-proof, an
- attacker could use a probabilistic chosen-plaintext attack to generate
- a valid message even if a confounder is used [SG92]. The use of
- collision-proof checksums is recommended for environments where such
- attacks represent a significant threat. The use of the CRC-32 as the
- checksum for ticket or authenticator is no longer mandated as an
- interoperability requirement for Kerberos Version 5 Specification 1
- (See section 9.1 for specific details).
-
- 6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- The des-cbc-md4 encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. An MD4 checksum (described in [MD492]) is applied to the
- confounder and message sequence (msg-seq) and placed in the cksum
- field. DES blocks are 8 bytes. As a result, the data to be encrypted
- (the concatenation of confounder, checksum, and message) must be padded
- to an 8 byte boundary before encryption. The details of the encryption
- of this data are identical to those for the des-cbc-md5 encryption
- mode.
-
- 6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
- The des-cbc-md5 encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the
- confounder and message sequence (msg-seq) and placed in the cksum
- field. DES blocks are 8 bytes. As a result, the data to be encrypted
- (the concatenation of confounder, checksum, and message) must be padded
- to an 8 byte boundary before encryption.
-
- Plaintext and DES ciphtertext are encoded as blocks of 8 octets which
- are concatenated to make the 64-bit inputs for the DES algorithms. 
The - first octet supplies the 8 most significant bits (with the octet's - MSbit used as the DES input block's MSbit, etc.), the second octet the - next 8 bits, ..., and the eighth octet supplies the 8 least significant - bits. - - Encryption under DES using cipher block chaining requires an additional - input in the form of an initialization vector. Unless otherwise - specified, zero should be used as the initialization vector. Kerberos' - use of DES requires an 8 octet confounder. - - The DES specifications identify some 'weak' and 'semi-weak' keys; those - keys shall not be used for encrypting messages for use in Kerberos. - Additionally, because of the way that keys are derived for the - encryption of checksums, keys shall not be used that yield 'weak' or - 'semi-weak' keys when eXclusive-ORed with the hexadecimal constant - F0F0F0F0F0F0F0F0. - - A DES key is 8 octets of data, with keytype one (1). This consists of - 56 bits of key, and 8 parity bits (one per octet). The key is encoded - as a series of 8 octets written in MSB-first order. The bits within the - key are also encoded in MSB order. For example, if the encryption key - is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where - B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the - parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with - B1 as the MSbit). [See the FIPS 81 introduction for reference.] - - String to key transformation - - To generate a DES key from a text string (password), a "salt" is - concatenated to the text string, and then padded with ASCII nulls to an - 8 byte boundary. This "salt" is normally the realm and each component - of the principal's name appended. However, sometimes different salts - are used --- for example, when a realm is renamed, or if a user changes - her username, or for compatibility with Kerberos V4 (whose - string-to-key algorithm uses a null string for the salt). 
This string
- is then fan-folded and eXclusive-ORed with itself to form an 8 byte DES
- key. Before eXclusive-ORing a block, every byte is shifted one bit to
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- the left to leave the lowest bit zero. The key is the "corrected" by
- correcting the parity on the key, and if the key matches a 'weak' or
- 'semi-weak' key as described in the DES specification, it is
- eXclusive-ORed with the constant 00000000000000F0. This key is then
- used to generate a DES CBC checksum on the initial string (with the
- salt appended). The result of the CBC checksum is the "corrected" as
- described above to form the result which is return as the key.
- Pseudocode follows:
-
- name_to_default_salt(realm, name) {
- s = realm
- for(each component in name) {
- s = s + component;
- }
- return s;
- }
-
- key_correction(key) {
- fixparity(key);
- if (is_weak_key_key(key))
- key = key XOR 0xF0;
- return(key);
- }
-
- string_to_key(string,salt) {
-
- odd = 1;
- s = string + salt;
- tempkey = NULL;
- pad(s); /* with nulls to 8 byte boundary */
- for(8byteblock in s) {
- if(odd == 0) {
- odd = 1;
- reverse(8byteblock)
- }
- else odd = 0;
- left shift every byte in 8byteblock one bit;
- tempkey = tempkey XOR 8byteblock;
- }
- tempkey = key_correction(tempkey);
- key = key_correction(DES-CBC-check(s,tempkey));
- return(key);
- }
-
- 6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and
- without Key Derivation [Original draft by Marc Horowitz, revisions by
- David Miller]
-
- This encryption type is based on the Triple DES cryptosystem, the
- HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key
- derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may not
- be used in conjunction with the use of Triple DES keys.
-
- Algorithm Identifiers
-
- The des3-cbc-hmac-sha1 encryption type has been assigned the value 7. 
- The des3-cbc-hmac-sha1-kd encryption type, specifying the key
- derivation variant of the encryption type, has been assigned the value
- 16. The hmac-sha1-des3 checksum type has been assigned the value 13.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- The hmac-sha1-des3-kd checksum type, specifying the key derivation
- variant of the checksum, has been assigned the value 12.
-
- Triple DES Key Production
-
- The EncryptionKey value is 24 octets long. The 7 most significant bits
- of each octet contain key bits, and the least significant bit is the
- inverse of the xor of the key bits.
-
- For the purposes of key derivation, the block size is 64 bits, and the
- key size is 168 bits. The 168 bits output by key derivation are
- converted to an EncryptionKey value as follows. First, the 168 bits are
- divided into three groups of 56 bits, which are expanded individually
- into 64 bits as follows:
-
- 1 2 3 4 5 6 7 p
- 9 10 11 12 13 14 15 p
- 17 18 19 20 21 22 23 p
- 25 26 27 28 29 30 31 p
- 33 34 35 36 37 38 39 p
- 41 42 43 44 45 46 47 p
- 49 50 51 52 53 54 55 p
- 56 48 40 32 24 16 8 p
-
- The "p" bits are parity bits computed over the data bits. The output of
- the three expansions are concatenated to form the EncryptionKey value.
-
- When the HMAC-SHA1 of a string is computed, the key is used in the
- EncryptedKey form.
-
- The string-to-key function is used to tranform UNICODE passwords into
- DES3 keys. The DES3 string-to-key function relies on the "N-fold"
- algorithm, which is detailed in [9]. The description of the N-fold
- algorithm in that document is as follows:
- o To n-fold a number X, replicate the input value to a length that
- is the least common multiple of n and the length of X. Before each
- repetition, the input is rotated to the right by 13 bit positions. 
- The successive n-bit chunks are added together using
- 1's-complement addition (that is, addition with end-around carry)
- to yield an n-bit result"
- o The n-fold algorithm, as with DES string-to-key, is applied to the
- password string concatenated with a salt value. The salt value is
- derived in the same was as for the DES string-to-key algorithm.
- For 3-key triple DES then, the operation will involve a 168-fold
- of the input password string. The remainder of the string-to-key
- function for DES3 is shown here in pseudocode:
-
- DES3string-to-key(passwordString, key)
-
- salt = name_to_default_salt(realm, name)
- s = passwordString + salt
- tmpKey1 = 168-fold(s)
- parityFix(tmpKey1);
- if not weakKey(tmpKey1)
- /*
- * Encrypt temp key in itself with a
- * zero initialization vector
- *
- * Function signature is DES3encrypt(plain, key, iv)
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- * with cipher as the return value
- */
- tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec)
- /*
- * Encrypt resultant temp key in itself with third component
- * of first temp key as initialization vector
- */
- key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2])
- parityFix(key)
- if not weakKey(key)
- return SUCCESS
- else
- return FAILURE
- else
- return FAILURE
-
- The weakKey function above is the same weakKey function used with DES
- keys, but applied to each of the three single DES keys that comprise
- the triple DES key.
-
- The lengths of UNICODE encoded character strings include the trailing
- terminator character (0).
-
- Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd
-
- EncryptedData using this type must be generated as described in
- [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode.
- The checksum algorithm is HMAC-SHA1. 
If the key derivation variant of
- the encryption type is used, encryption key values are modified
- according to the method under the Key Derivation section below.
-
- Unless otherwise specified, a zero IV must be used.
-
- If the length of the input data is not a multiple of the block size,
- zero octets must be used to pad the plaintext to the next eight-octet
- boundary. The counfounder must be eight random octets (one block).
-
- Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd
-
- Checksums using this type must be generated as described in
- [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key
- derivation variant of the checksum type is used, checksum key values
- are modified according to the method under the Key Derivation section
- below.
-
- Key Derivation
-
- In the Kerberos protocol, cryptographic keys are used in a number of
- places. In order to minimize the effect of compromising a key, it is
- desirable to use a different key for each of these places. Key
- derivation [Horowitz96] can be used to construct different keys for
- each operation from the keys transported on the network. For this to be
- possible, a small change to the specification is necessary.
-
- This section specifies a profile for the use of key derivation
- [Horowitz96] with Kerberos. For each place where a key is used, a ``key
- usage'' must is specified for that purpose. The key, key usage, and
- encryption/checksum type together describe the transformation from
- plaintext to ciphertext, or plaintext to checksum.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
- Key Usage Values
-
- This is a complete list of places keys are used in the kerberos
- protocol, with key usage values and RFC 1510 section numbers:
-
- 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
- client key (section 5.4.1)
- 2. 
AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
- application session key), encrypted with the service key
- (section 5.4.2)
- 3. AS-REP encrypted part (includes tgs session key or application
- session key), encrypted with the client key (section 5.4.2)
- 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- session key (section 5.4.1)
- 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
- authenticator subkey (section 5.4.1)
- 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
- with the tgs session key (sections 5.3.2, 5.4.1)
- 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
- authenticator subkey), encrypted with the tgs session key
- (section 5.3.2)
- 8. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs session key (section 5.4.2)
- 9. TGS-REP encrypted part (includes application session key),
- encrypted with the tgs authenticator subkey (section 5.4.2)
- 10. AP-REQ Authenticator cksum, keyed with the application session
- key (section 5.3.2)
- 11. AP-REQ Authenticator (includes application authenticator
- subkey), encrypted with the application session key (section
- 5.3.2)
- 12. AP-REP encrypted part (includes application session subkey),
- encrypted with the application session key (section 5.5.2)
- 13. KRB-PRIV encrypted part, encrypted with a key chosen by the
- application (section 5.7.1)
- 14. KRB-CRED encrypted part, encrypted with a key chosen by the
- application (section 5.6.1)
- 15. KRB-SAVE cksum, keyed with a key chosen by the application
- (section 5.8.1)
- 18. KRB-ERROR checksum (e-cksum in section 5.9.1)
- 19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
- 20. Checksum for Mandatory Ticket Extensions (appendix B.6)
- 21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
-
- Key usage values between 1024 and 2047 (inclusive) are reserved for
- application use. 
Applications should use even values for encryption and
- odd values for checksums within this range.
-
- A few of these key usages need a little clarification. A service which
- receives an AP-REQ has no way to know if the enclosed Ticket was part
- of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used for
- generating a Ticket, whether it is in response to an AS- REQ or
- TGS-REQ.
-
- There might exist other documents which define protocols in terms of
- the RFC1510 encryption types or checksum types. Such documents would
- not know about key usages. In order that these documents continue to be
- meaningful until they are updated, key usages 1024 and 1025 must be
- used to derive keys for encryption and checksums, respectively. New
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- protocols defined in terms of the Kerberos encryption and checksum
- types should use their own key usages. Key usages may be registered
- with IANA to avoid conflicts. Key usages must be unsigned 32 bit
- integers. Zero is not permitted.
-
- Defining Cryptosystems Using Key Derivation
-
- Kerberos requires that the ciphertext component of EncryptedData be
- tamper-resistant as well as confidential. This implies encryption and
- integrity functions, which must each use their own separate keys. So,
- for each key usage, two keys must be generated, one for encryption
- (Ke), and one for integrity (Ki):
-
- Ke = DK(protocol key, key usage | 0xAA)
- Ki = DK(protocol key, key usage | 0x55)
-
- where the protocol key is from the EncryptionKey from the wire
- protocol, and the key usage is represented as a 32 bit integer in
- network byte order. The ciphertest must be generated from the plaintext
- as follows:
-
- ciphertext = E(Ke, confounder | plaintext | padding) |
- H(Ki, confounder | plaintext | padding)
-
- The confounder and padding are specific to the encryption algorithm E. 
-
- When generating a checksum only, there is no need for a confounder or
- padding. Again, a new key (Kc) must be used. Checksums must be
- generated from the plaintext as follows:
-
- Kc = DK(protocol key, key usage | 0x99)
- MAC = H(Kc, plaintext)
-
- Note that each enctype is described by an encryption algorithm E and a
- keyed hash algorithm H, and each checksum type is described by a keyed
- hash algorithm H. HMAC, with an appropriate hash, is required for use
- as H.
-
- Key Derivation from Passwords
-
- The well-known constant for password key derivation must be the byte
- string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values
- correspond to the ASCII encoding for the string "kerberos".
-
- 6.4. Checksums
-
- The following is the ASN.1 definition used for a checksum:
-
- Checksum ::= SEQUENCE {
- cksumtype[0] INTEGER,
- checksum[1] OCTET STRING
- }
-
- cksumtype
- This field indicates the algorithm used to generate the
- accompanying checksum.
- checksum
- This field contains the checksum itself, encoded as an octet
- string.
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- Detailed specification of selected checksum types appear later in this
- section. Negative values for the checksum type are reserved for local
- use. All non-negative values are reserved for officially assigned type
- fields and interpretations.
-
- Checksums used by Kerberos can be classified by two properties: whether
- they are collision-proof, and whether they are keyed. It is infeasible
- to find two plaintexts which generate the same checksum value for a
- collision-proof checksum. A key is required to perturb or initialize
- the algorithm in a keyed checksum. To prevent message-stream
- modification by an active attacker, unkeyed checksums should only be
- used when the checksum and message will be subsequently encrypted (e.g. 
- the checksums defined as part of the encryption algorithms covered
- earlier in this section).
-
- Collision-proof checksums can be made tamper-proof if the checksum
- value is encrypted before inclusion in a message. In such cases, the
- composition of the checksum and the encryption algorithm must be
- considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using
- DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed
- checksums, as well as for the encrypted forms of unkeyed
- collision-proof checksums, Kerberos prepends a confounder before the
- checksum is calculated.
-
- 6.4.1. The CRC-32 Checksum (crc32)
-
- The CRC-32 checksum calculates a checksum based on a cyclic redundancy
- check as described in ISO 3309 [ISO3309]. The resulting checksum is
- four (4) octets in length. The CRC-32 is neither keyed nor
- collision-proof. The use of this checksum is not recommended. An
- attacker using a probabilistic chosen-plaintext attack as described in
- [SG92] might be able to generate an alternative message that satisfies
- the checksum. The use of collision-proof checksums is recommended for
- environments where such attacks represent a significant threat.
-
- 6.4.2. The RSA MD4 Checksum (rsa-md4)
-
- The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
- [MD4-92]. The algorithm takes as input an input message of arbitrary
- length and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is
- believed to be collision-proof.
-
- 6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
-
- The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
- prepending an 8 octet confounder before the text, applying the RSA MD4
- checksum algorithm, and encrypting the confounder and the checksum
- using DES in cipher-block-chaining (CBC) mode using a variant of the
- key, where the variant is computed by eXclusive-ORing the key with the
- constant F0F0F0F0F0F0F0F0[39]. 
The initialization vector should be
- zero. The resulting checksum is 24 octets long (8 octets of which are
- redundant). This checksum is tamper-proof and believed to be
- collision-proof.
-
- The DES specifications identify some weak keys' and 'semi-weak keys';
- those keys shall not be used for generating RSA-MD4 checksums for use
- in Kerberos.
-
- The format for the checksum is described in the follow- ing diagram:
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(16)
- }
-
- 6.4.4. The RSA MD5 Checksum (rsa-md5)
-
- The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
- [MD5-92]. The algorithm takes as input an input message of arbitrary
- length and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is
- believed to be collision-proof.
-
- 6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
-
- The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
- prepending an 8 octet confounder before the text, applying the RSA MD5
- checksum algorithm, and encrypting the confounder and the checksum
- using DES in cipher-block-chaining (CBC) mode using a variant of the
- key, where the variant is computed by eXclusive-ORing the key with the
- hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should
- be zero. The resulting checksum is 24 octets long (8 octets of which
- are redundant). This checksum is tamper-proof and believed to be
- collision-proof. 
-
- The DES specifications identify some 'weak keys' and 'semi-weak keys';
- those keys shall not be used for encrypting RSA-MD5 checksums for use
- in Kerberos.
-
- The format for the checksum is described in the following diagram:
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(16)
- }
-
- 6.4.6. DES cipher-block chained checksum (des-mac)
-
- The DES-MAC checksum is computed by prepending an 8 octet confounder to
- the plaintext, performing a DES CBC-mode encryption on the result using
- the key and an initialization vector of zero, taking the last block of
- the ciphertext, prepending the same confounder and encrypting the pair
- using DES in cipher-block-chaining (CBC) mode using a a variant of the
- key, where the variant is computed by eXclusive-ORing the key with the
- hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- be zero. The resulting checksum is 128 bits (16 octets) long, 64 bits
- of which are redundant. This checksum is tamper-proof and
- collision-proof. 
-
- The format for the checksum is described in the following diagram:
-
- +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
- | des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
- +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
- confounder[0] UNTAGGED OCTET STRING(8),
- check[1] UNTAGGED OCTET STRING(8)
- }
-
- The DES specifications identify some 'weak' and 'semi-weak' keys; those
- keys shall not be used for generating DES-MAC checksums for use in
- Kerberos, nor shall a key be used whose variant is 'weak' or
- 'semi-weak'.
-
- 6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
- (rsa-md4-des-k)
-
- The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum
- by applying the RSA MD4 checksum algorithm and encrypting the results
- using DES in cipher-block-chaining (CBC) mode using a DES key as both
- key and initialization vector. The resulting checksum is 16 octets
- long. This checksum is tamper-proof and believed to be collision-proof.
- Note that this checksum type is the old method for encoding the
- RSA-MD4-DES checksum and it is no longer recommended.
-
- 6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
-
- The DES-MAC-K checksum is computed by performing a DES CBC-mode
- encryption of the plaintext, and using the last block of the ciphertext
- as the checksum value. It is keyed with an encryption key and an
- initialization vector; any uses which do not specify an additional
- initialization vector will use the key as both key and initialization
- vector. The resulting checksum is 64 bits (8 octets) long. This
- checksum is tamper-proof and collision-proof. Note that this checksum
- type is the old method for encoding the DES-MAC checksum and it is no
- longer recommended. 
The DES specifications identify some 'weak keys'
- and 'semi-weak keys'; those keys shall not be used for generating
- DES-MAC checksums for use in Kerberos.
-
- 7. Naming Constraints
-
- 7.1. Realm Names
-
- Although realm names are encoded as GeneralStrings and although a realm
- can technically select any name it chooses, interoperability across
- realm boundaries requires agreement on how realm names are to be
- assigned, and what information they imply.
-
- To enforce these conventions, each realm must conform to the
- conventions itself, and it must require that any realms with which
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- inter-realm keys are shared also conform to the conventions and require
- the same from its neighbors.
-
- Kerberos realm names are case sensitive. Realm names that differ only
- in the case of the characters are not equivalent. There are presently
- four styles of realm names: domain, X500, other, and reserved. Examples
- of each style follow:
-
- domain: ATHENA.MIT.EDU (example)
- X500: C=US/O=OSF (example)
- other: NAMETYPE:rest/of.name=without-restrictions (example)
- reserved: reserved, but will not conflict with above
-
- Domain names must look like domain names: they consist of components
- separated by periods (.) and they contain neither colons (:) nor
- slashes (/). Domain names must be converted to upper case when used as
- realm names.
-
- X.500 names contain an equal (=) and cannot contain a colon (:) before
- the equal. The realm names for X.500 names will be string
- representations of the names with components separated by slashes.
- Leading and trailing slashes will not be included.
-
- Names that fall into the other category must begin with a prefix that
- contains no equal (=) or period (.) and the prefix must be followed by
- a colon (:) and the rest of the name. All prefixes must be assigned
- before they may be used. 
Presently none are assigned.
-
- The reserved category includes strings which do not fall into the first
- three categories. All names in this category are reserved. It is
- unlikely that names will be assigned to this category unless there is a
- very strong argument for not using the 'other' category.
-
- These rules guarantee that there will be no conflicts between the
- various name styles. The following additional constraints apply to the
- assignment of realm names in the domain and X.500 categories: the name
- of a realm for the domain or X.500 formats must either be used by the
- organization owning (to whom it was assigned) an Internet domain name
- or X.500 name, or in the case that no such names are registered,
- authority to use a realm name may be derived from the authority of the
- parent realm. For example, if there is no domain name for E40.MIT.EDU,
- then the administrator of the MIT.EDU realm can authorize the creation
- of a realm with that name.
-
- This is acceptable because the organization to which the parent is
- assigned is presumably the organization authorized to assign names to
- its children in the X.500 and domain name systems as well. If the
- parent assigns a realm name without also registering it in the domain
- name or X.500 hierarchy, it is the parent's responsibility to make sure
- that there will not in the future exists a name identical to the realm
- name of the child unless it is assigned to the same entity as the realm
- name.
-
- 7.2. Principal Names
-
- As was the case for realm names, conventions are needed to ensure that
- all agree on what information is implied by a principal name. The
- name-type field that is part of the principal name indicates the kind
- of information implied by the name. The name-type should be treated as
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- a hint. 
Ignoring the name type, no two names can be the same (i.e. at - least one of the components, or the realm, must be different). The - following name types are defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. username, or DCE principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - - When a name implies no information other than its uniqueness at a - particular time the name type PRINCIPAL should be used. The principal - name type should be used for users, and it might also be used for a - unique server. If the name is a unique machine generated ID that is - guaranteed never to be reassigned then the name type of UID should be - used (note that it is generally a bad idea to reassign names of any - type since stale entries might remain in access control lists). - - If the first component of a name identifies a service and the remaining - components identify an instance of the service in a server specified - manner, then the name type of SRV-INST should be used. An example of - this name type is the Kerberos ticket-granting service whose name has a - first component of krbtgt and a second component identifying the realm - for which the ticket is valid. - - If instance is a single component following the service name and the - instance identifies the host on which the server is running, then the - name type SRV-HST should be used. This type is typically used for - Internet services such as telnet and the Berkeley R commands. If the - separate components of the host name appear as successive components - following the name of the service, then the name type SRV-XHST should - be used. 
This type might be used to identify servers on hosts with - X.500 names where the slash (/) might otherwise be ambiguous. - - A name type of NT-X500-PRINCIPAL should be used when a name from an - X.509 certificiate is translated into a Kerberos name. The encoding of - the X.509 name as a Kerberos principal shall conform to the encoding - rules specified in RFC 2253. - - A name type of UNKNOWN should be used when the form of the name is not - known. When comparing names, a name of type UNKNOWN will match - principals authenticated with names of any type. A principal - authenticated with a name of type UNKNOWN, however, will only match - other names of type UNKNOWN. - - Names of any type with an initial component of 'krbtgt' are reserved - for the Kerberos ticket granting service. See section 8.2.3 for the - form of such names. - - 7.2.1. Name of server principals - - The principal identifier for a server on a host will generally be - composed of two parts: (1) the realm of the KDC with which the server - is registered, and (2) a two-component name of type NT-SRV-HST if the - host name is an Internet domain name or a multi-component name of type - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - NT-SRV-XHST if the name of the host is of a form such as X.500 that - allows slash (/) separators. The first component of the two- or - multi-component name will identify the service and the latter - components will identify the host. Where the name of the host is not - case sensitive (for example, with Internet domain names) the name of - the host must be lower case. If specified by the application protocol - for services such as telnet and the Berkeley R commands which run with - system privileges, the first component may be the string 'host' instead - of a service specific identifier. 
When a host has an official name and - one or more aliases, the official name of the host must be used when - constructing the name of the server principal. - - 8. Constants and other defined values - - 8.1. Host address types - - All negative values for the host address type are reserved for local - use. All non-negative values are reserved for officially assigned type - fields and interpretations. - - The values of the types for the following addresses are chosen to match - the defined address family constants in the Berkeley Standard - Distributions of Unix. They can be found in with symbolic names AF_xxx - (where xxx is an abbreviation of the address family name). - - Internet (IPv4) Addresses - - Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in - MSB order. The type of IPv4 addresses is two (2). - - Internet (IPv6) Addresses [Westerlund] - - IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. - The type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. - The following addresses (see [RFC1884]) MUST not appear in any Kerberos - packet: - o the Unspecified Address - o the Loopback Address - o Link-Local addresses - IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - - CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB - order. The type of CHAOSnet addresses is five (5). - - ISO addresses - - ISO addresses are variable-length. The type of ISO addresses is seven - (7). - - Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. - The type of XNS addresses is six (6). - - AppleTalk Datagram Delivery Protocol (DDP) addresses - - AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - network number. 
The first octet of the address is the node number; the - remaining two octets encode the network number in MSB order. The type - of AppleTalk DDP addresses is sixteen (16). - - DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. - The type of DECnet Phase IV addresses is twelve (12). - - Netbios addresses - - Netbios addresses are 16-octet addresses typically composed of 1 to 15 - characters, trailing blank (ascii char 20) filled, with a 16th octet of - 0x0. The type of Netbios addresses is 20 (0x14). - - 8.2. KDC messages - - 8.2.1. UDP/IP transport - - When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using - UDP IP transport, the client shall send a UDP datagram containing only - an encoding of the request to port 88 (decimal) at the KDC's IP - address; the KDC will respond with a reply datagram containing only an - encoding of the reply message (either a KRB_ERROR or a KRB_KDC_REP) to - the sending port at the sender's IP address. Kerberos servers - supporting IP transport must accept UDP requests on port 88 (decimal). - The response to a request made through UDP/IP transport must also use - UDP/IP transport. - - 8.2.2. TCP/IP transport [Westerlund,Danielsson] - - Kerberos servers (KDC's) should accept TCP requests on port 88 - (decimal) and clients should support the sending of TCP requests on - port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC over - a TCP stream, a new connection will be established for each - authentication exchange (request and response). The KRB_KDC_REP or - KRB_ERROR message will be returned to the client on the same TCP stream - that was established for the request. The response to a request made - through TCP/IP transport must also use TCP/IP transport. Implementors - should note that some extentions to the Kerberos protocol will not work - if any implementation not supporting the TCP transport is involved - (client or KDC). 
Implementors are strongly urged to support the TCP - transport on both the client and server and are advised that the - current notation of "should" support will likely change in the future - to must support. The KDC may close the TCP stream after sending a - response, but may leave the stream open if it expects a followup - in - which case it may close the stream at any time if resource constratints - or other factors make it desirable to do so. Care must be taken in - managing TCP/IP connections with the KDC to prevent denial of service - attacks based on the number of TCP/IP connections with the KDC that - remain open. If multiple exchanges with the KDC are needed for certain - forms of preauthentication, multiple TCP connections may be required. A - client may close the stream after receiving response, and should close - the stream if it does not expect to send followup messages. The client - must be prepared to have the stream closed by the KDC at anytime, in - which case it must simply connect again when it is ready to send - subsequent messages. - - The first four octets of the TCP stream used to transmit the request - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - request will encode in network byte order the length of the request - (KRB_KDC_REQ), and the length will be followed by the request itself. - The response will similarly be preceeded by a 4 octet encoding in - network byte order of the length of the KRB_KDC_REP or the KRB_ERROR - message and will be followed by the KRB_KDC_REP or the KRB_ERROR - response. If the sign bit is set on the integer represented by the - first 4 octets, then the next 4 octets will be read, extending the - length of the field by another 4 octets (less the sign bit which is - reserved for future expansion). - - 8.2.3. 
OSI transport - - During authentication of an OSI client to an OSI server, the mutual - authentication of an OSI server to an OSI client, the transfer of - credentials from an OSI client to an OSI server, or during exchange of - private or integrity checked messages, Kerberos protocol messages may - be treated as opaque objects and the type of the authentication - mechanism will be: - - OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)} - - Depending on the situation, the opaque object will be an authentication - header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe - message (KRB_SAFE), a private message (KRB_PRIV), or a credentials - message (KRB_CRED). The opaque data contains an application code as - specified in the ASN.1 description for each message. The application - code may be used by Kerberos to determine the message type. - - 8.2.3. Name of the TGS - - The principal identifier of the ticket-granting service shall be - composed of three parts: (1) the realm of the KDC issuing the TGS - ticket (2) a two-part name of type NT-SRV-INST, with the first part - "krbtgt" and the second part the name of the realm which will accept - the ticket-granting ticket. For example, a ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm), - ("krbtgt", "MIT.EDU") (name). - - 8.3. Protocol constants and associated values - - The following tables list constants used in the protocol and defines - their meanings. Ranges are specified in the "specification" section - that limit the values of constants for which values are defined here. 
- This allows implementations to make assumptions about the maximum - values that will be received for these constants. Implementation - receiving values outside the range specified in the "specification" - section may reject the request, but they must recover cleanly. - - Encryption type etype value block size minimum pad size confounder size - NULL 0 1 0 0 - des-cbc-crc 1 8 4 8 - des-cbc-md4 2 8 0 8 - des-cbc-md5 3 8 0 8 - 4 - des3-cbc-md5 5 8 0 8 - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - 6 - des3-cbc-sha1 7 8 0 8 - dsaWithSHA1-CmsOID 9 (pkinit) - md5WithRSAEncryption-CmsOID 10 (pkinit) - sha1WithRSAEncryption-CmsOID 11 (pkinit) - rc2CBC-EnvOID 12 (pkinit) - rsaEncryption-EnvOID 13 (pkinit from PKCS#1 v1.5) - rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1 v2.0) - des-ede3-cbc-Env-OID 15 (pkinit) - des3-cbc-sha1-kd 16 (Tom Yu) - rc4-hmac 23 (swift) - rc4-hmac-exp 24 (swift) - - ENCTYPE_PK_CROSS 48 (reserved for pkcross) - 0x8003 - - Checksum type sumtype value checksum size - CRC32 1 4 - rsa-md4 2 16 - rsa-md4-des 3 24 - des-mac 4 16 - des-mac-k 5 8 - rsa-md4-des-k 6 16 (drop rsa ?) - rsa-md5 7 16 (drop rsa ?) - rsa-md5-des 8 24 (drop rsa ?) - rsa-md5-des3 9 24 (drop rsa ?) 
- hmac-sha1-des3-kd 12 20 - hmac-sha1-des3 13 20 - - padata type padata-type value - - PA-TGS-REQ 1 - PA-ENC-TIMESTAMP 2 - PA-PW-SALT 3 - 4 - PA-ENC-UNIX-TIME 5 (depricated) - PA-SANDIA-SECUREID 6 - PA-SESAME 7 - PA-OSF-DCE 8 - PA-CYBERSAFE-SECUREID 9 - PA-AFS3-SALT 10 - PA-ETYPE-INFO 11 - PA-SAM-CHALLENGE 12 (sam/otp) - PA-SAM-RESPONSE 13 (sam/otp) - PA-PK-AS-REQ 14 (pkinit) - PA-PK-AS-REP 15 (pkinit) - PA-USE-SPECIFIED-KVNO 20 - PA-SAM-REDIRECT 21 (sam/otp) - PA-GET-FROM-TYPED-DATA 22 - PA-SAM-ETYPE-INFO 23 (sam/otp) - -data-type value form of typed-data - - 1-21 -TD-PADATA 22 -TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS -TD-KRB-PRINCIPAL 102 -TD-KRB-REALM 103 -TD-TRUSTED-CERTIFIERS 104 - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -TD-CERTIFICATE-INDEX 105 - -authorization data type ad-type value -AD-IF-RELEVANT 1 -AD-INTENDED-FOR-SERVER 2 -AD-INTENDED-FOR-APPLICATION-CLASS 3 -AD-KDC-ISSUED 4 -AD-OR 5 -AD-MANDATORY-TICKET-EXTENSIONS 6 -AD-IN-TICKET-EXTENSIONS 7 -reserved values 8-63 -OSF-DCE 64 -SESAME 65 -AD-OSF-DCE-PKI-CERTID 66 (hemsath@us.ibm.com) - -Ticket Extension Types - -TE-TYPE-NULL 0 Null ticket extension -TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization data - 2 TE-TYPE-PKCROSS-KDC (I have reservations) -TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket -TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp - 5 TE-TYPE-DEST-HOST (I have reservations) - -alternate authentication type method-type value -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - -transited encoding type tr-type value -DOMAIN-X500-COMPRESS 1 -reserved values all others - -Label Value Meaning or MIT code - -pvno 5 current Kerberos protocol version number - -message types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request 
-KRB_AP_REQ 14 application request to server -KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID -KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253] - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired -KDC_ERR_BAD_PVNO 3 Requested prot vers number not supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than end time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients 
credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked -KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change password -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired [40] -KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match -KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only -KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path -KDC_ERR_SVC_UNAVAILABLE 29 A service is not available -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method required -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message -KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path -KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry with TCP -KRB_ERR_GENERIC 60 Generic error (description in e-text) -KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation 
-KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit) -KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit) -KDC_ERROR_INVALID_SIG 64 (pkinit) -KDC_ERR_KEY_TOO_WEAK 65 (pkinit) - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - -KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit) -KRB_AP_ERR_NO_TGT 67 (user-to-user) -KDC_ERR_WRONG_REALM 68 (user-to-user) -KRB_AP_ERR_USER_TO_USER_REQUIRED 69 (user-to-user) -KDC_ERR_CANT_VERIFY_CERTIFICATE 70 (pkinit) -KDC_ERR_INVALID_CERTIFICATE 71 (pkinit) -KDC_ERR_REVOKED_CERTIFICATE 72 (pkinit) -KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 (pkinit) -KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 (pkinit) -KDC_ERR_CLIENT_NAME_MISMATCH 75 (pkinit) -KDC_ERR_KDC_NAME_MISMATCH 76 (pkinit) - - 9. Interoperability requirements - - Version 5 of the Kerberos protocol supports a myriad of options. Among - these are multiple encryption and checksum types, alternative encoding - schemes for the transited field, optional mechanisms for - pre-authentication, the handling of tickets with no addresses, options - for mutual authentication, user to user authentication, support for - proxies, forwarding, postdating, and renewing tickets, the format of - realm names, and the handling of authorization data. - - In order to ensure the interoperability of realms, it is necessary to - define a minimal configuration which must be supported by all - implementations. This minimal configuration is subject to change as - technology does. For example, if at some later date it is discovered - that one of the required encryption or checksum algorithms is not - secure, it will be replaced. - - 9.1. Specification 2 - - This section defines the second specification of these options. - Implementations which are configured in this way can be said to support - Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) - may be found in RFC1510. 
- - Transport - - TCP/IP and UDP/IP transport must be supported by KDCs claiming - conformance to specification 2. Kerberos clients claiming conformance - to specification 2 must support UDP/IP transport for messages with the - KDC and should support TCP/IP transport. - - Encryption and checksum methods - - The following encryption and checksum mechanisms must be supported. - Implementations may support other mechanisms as well, but the - additional mechanisms may only be used when communicating with - principals known to also support them: This list is to be determined. - - Encryption: DES-CBC-MD5, one triple des variant (tbd) - Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd) - - Realm Names - - All implementations must understand hierarchical realms in both the - Internet Domain and the X.500 style. When a ticket granting ticket for - an unknown realm is requested, the KDC must be able to determine the - names of the intermediate realms between the KDCs realm and the - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - requested realm. - - Transited field encoding - - DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported. - Alternative encodings may be supported, but they may be used only when - that encoding is supported by ALL intermediate realms. - - Pre-authentication methods - - The TGS-REQ method must be supported. The TGS-REQ method is not used on - the initial request. The PA-ENC-TIMESTAMP method must be supported by - clients but whether it is enabled by default may be determined on a - realm by realm basis. If not used in the initial request and the error - KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an - acceptable method, the client should retry the initial request using - the PA-ENC-TIMESTAMP preauthentication method. 
Servers need not support - the PA-ENC-TIMESTAMP method, but if not supported the server should - ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a - request. - - Mutual authentication - - Mutual authentication (via the KRB_AP_REP message) must be supported. - - Ticket addresses and flags - - All KDC's must pass on tickets that carry no addresses (i.e. if a TGT - contains no addresses, the KDC will return derivative tickets), but - each realm may set its own policy for issuing such tickets, and each - application server will set its own policy with respect to accepting - them. - - Proxies and forwarded tickets must be supported. Individual realms and - application servers can set their own policy on when such tickets will - be accepted. - - All implementations must recognize renewable and postdated tickets, but - need not actually implement them. If these options are not supported, - the starttime and endtime in the ticket shall specify a ticket's entire - useful life. When a postdated ticket is decoded by a server, all - implementations shall make the presence of the postdated flag visible - to the calling server. - - User-to-user authentication - - Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC - option) must be provided by implementations, but individual realms may - decide as a matter of policy to reject such requests on a per-principal - or realm-wide basis. - - Authorization data - - Implementations must pass all authorization data subfields from - ticket-granting tickets to any derivative tickets unless directed to - suppress a subfield as part of the definition of that registered - subfield type (it is never incorrect to pass on a subfield, and no - registered subfield types presently specify suppression at the KDC). 
- - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - Implementations must make the contents of any authorization data - subfields available to the server when a ticket is used. - Implementations are not required to allow clients to specify the - contents of the authorization data fields. - - Constant ranges - - All protocol constants are constrained to 32 bit (signed) values unless - further constrained by the protocol definition. This limit is provided - to allow implementations to make assumptions about the maximum values - that will be received for these constants. Implementation receiving - values outside this range may reject the request, but they must recover - cleanly. - - 9.2. Recommended KDC values - - Following is a list of recommended values for a KDC implementation, - based on the list of suggested configuration constants (see section - 4.4). - - minimum lifetime 5 minutes - maximum renewable lifetime 1 week - maximum ticket lifetime 1 day - empty addresses only when suitable restrictions appear - in authorization data - proxiable, etc. Allowed. - - 10. REFERENCES - - [NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti- - cation Service for Computer Networks," IEEE Communica- - tions Magazine, Vol. 32(9), pp. 33-38 (September 1994). - - [MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. - Saltzer, Section E.2.1: Kerberos Authentication and - Authorization System, M.I.T. Project Athena, Cambridge, - Massachusetts (December 21, 1987). - - [SNS88] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Ker- - beros: An Authentication Service for Open Network Sys- - tems," pp. 191-202 in Usenix Conference Proceedings, - Dallas, Texas (February, 1988). - - [NS78] Roger M. Needham and Michael D. Schroeder, "Using - Encryption for Authentication in Large Networks of Com- - puters," Communications of the ACM, Vol. 21(12), - pp. 993-999 (December, 1978). 
- - [DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time- - stamps in Key Distribution Protocols," Communications - of the ACM, Vol. 24(8), pp. 533-536 (August 1981). - - [KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, - "The Evolution of the Kerberos Authentication Service," - in an IEEE Computer Society Text soon to be published - (June 1992). - - [Neu93] B. Clifford Neuman, "Proxy-Based Authorization and - Accounting for Distributed Systems," in Proceedings of - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - the 13th International Conference on Distributed Com- - puting Systems, Pittsburgh, PA (May, 1993). - - [DS90] Don Davis and Ralph Swick, "Workstation Services and - Kerberos Authentication at Project Athena," Technical - Memorandum TM-424, MIT Laboratory for Computer Science - (February 1990). - - [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som- - merfeld, and K. Raeburn, Section E.1: Service Manage- - ment System, M.I.T. Project Athena, Cambridge, Mas- - sachusetts (1987). - - [X509-88] CCITT, Recommendation X.509: The Directory Authentica- - tion Framework, December 1988. - - [Pat92]. J. Pato, Using Pre-Authentication to Avoid Password - Guessing Attacks, Open Software Foundation DCE Request - for Comments 26 (December 1992). - - [DES77] National Bureau of Standards, U.S. Department of Com- - merce, "Data Encryption Standard," Federal Information - Processing Standards Publication 46, Washington, DC - (1977). - - [DESM80] National Bureau of Standards, U.S. Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - - [SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). 
- - [IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - - [MD4-92] R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - - [MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - - [KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - - [Horowitz96] Horowitz, M., "Key Derivation for Authentication, - Integrity, and Privacy", draft-horowitz-key-derivation-02.txt, - August 1998. - - [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-01.txt, September 1998. - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - - A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the messages are to - be constructed and interpreted by clients and servers. - - A.1. 
KRB_AS_REQ generation
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt",
- "localrealm" */
-
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
- A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation
-
- decode message into req;
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- client := lookup(req.cname,req.realm);
- server := lookup(req.sname,req.realm);
-
- get system_time;
- kdc_time := system_time.seconds;
-
- if (!client) then
- /* no client in Database */
- error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
- endif
- if (!server) then
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
-
- if(client.pa_enc_timestamp_required and
- pa_enc_timestamp not present) then
- error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
- endif
-
- if(pa_enc_timestamp present) then
- decrypt req.padata-value into decrypted_enc_timestamp
- using client.key;
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- if(decrypted_enc_timestamp is not within allowable skew)
- then
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- if(decrypted_enc_timestamp and usec is replay)
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- add decrypted_enc_timestamp and usec to replay cache;
- endif
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := req.srealm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. 
For example, some */
- /* realms may refuse to issue renewable tickets */
-
- if (req.kdc-options.FORWARDABLE is set) then
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.PROXIABLE is set) then
- set new_tkt.flags.PROXIABLE;
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if ((req.kdc-options.RENEW is set) or
- (req.kdc-options.VALIDATE is set) or
- (req.kdc-options.PROXY is set) or
- (req.kdc-options.FORWARDED is set) or
- (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
- error_out(KDC_ERR_BADOPTION);
- endif
-
- new_tkt.session := random_session_key();
- new_tkt.cname := req.cname;
- new_tkt.crealm := req.crealm;
- new_tkt.transited := empty_transited_field();
-
- new_tkt.authtime := kdc_time;
-
- if (req.kdc-options.POSTDATED is set) then
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- new_tkt.starttime := req.from;
- else
- omit new_tkt.starttime; /* treated as authtime when omitted */
- endif
- if (req.till = 0) then
- till := infinity;
- else
- till := req.till;
- endif
-
- new_tkt.endtime := min(till,
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
- new_tkt.starttime+max_life_for_realm);
-
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (new_tkt.endtime < req.till)) then
- /* we set the RENEWABLE option for later processing */
- set req.kdc-options.RENEWABLE;
- req.rtime := req.till;
- endif
-
- if (req.rtime = 0) then
- rtime := infinity;
- else
- rtime := req.rtime;
- endif
-
- if (req.kdc-options.RENEWABLE is set) then
- set new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
- new_tkt.starttime+client.max_rlife,
- new_tkt.starttime+server.max_rlife,
- new_tkt.starttime+max_rlife_for_realm);
- else
- omit new_tkt.renew-till; /*
only present if RENEWABLE */
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- endif
-
- if (req.addresses) then
- new_tkt.caddr := req.addresses;
- else
- omit new_tkt.caddr;
- endif
-
- new_tkt.authorization_data := empty_authorization_data();
-
- encode to-be-encrypted part of ticket into OCTET STRING;
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key, server.p_kvno;
-
- /* Start processing the response */
-
- resp.pvno := 5;
- resp.msg-type := KRB_AS_REP;
- resp.cname := req.cname;
- resp.crealm := req.realm;
- resp.ticket := new_tkt;
-
- resp.key := new_tkt.session;
- resp.last-req := fetch_last_request_info(client);
- resp.nonce := req.nonce;
- resp.key-expiration := client.expiration;
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- resp.realm := new_tkt.realm;
- resp.sname := new_tkt.sname;
-
- resp.caddr := new_tkt.caddr;
-
- encode body of reply into OCTET STRING;
-
- resp.enc-part := encrypt OCTET STRING
- using use_etype, client.key, client.p_kvno;
- send(resp);
-
- A.3.
KRB_AS_REP verification
-
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
- set pa_enc_timestamp_required;
- goto KRB_AS_REQ;
- endif
- process_error(resp);
- return;
- endif
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
-
- /* On error, discard the response, and zero the session key */
- /* from the response immediately */
-
- key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
- resp.padata);
- unencrypted part of resp := decode of decrypt of resp.enc-part
- using resp.enc-part.etype and key;
- zero(key);
-
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- if near(resp.princ_exp) then
- print(warning message);
- endif
- save_for_later(ticket,session,client,server,times,flags);
-
- A.4. KRB_AS_REP and KRB_TGS_REP common checks
-
- if (decryption_error() or
- (req.cname != resp.cname) or
- (req.realm != resp.crealm) or
- (req.sname != resp.sname) or
- (req.realm != resp.realm) or
- (req.nonce != resp.nonce) or
- (req.addresses != resp.caddr)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- /* make sure no flags are set that shouldn't be, and that all that */
- /* should be are set */
- if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.from = 0) and
- (resp.starttime is not within allowable skew)) then
- destroy resp.key;
- return KRB_AP_ERR_SKEW;
- endif
- if ((req.from != 0) and (req.from != resp.starttime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.till != 0) and (resp.endtime > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.kdc-options.RENEWABLE is set) and
- (req.rtime != 0) and (resp.renew-till > req.rtime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
-
endif
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (resp.flags.RENEWABLE) and
- (req.till != 0) and
- (resp.renew-till > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- A.5. KRB_TGS_REQ generation
-
- /* Note that make_application_request might have to recursivly */
- /* call this routine to get the appropriate ticket-granting ticket */
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_TGS_REQ */
-
- body.kdc-options := users's preferences;
- /* If the TGT is not for the realm of the end-server */
- /* then the sname will be for a TGT for the end-realm */
- /* and the realm of the requested ticket (body.realm) */
- /* will be that of the TGS to which the TGT we are */
- /* sending applies */
- body.sname := service's name;
- body.realm := service's realm;
-
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
-
- body.enc-authorization-data := user-supplied data;
- if (body.kdc-options.ENC-TKT-IN-SKEY) then
- body.additional-tickets_ticket := second TGT;
- endif
-
- request.req-body := body;
- check := generate_checksum (req.body,checksumtype);
-
- request.padata[0].padata-type := PA-TGS-REQ;
- request.padata[0].padata-value := create a KRB_AP_REQ using
- the TGT and checksum
-
- /* add in any other padata as required/supplied */
-
- kerberos := lookup(name of local kerberose server (or servers));
- send(packet,kerberos);
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
- A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
-
- /* note that reading the application request requires first
- determining the server for which a ticket was issued, and
- choosing the correct key for decryption. The name of the
- server appears in the plaintext part of the ticket. */
-
- if (no KRB_AP_REQ in req.padata) then
- error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
- endif
- verify KRB_AP_REQ in req.padata;
-
- /* Note that the realm in which the Kerberos server is
- operating is determined by the instance from the
- ticket-granting ticket. The realm in the ticket-granting
- ticket is the realm under which the ticket granting
- ticket was issued. It is possible for a single Kerberos
- server to support more than one realm. */
-
- auth_hdr := KRB_AP_REQ;
- tgt := auth_hdr.ticket;
-
- if (tgt.sname is not a TGT for local realm and is not req.sname)
- then
- error_out(KRB_AP_ERR_NOT_US);
-
- realm := realm_tgt_is_for(tgt);
-
- decode remainder of request;
-
- if (auth_hdr.authenticator.cksum is missing) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
-
- if (auth_hdr.authenticator.cksum type is not supported) then
- error_out(KDC_ERR_SUMTYPE_NOSUPP);
- endif
- if (auth_hdr.authenticator.cksum is not both collision-proof
- and keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
-
- set computed_checksum := checksum(req);
- if (computed_checksum != auth_hdr.authenticatory.cksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- server := lookup(req.sname,realm);
-
- if (!server) then
- if (is_foreign_tgt_name(req.sname)) then
- server := best_intermediate_tgs(req.sname);
- else
- /* no server in Database */
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
- endif
-
-
session := generate_random_session_key();
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := realm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. For example, some */
- /* realms may refuse to issue renewable tickets */
-
- new_tkt.caddr := tgt.caddr;
- resp.caddr := NULL; /* We only include this if they change */
- if (req.kdc-options.FORWARDABLE is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.FORWARDED is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDED;
- new_tkt.caddr := req.addresses;
- resp.caddr := req.addresses;
- endif
- if (tgt.flags.FORWARDED is set) then
- set new_tkt.flags.FORWARDED;
- endif
-
- if (req.kdc-options.PROXIABLE is set) then
- if (tgt.flags.PROXIABLE is reset)
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXIABLE;
- endif
- if (req.kdc-options.PROXY is set) then
- if (tgt.flags.PROXIABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXY;
- new_tkt.caddr := req.addresses;
- resp.caddr := req.addresses;
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
- if (tgt.flags.MAY-POSTDATE is reset)
- error_out(KDC_ERR_BADOPTION);
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- endif
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if (req.kdc-options.POSTDATED is set) then
- if (tgt.flags.MAY-POSTDATE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- if (against_postdate_policy(req.from)) then
-
error_out(KDC_ERR_POLICY); - endif - new_tkt.starttime := req.from; - endif - - if (req.kdc-options.VALIDATE is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket would */ - /* have been rejected in the initial authentication stage, so */ - /* there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set 
new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
- new_tkt.starttime+client.max_rlife,
- new_tkt.starttime+server.max_rlife,
- new_tkt.starttime+max_rlife_for_realm,
- tgt.renew-till);
- else
- new_tkt.renew-till := OMIT; /* leave the
- renew-till field out */
- endif
- if (req.enc-authorization-data is present) then
- decrypt req.enc-authorization-data into
- decrypted_authorization_data
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- endif
- new_tkt.authorization_data :=
- req.auth_hdr.ticket.authorization_data +
- decrypted_authorization_data;
-
- new_tkt.key := session;
- new_tkt.crealm := tgt.crealm;
- new_tkt.cname := req.auth_hdr.ticket.cname;
-
- if (realm_tgt_is_for(tgt) := tgt.realm) then
- /* tgt issued by local realm */
- new_tkt.transited := tgt.transited;
- else
- /* was issued for this realm by some other realm */
- if (tgt.transited.tr-type not supported) then
- error_out(KDC_ERR_TRTYPE_NOSUPP);
- endif
- new_tkt.transited :=
- compress_transited(tgt.transited + tgt.realm)
- /* Don't check tranited field if TGT for foreign realm,
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- * or requested not to check */
- if (is_not_foreign_tgt_name(new_tkt.server)
- && req.kdc-options.DISABLE-TRANSITED-CHECK not
- set) then
- /* Check it, so end-server does not have to
- * but don't fail, end-server may still accept it */
- if (check_transited_field(new_tkt.transited) == OK)
- set new_tkt.flags.TRANSITED-POLICY-CHECKED;
- endif
- endif
- endif
-
- encode encrypted part of new_tkt into OCTET STRING;
- if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
- if (server not specified) then
- server = req.second_ticket.client;
- endif
- if ((req.second_ticket is not a TGT) or
- (req.second_ticket.client != server)) then
- error_out(KDC_ERR_POLICY);
- endif
-
- new_tkt.enc-part := encrypt OCTET STRING using
- using
etype_for_key(second-ticket.key),
- second-ticket.key;
- else
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key),
- server.key, server.p_kvno;
- endif
-
- resp.pvno := 5;
- resp.msg-type := KRB_TGS_REP;
- resp.crealm := tgt.crealm;
- resp.cname := tgt.cname;
- resp.ticket := new_tkt;
-
- resp.key := session;
- resp.nonce := req.nonce;
- resp.last-req := fetch_last_request_info(client);
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- omit resp.key-expiration;
-
- resp.sname := new_tkt.sname;
- resp.realm := new_tkt.realm;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- encode body of reply into OCTET STRING;
-
- if (req.padata.authenticator.subkey)
- resp.enc-part := encrypt OCTET STRING using use_etype,
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- req.padata.authenticator.subkey;
- else resp.enc-part := encrypt OCTET STRING using
- use_etype, tgt.key;
-
- send(resp);
-
- A.7. KRB_TGS_REP verification
-
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key from
- the response immediately */
-
- if (req.padata.authenticator.subkey)
- unencrypted part of resp := decode of decrypt of
- resp.enc-part
- using resp.enc-part.etype and subkey;
- else unencrypted part of resp := decode of decrypt of
- resp.enc-part
- using resp.enc-part.etype and
- tgt's session key;
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- check authorization_data as necessary;
- save_for_later(ticket,session,client,server,times,flags);
-
- A.8.
Authenticator generation
-
- body.authenticator-vno := authenticator vno; /* = 5 */
- body.cname, body.crealm := client name;
- if (supplying checksum) then
- body.cksum := checksum;
- endif
- get system_time;
- body.ctime, body.cusec := system_time;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
- A.9. KRB_AP_REQ generation
-
- obtain ticket and session_key from cache;
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REQ */
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- if (desired(MUTUAL_AUTHENTICATION)) then
- set packet.ap-options.MUTUAL-REQUIRED;
- else
- reset packet.ap-options.MUTUAL-REQUIRED;
- endif
- if (using session key for ticket) then
- set packet.ap-options.USE-SESSION-KEY;
- else
- reset packet.ap-options.USE-SESSION-KEY;
- endif
- packet.ticket := ticket; /* ticket */
- generate authenticator;
- encode authenticator into OCTET STRING;
- encrypt OCTET STRING into packet.authenticator using session_key;
-
- A.10.
KRB_AP_REQ verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REQ) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.ticket.tkt_vno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.ap_options.USE-SESSION-KEY is set) then
- retrieve session key from ticket-granting ticket for
- packet.ticket.{sname,srealm,enc-part.etype};
- else
- retrieve service key for
- packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
- endif
- if (no_key_available) then
- if (cannot_find_specified_skvno) then
- error_out(KRB_AP_ERR_BADKEYVER);
- else
- error_out(KRB_AP_ERR_NOKEY);
- endif
- endif
- decrypt packet.ticket.enc-part into decr_ticket using
- retrieved key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- decrypt packet.authenticator into decr_authenticator
- using decr_ticket.key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (decr_authenticator.{cname,crealm} !=
- decr_ticket.{cname,crealm}) then
- error_out(KRB_AP_ERR_BADMATCH);
- endif
- if (decr_ticket.caddr is present) then
- if (sender_address(packet) is not in
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- decr_ticket.caddr) then
- error_out(KRB_AP_ERR_BADADDR);
- endif
- elseif (application requires addresses) then
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (not in_clock_skew(decr_authenticator.ctime,
- decr_authenticator.cusec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
- error_out(KRB_AP_ERR_REPEAT);
- endif
- save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
- get system_time;
- if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
- (decr_ticket.flags.INVALID is set)) then
- /* it hasn't yet become valid */
- error_out(KRB_AP_ERR_TKT_NYV);
- endif
- if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
- error_out(KRB_AP_ERR_TKT_EXPIRED);
- endif
- if (decr_ticket.transited) then
- /* caller may ignore the TRANSITED-POLICY-CHECKED and do
- * check anyway */
- if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
- if (check_transited_field(decr_ticket.transited) then
- error_out(KDC_AP_PATH_NOT_ACCPETED);
- endif
- endif
- endif
- /* caller must check decr_ticket.flags for any pertinent details */
- return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
-
- A.11. KRB_AP_REP generation
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REP */
-
- body.ctime := packet.ctime;
- body.cusec := packet.cusec;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part;
-
- A.12.
KRB_AP_REP verification
-
- receive packet;
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REP) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- cleartext := decrypt(packet.enc-part) using ticket's session key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (cleartext.ctime != authenticator.ctime) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.cusec != authenticator.cusec) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.subkey is present) then
- save cleartext.subkey for future use;
- endif
- if (cleartext.seq-number is present) then
- save cleartext.seq-number for future verifications;
- endif
- return(AUTHENTICATION_SUCCEEDED);
-
- A.13. KRB_SAFE generation
-
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_SAFE */
-
- body.user-data := buffer; /* DATA */
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
- checksum.cksumtype := checksum type;
- compute checksum over body;
- checksum.checksum := checksum value; /* checksum.checksum */
- packet.cksum := checksum;
- packet.safe-body := body;
-
- A.14.
KRB_SAFE verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_SAFE) then
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.checksum.cksumtype is not both collision-proof
- and keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
- if (safe_priv_common_checks_ok(packet)) then
- set computed_checksum := checksum(packet.body);
- if (computed_checksum != packet.checksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
- return (packet, PACKET_IS_GENUINE);
- else
- return common_checks_error;
- endif
-
- A.15. KRB_SAFE and KRB_PRIV common checks
-
- if (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (((packet.timestamp is present) and
- (not in_clock_skew(packet.timestamp,packet.usec))) or
- (packet.timestamp is not present and timestamp expected)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
- error_out(KRB_AP_ERR_REPEAT);
- endif
-
- if (((packet.seq-number is present) and
- ((not in_sequence(packet.seq-number)))) or
- (packet.seq-number is not present and sequence expected)) then
- error_out(KRB_AP_ERR_BADORDER);
- endif
- if (packet.timestamp not present and packet.seq-number
- not present) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- save_identifier(packet.{timestamp,usec,s-address},
- sender_principal(packet));
-
- return PACKET_IS_OK;
-
- A.16.
KRB_PRIV generation
-
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_PRIV */
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- packet.enc-part.etype := encryption type;
-
- body.user-data := buffer;
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher;
-
- A.17. KRB_PRIV verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_PRIV) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
-
- if (safe_priv_common_checks_ok(cleartext)) then
- return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
- else
- return common_checks_error;
- endif
-
- A.18.
KRB_CRED generation
-
- invoke KRB_TGS; /* obtain tickets to be provided to peer */
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_CRED */
-
- for (tickets[n] in tickets to be forwarded) do
- packet.tickets[n] = tickets[n].ticket;
- done
-
- packet.enc-part.etype := encryption type;
-
- for (ticket[n] in tickets to be forwarded) do
- body.ticket-info[n].key = tickets[n].session;
- body.ticket-info[n].prealm = tickets[n].crealm;
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- body.ticket-info[n].pname = tickets[n].cname;
- body.ticket-info[n].flags = tickets[n].flags;
- body.ticket-info[n].authtime = tickets[n].authtime;
- body.ticket-info[n].starttime = tickets[n].starttime;
- body.ticket-info[n].endtime = tickets[n].endtime;
- body.ticket-info[n].renew-till = tickets[n].renew-till;
- body.ticket-info[n].srealm = tickets[n].srealm;
- body.ticket-info[n].sname = tickets[n].sname;
- body.ticket-info[n].caddr = tickets[n].caddr;
- done
-
- get system_time;
- body.timestamp, body.usec := system_time;
-
- if (using nonce) then
- body.nonce := nonce;
- endif
-
- if (using s-address) then
- body.s-address := sender host addresses;
- endif
- if (limited recipients) then
- body.r-address := recipient host address;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher
- using negotiated encryption key;
-
- A.19.
KRB_CRED verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_CRED) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if ((packet.r-address is present or required) and
- (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (not in_clock_skew(packet.timestamp,packet.usec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
- error_out(KRB_AP_ERR_REPEAT);
- endif
- if (packet.nonce is required or present) and
- (packet.nonce != expected-nonce) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- for (ticket[n] in tickets that were forwarded) do
- save_for_later(ticket[n],key[n],principal[n],
- server[n],times[n],flags[n]);
- return
-
- A.20. KRB_ERROR generation
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_ERROR */
-
- get system_time;
- packet.stime, packet.susec := system_time;
- packet.realm, packet.sname := server name;
-
- if (client time available) then
- packet.ctime, packet.cusec := client_time;
- endif
- packet.error-code := error code;
- if (client name available) then
- packet.cname, packet.crealm := client name;
- endif
- if (error text available) then
- packet.e-text := error text;
- endif
- if (error data available) then
- packet.e-data := error data;
- endif
-
- B.
Definition of common authorization data elements
-
- This appendix contains the definitions of common authorization data
- elements. These common authorization data elements are recursivly
- defined, meaning the ad-data for these types will itself contain a
- sequence of authorization data whose interpretation is affected by the
- encapsulating element. Depending on the meaning of the encapsulating
- element, the encapsulated elements may be ignored, might be interpreted
- as issued directly by the KDC, or they might be stored in a separate
- plaintext part of the ticket. The types of the encapsulating elements
- are specified as part of the Kerberos specification because the
- behavior based on these values should be understood across
- implementations whereas other elements need only be understood by the
- applications which they affect.
-
- In the definitions that follow, the value of the ad-type for the
- element will be specified in the subsection number, and the value of
- the ad-data will be as shown in the ASN.1 structure that follows the
- subsection heading.
-
- B.1. If relevant
-
-
-Neuman, Ts'o, Kohl Expires: 10 September, 2000
-
-
-
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999
-
- AD-IF-RELEVANT AuthorizationData
-
- AD elements encapsulated within the if-relevant element are intended
- for interpretation only by application servers that understand the
- particular ad-type of the embedded element. Application servers that do
- not understand the type of an element embedded within the if-relevant
- element may ignore the uninterpretable element. This element promotes
- interoperability across implementations which may have local extensions
- for authorization.
-
- B.2.
Intended for server
-
- AD-INTENDED-FOR-SERVER SEQUENCE {
- intended-server[0] SEQUENCE OF PrincipalName
- elements[1] AuthorizationData
- }
-
- AD elements encapsulated within the intended-for-server element may be
- ignored if the application server is not in the list of principal names
- of intended servers. Further, a KDC issuing a ticket for an application
- server can remove this element if the application server is not in the
- list of intended servers.
-
- Application servers should check for their principal name in the
- intended-server field of this element. If their principal name is not
- found, this element should be ignored. If found, then the encapsulated
- elements should be evaluated in the same manner as if they were present
- in the top level authorization data field. Applications and application
- servers that do not implement this element should reject tickets that
- contain authorization data elements of this type.
-
- B.3. Intended for application class
-
- AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
- intended-application-class[0] SEQUENCE OF GeneralString elements[1]
- AuthorizationData } AD elements encapsulated within the
- intended-for-application-class element may be ignored if the
- application server is not in one of the named classes of application
- servers. Examples of application server classes include "FILESYSTEM",
- and other kinds of servers.
-
- This element and the elements it encapulates may be safely ignored by
- applications, application servers, and KDCs that do not implement this
- element.
-
- B.4. KDC Issued
-
- AD-KDCIssued SEQUENCE {
- ad-checksum[0] Checksum,
- i-realm[1] Realm OPTIONAL,
- i-sname[2] PrincipalName OPTIONAL,
- elements[3] AuthorizationData.
- }
-
- ad-checksum
- A checksum over the elements field using a cryptographic checksum
- method that is identical to the checksum used to protect the
- ticket itself (i.e.
using the same hash function and the same - encryption algorithm used to encrypt the ticket) and using a key - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - derived from the same key used to protect the ticket. - i-realm, i-sname - The name of the issuing principal if different from the KDC - itself. This field would be used when the KDC can verify the - authenticity of elements signed by the issuing principal and it - allows this KDC to notify the application server of the validity - of those elements. - elements - A sequence of authorization data elements issued by the KDC. - The KDC-issued ad-data field is intended to provide a means for - Kerberos principal credentials to embed within themselves privilege - attributes and other mechanisms for positive authorization, amplifying - the priveleges of the principal beyond what can be done using a - credentials without such an a-data element. - - This can not be provided without this element because the definition of - the authorization-data field allows elements to be added at will by the - bearer of a TGT at the time that they request service tickets and - elements may also be added to a delegated ticket by inclusion in the - authenticator. - - For KDC-issued elements this is prevented because the elements are - signed by the KDC by including a checksum encrypted using the server's - key (the same key used to encrypt the ticket - or a key derived from - that key). Elements encapsulated with in the KDC-issued element will be - ignored by the application server if this "signature" is not present. - Further, elements encapsulated within this element from a ticket - granting ticket may be interpreted by the KDC, and used as a basis - according to policy for including new signed elements within derivative - tickets, but they will not be copied to a derivative ticket directly. 
- If they are copied directly to a derivative ticket by a KDC that is not - aware of this element, the signature will not be correct for the - application ticket elements, and the field will be ignored by the - application server. - - This element and the elements it encapulates may be safely ignored by - applications, application servers, and KDCs that do not implement this - element. - - B.5. And-Or - - AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData - } - - When restrictive AD elements encapsulated within the and-or element are - encountered, only the number specified in condition-count of the - encapsulated conditions must be met in order to satisfy this element. - This element may be used to implement an "or" operation by setting the - condition-count field to 1, and it may specify an "and" operation by - setting the condition count to the number of embedded elements. - Application servers that do not implement this element must reject - tickets that contain authorization data elements of this type. - - B.6. Mandatory ticket extensions - - AD-Mandatory-Ticket-Extensions Checksum - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - An authorization data element of type mandatory-ticket-extensions - specifies a collision-proof checksum using the same hash algorithm used - to protect the integrity of the ticket itself. This checksum will be - calculated over an individual extension field. If there are more than - one extension, multiple Mandatory-Ticket-Extensions authorization data - elements may be present, each with a checksum for a different extension - field. This restriction indicates that the ticket should not be - accepted if a ticket extension is not present in the ticket for which - the checksum does not match that checksum specified in the - authorization data element. 
Application servers that do not implement - this element must reject tickets that contain authorization data - elements of this type. - - B.7. Authorization Data in ticket extensions - - AD-IN-Ticket-Extensions Checksum - - An authorization data element of type in-ticket-extensions specifies a - collision-proof checksum using the same hash algorithm used to protect - the integrity of the ticket itself. This checksum is calculated over a - separate external AuthorizationData field carried in the ticket - extensions. Application servers that do not implement this element must - reject tickets that contain authorization data elements of this type. - Application servers that do implement this element will search the - ticket extensions for authorization data fields, calculate the - specified checksum over each authorization data field and look for one - matching the checksum in this in-ticket-extensions element. If not - found, then the ticket must be rejected. If found, the corresponding - authorization data elements will be interpreted in the same manner as - if they were contained in the top level authorization data field. - - Note that if multiple external authorization data fields are present in - a ticket, each will have a corresponding element of type - in-ticket-extensions in the top level authorization data field, and the - external entries will be linked to the corresponding element by their - checksums. - - C. Definition of common ticket extensions - - This appendix contains the definitions of common ticket extensions. - Support for these extensions is optional. However, certain extensions - have associated authorization data elements that may require rejection - of a ticket containing an extension by application servers that do not - implement the particular extension. Other extensions have been defined - beyond those described in this specification. 
Such extensions are - described elswhere and for some of those extensions the reserved number - may be found in the list of constants. - - It is known that older versions of Kerberos did not support this field, - and that some clients will strip this field from a ticket when they - parse and then reassemble a ticket as it is passed to the application - servers. The presence of the extension will not break such clients, but - any functionaly dependent on the extensions will not work when such - tickets are handled by old clients. In such situations, some - implementation may use alternate methods to transmit the information in - the extensions field. - - C.1. Null ticket extension - - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - TE-NullExtension OctetString -- The empty Octet String - - The te-data field in the null ticket extension is an octet string of - lenght zero. This extension may be included in a ticket granting ticket - so that the KDC can determine on presentation of the ticket granting - ticket whether the client software will strip the extensions field. - - C.2. External Authorization Data - - TE-ExternalAuthorizationData AuthorizationData - - The te-data field in the external authorization data ticket extension - is field of type AuthorizationData containing one or more authorization - data elements. If present, a corresponding authorization data element - will be present in the primary authorization data for the ticket and - that element will contain a checksum of the external authorization data - ticket extension. - ----------------------------------------------------------------------- - [TM] Project Athena, Athena, and Kerberos are trademarks of the - Massachusetts Institute of Technology (MIT). No commercial use of these - trademarks may be made without prior written permission of MIT. 
- - [1] Note, however, that many applications use Kerberos' functions only - upon the initiation of a stream-based network connection. Unless an - application subsequently provides integrity protection for the data - stream, the identity verification applies only to the initiation of the - connection, and does not guarantee that subsequent messages on the - connection originate from the same principal. - - [2] Secret and private are often used interchangeably in the - literature. In our usage, it takes two (or more) to share a secret, - thus a shared DES key is a secret key. Something is only private when - no one but its owner knows it. Thus, in public key cryptosystems, one - has a public and a private key. - - [3] Of course, with appropriate permission the client could arrange - registration of a separately-named prin- cipal in a remote realm, and - engage in normal exchanges with that realm's services. However, for - even small numbers of clients this becomes cumbersome, and more - automatic methods as described here are necessary. - - [4] Though it is permissible to request or issue tick- ets with no - network addresses specified. - - [5] The password-changing request must not be honored unless the - requester can provide the old password (the user's current secret key). - Otherwise, it would be possible for someone to walk up to an unattended - ses- sion and change another user's password. - - [6] To authenticate a user logging on to a local system, the - credentials obtained in the AS exchange may first be used in a TGS - exchange to obtain credentials for a local server. Those credentials - must then be verified by a local server through successful completion - of the Client/Server exchange. - - [7] "Random" means that, among other things, it should be impossible to - guess the next session key based on knowledge of past session keys. - This can only be achieved in a pseudo-random number generator if it is - based on cryptographic principles. 
It is more desirable to use a truly - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - random number generator, such as one based on measurements of random - physical phenomena. - - [8] Tickets contain both an encrypted and unencrypted portion, so - cleartext here refers to the entire unit, which can be copied from one - message and replayed in another without any cryptographic skill. - - [9] Note that this can make applications based on unreliable transports - difficult to code correctly. If the transport might deliver duplicated - messages, either a new authenticator must be generated for each retry, - or the application server must match requests and replies and replay - the first reply in response to a detected duplicate. - - [10] This is used for user-to-user authentication as described in [8]. - - [11] Note that the rejection here is restricted to authenticators from - the same principal to the same server. Other client principals - communicating with the same server principal should not be have their - authenticators rejected if the time and microsecond fields happen to - match some other client's authenticator. - - [12] In the Kerberos version 4 protocol, the timestamp in the reply was - the client's timestamp plus one. This is not necessary in version 5 - because version 5 messages are formatted in such a way that it is not - possible to create the reply by judicious message surgery (even in - encrypted form) without knowledge of the appropriate encryption keys. - - [13] Note that for encrypting the KRB_AP_REP message, the sub-session - key is not used, even if present in the Authenticator. - - [14] Implementations of the protocol may wish to provide routines to - choose subkeys based on session keys and random numbers and to generate - a negotiated key to be returned in the KRB_AP_REP message. - - [15]This can be accomplished in several ways. 
It might be known - beforehand (since the realm is part of the principal identifier), it - might be stored in a nameserver, or it might be obtained from a - configura- tion file. If the realm to be used is obtained from a - nameserver, there is a danger of being spoofed if the nameservice - providing the realm name is not authenti- cated. This might result in - the use of a realm which has been compromised, and would result in an - attacker's ability to compromise the authentication of the application - server to the client. - - [16] If the client selects a sub-session key, care must be taken to - ensure the randomness of the selected sub- session key. One approach - would be to generate a random number and XOR it with the session key - from the ticket-granting ticket. - - [17] This allows easy implementation of user-to-user authentication - [8], which uses ticket-granting ticket session keys in lieu of secret - server keys in situa- tions where such secret keys could be easily - comprom- ised. - - [18] For the purpose of appending, the realm preceding the first listed - realm is considered to be the null realm (""). - - [19] For the purpose of interpreting null subfields, the client's realm - is considered to precede those in the transited field, and the server's - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - realm is considered to follow them. - - [20] This means that a client and server running on the same host and - communicating with one another using the KRB_SAFE messages should not - share a common replay cache to detect KRB_SAFE replays. - - [21] The implementation of the Kerberos server need not combine the - database and the server on the same machine; it is feasible to store - the principal database in, say, a network name service, as long as the - entries stored therein are protected from disclosure to and - modification by unauthorized parties. 
However, we recommend against - such strategies, as they can make system management and threat analysis - quite complex. - - [22] See the discussion of the padata field in section 5.4.2 for - details on why this can be useful. - - [23] Warning for implementations that unpack and repack data structures - during the generation and verification of embedded checksums: Because - any checksums applied to data structures must be checked against the - original data the length of bit strings must be preserved within a data - structure between the time that a checksum is generated through - transmission to the time that the checksum is verified. - - [24] It is NOT recommended that this time value be used to adjust the - workstation's clock since the workstation cannot reliably determine - that such a KRB_AS_REP actually came from the proper KDC in a timely - manner. - - [25] Note, however, that if the time is used as the nonce, one must - make sure that the workstation time is monotonically increasing. If the - time is ever reset backwards, there is a small, but finite, probability - that a nonce will be reused. - - [27] An application code in the encrypted part of a message provides an - additional check that the message was decrypted properly. - - [29] An application code in the encrypted part of a message provides an - additional check that the message was decrypted properly. - - [31] An application code in the encrypted part of a message provides an - additional check that the message was decrypted properly. - - [32] If supported by the encryption method in use, an initialization - vector may be passed to the encryption procedure, in order to achieve - proper cipher chaining. The initialization vector might come from the - last block of the ciphertext from the previous KRB_PRIV message, but it - is the application's choice whether or not to use such an - initialization vector. If left out, the default initialization vector - for the encryption algorithm will be used. 
- - [33] This prevents an attacker who generates an incorrect AS request - from obtaining verifiable plaintext for use in an off-line password - guessing attack. - - [35] In the above specification, UNTAGGED OCTET STRING(length) is the - notation for an octet string with its tag and length removed. It is not - a valid ASN.1 type. The tag bits and length must be removed from the - confounder since the purpose of the confounder is so that the message - -Neuman, Ts'o, Kohl Expires: 10 September, 2000 - - - - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-05 June 25, 1999 - - starts with random data, but the tag and its length are fixed. For - other fields, the length and tag would be redundant if they were - included because they are specified by the encryption type. [36] The - ordering of the fields in the CipherText is important. Additionally, - messages encoded in this format must include a length as part of the - msg-seq field. This allows the recipient to verify that the message has - not been truncated. Without a length, an attacker could use a chosen - plaintext attack to generate a message which could be truncated, while - leaving the checksum intact. Note that if the msg-seq is an encoding of - an ASN.1 SEQUENCE or OCTET STRING, then the length is part of that - encoding. - - [37] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [38] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [39] A variant of the key is used to limit the use of a key to a - particular function, separating the functions of generating a checksum - from other encryption performed using the session key. The constant - F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The - properties of DES precluded the use of the complement. 
The same
- constant is used for similar purpose in the Message Integrity Check in
- the Privacy Enhanced Mail standard.
-
- [40] This error carries additional information in the e- data field.
- The contents of the e-data field for this message is described in
- section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
deleted file mode 100644
index ae79e8a7c4fb..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
+++ /dev/null
@@ -1,7301 +0,0 @@
-INTERNET-DRAFT Clifford Neuman
- John Kohl
- Theodore Ts'o
- July 14, 2000
- Expires January 14, 2001
-
-The Kerberos Network Authentication Service (V5)
-
-
-draft-ietf-cat-kerberos-revisions-06.txt
-
-STATUS OF THIS MEMO
-
-This document is an Internet-Draft and is in full conformance with all
-provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
-of the Internet Engineering Task Force (IETF), its areas, and its working
-groups. Note that other groups may also distribute working documents as
-Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months and
-may be updated, replaced, or obsoleted by other documents at any time. It
-is inappropriate to use Internet-Drafts as reference material or to cite
-them other than as "work in progress."
-
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt
-
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html.
-
-To learn the current status of any Internet-Draft, please check the
-"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
-Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
-ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
-
-The distribution of this memo is unlimited. It is filed as
-draft-ietf-cat-kerberos-revisions-06.txt, and expires January 14, 2001.
-Please send comments to: krb-protocol@MIT.EDU
-
- This document is getting closer to a last call, but there are several
- issues to be discussed. Some, but not all of these issues, are
- highlighted in comments in the draft. We hope to resolve these issues
- on the mailing list for the Kerberos working group, leading up to and
- during the Pittsburgh IETF on a section by section basis, since this
- is a long document, and it has been difficult to consider it as a
- whole.
Once sections are agreed to, it is out intent to issue the more - formal WG and IETF last calls. - -ABSTRACT - -This document provides an overview and specification of Version 5 of the -Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol -and its intended use that require more detailed or clearer explanation than -was provided in RFC1510. This document is intended to provide a detailed -description of the protocol, suitable for implementation, together with -descriptions of the appropriate use of protocol messages and fields within -those messages. - -This document is not intended to describe Kerberos to the end user, system -administrator, or application developer. Higher level papers describing -Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88], -are available elsewhere. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -OVERVIEW - -This INTERNET-DRAFT describes the concepts and model upon which the -Kerberos network authentication system is based. It also specifies Version -5 of the Kerberos protocol. - -The motivations, goals, assumptions, and rationale behind most design -decisions are treated cursorily; they are more fully described in a paper -available in IEEE communications [NT94] and earlier in the Kerberos portion -of the Athena Technical Plan [MNSS87]. The protocols have been a proposed -standard and are being considered for advancement for draft standard -through the IETF standard process. Comments are encouraged on the -presentation, but only minor refinements to the protocol as implemented or -extensions that fit within current protocol framework will be considered at -this time. - -Requests for addition to an electronic mailing list for discussion of -Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU. -This mailing list is gatewayed onto the Usenet as the group -comp.protocols.kerberos. 
Requests for further information, including -documents and code availability, may be sent to info-kerberos@MIT.EDU. - -BACKGROUND - -The Kerberos model is based in part on Needham and Schroeder's trusted -third-party authentication protocol [NS78] and on modifications suggested -by Denning and Sacco [DS81]. The original design and implementation of -Kerberos Versions 1 through 4 was the work of two former Project Athena -staff members, Steve Miller of Digital Equipment Corporation and Clifford -Neuman (now at the Information Sciences Institute of the University of -Southern California), along with Jerome Saltzer, Technical Director of -Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many -other members of Project Athena have also contributed to the work on -Kerberos. - -Version 5 of the Kerberos protocol (described in this document) has evolved -from Version 4 based on new requirements and desires for features not -available in Version 4. The design of Version 5 of the Kerberos protocol -was led by Clifford Neuman and John Kohl with much input from the -community. The development of the MIT reference implementation was led at -MIT by John Kohl and Theodore T'so, with help and contributed code from -many others. Since RFC1510 was issued, extensions and revisions to the -protocol have been proposed by many individuals. Some of these proposals -are reflected in this document. Where such changes involved significant -effort, the document cites the contribution of the proposer. - -Reference implementations of both version 4 and version 5 of Kerberos are -publicly available and commercial implementations have been developed and -are widely used. Details on the differences between Kerberos Versions 4 and -5 can be found in [KNT92]. - -1. Introduction - -Kerberos provides a means of verifying the identities of principals, (e.g. -a workstation user or a network server) on an open (unprotected) network. 
-This is accomplished without relying on assertions by the host operating -system, without basing trust on host addresses, without requiring physical -security of all the hosts on the network, and under the assumption that -packets traveling along the network can be read, modified, and inserted at -will[1]. Kerberos performs authentication under these conditions as a -trusted third-party authentication service by using conventional (shared -secret key [2] cryptography. Kerberos extensions have been proposed and -implemented that provide for the use of public key cryptography during -certain phases of the authentication protocol. These extensions provide for - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -authentication of users registered with public key certification -authorities, and allow the system to provide certain benefits of public key -cryptography in situations where they are needed. - -The basic Kerberos authentication process proceeds as follows: A client -sends a request to the authentication server (AS) requesting 'credentials' -for a given server. The AS responds with these credentials, encrypted in -the client's key. The credentials consist of 1) a 'ticket' for the server -and 2) a temporary encryption key (often called a "session key"). The -client transmits the ticket (which contains the client's identity and a -copy of the session key, all encrypted in the server's key) to the server. -The session key (now shared by the client and server) is used to -authenticate the client, and may optionally be used to authenticate the -server. It may also be used to encrypt further communication between the -two parties or to exchange a separate sub-session key to be used to encrypt -further communication. - -Implementation of the basic protocol consists of one or more authentication -servers running on physically secure hosts. 
The authentication servers -maintain a database of principals (i.e., users and servers) and their -secret keys. Code libraries provide encryption and implement the Kerberos -protocol. In order to add authentication to its transactions, a typical -network application adds one or two calls to the Kerberos library directly -or through the Generic Security Services Application Programming Interface, -GSSAPI, described in separate document. These calls result in the -transmission of the necessary messages to achieve authentication. - -The Kerberos protocol consists of several sub-protocols (or exchanges). -There are two basic methods by which a client can ask a Kerberos server for -credentials. In the first approach, the client sends a cleartext request -for a ticket for the desired server to the AS. The reply is sent encrypted -in the client's secret key. Usually this request is for a ticket-granting -ticket (TGT) which can later be used with the ticket-granting server (TGS). -In the second method, the client sends a request to the TGS. The client -uses the TGT to authenticate itself to the TGS in the same manner as if it -were contacting any other application server that requires Kerberos -authentication. The reply is encrypted in the session key from the TGT. -Though the protocol specification describes the AS and the TGS as separate -servers, they are implemented in practice as different protocol entry -points within a single Kerberos server. - -Once obtained, credentials may be used to verify the identity of the -principals in a transaction, to ensure the integrity of messages exchanged -between them, or to preserve privacy of the messages. The application is -free to choose whatever protection may be necessary. - -To verify the identities of the principals in a transaction, the client -transmits the ticket to the application server. 
Since the ticket is sent -"in the clear" (parts of it are encrypted, but this encryption doesn't -thwart replay) and might be intercepted and reused by an attacker, -additional information is sent to prove that the message originated with -the principal to whom the ticket was issued. This information (called the -authenticator) is encrypted in the session key, and includes a timestamp. -The timestamp proves that the message was recently generated and is not a -replay. Encrypting the authenticator in the session key proves that it was -generated by a party possessing the session key. Since no one except the -requesting principal and the server know the session key (it is never sent -over the network in the clear) this guarantees the identity of the client. - -The integrity of the messages exchanged between principals can also be -guaranteed using the session key (passed in the ticket and contained in the -credentials). This approach provides detection of both replay attacks and -message stream modification attacks. It is accomplished by generating and -transmitting a collision-proof checksum (elsewhere called a hash or digest -function) of the client's message, keyed with the session key. Privacy and - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -integrity of the messages exchanged between principals can be secured by -encrypting the data to be passed using the session key contained in the -ticket or the subsession key found in the authenticator. - -The authentication exchanges mentioned above require read-only access to -the Kerberos database. Sometimes, however, the entries in the database must -be modified, such as when adding new principals or changing a principal's -key. This is done using a protocol between a client and a third Kerberos -server, the Kerberos Administration Server (KADM). There is also a protocol -for maintaining multiple copies of the Kerberos database. 
Neither of these -protocols are described in this document. - -1.1. Cross-Realm Operation - -The Kerberos protocol is designed to operate across organizational -boundaries. A client in one organization can be authenticated to a server -in another. Each organization wishing to run a Kerberos server establishes -its own 'realm'. The name of the realm in which a client is registered is -part of the client's name, and can be used by the end-service to decide -whether to honor a request. - -By establishing 'inter-realm' keys, the administrators of two realms can -allow a client authenticated in the local realm to prove its identity to -servers in other realms[3]. The exchange of inter-realm keys (a separate -key may be used for each direction) registers the ticket-granting service -of each realm as a principal in the other realm. A client is then able to -obtain a ticket-granting ticket for the remote realm's ticket-granting -service from its local realm. When that ticket-granting ticket is used, the -remote ticket-granting service uses the inter-realm key (which usually -differs from its own normal TGS key) to decrypt the ticket-granting ticket, -and is thus certain that it was issued by the client's own TGS. Tickets -issued by the remote ticket-granting service will indicate to the -end-service that the client was authenticated from another realm. - -A realm is said to communicate with another realm if the two realms share -an inter-realm key, or if the local realm shares an inter-realm key with an -intermediate realm that communicates with the remote realm. An -authentication path is the sequence of intermediate realms that are -transited in communicating from one realm to another. - -Realms are typically organized hierarchically. Each realm shares a key with -its parent and a different key with each child. If an inter-realm key is -not directly shared by two realms, the hierarchical organization allows an -authentication path to be easily constructed. 
If a hierarchical -organization is not used, it may be necessary to consult a database in -order to construct an authentication path between realms. - -Although realms are typically hierarchical, intermediate realms may be -bypassed to achieve cross-realm authentication through alternate -authentication paths (these might be established to make communication -between two realms more efficient). It is important for the end-service to -know which realms were transited when deciding how much faith to place in -the authentication process. To facilitate this decision, a field in each -ticket contains the names of the realms that were involved in -authenticating the client. - -The application server is ultimately responsible for accepting or rejecting -authentication and should check the transited field. The application server -may choose to rely on the KDC for the application server's realm to check -the transited field. The application server's KDC will set the -TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate -realms may also check the transited field as they issue -ticket-granting-tickets for other realms, but they are encouraged not to do -so. A client may request that the KDC's not check the transited field by -setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not -required to honor this flag. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - [JBrezak] Should there be a section here on how clients determine what - realm a service is in? Something like: - - The client may not immediately know what realm a particular service - principal is in. There are 2 basic mechanisms that can be used to - determine the realm of a service. The first requires that the client - fully specify the service principal including the realm in the - Kerberos protocol request. 
If the Kerberos server for the specified - realm does not have a principal that exactly matches the service in - the request, the Kerberos server will return an error indicating that - the service principal was not found. Alternatively the client can make - a request providing just the service principal name and requesting - name canonicalization from the Kerberos server. The Kerberos server - will attempt to locate a service principal in its database that best - matches the request principal or provide a referral to another - Kerberos realm that may be contain the requested service principal. - -1.2. Authorization - -As an authentication service, Kerberos provides a means of verifying the -identity of principals on a network. Authentication is usually useful -primarily as a first step in the process of authorization, determining -whether a client may use a service, which objects the client is allowed to -access, and the type of access allowed for each. Kerberos does not, by -itself, provide authorization. Possession of a client ticket for a service -provides only for authentication of the client to that service, and in the -absence of a separate authorization procedure, it should not be considered -by an application as authorizing the use of that service. - -Such separate authorization methods may be implemented as application -specific access control functions and may be based on files such as the -application server, or on separately issued authorization credentials such -as those based on proxies [Neu93], or on other authorization services. -Separately authenticated authorization credentials may be embedded in a -tickets authorization data when encapsulated by the kdc-issued -authorization data element. 
- -Applications should not be modified to accept the mere issuance of a -service ticket by the Kerberos server (even by a modified Kerberos server) -as granting authority to use the service, since such applications may -become vulnerable to the bypass of this authorization check in an -environment if they interoperate with other KDCs or where other options for -application authentication (e.g. the PKTAPP proposal) are provided. - -1.3. Environmental assumptions - -Kerberos imposes a few assumptions on the environment in which it can -properly function: - - * 'Denial of service' attacks are not solved with Kerberos. There are - places in these protocols where an intruder can prevent an application - from participating in the proper authentication steps. Detection and - solution of such attacks (some of which can appear to be nnot-uncommon - 'normal' failure modes for the system) is usually best left to the - human administrators and users. - * Principals must keep their secret keys secret. If an intruder somehow - steals a principal's key, it will be able to masquerade as that - principal or impersonate any server to the legitimate principal. - * 'Password guessing' attacks are not solved by Kerberos. If a user - chooses a poor password, it is possible for an attacker to - successfully mount an offline dictionary attack by repeatedly - attempting to decrypt, with successive entries from a dictionary, - messages obtained which are encrypted under a key derived from the - user's password. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - * Each host on the network must have a clock which is 'loosely - synchronized' to the time of the other hosts; this synchronization is - used to reduce the bookkeeping needs of application servers when they - do replay detection. The degree of "looseness" can be configured on a - per-server basis, but is typically on the order of 5 minutes. 
If the - clocks are synchronized over the network, the clock synchronization - protocol must itself be secured from network attackers. - * Principal identifiers are not recycled on a short-term basis. A - typical mode of access control will use access control lists (ACLs) to - grant permissions to particular principals. If a stale ACL entry - remains for a deleted principal and the principal identifier is - reused, the new principal will inherit rights specified in the stale - ACL entry. By not re-using principal identifiers, the danger of - inadvertent access is removed. - -1.4. Glossary of terms - -Below is a list of terms used throughout this document. - -Authentication - Verifying the claimed identity of a principal. -Authentication header - A record containing a Ticket and an Authenticator to be presented to a - server as part of the authentication process. -Authentication path - A sequence of intermediate realms transited in the authentication - process when communicating from one realm to another. -Authenticator - A record containing information that can be shown to have been - recently generated using the session key known only by the client and - server. -Authorization - The process of determining whether a client may use a service, which - objects the client is allowed to access, and the type of access - allowed for each. -Capability - A token that grants the bearer permission to access an object or - service. In Kerberos, this might be a ticket whose use is restricted - by the contents of the authorization data field, but which lists no - network addresses, together with the session key necessary to use the - ticket. -Ciphertext - The output of an encryption function. Encryption transforms plaintext - into ciphertext. -Client - A process that makes use of a network service on behalf of a user. - Note that in some cases a Server may itself be a client of some other - server (e.g. a print server may be a client of a file server). 
-Credentials - A ticket plus the secret session key necessary to successfully use - that ticket in an authentication exchange. -KDC - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host on - which it runs. The KDC services both initial ticket and - ticket-granting ticket requests. The initial ticket portion is - sometimes referred to as the Authentication Server (or service). The - ticket-granting ticket portion is sometimes referred to as the - ticket-granting server (or service). -Kerberos - Aside from the 3-headed dog guarding Hades, the name given to Project - Athena's authentication service, the protocol used by that service, or - the code used to implement the authentication service. -Plaintext - The input to an encryption function or the output of a decryption - function. Decryption transforms ciphertext into plaintext. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -Principal - A uniquely named client or server instance that participates in a - network communication. -Principal identifier - The name used to uniquely identify each different principal. -Seal - To encipher a record containing several fields in such a way that the - fields cannot be individually replaced without either knowledge of the - encryption key or leaving evidence of tampering. -Secret key - An encryption key shared by a principal and the KDC, distributed - outside the bounds of the system, with a long lifetime. In the case of - a human user's principal, the secret key is derived from a password. -Server - A particular Principal which provides a resource to network clients. - The server is sometimes refered to as the Application Server. -Service - A resource provided to network clients; often provided by more than - one server (for example, remote file service). 
-Session key - A temporary encryption key used between two principals, with a - lifetime limited to the duration of a single login "session". -Sub-session key - A temporary encryption key used between two principals, selected and - exchanged by the principals using the session key, and with a lifetime - limited to the duration of a single association. -Ticket - A record that helps a client authenticate itself to a server; it - contains the client's identity, a session key, a timestamp, and other - information, all sealed using the server's secret key. It only serves - to authenticate a client when presented along with a fresh - Authenticator. - -2. Ticket flag uses and requests - -Each Kerberos ticket contains a set of flags which are used to indicate -various attributes of that ticket. Most flags may be requested by a client -when the ticket is obtained; some are automatically turned on and off by a -Kerberos server as required. The following sections explain what the -various flags mean, and gives examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - -The INITIAL flag indicates that a ticket was issued using the AS protocol -and not issued based on a ticket-granting ticket. Application servers that -want to require the demonstrated knowledge of a client's secret key (e.g. a -password-changing program) can insist that this flag be set in any tickets -they accept, and thus be assured that the client's key was recently -presented to the application client. - -The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the -initial authentication, regardless of whether the current ticket was issued -directly (in which case INITIAL will also be set) or issued on the basis of -a ticket-granting ticket (in which case the INITIAL flag is clear, but the -PRE-AUTHENT and HW-AUTHENT flags are carried forward from the -ticket-granting ticket). - -2.2. Invalid tickets - -The INVALID flag indicates that a ticket is invalid. 
Application servers
-must reject tickets which have this flag set. A postdated ticket will
-usually be issued in this form. Invalid tickets must be validated by the
-KDC before use, by presenting them to the KDC in a TGS request with the
-VALIDATE option specified. The KDC will only validate tickets after their
-starttime has passed. The validation is required so that postdated tickets
-which have been stolen before their starttime can be rendered permanently
-invalid (through a hot-list mechanism) (see section 3.3.3.1).
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-2.3. Renewable tickets
-
-Applications may desire to hold tickets which can be valid for long periods
-of time. However, this can expose their credentials to potential theft for
-equally long periods, and those stolen credentials would be valid until the
-expiration time of the ticket(s). Simply using short-lived tickets and
-obtaining new ones periodically would require the client to have long-term
-access to its secret key, an even greater risk. Renewable tickets can be
-used to mitigate the consequences of theft. Renewable tickets have two
-"expiration times": the first is when the current instance of the ticket
-expires, and the second is the latest permissible value for an individual
-expiration time. An application client must periodically (i.e. before it
-expires) present a renewable ticket to the KDC, with the RENEW option set
-in the KDC request. The KDC will issue a new ticket with a new session key
-and a later expiration time. All other fields of the ticket are left
-unmodified by the renewal process. When the latest permissible expiration
-time arrives, the ticket expires permanently.
At each renewal, the KDC may
-consult a hot-list to determine if the ticket had been reported stolen
-since its last renewal; it will refuse to renew such stolen tickets, and
-thus the usable lifetime of stolen tickets is reduced.
-
-The RENEWABLE flag in a ticket is normally only interpreted by the
-ticket-granting service (discussed below in section 3.3). It can usually be
-ignored by application servers. However, some particularly careful
-application servers may wish to disallow renewable tickets.
-
-If a renewable ticket is not renewed by its expiration time, the KDC will
-not renew the ticket. The RENEWABLE flag is reset by default, but a client
-may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
-message. If it is set, then the renew-till field in the ticket contains the
-time after which the ticket may not be renewed.
-
-2.4. Postdated tickets
-
-Applications may occasionally need to obtain tickets for use much later,
-e.g. a batch submission system would need tickets to be valid at the time
-the batch job is serviced. However, it is dangerous to hold valid tickets
-in a batch queue, since they will be on-line longer and more prone to
-theft. Postdated tickets provide a way to obtain these tickets from the KDC
-at job submission time, but to leave them "dormant" until they are
-activated and validated by a further request of the KDC. If a ticket theft
-were reported in the interim, the KDC would refuse to validate the ticket,
-and the thief would be foiled.
-
-The MAY-POSTDATE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. This
-flag must be set in a ticket-granting ticket in order to issue a postdated
-ticket based on the presented ticket. It is reset by default; it may be
-requested by a client by setting the ALLOW-POSTDATE option in the
-KRB_AS_REQ message.
This flag does not allow a client to obtain a postdated
-ticket-granting ticket; postdated ticket-granting tickets can only by
-obtained by requesting the postdating in the KRB_AS_REQ message. The life
-(endtime-starttime) of a postdated ticket will be the remaining life of the
-ticket-granting ticket at the time of the request, unless the RENEWABLE
-option is also set, in which case it can be the full life
-(endtime-starttime) of the ticket-granting ticket. The KDC may limit how
-far in the future a ticket may be postdated.
-
-The POSTDATED flag indicates that a ticket has been postdated. The
-application server can check the authtime field in the ticket to see when
-the original authentication occurred. Some services may choose to reject
-postdated tickets, or they may only accept them within a certain period
-after the original authentication. When the KDC issues a POSTDATED ticket,
-it will also be marked as INVALID, so that the application client must
-present the ticket to the KDC to be validated before use.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-2.5. Proxiable and proxy tickets
-
-At times it may be necessary for a principal to allow a service to perform
-an operation on its behalf. The service must be able to take on the
-identity of the client, but only for a particular purpose. A principal can
-allow a service to take on the principal's identity for a particular
-purpose by granting it a proxy.
-
-The process of granting a proxy using the proxy and proxiable flags is used
-to provide credentials for use with specific services. Though conceptually
-also a proxy, user's wishing to delegate their identity for ANY purpose
-must use the ticket forwarding mechanism described in the next section to
-forward a ticket granting ticket.
-
-The PROXIABLE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers.
When
-set, this flag tells the ticket-granting server that it is OK to issue a
-new ticket (but not a ticket-granting ticket) with a different network
-address based on this ticket. This flag is set if requested by the client
-on initial authentication. By default, the client will request that it be
-set when requesting a ticket granting ticket, and reset when requesting any
-other ticket.
-
-This flag allows a client to pass a proxy to a server to perform a remote
-request on its behalf, e.g. a print service client can give the print
-server a proxy to access the client's files on a particular file server in
-order to satisfy a print request.
-
-In order to complicate the use of stolen credentials, Kerberos tickets are
-usually valid from only those network addresses specifically included in
-the ticket[4]. When granting a proxy, the client must specify the new
-network address from which the proxy is to be used, or indicate that the
-proxy is to be issued for use from any address.
-
-The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
-Application servers may check this flag and at their option they may
-require additional authentication from the agent presenting the proxy in
-order to provide an audit trail.
-
-2.6. Forwardable tickets
-
-Authentication forwarding is an instance of a proxy where the service is
-granted complete use of the client's identity. An example where it might be
-used is when a user logs in to a remote system and wants authentication to
-work from that system as if the login were local.
-
-The FORWARDABLE flag in a ticket is normally only interpreted by the
-ticket-granting service. It can be ignored by application servers. The
-FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
-flag, except ticket-granting tickets may also be issued with different
-network addresses.
This flag is reset by default, but users may request
-that it be set by setting the FORWARDABLE option in the AS request when
-they request their initial ticket- granting ticket.
-
-This flag allows for authentication forwarding without requiring the user
-to enter a password again. If the flag is not set, then authentication
-forwarding is not permitted, but the same result can still be achieved if
-the user engages in the AS exchange specifying the requested network
-addresses and supplies a password.
-
-The FORWARDED flag is set by the TGS when a client presents a ticket with
-the FORWARDABLE flag set and requests a forwarded ticket by specifying the
-FORWARDED KDC option and supplying a set of addresses for the new ticket.
-It is also set in all tickets issued based on tickets with the FORWARDED
-flag set. Application servers may choose to process FORWARDED tickets
-differently than non-FORWARDED tickets.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-2.7 Name canonicalization [JBrezak]
-
-If a client does not have the full name information for a principal, it can
-request that the Kerberos server attempt to lookup the name in its database
-and return a canonical form of the requested principal or a referral to a
-realm that has the requested principal in its namespace. Name
-canonicalization allows a principal to have alternate names. Name
-canonicalization must not be used to locate principal names supplied from
-wildcards and is not a mechanism to be used to search a Kerberos database.
-
-The CANONICALIZE flag in a ticket request is used to indicate to the
-Kerberos server that the client will accept an alternative name to the
-principal in the request or a referral to another realm. Both the AS and
-TGS must be able to interpret requests with this flag.
-
-By using this flag, the client can avoid extensive configuration needed to
-map specific host names to a particular realm.
- -2.8. Other KDC options - -There are two additional options which may be set in a client's request of -the KDC. The RENEWABLE-OK option indicates that the client will accept a -renewable ticket if a ticket with the requested life cannot otherwise be -provided. If a ticket with the requested life cannot be provided, then the -KDC may issue a renewable ticket with a renew-till equal to the the -requested endtime. The value of the renew-till field may still be adjusted -by site-determined limits or limits imposed by the individual principal or -server. - -The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service. -It indicates that the ticket to be issued for the end server is to be -encrypted in the session key from the a additional second ticket-granting -ticket provided with the request. See section 3.3.3 for specific details. - -3. Message Exchanges - -The following sections describe the interactions between network clients -and servers and the messages involved in those exchanges. - -3.1. The Authentication Service Exchange - - Summary - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. Kerberos to client KRB_AS_REP or 5.4.2 - KRB_ERROR 5.9.1 - -The Authentication Service (AS) Exchange between the client and the -Kerberos Authentication Server is initiated by a client when it wishes to -obtain authentication credentials for a given server but currently holds no -credentials. In its basic form, the client's secret key is used for -encryption and decryption. This exchange is typically used at the -initiation of a login session to obtain credentials for a Ticket-Granting -Server which will subsequently be used to obtain credentials for other -servers (see section 3.3) without requiring further use of the client's -secret key. 
This exchange is also used to request credentials for services
-which must not be mediated through the Ticket-Granting Service, but rather
-require a principal's secret key, such as the password-changing service[5].
-This exchange does not by itself provide any assurance of the the identity
-of the user[6].
-
-The exchange consists of two messages: KRB_AS_REQ from the client to
-Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
-messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-In the request, the client sends (in cleartext) its own identity and the
-identity of the server for which it is requesting credentials. The
-response, KRB_AS_REP, contains a ticket for the client to present to the
-server, and a session key that will be shared by the client and the server.
-The session key and additional information are encrypted in the client's
-secret key. The KRB_AS_REP message contains information which can be used
-to detect replays, and to associate it with the message to which it
-replies. Various errors can occur; these are indicated by an error response
-(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
-encrypted. The KRB_ERROR message contains information which can be used to
-associate it with the message to which it replies. The lack of encryption
-in the KRB_ERROR message precludes the ability to detect replays,
-fabrications, or modifications of such messages.
-
-Without preautentication, the authentication server does not know whether
-the client is actually the principal named in the request. It simply sends
-a reply without knowing or caring whether they are the same. This is
-acceptable because nobody but the principal whose identity was given in the
-request will be able to use the reply. Its critical information is
-encrypted in that principal's key.
The initial request supports an optional
-field that can be used to pass additional information that might be needed
-for the initial exchange. This field may be used for preauthentication as
-described in section [hl<>].
-
-3.1.1. Generation of KRB_AS_REQ message
-
-The client may specify a number of options in the initial request. Among
-these options are whether pre-authentication is to be performed; whether
-the requested ticket is to be renewable, proxiable, or forwardable; whether
-it should be postdated or allow postdating of derivative tickets; whether
-the client requests name-canonicalization; and whether a renewable ticket
-will be accepted in lieu of a non-renewable ticket if the requested ticket
-expiration date cannot be satisfied by a non-renewable ticket (due to
-configuration constraints; see section 4). See section A.1 for pseudocode.
-
-The client prepares the KRB_AS_REQ message and sends it to the KDC.
-
-3.1.2. Receipt of KRB_AS_REQ message
-
-If all goes well, processing the KRB_AS_REQ message will result in the
-creation of a ticket for the client to present to the server. The format
-for the ticket is described in section 5.3.1. The contents of the ticket
-are determined as follows.
-
-3.1.3. Generation of KRB_AS_REP message
-
-The authentication server looks up the client and server principals named
-in the KRB_AS_REQ in its database, extracting their respective keys. If
-the requested client principal named in the request is not found in its
-database, then an error message with a KDC_ERR_C_PRINCIPAL_UNKNOWN is
-returned. If the request had the CANONICALIZE option set, then the AS can
-attempt to lookup the client principal name in an alternate database, if it
-is found an error message with a KDC_ERR_WRONG_REALM error code and the
-cname and crealm in the error message must contain the true client
-principal name and realm.
- -If required, the server pre-authenticates the request, and if the -pre-authentication check fails, an error message with the code -KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the -requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP -is returned. Otherwise it generates a 'random' session key[7]. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -If there are multiple encryption keys registered for a client in the -Kerberos database (or if the key registered supports multiple encryption -types; e.g. DES3-CBC-SHA1 and DES3-CBC-SHA1-KD), then the etype field from -the AS request is used by the KDC to select the encryption method to be -used for encrypting the response to the client. If there is more than one -supported, strong encryption type in the etype list, the first valid etype -for which an encryption key is available is used. The encryption method -used to respond to a TGS request is taken from the keytype of the session -key found in the ticket granting ticket. - - JBrezak - the behavior of PW-SALT, and ETYPE-INFO should be explained - here; also about using keys that have different string-to-key - functions like AFSsalt - -When the etype field is present in a KDC request, whether an AS or TGS -request, the KDC will attempt to assign the type of the random session key -from the list of methods in the etype field. The KDC will select the -appropriate type using the list of methods provided together with -information from the Kerberos database indicating acceptable encryption -methods for the application server. The KDC will not issue tickets with a -weak session key encryption type. 
- -If the requested start time is absent, indicates a time in the past, or is -within the window of acceptable clock skew for the KDC and the POSTDATE -option has not been specified, then the start time of the ticket is set to -the authentication server's current time. If it indicates a time in the -future beyond the acceptable clock skew, but the POSTDATED option has not -been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. -Otherwise the requested start time is checked against the policy of the -local realm (the administrator might decide to prohibit certain types or -ranges of postdated tickets), and if acceptable, the ticket's start time is -set as requested and the INVALID flag is set in the new ticket. The -postdated ticket must be validated before use by presenting it to the KDC -after the start time has been reached. - -The expiration time of the ticket will be set to the minimum of the -following: - - * The expiration time (endtime) requested in the KRB_AS_REQ message. - * The ticket's start time plus the maximum allowable lifetime associated - with the client principal (the authentication server's database - includes a maximum ticket lifetime field in each principal's record; - see section 4). - * The ticket's start time plus the maximum allowable lifetime associated - with the server principal. - * The ticket's start time plus the maximum lifetime set by the policy of - the local realm. - -If the requested expiration time minus the start time (as determined above) -is less than a site-determined minimum lifetime, an error message with code -KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the -ticket exceeds what was determined as above, and if the 'RENEWABLE-OK' -option was requested, then the 'RENEWABLE' flag is set in the new ticket, -and the renew-till value is set as if the 'RENEWABLE' option were requested -(the field and option names are described fully in section 5.4.1). 
- -If the RENEWABLE option has been requested or if the RENEWABLE-OK option -has been set and a renewable ticket is to be issued, then the renew-till -field is set to the minimum of: - - * Its requested value. - * The start time of the ticket plus the minimum of the two maximum - renewable lifetimes associated with the principals' database entries. - * The start time of the ticket plus the maximum renewable lifetime set - by the policy of the local realm. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -The flags field of the new ticket will have the following options set if -they have been requested and if the policy of the local realm allows: -FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new -ticket is post-dated (the start time is in the future), its INVALID flag -will also be set. - -If all of the above succeed, the server formats a KRB_AS_REP message (see -section 5.4.2), copying the addresses in the request into the caddr of the -response, placing any required pre-authentication data into the padata of -the response, and encrypts the ciphertext part in the client's key using -the requested encryption method, and sends it to the client. See section -A.2 for pseudocode. - -3.1.4. Generation of KRB_ERROR message - -Several errors can occur, and the Authentication Server responds by -returning an error message, KRB_ERROR, to the client, with the error-code -and e-text fields set to appropriate values. The error message contents and -details are described in Section 5.9.1. - -3.1.5. Receipt of KRB_AS_REP message - -If the reply message type is KRB_AS_REP, then the client verifies that the -cname and crealm fields in the cleartext portion of the reply match what it -requested. If any padata fields are present, they may be used to derive the -proper secret key to decrypt the message. 
The client decrypts the encrypted
-part of the response using its secret key, verifies that the nonce in the
-encrypted part matches the nonce it supplied in its request (to detect
-replays). It also verifies that the sname and srealm in the response match
-those in the request (or are otherwise expected values), and that the host
-address field is also correct. It then stores the ticket, session key,
-start and expiration times, and other information for later use. The
-key-expiration field from the encrypted part of the response may be checked
-to notify the user of impending key expiration (the client program could
-then suggest remedial action, such as a password change). See section A.3
-for pseudocode.
-
-Proper decryption of the KRB_AS_REP message is not sufficient to verify the
-identity of the user; the user and an attacker could cooperate to generate
-a KRB_AS_REP format message which decrypts properly but is not from the
-proper KDC. If the host wishes to verify the identity of the user, it must
-require the user to present application credentials which can be verified
-using a securely-stored secret key for the host. If those credentials can
-be verified, then the identity of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
-If the reply message type is KRB_ERROR, then the client interprets it as an
-error and performs whatever application-specific tasks are necessary to
-recover. If the client set the CANONICALIZE option and a
-KDC_ERR_WRONG_REALM error was returned, the AS request should be retried to
-the realm and client principal name specified in the error message crealm
-and cname field respectively.
-
-3.2.
The Client/Server Authentication Exchange
-
- Summary
-Message direction Message type Section
-Client to Application server KRB_AP_REQ 5.5.1
-[optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
-The client/server authentication (CS) exchange is used by network
-applications to authenticate the client to the server and vice versa. The
-client must have already acquired credentials for the server using the AS
-or TGS exchange.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-3.2.1. The KRB_AP_REQ message
-
-The KRB_AP_REQ contains authentication information which should be part of
-the first message in an authenticated transaction. It contains a ticket, an
-authenticator, and some additional bookkeeping information (see section
-5.5.1 for the exact format). The ticket by itself is insufficient to
-authenticate a client, since tickets are passed across the network in
-cleartext[DS90], so the authenticator is used to prevent invalid replay of
-tickets by proving to the server that the client knows the session key of
-the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message
-is referred to elsewhere as the 'authentication header.'
-
-3.2.2. Generation of a KRB_AP_REQ message
-
-When a client wishes to initiate authentication to a server, it obtains
-(either through a credentials cache, the AS exchange, or the TGS exchange)
-a ticket and session key for the desired service. The client may re-use any
-tickets it holds until they expire. To use a ticket the client constructs a
-new Authenticator from the the system time, its name, and optionally an
-application specific checksum, an initial sequence number to be used in
-KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
-negotiations for a session key unique to this particular session.
-Authenticators may not be re-used and will be rejected if replayed to a
-server[LGDSR87]. 
If a sequence number is to be included, it should be
-randomly chosen so that even after many messages have been exchanged it is
-not likely to collide with other sequence numbers in use.
-
-The client may indicate a requirement of mutual authentication or the use
-of a session-key based ticket by setting the appropriate flag(s) in the
-ap-options field of the message.
-
-The Authenticator is encrypted in the session key and combined with the
-ticket to form the KRB_AP_REQ message which is then sent to the end server
-along with any additional application-specific information. See section A.9
-for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
-Authentication is based on the server's current time of day (clocks must be
-loosely synchronized), the authenticator, and the ticket. Several errors
-are possible. If an error occurs, the server is expected to reply to the
-client with a KRB_ERROR message. This message may be encapsulated in the
-application protocol if its 'raw' form is not acceptable to the protocol.
-The format of error messages is described in section 5.9.1.
-
-The algorithm for verifying authentication information is as follows. If
-the message type is not KRB_AP_REQ, the server returns the
-KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
-the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
-key, and the server no longer possesses a copy of the old key), the
-KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
-in the ap-options field, it indicates to the server that the ticket is
-encrypted in the session key from the server's ticket-granting ticket
-rather than its secret key[10]. Since it is possible for the server to be
-registered in multiple realms, with different keys in each, the srealm
-field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
-specify which secret key the server should use to decrypt that ticket. 
The
-KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
-proper key to decipher the ticket.
-
-The ticket is decrypted using the version of the server's key specified by
-the ticket. If the decryption routines detect a modification of the ticket
-(each encryption system must provide safeguards to detect modified
-ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
-(chances are good that different keys were used to encrypt and decrypt).
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-The authenticator is decrypted using the session key extracted from the
-decrypted ticket. If decryption shows it to have been modified, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
-client from the ticket are compared against the same fields in the
-authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
-returned (they might not match, for example, if the wrong session key was
-used to encrypt the authenticator). The addresses in the ticket (if any)
-are then searched for an address matching the operating-system reported
-address of the client. If no match is found or the server insists on ticket
-addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
-is returned.
-
-If the local (server) time and the client time in the authenticator differ
-by more than the allowable clock skew (e.g., 5 minutes), the
-KRB_AP_ERR_SKEW error is returned. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
-server must remember any authenticator presented within the allowable clock
-skew, so that a replay attempt is guaranteed to fail. 
If a server loses
-track of any authenticator presented within the allowable clock skew, it
-must reject all requests until the clock skew interval has passed. This
-assures that any lost or re-played authenticators will fall outside the
-allowable clock skew and can no longer be successfully replayed (If this is
-not done, an attacker could conceivably record the ticket and authenticator
-sent over the network to a server, then disable the client's host, pose as
-the disabled host, and replay the ticket and authenticator to subvert the
-authentication.). If a sequence number is provided in the authenticator,
-the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
-messages. If a subkey is present, the server either saves it for later use
-or uses it to help generate its own choice for a subkey to be returned in a
-KRB_AP_REP message.
-
-The server computes the age of the ticket: local (server) time minus the
-start time inside the Ticket. If the start time is later than the current
-time by more than the allowable clock skew or if the INVALID flag is set in
-the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
-current time is later than end time by more than the allowable clock skew,
-the KRB_AP_ERR_TKT_EXPIRED error is returned.
-
-If all these checks succeed without an error, the server is assured that
-the client possesses the credentials of the principal named in the ticket
-and thus, the client has been authenticated to the server. See section A.10
-for pseudocode.
-
-Passing these checks provides only authentication of the named principal;
-it does not imply authorization to use the named service. Applications must
-make a separate authorization decisions based upon the authenticated name
-of the user, the requested operation, local acces control information such
-as that contained in a .k5login or .k5users file, and possibly a separate
-distributed authorization service.
-
-3.2.4. 
Generation of a KRB_AP_REP message
-
-Typically, a client's request will include both the authentication
-information and its initial request in the same message, and the server
-need not explicitly reply to the KRB_AP_REQ. However, if mutual
-authentication (not only authenticating the client to the server, but also
-the server to the client) is being performed, the KRB_AP_REQ message will
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
-is required in response. As with the error message, this message may be
-encapsulated in the application protocol if its "raw" form is not
-acceptable to the application's protocol. The timestamp and microsecond
-field used in the reply must be the client's timestamp and microsecond
-field (as provided in the authenticator)[12]. If a sequence number is to be
-included, it should be randomly chosen as described above for the
-authenticator. A subkey may be included if the server desires to negotiate
-a different subkey. The KRB_AP_REP message is encrypted in the session key
-extracted from the ticket. See section A.11 for pseudocode.
-
-3.2.5. Receipt of KRB_AP_REP message
-
-If a KRB_AP_REP message is returned, the client uses the session key from
-the credentials obtained for the server[13] to decrypt the message, and
-verifies that the timestamp and microsecond fields match those in the
-Authenticator it sent to the server. If they match, then the client is
-assured that the server is genuine. The sequence number and subkey (if
-present) are retained for later use. See section A.12 for pseudocode.
-
-3.2.6. Using the encryption key
-
-After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
-server share an encryption key which can be used by the application. 
The
-'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
-application-specific uses may be chosen by the application based on the
-subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
-the use of this session key will be implicit in the protocol; in others the
-method of use must be chosen from several alternatives. We leave the
-protocol negotiations of how to use the key (e.g. selecting an encryption
-or checksum type) to the application programmer; the Kerberos protocol does
-not constrain the implementation options, but an example of how this might
-be done follows.
-
-One way that an application may choose to negotiate a key to be used for
-subequent integrity and privacy protection is for the client to propose a
-key in the subkey field of the authenticator. The server can then choose a
-key using the proposed key from the client as input, returning the new
-subkey in the subkey field of the application reply. This key could then be
-used for subsequent communication. To make this example more concrete, if
-the encryption method in use required a 56 bit key, and for whatever
-reason, one of the parties was prevented from using a key with more than 40
-unknown bits, this method would allow the the party which is prevented from
-using more than 40 bits to either propose (if the client) an initial key
-with a known quantity for 16 of those bits, or to mask 16 of the bits (if
-the server) with the known quantity. The application implementor is warned,
-however, that this is only an example, and that an analysis of the
-particular crytosystem to be used, and the reasons for limiting the key
-length, must be made before deciding whether it is acceptable to mask bits
-of the key.
-
-With both the one-way and mutual authentication exchanges, the peers should
-take care not to send sensitive information to each other without proper
-assurances. 
In particular, applications that require privacy or integrity
-should use the KRB_AP_REP response from the server to client to assure both
-client and server of their peer's identity. If an application protocol
-requires privacy of its messages, it can use the KRB_PRIV message (section
-3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
-The TGS exchange between a client and the Kerberos Ticket-Granting Server
-is initiated by a client when it wishes to obtain authentication
-credentials for a given server (which might be registered in a remote
-realm), when it wishes to renew or validate an existing ticket, or when it
-wishes to obtain a proxy ticket. In the first case, the client must already
-have acquired a ticket for the Ticket-Granting Service using the AS
-exchange (the ticket-granting ticket is usually obtained when a client
-initially authenticates to the system, such as when a user logs in). The
-message format for the TGS exchange is almost identical to that for the AS
-exchange. The primary difference is that encryption and decryption in the
-TGS exchange does not take place under the client's key. Instead, the
-session key from the ticket-granting ticket or renewable ticket, or
-sub-session key from an Authenticator is used. As is the case for all
-application servers, expired tickets are not accepted by the TGS, so once a
-renewable or ticket-granting ticket expires, the client must use a separate
-exchange to obtain valid tickets.
-
-The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
-client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
-KRB_ERROR). 
The KRB_TGS_REQ message includes information authenticating the
-client plus a request for credentials. The authentication information
-consists of the authentication header (KRB_AP_REQ) which includes the
-client's previously obtained ticket-granting, renewable, or invalid ticket.
-In the ticket-granting ticket and proxy cases, the request may include one
-or more of: a list of network addresses, a collection of typed
-authorization data to be sealed in the ticket for authorization use by the
-application server, or additional tickets (the use of which are described
-later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
-encrypted in the session key from the ticket-granting ticket or renewable
-ticket, or if present, in the sub-session key from the Authenticator (part
-of the authentication header). The KRB_ERROR message contains an error code
-and text explaining what went wrong. The KRB_ERROR message is not
-encrypted. The KRB_TGS_REP message contains information which can be used
-to detect replays, and to associate it with the message to which it
-replies. The KRB_ERROR message also contains information which can be used
-to associate it with the message to which it replies, but the lack of
-encryption in the KRB_ERROR message precludes the ability to detect replays
-or fabrications of such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
-Before sending a request to the ticket-granting service, the client must
-determine in which realm the application server is registered[15], if it is
-known. If the client does know the service principal name and realm and it
-does not already possess a ticket-granting ticket for the appropriate
-realm, then one must be obtained. This is first attempted by requesting a
-ticket-granting ticket for the destination realm from a Kerberos server for
-which the client does posess a ticket-granting ticket (using the
-KRB_TGS_REQ message recursively). 
The Kerberos server may return a TGT for
-the desired realm in which case one can proceed.
-
-If the client does not know the realm of the service or the true service
-principal name, then the CANONICALIZE option must be used in the request.
-This will cause the TGS to locate the service principal based on the target
-service name in the ticket and return the service principal name in the
-response. Alternatively, the Kerberos server may return a TGT for a realm
-which is 'closer' to the desired realm (further along the standard
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-hierarchical path) or the realm that may contain the requested service
-principal name in a request with the CANONCALIZE option set [JBrezak], in
-which case this step must be repeated with a Kerberos server in the realm
-specified in the returned TGT. If neither are returned, then the request
-must be retried with a Kerberos server for a realm higher in the hierarchy.
-This request will itself require a ticket-granting ticket for the higher
-realm which must be obtained by recursively applying these directions.
-
-Once the client obtains a ticket-granting ticket for the appropriate realm,
-it determines which Kerberos servers serve that realm, and contacts one.
-The list might be obtained through a configuration file or network service
-or it may be generated from the name of the realm; as long as the secret
-keys exchanged by realms are kept secret, only denial of service results
-from using a false Kerberos server.
-
-As in the AS exchange, the client may specify a number of options in the
-KRB_TGS_REQ message. 
The client prepares the KRB_TGS_REQ message, providing
-an authentication header as an element of the padata field, and including
-the same fields as used in the KRB_AS_REQ message along with several
-optional fields: the enc-authorization-data field for application server
-use and additional tickets required by some options.
-
-In preparing the authentication header, the client can select a sub-session
-key under which the response from the Kerberos server will be
-encrypted[16]. If the sub-session key is not specified, the session key
-from the ticket-granting ticket will be used. If the enc-authorization-data
-is present, it must be encrypted in the sub-session key, if present, from
-the authenticator portion of the authentication header, or if not present,
-using the session key from the ticket-granting ticket.
-
-Once prepared, the message is sent to a Kerberos server for the destination
-realm. See section A.5 for pseudocode.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
-The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
-message, but there are many additional checks to be performed. First, the
-Kerberos server must determine which server the accompanying ticket is for
-and it must select the appropriate key to decrypt it. For a normal
-KRB_TGS_REQ message, it will be for the ticket granting service, and the
-TGS's key will be used. If the TGT was issued by another realm, then the
-appropriate inter-realm key must be used. If the accompanying ticket is not
-a ticket granting ticket for the current realm, but is for an application
-server in the current realm, the RENEW, VALIDATE, or PROXY options are
-specified in the request, and the server for which a ticket is requested is
-the server named in the accompanying ticket, then the KDC will decrypt the
-ticket in the authentication header using the key of the server for which
-it was issued. If no ticket can be found in the padata field, the
-KDC_ERR_PADATA_TYPE_NOSUPP error is returned. 
-
-Once the accompanying ticket has been decrypted, the user-supplied checksum
-in the Authenticator must be verified against the contents of the request,
-and the message rejected if the checksums do not match (with an error code
-of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
-collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
-checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
-returned. If the authorization-data are present, they are decrypted using
-the sub-session key from the Authenticator.
-
-If any of the decryptions indicate failed integrity checks, the
-KRB_AP_ERR_BAD_INTEGRITY error is returned. If the CANONICALIZE option is
-set in the KRB_TGS_REQ, then the requested service name may not be the true
-principal name or the service may not be in the TGS realm.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-3.3.3. Generation of KRB_TGS_REP message
-
-The KRB_TGS_REP message shares its format with the KRB_AS_REP
-(KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed
-specification is in section 5.4.2.
-
-The response will include a ticket for the requested server. The Kerberos
-database is queried to retrieve the record for the requested server
-(including the key with which the ticket will be encrypted). If the request
-is for a ticket granting ticket for a remote realm, and if no key is shared
-with the requested realm, then the Kerberos server will select the realm
-"closest" to the requested realm with which it does share a key, and use
-that realm instead. If the CANONICALIZE option is set, the TGS may return a
-ticket containing the server name of the true service principal. If the
-requested server cannot be found in the TGS database, then a TGT for
-another trusted realm may be returned instead of a ticket for the service. 
-This TGT is a referral mechanism to cause the client to retry the request
-to the realm of the TGT. These are the only cases where the response for
-the KDC will be for a different server than that requested by the client.
-
-By default, the address field, the client's name and realm, the list of
-transited realms, the time of initial authentication, the expiration time,
-and the authorization data of the newly-issued ticket will be copied from
-the ticket-granting ticket (TGT) or renewable ticket. If the transited
-field needs to be updated, but the transited type is not supported, the
-KDC_ERR_TRTYPE_NOSUPP error is returned.
-
-If the request specifies an endtime, then the endtime of the new ticket is
-set to the minimum of (a) that request, (b) the endtime from the TGT, and
-(c) the starttime of the TGT plus the minimum of the maximum life for the
-application server and the maximum life for the local realm (the maximum
-life for the requesting principal was already applied when the TGT was
-issued). If the new ticket is to be a renewal, then the endtime above is
-replaced by the minimum of (a) the value of the renew_till field of the
-ticket and (b) the starttime for the new ticket plus the life
-(endtime-starttime) of the old ticket.
-
-If the FORWARDED option has been requested, then the resulting ticket will
-contain the addresses specified by the client. This option will only be
-honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
-similar; the resulting ticket will contain the addresses specified by the
-client. It will be honored only if the PROXIABLE flag in the TGT is set.
-The PROXY option will not be honored on requests for additional
-ticket-granting tickets.
-
-If the requested start time is absent, indicates a time in the past, or is
-within the window of acceptable clock skew for the KDC and the POSTDATE
-option has not been specified, then the start time of the ticket is set to
-the authentication server's current time. 
If it indicates a time in the
-future beyond the acceptable clock skew, but the POSTDATED option has not
-been specified or the MAY-POSTDATE flag is not set in the TGT, then the
-error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the
-ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting
-ticket will be postdated and the requested starttime is checked against the
-policy of the local realm. If acceptable, the ticket's start time is set as
-requested, and the INVALID flag is set. The postdated ticket must be
-validated before use by presenting it to the KDC after the starttime has
-been reached. However, in no case may the starttime, endtime, or renew-till
-time of a newly-issued postdated ticket extend beyond the renew-till time
-of the ticket-granting ticket.
-
-If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
-has been included in the request, the KDC will decrypt the additional
-ticket using the key for the server to which the additional ticket was
-issued and verify that it is a ticket-granting ticket. If the name of the
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-requested server is missing from the request, the name of the client in the
-additional ticket will be used. Otherwise the name of the requested server
-will be compared to the name of the client in the additional ticket and if
-different, the request will be rejected. If the request succeeds, the
-session key from the additional ticket will be used to encrypt the new
-ticket that is issued instead of using the key of the server for which the
-new ticket will be used[17]. 
-
-If the name of the server in the ticket that is presented to the KDC as
-part of the authentication header is not that of the ticket-granting server
-itself, the server is registered in the realm of the KDC, and the RENEW
-option is requested, then the KDC will verify that the RENEWABLE flag is
-set in the ticket, that the INVALID flag is not set in the ticket, and that
-the renew_till time is still in the future. If the VALIDATE option is
-rqeuested, the KDC will check that the starttime has passed and the INVALID
-flag is set. If the PROXY option is requested, then the KDC will check that
-the PROXIABLE flag is set in the ticket. If the tests succeed, and the
-ticket passes the hotlist check described in the next paragraph, the KDC
-will issue the appropriate new ticket.
-
-3.3.3.1. Checking for revoked tickets
-
-Whenever a request is made to the ticket-granting server, the presented
-ticket(s) is(are) checked against a hot-list of tickets which have been
-canceled. This hot-list might be implemented by storing a range of issue
-timestamps for 'suspect tickets'; if a presented ticket had an authtime in
-that range, it would be rejected. In this way, a stolen ticket-granting
-ticket or renewable ticket cannot be used to gain additional tickets
-(renewals or otherwise) once the theft has been reported. Any normal ticket
-obtained before it was reported stolen will still be valid (because they
-require no interaction with the KDC), but only until their normal
-expiration time.
-
-The ciphertext part of the response in the KRB_TGS_REP message is encrypted
-in the sub-session key from the Authenticator, if present, or the session
-key key from the ticket-granting ticket. It is not encrypted using the
-client's secret key. 
Furthermore, the client's key's expiration date and
-the key version number fields are left out since these values are stored
-along with the client's database record, and that record is not needed to
-satisfy a request based on a ticket-granting ticket. See section A.6 for
-pseudocode.
-
-3.3.3.2. Encoding the transited field
-
-If the identity of the server in the TGT that is presented to the KDC as
-part of the authentication header is that of the ticket-granting service,
-but the TGT was issued from another realm, the KDC will look up the
-inter-realm key shared with that realm and use that key to decrypt the
-ticket. If the ticket is valid, then the KDC will honor the request,
-subject to the constraints outlined above in the section describing the AS
-exchange. The realm part of the client's identity will be taken from the
-ticket-granting ticket. The name of the realm that issued the
-ticket-granting ticket will be added to the transited field of the ticket
-to be issued. This is accomplished by reading the transited field from the
-ticket-granting ticket (which is treated as an unordered set of realm
-names), adding the new realm to the set, then constructing and writing out
-its encoded (shorthand) form (this may involve a rearrangement of the
-existing encoding).
-
-Note that the ticket-granting service does not add the name of its own
-realm. Instead, its responsibility is to add the name of the previous
-realm. This prevents a malicious Kerberos server from intentionally leaving
-out its own name (it could, however, omit other realms' names).
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-The names of neither the local realm nor the principal's realm are to be
-included in the transited field. They appear elsewhere in the ticket and
-both are known to have taken part in authenticating the principal. 
Since
-the endpoints are not included, both local and single-hop inter-realm
-authentication result in a transited field that is empty.
-
-Because the name of each realm transited is added to this field, it might
-potentially be very long. To decrease the length of this field, its
-contents are encoded. The initially supported encoding is optimized for the
-normal case of inter-realm communication: a hierarchical arrangement of
-realms using either domain or X.500 style realm names. This encoding
-(called DOMAIN-X500-COMPRESS) is now described.
-
-Realm names in the transited field are separated by a ",". The ",", "\",
-trailing "."s, and leading spaces (" ") are special characters, and if they
-are part of a realm name, they must be quoted in the transited field by
-preced- ing them with a "\".
-
-A realm name ending with a "." is interpreted as being prepended to the
-previous realm. For example, we can encode traversal of EDU, MIT.EDU,
-ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
-
- "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
-
-Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that
-they would not be included in this field, and we would have:
-
- "EDU,MIT.,WASHINGTON.EDU"
-
-A realm name beginning with a "/" is interpreted as being appended to the
-previous realm[18]. If it is to stand by itself, then it should be preceded
-by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
-/COM/HP, /COM, and /COM/DEC as:
-
- "/COM,/HP,/APOLLO, /COM/DEC".
-
-Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
-they would not be included in this field, and we would have:
-
- "/COM,/HP"
-
-A null subfield preceding or following a "," indicates that all realms
-between the previous realm and the next realm have been traversed[19].
-Thus, "," means that all realms along the path between the client and the
-server have been traversed. 
",EDU, /COM," means that that all realms from
-the client's realm up to EDU (in a domain style hierarchy) have been
-traversed, and that everything from /COM down to the server's realm in an
-X.500 style has also been traversed. This could occur if the EDU realm in
-one hierarchy shares an inter-realm key directly with the /COM realm in
-another hierarchy.
-
-3.3.4. Receipt of KRB_TGS_REP message
-
-When the KRB_TGS_REP is received by the client, it is processed in the same
-manner as the KRB_AS_REP processing described above. The primary difference
-is that the ciphertext part of the response must be decrypted using the
-session key from the ticket-granting ticket rather than the client's secret
-key. The server name returned in the reply is the true principal name of
-the service. See section A.7 for pseudocode.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-3.4. The KRB_SAFE Exchange
-
-The KRB_SAFE message may be used by clients requiring the ability to detect
-modifications of messages they exchange. It achieves this by including a
-keyed collision-proof checksum of the user data and some control
-information. The checksum is keyed with an encryption key (usually the last
-key negotiated via subkeys, or the session key if no negotiation has
-occured).
-
-3.4.1. Generation of a KRB_SAFE message
-
-When an application wishes to send a KRB_SAFE message, it collects its data
-and the appropriate control information and computes a checksum over them.
-The checksum algorithm should be a keyed one-way hash function (such as the
-RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES
-MAC), generated using the sub-session key if present, or the session key.
-Different algorithms may be selected by changing the checksum type in the
-message. Unkeyed or non-collision-proof checksums are not suitable for this
-use. 
-
-The control information for the KRB_SAFE message includes both a timestamp
-and a sequence number. The designer of an application using the KRB_SAFE
-message must choose at least one of the two mechanisms. This choice should
-be based on the needs of the application protocol.
-
-Sequence numbers are useful when all messages sent will be received by
-one's peer. Connection state is presently required to maintain the session
-key, so maintaining the next sequence number should not present an
-additional problem.
-
-If the application protocol is expected to tolerate lost messages without
-them being resent, the use of the timestamp is the appropriate replay
-detection mechanism. Using timestamps is also the appropriate mechanism for
-multi-cast protocols where all of one's peers share a common sub-session
-key, but some messages will be sent to a subset of one's peers.
-
-After computing the checksum, the client then transmits the information and
-checksum to the recipient in the message format specified in section 5.6.1.
-
-3.4.2. Receipt of KRB_SAFE message
-
-When an application receives a KRB_SAFE message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and
-type fields match the current version and KRB_SAFE, respectively. A
-mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
-The application verifies that the checksum used is a collision-proof keyed
-checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
-the sender's address was included in the control information, the recipient
-verifies that the operating system's report of the sender's address matches
-the sender's address in the message, and (if a recipient address is
-specified or the recipient requires an address) that one of the recipient's
-addresses appears as the recipient's address in the message.
A failed match
-for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp
-and usec and/or the sequence number fields are checked. If timestamp and
-usec are expected and not present, or they are present but not current, the
-KRB_AP_ERR_SKEW error is generated. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
-error is generated. If an incorrect sequence number is included, or a
-sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
-is generated. If neither a time-stamp and usec or a sequence number is
-present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
-computed over the data and control information, and if it doesn't match the
-received checksum, a KRB_AP_ERR_MODIFIED error is generated.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-If all the checks succeed, the application is assured that the message was
-generated by its peer and was not modi- fied in transit.
-
-3.5. The KRB_PRIV Exchange
-
-The KRB_PRIV message may be used by clients requiring confidentiality and
-the ability to detect modifications of exchanged messages. It achieves this
-by encrypting the messages and adding control information.
-
-3.5.1. Generation of a KRB_PRIV message
-
-When an application wishes to send a KRB_PRIV message, it collects its data
-and the appropriate control information (specified in section 5.7.1) and
-encrypts them under an encryption key (usually the last key negotiated via
-subkeys, or the session key if no negotiation has occured). As part of the
-control information, the client must choose to use either a timestamp or a
-sequence number (or both); see the discussion in section 3.4.1 for
-guidelines on which to use.
After the user data and control information are
-encrypted, the client transmits the ciphertext and some 'envelope'
-information to the recipient.
-
-3.5.2. Receipt of KRB_PRIV message
-
-When an application receives a KRB_PRIV message, it verifies it as follows.
-If any error occurs, an error code is reported for use by the application.
-
-The message is first checked by verifying that the protocol version and
-type fields match the current version and KRB_PRIV, respectively. A
-mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
-The application then decrypts the ciphertext and processes the resultant
-plaintext. If decryption shows the data to have been modified, a
-KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
-included in the control information, the recipient verifies that the
-operating system's report of the sender's address matches the sender's
-address in the message, and (if a recipient address is specified or the
-recipient requires an address) that one of the recipient's addresses
-appears as the recipient's address in the message. A failed match for
-either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
-usec and/or the sequence number fields are checked. If timestamp and usec
-are expected and not present, or they are present but not current, the
-KRB_AP_ERR_SKEW error is generated. If the server name, along with the
-client name, time and microsecond fields from the Authenticator match any
-recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an
-incorrect sequence number is included, or a sequence number is expected but
-not present, the KRB_AP_ERR_BADORDER error is generated. If neither a
-time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED
-error is generated.
-
-If all the checks succeed, the application can assume the message was
-generated by its peer, and was securely transmitted (without intruders able
-to see the unencrypted contents).
-
-3.6. The KRB_CRED Exchange
-
-The KRB_CRED message may be used by clients requiring the ability to send
-Kerberos credentials from one host to another. It achieves this by sending
-the tickets together with encrypted data containing the session keys and
-other information associated with the tickets.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-3.6.1. Generation of a KRB_CRED message
-
-When an application wishes to send a KRB_CRED message it first (using the
-KRB_TGS exchange) obtains credentials to be sent to the remote host. It
-then constructs a KRB_CRED message using the ticket or tickets so obtained,
-placing the session key needed to use each ticket in the key field of the
-corresponding KrbCredInfo sequence of the encrypted part of the the
-KRB_CRED message.
-
-Other information associated with each ticket and obtained during the
-KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence
-in the encrypted part of the KRB_CRED message. The current time and, if
-specifically required by the application the nonce, s-address, and
-r-address fields, are placed in the encrypted part of the KRB_CRED message
-which is then encrypted under an encryption key previosuly exchanged in the
-KRB_AP exchange (usually the last key negotiated via subkeys, or the
-session key if no negotiation has occured).
-
-3.6.2. Receipt of KRB_CRED message
-
-When an application receives a KRB_CRED message, it verifies it. If any
-error occurs, an error code is reported for use by the application. The
-message is verified by checking that the protocol version and type fields
-match the current version and KRB_CRED, respectively. A mismatch generates
-a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
The application then
-decrypts the ciphertext and processes the resultant plaintext. If
-decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY
-error is generated.
-
-If present or required, the recipient verifies that the operating system's
-report of the sender's address matches the sender's address in the message,
-and that one of the recipient's addresses appears as the recipient's
-address in the message. A failed match for either case generates a
-KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce
-field if required) are checked next. If the timestamp and usec are not
-present, or they are present but not current, the KRB_AP_ERR_SKEW error is
-generated.
-
-If all the checks succeed, the application stores each of the new tickets
-in its ticket cache together with the session key and other information in
-the corresponding KrbCredInfo sequence from the encrypted part of the
-KRB_CRED message.
-
-4. The Kerberos Database
-
-The Kerberos server must have access to a database containing the principal
-identifiers and secret keys of principals to be authenticated[21].
-
-4.1. Database contents
-
-A database entry should contain at least the following fields:
-
-Field Value
-
-name Principal's identifier
-key Principal's secret key
-p_kvno Principal's key version
-max_life Maximum lifetime for Tickets
-max_renewable_life Maximum total lifetime for renewable Tickets
-
-The name field is an encoding of the principal's identifier. The key field
-contains an encryption key. This key is the principal's secret key. (The
-key can be encrypted before storage under a Kerberos "master key" to
-protect it in case the database is compromised but the master key is not.
-In that case, an extra field must be added to indicate the master key
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-version used, see below.)
The p_kvno field is the key version number of the -principal's secret key. The max_life field contains the maximum allowable -lifetime (endtime - starttime) for any Ticket issued for this principal. -The max_renewable_life field contains the maximum allowable total lifetime -for any renewable Ticket issued for this principal. (See section 3.1 for a -description of how these lifetimes are used in determining the lifetime of -a given Ticket.) - -A server may provide KDC service to several realms, as long as the database -representation provides a mechanism to distinguish between principal -records with identifiers which differ only in the realm name. - -When an application server's key changes, if the change is routine (i.e. -not the result of disclosure of the old key), the old key should be -retained by the server until all tickets that had been issued using that -key have expired. Because of this, it is possible for several keys to be -active for a single principal. Ciphertext encrypted in a principal's key is -always tagged with the version of the key that was used for encryption, to -help the recipient find the proper key for decryption. - -When more than one key is active for a particular principal, the principal -will have more than one record in the Kerberos database. The keys and key -version numbers will differ between the records (the rest of the fields may -or may not be the same). Whenever Kerberos issues a ticket, or responds to -a request for initial authentication, the most recent key (known by the -Kerberos server) will be used for encryption. This is the key with the -highest key version number. - -4.2. 
Additional fields
-
-Project Athena's KDC implementation uses additional fields in its database:
-
-Field Value
-
-K_kvno Kerberos' key version
-expiration Expiration date for entry
-attributes Bit field of attributes
-mod_date Timestamp of last modification
-mod_name Modifying principal's identifier
-
-The K_kvno field indicates the key version of the Kerberos master key under
-which the principal's secret key is encrypted.
-
-After an entry's expiration date has passed, the KDC will return an error
-to any client attempting to gain tickets as or for the principal. (A
-database may want to maintain two expiration dates: one for the principal,
-and one for the principal's current key. This allows password aging to work
-independently of the principal's expiration date. However, due to the
-limited space in the responses, the KDC must combine the key expiration and
-principal expiration date into a single value called 'key_exp', which is
-used as a hint to the user to take administrative action.)
-
-The attributes field is a bitfield used to govern the operations involving
-the principal. This field might be useful in conjunction with user
-registration procedures, for site-specific policy implementations (Project
-Athena currently uses it for their user registration process controlled by
-the system-wide database service, Moira [LGDSR87]), to identify whether a
-principal can play the role of a client or server or both, to note whether
-a server is appropriate trusted to recieve credentials delegated by a
-client, or to identify the 'string to key' conversion algorithm used for a
-principal's key[22].
Other bits are used to indicate that certain ticket
-options should not be allowed in tickets encrypted under a principal's key
-(one bit each): Disallow issuing postdated tickets, disallow issuing
-forwardable tickets, disallow issuing tickets based on TGT authentication,
-disallow issuing renewable tickets, disallow issuing proxiable tickets, and
-disallow issuing tickets for which the principal is the server.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-The mod_date field contains the time of last modification of the entry, and
-the mod_name field contains the name of the principal which last modified
-the entry.
-
-4.3. Frequently Changing Fields
-
-Some KDC implementations may wish to maintain the last time that a request
-was made by a particular principal. Information that might be maintained
-includes the time of the last request, the time of the last request for a
-ticket-granting ticket, the time of the last use of a ticket-granting
-ticket, or other times. This information can then be returned to the user
-in the last-req field (see section 5.2).
-
-Other frequently changing information that can be maintained is the latest
-expiration time for any tickets that have been issued using each key. This
-field would be used to indicate how long old keys must remain valid to
-allow the continued use of outstanding tickets.
-
-4.4. Site Constants
-
-The KDC implementation should have the following configurable constants or
-options, to allow an administrator to make and enforce policy decisions:
-
- * The minimum supported lifetime (used to determine whether the
- KDC_ERR_NEVER_VALID error should be returned). This constant should
- reflect reasonable expectations of round-trip time to the KDC,
- encryption/decryption time, and processing time by the client and
- target server, and it should allow for a minimum 'useful' lifetime.
- * The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - * The maximum allowable lifetime of a ticket (endtime - starttime). - * Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be issued - if the request specifies some authorization_data). - * Whether proxiable, forwardable, renewable or post-datable tickets are - to be issued. - -5. Message Specifications - -The following sections describe the exact contents and encoding of protocol -messages and objects. The ASN.1 base definitions are presented in the first -subsection. The remaining subsections specify the protocol objects (tickets -and authenticators) and messages. Specification of encryption and checksum -techniques, and the fields related to them, appear in section 6. - -Optional field in ASN.1 sequences - -For optional integer value and date fields in ASN.1 sequences where a -default value has been specified, certain default values will not be -allowed in the encoding because these values will always be represented -through defaulting by the absence of the optional field. For example, one -will not send a microsecond zero value because one must make sure that -there is only one way to encode this value. - -Additional fields in ASN.1 sequences - -Implementations receiving Kerberos messages with additional fields present -in ASN.1 sequences should carry the those fields through, unmodified, when -the message is forwarded. Implementations should not drop such fields if -the sequence is reencoded. - -5.1. ASN.1 Distinguished Encoding Representation - -All uses of ASN.1 in Kerberos shall use the Distinguished Encoding -Representation of the data elements as described in the X.509 -specification, section 8.7 [X509-88]. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.2. 
ASN.1 Base Definitions - -The following ASN.1 base definitions are used in the rest of this section. -Note that since the underscore character (_) is not permitted in ASN.1 -names, the hyphen (-) is used in its place for the purposes of ASN.1 names. - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString -} - -Kerberos realms are encoded as GeneralStrings. Realms shall not contain a -character with the code 0 (the ASCII NUL). Most realms will usually consist -of several components separated by periods (.), in the style of Internet -Domain Names, or separated by slashes (/) in the style of X.500 names. -Acceptable forms for realm names are specified in section 7. A -PrincipalName is a typed sequence of components consisting of the following -sub-fields: - -name-type - This field specifies the type of name that follows. Pre-defined values - for this field are specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the - same (i.e. at least one of the components, or the realm, must be - different). This constraint may be eliminated in the future. -name-string - This field encodes a sequence of components that form a name, each - component encoded as a GeneralString. Taken together, a PrincipalName - and a Realm form a principal identifier. Most PrincipalNames will have - only a few components (typically one or two). - -KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - -The timestamps used in Kerberos are encoded as GeneralizedTimes. An -encoding shall specify the UTC time zone (Z) and shall not include any -fractional portions of the seconds. It further shall not include any -separators. Example: The only valid format for UTC time 6 minutes, 27 -seconds after 9 pm on 6 November 1985 is 19851106210627Z. 
- -HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING -} - -HostAddresses ::= SEQUENCE OF HostAddress - -The host adddress encodings consists of two fields: - -addr-type - This field specifies the type of address that follows. Pre-defined - values for this field are specified in section 8.1. -address - This field encodes a single address of type addr-type. - -The two forms differ slightly. HostAddress contains exactly one address; -HostAddresses contains a sequence of possibly many addresses. - -AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING -} - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -ad-data - This field contains authorization data to be interpreted according to - the value of the corresponding ad-type field. -ad-type - This field specifies the format for the ad-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. - -Each sequence of type and data is refered to as an authorization element. -Elements may be application specific, however, there is a common set of -recursive elements that should be understood by all implementations. These -elements contain other elements embedded within them, and the -interpretation of the encapsulating element determines which of the -embedded elements must be interpreted, and which may be ignored. -Definitions for these common elements may be found in Appendix B. - -TicketExtensions ::= SEQUENCE OF SEQUENCE { - te-type[0] INTEGER, - te-data[1] OCTET STRING -} - - - -te-data - This field contains opaque data that must be caried with the ticket to - support extensions to the Kerberos protocol including but not limited - to some forms of inter-realm key exchange and plaintext authorization - data. See appendix C for some common uses of this field. 
-te-type - This field specifies the format for the te-data subfield. All negative - values are reserved for local use. Non-negative values are reserved - for registered use. - -APOptions ::= BIT STRING - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - -TicketFlags ::= BIT STRING - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -KDCOptions ::= BIT STRING io - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - -- unused10(10), - -- unused11(11), - -- unused12(12), - -- unused13(13), - -- requestanonymous(14), - -- canonicalize(15), - -- disable-transited-check(26), - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -ASN.1 Bit strings have a length and a value. When used in Kerberos for the -APOptions, TicketFlags, and KDCOptions, the length of the bit string on -generated values should be the smallest number of bits needed to include -the highest order bit that is set (1), but in no case less than 32 bits. -The ASN.1 representation of the bit strings uses unnamed bits, with the -meaning of the individual bits defined by the comments in the specification -above. Implementations should accept values of bit strings of any length -and treat the value of flags corresponding to bits beyond the end of the -bit string as if the bit were reset (0). Comparison of bit strings of -different length should treat the smaller string as if it were padded with -zeros beyond the high order bits to the length of the longer string[23]. 
- -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime -} - -lr-type - This field indicates how the following lr-value field is to be - interpreted. Negative values indicate that the information pertains - only to the responding server. Non-negative values pertain to all - servers for the realm. If the lr-type field is zero (0), then no - information is conveyed by the lr-value subfield. If the absolute - value of the lr-type field is one (1), then the lr-value subfield is - the time of last initial request for a TGT. If it is two (2), then the - lr-value subfield is the time of last initial request. If it is three - (3), then the lr-value subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), then the lr-value - subfield is the time of the last renewal. If it is five (5), then the - lr-value subfield is the time of last request (of any type). If it is - (6), then the lr-value subfield is the time when the password will - expire. -lr-value - This field contains the time of the last request. the time must be - interpreted according to the contents of the accompanying lr-type - subfield. - -See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, -EncryptionKey, EncryptionType, and KeyType. - -5.3. Tickets and Authenticators - -This section describes the format and encryption parameters for tickets and -authenticators. When a ticket or authenticator is included in a protocol -message it is treated as an opaque object. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -5.3.1. Tickets - -A ticket is a record that helps a client authenticate to a service. 
A -Ticket contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData, - extensions[4] TicketExtensions OPTIONAL -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be -registered - contents[1] OCTET STRING -} - -The encoding of EncTicketPart is encrypted in the key shared by Kerberos -and the end server (the server's secret key). See section 6 for the format -of the ciphertext. - -tkt-vno - This field specifies the version number for the ticket format. This - document describes version number 5. -realm - This field specifies the realm that issued a ticket. It also serves to - identify the realm part of the server's principal identifier. Since a - Kerberos server can only issue tickets for servers within its realm, - the two will always be identical. -sname - This field specifies all components of the name part of the server's - identity, including those parts that identify a specific instance of a - service. -enc-part - This field holds the encrypted encoding of the EncTicketPart sequence. -extensions - This optional field contains a sequence of extentions that may be used - to carry information that must be carried with the ticket to support - several extensions, including but not limited to plaintext - authorization data, tokens for exchanging inter-realm keys, and other - information that must be associated with a ticket for use by the - application server. 
See Appendix C for definitions of some common - extensions. - - Note that some older versions of Kerberos did not support this field. - Because this is an optional field it will not break older clients, but - older clients might strip this field from the ticket before sending it - to the application server. This limits the usefulness of this ticket - field to environments where the ticket will not be parsed and - reconstructed by these older Kerberos clients. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - If it is known that the client will strip this field from the ticket, - as an interim measure the KDC may append this field to the end of the - enc-part of the ticket and append a traler indicating the lenght of - the appended extensions field. (this paragraph is open for discussion, - including the form of the traler). -flags - This field indicates which of various options were used or requested - when the ticket was issued. It is a bit-field, where the selected - options are indicated by the bit being set (1), and the unselected - options and reserved fields being reset (0). Bit 0 is the most - significant bit. The encoding of the bits is specified in section 5.2. - The flags are described in more detail above in section 2. The - meanings of the flags are: - - Bit(s) Name Description - - 0 RESERVED - Reserved for future expansion of this - field. - - 1 FORWARDABLE - The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, this - flag tells the ticket-granting server - that it is OK to issue a new ticket- - granting ticket with a different network - address based on the presented ticket. - - 2 FORWARDED - When set, this flag indicates that the - ticket has either been forwarded or was - issued based on authentication involving - a forwarded ticket-granting ticket. 
- - 3 PROXIABLE - The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical to - that of the FORWARDABLE flag, except - that the PROXIABLE flag tells the - ticket-granting server that only non- - ticket-granting tickets may be issued - with different network addresses. - - 4 PROXY - When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE - The MAY-POSTDATE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. This flag tells - the ticket-granting server that a post- - dated ticket may be issued based on this - ticket-granting ticket. - - 6 POSTDATED - This flag indicates that this ticket has - been postdated. The end-service can - check the authtime field to see when the - original authentication occurred. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 7 INVALID - This flag indicates that a ticket is - invalid, and it must be validated by the - KDC before use. Application servers - must reject tickets which have this flag - set. - - 8 RENEWABLE - The RENEWABLE flag is normally only - interpreted by the TGS, and can usually - be ignored by end servers (some particu- - larly careful servers may wish to disal- - low renewable tickets). A renewable - ticket can be used to obtain a replace- - ment ticket that expires at a later - date. - - 9 INITIAL - This flag indicates that this ticket was - issued using the AS protocol, and not - issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT - This flag indicates that during initial - authentication, the client was authenti- - cated by the KDC before a ticket was - issued. The strength of the pre- - authentication method is not indicated, - but is acceptable to the KDC. 
- - 11 HW-AUTHENT - This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected to - be possessed solely by the named client. - The hardware authentication method is - selected by the KDC and the strength of - the method is not indicated. - - 12 TRANSITED This flag indicates that the KDC for the - POLICY-CHECKED realm has checked the transited field - against a realm defined policy for - trusted certifiers. If this flag is - reset (0), then the application server - must check the transited field itself, - and if unable to do so it must reject - the authentication. If the flag is set - (1) then the application server may skip - its own validation of the transited - field, relying on the validation - performed by the KDC. At its option the - application server may still apply its - own validation based on a separate - policy for acceptance. - - 13 OK-AS-DELEGATE This flag indicates that the server (not - the client) specified in the ticket has - been determined by policy of the realm - to be a suitable recipient of - delegation. A client can use the - presence of this flag to help it make a - decision whether to delegate credentials - (either grant a proxy or a forwarded - ticket granting ticket) to this server. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - The client is free to ignore the value - of this flag. When setting this flag, - an administrator should consider the - Security and placement of the server on - which the service will run, as well as - whether the service requires the use of - delegated credentials. - - 14 ANONYMOUS - This flag indicates that the principal - named in the ticket is a generic princi- - pal for the realm and does not identify - the individual using the ticket. The - purpose of the ticket is only to - securely distribute a session key, and - not to identify the user. 
Subsequent - requests using the same ticket and ses- - sion may be considered as originating - from the same user, but requests with - the same username but a different ticket - are likely to originate from different - users. - - 15-31 RESERVED - Reserved for future use. - -key - This field exists in the ticket and the KDC response and is used to - pass the session key from Kerberos to the application server and the - client. The field's encoding is described in section 6.2. -crealm - This field contains the name of the realm in which the client is - registered and in which initial authentication took place. -cname - This field contains the name part of the client's principal - identifier. -transited - This field lists the names of the Kerberos realms that took part in - authenticating the user to whom this ticket was issued. It does not - specify the order in which the realms were transited. See section - 3.3.3.2 for details on how this field encodes the traversed realms. - When the names of CA's are to be embedded inthe transited field (as - specified for some extentions to the protocol), the X.500 names of the - CA's should be mapped into items in the transited field using the - mapping defined by RFC2253. -authtime - This field indicates the time of initial authentication for the named - principal. It is the time of issue for the original ticket on which - this ticket is based. It is included in the ticket to provide - additional information to the end service, and to provide the - necessary information for implementation of a `hot list' service at - the KDC. An end service that is particularly paranoid could refuse to - accept tickets for which the initial authentication occurred "too far" - in the past. This field is also returned as part of the response from - the KDC. When returned as part of the response to initial - authentication (KRB_AS_REP), this is the current time on the Kerberos - server[24]. 
-starttime - This field in the ticket specifies the time after which the ticket is - valid. Together with endtime, this field specifies the life of the - ticket. If it is absent from the ticket, its value should be treated - as that of the authtime field. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -endtime - This field contains the time after which the ticket will not be - honored (its expiration time). Note that individual services may place - their own limits on the life of a ticket and may reject tickets which - have not yet expired. As such, this is really an upper bound on the - expiration time for the ticket. -renew-till - This field is only present in tickets that have the RENEWABLE flag set - in the flags field. It indicates the maximum endtime that may be - included in a renewal. It can be thought of as the absolute expiration - time for the ticket, including all renewals. -caddr - This field in a ticket contains zero (if omitted) or more (if present) - host addresses. These are the addresses from which the ticket can be - used. If there are no addresses, the ticket can be used from any - location. The decision by the KDC to issue or by the end server to - accept zero-address tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may refuse to issue or - accept such tickets. The suggested and default policy, however, is - that such tickets will only be issued or accepted when additional - information that can be used to restrict the use of the ticket is - included in the authorization_data field. Such a ticket is a - capability. - - Network addresses are included in the ticket to make it harder for an - attacker to use stolen credentials. 
Because the session key is not - sent over the network in cleartext, credentials can't be stolen simply - by listening to the network; an attacker has to gain access to the - session key (perhaps through operating system security breaches or a - careless user's unattended session) to make use of stolen tickets. - - It is important to note that the network address from which a - connection is received cannot be reliably determined. Even if it could - be, an attacker who has compromised the client's workstation could use - the credentials from there. Including the network addresses only makes - it more difficult, not impossible, for an attacker to walk off with - stolen credentials and then use them from a "safe" location. -authorization-data - The authorization-data field is used to pass authorization data from - the principal on whose behalf a ticket was issued to the application - service. If no authorization data is included, this field will be left - out. Experience has shown that the name of this field is confusing, - and that a better name for this field would be restrictions. - Unfortunately, it is not possible to change the name of this field at - this time. - - This field contains restrictions on any authority obtained on the - basis of authentication using the ticket. It is possible for any - principal in posession of credentials to add entries to the - authorization data field since these entries further restrict what can - be done with the ticket. Such additions can be made by specifying the - additional entries when a new ticket is obtained during the TGS - exchange, or they may be added during chained delegation using the - authorization data field of the authenticator. 
- - Because entries may be added to this field by the holder of - credentials, except when an entry is separately authenticated by - encapulation in the kdc-issued element, it is not allowable for the - presence of an entry in the authorization data field of a ticket to - amplify the priveleges one would obtain from using a ticket. - - The data in this field may be specific to the end service; the field - will contain the names of service specific objects, and the rights to - those objects. The format for this field is described in section 5.2. - Although Kerberos is not concerned with the format of the contents of - the sub-fields, it does carry type information (ad-type). - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - By using the authorization_data field, a principal is able to issue a - proxy that is valid for a specific purpose. For example, a client - wishing to print a file can obtain a file server proxy to be passed to - the print server. By specifying the name of the file in the - authorization_data field, the file server knows that the print server - can only use the client's rights when accessing the particular file to - be printed. - - A separate service providing authorization or certifying group - membership may be built using the authorization-data field. In this - case, the entity granting authorization (not the authorized entity), - may obtain a ticket in its own name (e.g. the ticket is issued in the - name of a privelege server), and this entity adds restrictions on its - own authority and delegates the restricted authority through a proxy - to the client. The client would then present this authorization - credential to the application server separately from the - authentication exchange. 
Alternatively, such authorization credentials - may be embedded in the ticket authenticating the authorized entity, - when the authorization is separately authenticated using the - kdc-issued authorization data element (see B.4). - - Similarly, if one specifies the authorization-data field of a proxy - and leaves the host addresses blank, the resulting ticket and session - key can be treated as a capability. See [Neu93] for some suggested - uses of this field. - - The authorization-data field is optional and does not have to be - included in a ticket. - -5.3.2. Authenticators - -An authenticator is a record sent with a ticket to a server to certify the -client's knowledge of the encryption key in the ticket, to help the server -detect replays, and to help choose a "true session key" to use with the -particular session. The encoding is encrypted in the ticket's session key -shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - - -authenticator-vno - This field specifies the version number for the format of the - authenticator. This document specifies version 5. -crealm and cname - These fields are the same as those described for the ticket in section - 5.3.1. -cksum - This field contains a checksum of the the applica- tion data that - accompanies the KRB_AP_REQ. -cusec - This field contains the microsecond part of the client's timestamp. - Its value (before encryption) ranges from 0 to 999999. It often - appears along with ctime. The two fields are used together to specify - a reasonably accurate timestamp. 
- -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -ctime - This field contains the current time on the client's host. -subkey - This field contains the client's choice for an encryption key which is - to be used to protect this specific application session. Unless an - application specifies otherwise, if this field is left out the session - key from the ticket will be used. -seq-number - This optional field includes the initial sequence number to be used by - the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to - detect replays (It may also be used by application specific messages). - When included in the authenticator this field specifies the initial - sequence number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number is that - for messages from the server to the client. When used in KRB_PRIV or - KRB_SAFE messages, it is incremented by one after each message is - sent. Sequence numbers fall in the range of 0 through 2^32 - 1 and - wrap to zero following the value 2^32 - 1. - - For sequence numbers to adequately support the detection of replays - they should be non-repeating, even across connection boundaries. The - initial sequence number should be random and uniformly distributed - across the full space of possible sequence numbers, so that it cannot - be guessed by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. -authorization-data - This field is the same as described for the ticket in section 5.3.1. - It is optional and will only appear when additional restrictions are - to be placed on the use of a ticket, beyond those carried in the - ticket itself. - -5.4. Specifications for the AS and TGS exchanges - -This section specifies the format of the messages used in the exchange -between the client and the Kerberos server. 
The format of possible error -messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - -The KRB_KDC_REQ message has no type of its own. Instead, its type is one of -KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an -initial ticket or an additional ticket. In either case, the message is sent -from the client to the Authentication Server to request credentials for a -service. - -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - etype[8] SEQUENCE OF INTEGER, - -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData - -- encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -The fields in this message are: - -pvno - This field is included in each message, and specifies the protocol - version number. This document specifies protocol version 5. -msg-type - This field indicates the type of a protocol message. It will almost - always be the same as the application identifier associated with a - message. It is included to make the identifier more readily accessible - to the application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. 
-padata - The padata (pre-authentication data) field contains a sequence of - authentication information which may be needed before credentials can - be issued or decrypted. In the case of requests for additional tickets - (KRB_TGS_REQ), this field will include an element with padata-type of - PA-TGS-REQ and data of an authentication header (ticket-granting - ticket and authenticator). The checksum in the authenticator (which - must be collision-proof) is to be computed over the KDC-REQ-BODY - encoding. In most requests for initial authentication (KRB_AS_REQ) and - most replies (KDC-REP), the padata field will be left out. - - This field may also contain information needed by certain extensions - to the Kerberos protocol. For example, it might be used to initially - verify the identity of a client before any response is returned. When - this field is used to authenticate or pre-authenticate a request, it - should contain a keyed checksum over the KDC-REQ-BODY to bind the - pre-authentication data to rest of the request. The KDC, as a matter - of policy, may decide whether to honor a KDC-REQ which includes any - pre-authentication data that does not contain the checksum field. - PA-ENC-TIMESTAMP defines a pre-authentication data type that is used - for authenticating a client by way of an encrypted timestamp. This is - accomplished with a padata field with padata-type equal to - PA-ENC-TIMESTAMP and padata-value defined as follows (query: the - checksum is new in this definition. If the optional field will break - things we can keep the old PA-ENC-TS-ENC, and define a new alternate - form that includes the checksum). 
: - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL, - pachecksum[2] checksum OPTIONAL - -- keyed checksum of -KDC-REQ-BODY - } - - with patimestamp containing the client's time and pausec containing - the microseconds which may be omitted if a client will not generate - more than one request per second. The ciphertext (padata-value) - consists of the PA-ENC-TS-ENC sequence, encrypted using the client's - secret key. - - [use-specified-kvno item is here for discussion and may be removed] It - may also be used by the client to specify the version of a key that is - being used for accompanying preauthentication, and/or which should be - used to encrypt the reply from the KDC. - - PA-USE-SPECIFIED-KVNO ::= Integer - - The KDC should only accept and abide by the value of the - use-specified-kvno preauthentication data field when the specified key - is still valid and until use of a new key is confirmed. This situation - is likely to occur primarily during the period during which an updated - key is propagating to other KDC's in a realm. - - The padata field can also contain information needed to help the KDC - or the client select the key needed for generating or decrypting the - response. This form of the padata is useful for supporting the use of - certain token cards with Kerberos. The details of such extensions are - specified in separate documents. See [Pat92] for additional uses of - this field. -padata-type - The padata-type element of the padata field indicates the way that the - padata-value element is to be interpreted. Negative values of - padata-type are reserved for unregistered use; non-negative values are - used for a registered interpretation of the element type. 
-req-body - This field is a placeholder delimiting the extent of the remaining - fields. If a checksum is to be calculated over the request, it is - calculated over an encoding of the KDC-REQ-BODY sequence which is - enclosed within the req-body field. -kdc-options - This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the - KDC and indicates the flags that the client wants set on the tickets - as well as other information that is to modify the behavior of the - KDC. Where appropriate, the name of an option may be the same as the - flag that is set by that option. Although in most case, the bit in the - options field will be the same as that in the flags field, this is not - guaranteed, so it is not acceptable to simply copy the options field - to the flags field. There are various checks that must be made before - honoring an option anyway. - - The kdc_options field is a bit-field, where the selected options are - indicated by the bit being set (1), and the unselected options and - reserved fields being reset (0). The encoding of the bits is specified - in section 5.2. The options are described in more detail above in - section 2. The meanings of the options are: - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - Bit(s) Name Description - 0 RESERVED - Reserved for future expansion of -this - field. - - 1 FORWARDABLE - The FORWARDABLE option indicates -that - the ticket to be issued is to have -its - forwardable flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based is also -for- - wardable. - - 2 FORWARDED - The FORWARDED option is only -specified - in a request to the -ticket-granting - server and will only be honored if -the - ticket-granting ticket in the -request - has its FORWARDABLE bit set. -This - option indicates that this is a -request - for forwarding. 
The address(es) of -the - host from which the resulting ticket -is - to be valid are included in -the - addresses field of the request. - - 3 PROXIABLE - The PROXIABLE option indicates that -the - ticket to be issued is to have its -prox- - iable flag set. It may only be set -on - the initial request, or in a -subsequent - request if the ticket-granting ticket -on - which it is based is also proxiable. - - 4 PROXY - The PROXY option indicates that this -is - a request for a proxy. This option -will - only be honored if the -ticket-granting - ticket in the request has its -PROXIABLE - bit set. The address(es) of the -host - from which the resulting ticket is to -be - valid are included in the -addresses - field of the request. - - 5 ALLOW-POSTDATE - The ALLOW-POSTDATE option indicates -that - the ticket to be issued is to have -its - MAY-POSTDATE flag set. It may only -be - set on the initial request, or in a -sub- - sequent request if the -ticket-granting - ticket on which it is based also has -its - MAY-POSTDATE flag set. - - 6 POSTDATED - The POSTDATED option indicates that -this - is a request for a postdated -ticket. - This option will only be honored if -the - ticket-granting ticket on which it -is - based has its MAY-POSTDATE flag -set. - The resulting ticket will also have -its - INVALID flag set, and that flag may -be - reset by a subsequent request to the -KDC - after the starttime in the ticket -has - been reached. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 7 UNUSED - This option is presently unused. - - 8 RENEWABLE - The RENEWABLE option indicates that -the - ticket to be issued is to have -its - RENEWABLE flag set. It may only be -set - on the initial request, or when -the - ticket-granting ticket on which -the - request is based is also renewable. 
-If - this option is requested, then the -rtime - field in the request contains -the - desired absolute expiration time for -the - ticket. - - 9 RESERVED - Reserved for PK-Cross - - 10-13 UNUSED - These options are presently unused. - - 14 REQUEST-ANONYMOUS - The REQUEST-ANONYMOUS option -indicates - that the ticket to be issued is not -to - identify the user to which it -was - issued. Instead, the principal -identif- - ier is to be generic, as specified -by - the policy of the realm (e.g. -usually - anonymous@realm). The purpose of -the - ticket is only to securely distribute -a - session key, and not to identify -the - user. The ANONYMOUS flag on the -ticket - to be returned should be set. If -the - local realms policy does not -permit - anonymous credentials, the request is -to - be rejected. - - 15 CANONICALIZE - The CANONICALIZE option indicates that - the client will accept the return of a - true server name instead of the name - specified in the request. In addition - the client will be able to process - any TGT referrals that will direct - the client to another realm to locate - the requested server. If a KDC does - not support name- canonicalization, - the option is ignored and the - appropriate - KDC_ERR_C_PRINCIPAL_UNKNOWN or - KDC_ERR_S_PRINCIPAL_UNKNOWN error is - returned. [JBrezak] - - 16-25 RESERVED - Reserved for future use. - - 26 DISABLE-TRANSITED-CHECK - By default the KDC will check the - transited field of a ticket-granting- - ticket against the policy of the local - realm before it will issue derivative - tickets based on the ticket granting - ticket. If this flag is set in the - request, checking of the transited -field - is disabled. 
Tickets issued without -the - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - performance of this check will be -noted - by the reset (0) value of the - TRANSITED-POLICY-CHECKED flag, - indicating to the application server - that the tranisted field must be -checked - locally. KDC's are encouraged but not - required to honor the - DISABLE-TRANSITED-CHECK option. - - 27 RENEWABLE-OK - The RENEWABLE-OK option indicates that -a - renewable ticket will be acceptable if -a - ticket with the requested life -cannot - otherwise be provided. If a ticket -with - the requested life cannot be -provided, - then a renewable ticket may be -issued - with a renew-till equal to the -the - requested endtime. The value of -the - renew-till field may still be limited -by - local limits, or limits selected by -the - individual principal or server. - - 28 ENC-TKT-IN-SKEY - This option is used only by the -ticket- - granting service. The -ENC-TKT-IN-SKEY - option indicates that the ticket for -the - end server is to be encrypted in -the - session key from the additional -ticket- - granting ticket provided. - - 29 RESERVED - Reserved for future use. - - 30 RENEW - This option is used only by the -ticket- - granting service. The RENEW -option - indicates that the present request -is - for a renewal. The ticket provided -is - encrypted in the secret key for -the - server on which it is valid. -This - option will only be honored if -the - ticket to be renewed has its -RENEWABLE - flag set and if the time in its -renew- - till field has not passed. The -ticket - to be renewed is passed in the -padata - field as part of the -authentication - header. - - 31 VALIDATE - This option is used only by the -ticket- - granting service. The VALIDATE -option - indicates that the request is to -vali- - date a postdated ticket. 
It will -only - be honored if the ticket presented -is - postdated, presently has its -INVALID - flag set, and would be otherwise -usable - at this time. A ticket cannot be -vali- - dated before its starttime. The -ticket - presented for validation is encrypted -in - the key of the server for which it -is - valid and is passed in the padata -field - as part of the authentication header. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -cname and sname - These fields are the same as those described for the ticket in section - 5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is - specified. If absent, the name of the server is taken from the name of - the client in the ticket passed as additional-tickets. -enc-authorization-data - The enc-authorization-data, if present (and it can only be present in - the TGS_REQ form), is an encoding of the desired authorization-data - encrypted under the sub-session key if present in the Authenticator, - or alternatively from the session key in the ticket-granting ticket, - both from the padata field in the KRB_AP_REQ. -realm - This field specifies the realm part of the server's principal - identifier. In the AS exchange, this is also the realm part of the - client's principal identifier. If the CANONICALIZE option is set, the - realm is used as a hint to the KDC for its database lookup. -from - This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket - requests when the requested ticket is to be postdated. It specifies - the desired start time for the requested ticket. If this field is - omitted then the KDC should use the current time instead. -till - This field contains the expiration date requested by the client in a - ticket request. 
It is optional and if omitted the requested ticket is - to have the maximum endtime permitted according to KDC policy for the - parties to the authentication exchange as limited by expiration date - of the ticket granting ticket or other preauthentication credentials. -rtime - This field is the requested renew-till time sent from a client to the - KDC in a ticket request. It is optional. -nonce - This field is part of the KDC request and response. It it intended to - hold a random number generated by the client. If the same number is - included in the encrypted response from the KDC, it provides evidence - that the response is fresh and has not been replayed by an attacker. - Nonces must never be re-used. Ideally, it should be generated - randomly, but if the correct time is known, it may suffice[25]. -etype - This field specifies the desired encryption algorithm to be used in - the response. -addresses - This field is included in the initial request for tickets, and - optionally included in requests for additional tickets from the - ticket-granting server. It specifies the addresses from which the - requested ticket is to be valid. Normally it includes the addresses - for the client's host. If a proxy is requested, this field will - contain other addresses. The contents of this field are usually copied - by the KDC into the caddr field of the resulting ticket. -additional-tickets - Additional tickets may be optionally included in a request to the - ticket-granting server. If the ENC-TKT-IN-SKEY option has been - specified, then the session key from the additional ticket will be - used in place of the server's key to encrypt the new ticket. When he - ENC-TKT-IN-SKEY option is used for user-to-user authentication, this - addional ticket may be a TGT issued by the local realm or an - inter-realm TGT issued for the current KDC's realm by a remote KDC. 
If - more than one option which requires additional tickets has been - specified, then the additional tickets are used in the order specified - by the ordering of the options bits (see kdc-options, above). - -The application code will be either ten (10) or twelve (12) depending on -whether the request is for an initial ticket (AS-REQ) or for an additional -ticket (TGS-REQ). - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -The optional fields (addresses, authorization-data and additional-tickets) -are only included if necessary to perform the operation specified in the -kdc-options field. - -It should be noted that in KRB_TGS_REQ, the protocol version number appears -twice and two different message types appear: the KRB_TGS_REQ message -contains these fields as does the authentication header (KRB_AP_REQ) that -is passed in the padata field. - -5.4.2. KRB_KDC_REP definition - -The KRB_KDC_REP message format is used for the reply from the KDC for -either an initial (AS) request or a subsequent (TGS) request. There is no -message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP -or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply -depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in -the client's secret key, and the client's key version number is included in -the key version number for the encrypted data. For KRB_TGS_REP, the -ciphertext is encrypted in the sub-session key from the Authenticator, or -if absent, the session key from the ticket-granting ticket used in the -request. In that case, no version number will be present in the -EncryptedData sequence. 
- -The KRB_KDC_REP message contains the following fields: - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -KDC-REP ::= SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - padata[2] SEQUENCE OF PA-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - -EncASRepPart ::= [APPLICATION 25[27]] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] INTEGER, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is either - KRB_AS_REP or KRB_TGS_REP. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -padata - This field is described in detail in section 5.4.1. One possible use - for this field is to encode an alternate "mix-in" string to be used - with a string-to-key algorithm (such as is described in section - 6.3.2). This ability is useful to ease transitions if a realm name - needs to change (e.g. when a company is acquired); in such a case all - existing password-derived entries in the KDC database would be flagged - as needing a special mix-in string until the next password change. -crealm, cname, srealm and sname - These fields are the same as those described for the ticket in section - 5.3.1. -ticket - The newly-issued ticket, from section 5.3.1. -enc-part - This field is a place holder for the ciphertext and related - information that forms the encrypted part of a message. The - description of the encrypted part of the message follows each - appearance of this field. 
The encrypted part is encoded as described - in section 6.1. -key - This field is the same as described for the ticket in section 5.3.1. -last-req - This field is returned by the KDC and specifies the time(s) of the - last request by a principal. Depending on what information is - available, this might be the last time that a request for a - ticket-granting ticket was made, or the last time that a request based - on a ticket-granting ticket was successful. It also might cover all - servers for a realm, or just the particular server. Some - implementations may display this information to the user to aid in - discovering unauthorized use of one's identity. It is similar in - spirit to the last login time displayed when logging into timesharing - systems. -nonce - This field is described above in section 5.4.1. -key-expiration - The key-expiration field is part of the response from the KDC and - specifies the time that the client's secret key is due to expire. The - expiration might be the result of password aging or an account - expiration. This field will usually be left out of the TGS reply since - the response to the TGS request is encrypted in a session key and no - client information need be retrieved from the KDC database. It is up - to the application client (usually the login program) to take - appropriate action (such as notifying the user) if the expiration time - is imminent. -flags, authtime, starttime, endtime, renew-till and caddr - These fields are duplicates of those found in the encrypted portion of - the attached ticket (see section 5.3.1), provided so the client may - verify they match the intended request and to assist in proper ticket - caching. If the message is of type KRB_TGS_REP, the caddr field will - only be filled in if the request was for a proxy or forwarded ticket, - or if the user is substituting a subset of the addresses from the - ticket granting ticket. 
If the client-requested addresses are not
- present or not used, then the addresses contained in the ticket will
- be the same as those included in the ticket-granting ticket.
-
-5.5. Client/Server (CS) message specifications
-
-This section specifies the format of the messages used for the
-authentication of the client to the application server.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-5.5.1. KRB_AP_REQ definition
-
-The KRB_AP_REQ message contains the Kerberos protocol version number, the
-message type KRB_AP_REQ, an options field to indicate any options in use,
-and the ticket and authenticator themselves. The KRB_AP_REQ message is
-often referred to as the 'authentication header'.
-
-AP-REQ ::= [APPLICATION 14] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- ap-options[2] APOptions,
- ticket[3] Ticket,
- authenticator[4] EncryptedData
-}
-
-APOptions ::= BIT STRING {
- reserved(0),
- use-session-key(1),
- mutual-required(2)
-}
-
-
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_AP_REQ.
-ap-options
- This field appears in the application request (KRB_AP_REQ) and affects
- the way the request is processed. It is a bit-field, where the
- selected options are indicated by the bit being set (1), and the
- unselected options and reserved fields being reset (0). The encoding
- of the bits is specified in section 5.2. The meanings of the options
- are:
-
- Bit(s) Name Description
-
- 0 RESERVED
- Reserved for future expansion of this
- field.
-
- 1 USE-SESSION-KEY
- The USE-SESSION-KEY option indicates
- that the ticket the client is presenting
- to a server is encrypted in the session
- key from the server's ticket-granting
- ticket. When this option is not speci-
- fied, the ticket is encrypted in the
- server's secret key.
-
- 2 MUTUAL-REQUIRED
- The MUTUAL-REQUIRED option tells the
- server that the client requires mutual
- authentication, and that it must respond
- with a KRB_AP_REP message.
-
- 3-31 RESERVED
- Reserved for future use.
-
-ticket
- This field is a ticket authenticating the client to the server.
-authenticator
- This contains the authenticator, which includes the client's choice of
- a subkey. Its encoding is described in section 5.3.2.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-5.5.2. KRB_AP_REP definition
-
-The KRB_AP_REP message contains the Kerberos protocol version number, the
-message type, and an encrypted time- stamp. The message is sent in in
-response to an application request (KRB_AP_REQ) where the mutual
-authentication option has been selected in the ap-options field.
-
-AP-REP ::= [APPLICATION 15] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- enc-part[2] EncryptedData
-}
-
-EncAPRepPart ::= [APPLICATION 27[29]] SEQUENCE {
- ctime[0] KerberosTime,
- cusec[1] INTEGER,
- subkey[2] EncryptionKey OPTIONAL,
- seq-number[3] INTEGER OPTIONAL
-}
-
-The encoded EncAPRepPart is encrypted in the shared session key of the
-ticket. The optional subkey field can be used in an application-arranged
-negotiation to choose a per association session key.
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_AP_REP.
-enc-part
- This field is described above in section 5.4.2.
-ctime
- This field contains the current time on the client's host.
-cusec
- This field contains the microsecond part of the client's timestamp.
-subkey
- This field contains an encryption key which is to be used to protect
- this specific application session. See section 3.2.6 for specifics on
- how this field is used to negotiate a key.
Unless an application
- specifies otherwise, if this field is left out, the sub-session key
- from the authenticator, or if also left out, the session key from the
- ticket will be used.
-
-5.5.3. Error message reply
-
-If an error occurs while processing the application request, the KRB_ERROR
-message will be sent in response. See section 5.9.1 for the format of the
-error message. The cname and crealm fields may be left out if the server
-cannot determine their appropriate values from the corresponding KRB_AP_REQ
-message. If the authenticator was decipherable, the ctime and cusec fields
-will contain the values from it.
-
-5.6. KRB_SAFE message specification
-
-This section specifies the format of a message that can be used by either
-side (client or server) of an application to send a tamper-proof message to
-its peer. It presumes that a session key has previously been exchanged (for
-example, by using the KRB_AP_REQ/KRB_AP_REP messages).
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-5.6.1. KRB_SAFE definition
-
-The KRB_SAFE message contains user data along with a collision-proof
-checksum keyed with the last encryption key negotiated via subkeys, or the
-session key if no negotiation has occured. The message fields are:
-
-KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- safe-body[2] KRB-SAFE-BODY,
- cksum[3] Checksum
-}
-
-KRB-SAFE-BODY ::= SEQUENCE {
- user-data[0] OCTET STRING,
- timestamp[1] KerberosTime OPTIONAL,
- usec[2] INTEGER OPTIONAL,
- seq-number[3] INTEGER OPTIONAL,
- s-address[4] HostAddress OPTIONAL,
- r-address[5] HostAddress OPTIONAL
-}
-
-pvno and msg-type
- These fields are described above in section 5.4.1. msg-type is
- KRB_SAFE.
-safe-body
- This field is a placeholder for the body of the KRB-SAFE message.
-cksum
- This field contains the checksum of the application data. Checksum
- details are described in section 6.4.
The checksum is computed over
- the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and
- the checksum is computed over the encoding of the KRB-SAFE sequence,
- then the checksum is set to the result of that computation, and
- finally the KRB-SAFE sequence is encoded again.
-user-data
- This field is part of the KRB_SAFE and KRB_PRIV messages and contain
- the application specific data that is being passed from the sender to
- the recipient.
-timestamp
- This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
- are the current time as known by the sender of the message. By
- checking the timestamp, the recipient of the message is able to make
- sure that it was recently generated, and is not a replay.
-usec
- This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
- the microsecond part of the timestamp.
-seq-number
- This field is described above in section 5.3.2.
-s-address
- This field specifies the address in use by the sender of the message.
- It may be omitted if not required by the application protocol. The
- application designer considering omission of this field is warned,
- that the inclusion of this address prevents some kinds of replay
- attacks (e.g., reflection attacks) and that it is only acceptable to
- omit this address if there is sufficient information in the integrity
- protected part of the application message for the recipient to
- unambiguously determine if it was the intended recipient.
-r-address
- This field specifies the address in use by the recipient of the
- message. It may be omitted for some uses (such as broadcast
- protocols), but the recipient may arbitrarily reject such messages.
- This field along with s-address can be used to help detect messages
- which have been incorrectly or maliciously delivered to the wrong
- recipient.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-5.7.
KRB_PRIV message specification - -This section specifies the format of a message that can be used by either -side (client or server) of an application to securely and privately send a -message to its peer. It presumes that a session key has previously been -exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - -The KRB_PRIV message contains user data encrypted in the Session Key. The -message fields are: - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData -} - -EncKrbPrivPart ::= [APPLICATION 28[31]] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's -addr - r-address[5] HostAddress OPTIONAL -- recip's -addr -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_PRIV. -enc-part - This field holds an encoding of the EncKrbPrivPart sequence encrypted - under the session key[32]. This encrypted encoding is used for the - enc-part field of the KRB-PRIV message. See section 6 for the format - of the ciphertext. -user-data, timestamp, usec, s-address and r-address - These fields are described above in section 5.6.1. -seq-number - This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - -This section specifies the format of a message that can be used to send -Kerberos credentials from one principal to another. It is presented here to -encourage a common mechanism to be used by applications when forwarding -tickets or providing proxies to subordinate servers. It presumes that a -session key has already been exchanged perhaps by using the -KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - -The KRB_CRED message contains a sequence of tickets to be sent and -information needed to use the tickets, including the session key from each. 
-The information needed to use the tickets is encrypted under an encryption -key previously exchanged or transferred alongside the KRB_CRED message. The -message fields are: - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_CRED. -tickets - These are the tickets obtained from the KDC specifically for use by - the intended recipient. Successive tickets are paired with the - corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED - message. -enc-part - This field holds an encoding of the EncKrbCredPart sequence encrypted - under the session key shared between the sender and the intended - recipient. This encrypted encoding is used for the enc-part field of - the KRB-CRED message. See section 6 for the format of the ciphertext. -nonce - If practical, an application may require the inclusion of a nonce - generated by the recipient of the message. 
If the same value is
- included as the nonce in the message, it provides evidence that the
- message is fresh and has not been replayed by an attacker. A nonce
- must never be re-used; it should be generated randomly by the
- recipient of the message and provided to the sender of the message in
- an application specific manner.
-timestamp and usec
- These fields specify the time that the KRB-CRED message was generated.
- The time is used to provide assurance that the message is fresh.
-s-address and r-address
- These fields are described above in section 5.6.1. They are used
- optionally to provide additional assurance of the integrity of the
- KRB-CRED message.
-key
- This field exists in the corresponding ticket passed by the KRB-CRED
- message and is used to pass the session key from the sender to the
- intended recipient. The field's encoding is described in section 6.2.
-
-The following fields are optional. If present, they can be associated with
-the credentials in the remote ticket file. If left out, then it is assumed
-that the recipient of the credentials already knows their value.
-
-prealm and pname
- The name and realm of the delegated principal identity.
-flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
- These fields contain the values of the correspond- ing fields from the
- ticket found in the ticket field. Descriptions of the fields are
- identical to the descriptions in the KDC-REP message.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-5.9. Error message specification
-
-This section specifies the format for the KRB_ERROR message. The fields
-included in the message are intended to return as much information as
-possible about an error. It is not expected that all the information
-required by the fields will be available for all types of errors.
If the -appropriate information is not available when the message is composed, the -corresponding field will be left out of the message. - -Note that since the KRB_ERROR message is only optionally integrity -protected, it is quite possible for an intruder to synthesize or modify -such a message. In particular, this means that unless appropriate integrity -protection mechanisms have been applied to the KRB_ERROR message, the -client should not use any fields in this message for security-critical -purposes, such as setting a system clock or generating a fresh -authenticator. The message can be useful, however, for advising a user on -the reason for some failure. - -5.9.1. KRB_ERROR definition - -The KRB_ERROR message consists of the following fields: - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL, - e-cksum[13] Checksum OPTIONAL, -} - - - -pvno and msg-type - These fields are described above in section 5.4.1. msg-type is - KRB_ERROR. -ctime - This field is described above in section 5.4.1. -cusec - This field is described above in section 5.5.2. -stime - This field contains the current time on the server. It is of type - KerberosTime. -susec - This field contains the microsecond part of the server's timestamp. - Its value ranges from 0 to 999999. It appears along with stime. The - two fields are used in conjunction to specify a reasonably accurate - timestamp. -error-code - This field contains the error code returned by Kerberos or the server - when a request fails. To interpret the value of this field see the - list of error codes in section 8. 
Implementations are encouraged to
- provide for national language support in the display of error
- messages.
-crealm, cname, srealm and sname
- These fields are described above in section 5.3.1.
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-e-text
- This field contains additional text to help explain the error code
- associated with the failed request (for example, it might include a
- principal name which was unknown).
-e-data
- This field contains additional data about the error for use by the
- application to help it recover from or handle the error. If present,
- this field will contain the encoding of a sequence of TypedData
- (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
- in which case it will contain the encoding of a sequence of of padata
- fields (METHOD-DATA below), each corresponding to an acceptable
- pre-authentication method and optionally containing data for the
- method:
-
- TYPED-DATA ::= SEQUENCE of TypeData
- METHOD-DATA ::= SEQUENCE of PA-DATA
-
- TypedData ::= SEQUENCE {
- data-type[0] INTEGER,
- data-value[1] OCTET STRING OPTIONAL
- }
-
- Note that e-data-types have been reserved for all PA data types
- defined prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message,
- when using new PA data types defined in July 1999 or later, the
- METHOD-DATA sequence must itself be encapsulated in an TypedData
- element of type TD-PADATA. All new implementations interpreting the
- METHOD-DATA field for the KDC_ERR_PREAUTH_REQUIRED message must accept
- a type of TD-PADATA, extract the typed data field and interpret the
- use any elements encapsulated in the TD-PADATA elements as if they
- were present in the METHOD-DATA sequence.
-e-cksum
- This field contains an optional checksum for the KRB-ERROR message.
- The checksum is calculated over the Kerberos ASN.1 encoding of the
- KRB-ERROR message with the checksum absent.
The checksum is then added
- to the KRB-ERROR structure and the message is re-encoded. The Checksum
- should be calculated using the session key from the ticket granting
- ticket or service ticket, where available. If the error is in response
- to a TGS or AP request, the checksum should be calculated uing the the
- session key from the client's ticket. If the error is in response to
- an AS request, then the checksum should be calulated using the
- client's secret key ONLY if there has been suitable preauthentication
- to prove knowledge of the secret key by the client[33]. If a checksum
- can not be computed because the key to be used is not available, no
- checksum will be included.
-
- 6. Encryption and Checksum Specifications
-
- The Kerberos protocols described in this document are designed to use
- stream encryption ciphers, which can be simulated using commonly
- available block encryption ciphers, such as the Data Encryption
- Standard [DES77], and triple DES variants, in conjunction with block
- chaining and checksum methods [DESM80]. Encryption is used to prove
- the identities of the network entities participating in message
- exchanges. The Key Distribution Center for each realm is trusted by
- all principals registered in that realm to store a secret key in
- confidence. Proof of knowledge of this secret key is used to verify
- the authenticity of a principal.
-
- The KDC uses the principal's secret key (in the AS exchange) or a
- shared session key (in the TGS exchange) to encrypt responses to
- ticket requests; the ability to obtain the secret key or session key
- implies the knowledge of the appropriate keys and the identity of the
- KDC.
The ability of a principal to decrypt the KDC response and
- present a Ticket and a properly formed Authenticator (generated with
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- the session key from the KDC response) to a service verifies the
- identity of the principal; likewise the ability of the service to
- extract the session key from the Ticket and prove its knowledge
- thereof in a response verifies the identity of the service.
-
- The Kerberos protocols generally assume that the encryption used is
- secure from cryptanalysis; however, in some cases, the order of fields
- in the encrypted portions of messages are arranged to minimize the
- effects of poorly chosen keys. It is still important to choose good
- keys. If keys are derived from user-typed passwords, those passwords
- need to be well chosen to make brute force attacks more difficult.
- Poorly chosen keys still make easy targets for intruders.
-
- The following sections specify the encryption and checksum mechanisms
- currently defined for Kerberos. The encodings, chaining, and padding
- requirements for each are described. For encryption methods, it is
- often desirable to place random information (often referred to as a
- confounder) at the start of the message. The requirements for a
- confounder are specified with each encryption mechanism.
-
- Some encryption systems use a block-chaining method to improve the the
- security characteristics of the ciphertext. However, these chaining
- methods often don't provide an integrity check upon decryption. Such
- systems (such as DES in CBC mode) must be augmented with a checksum of
- the plain-text which can be verified at decryption and used to detect
- any tampering or damage. Such checksums should be good at detecting
- burst errors in the input.
If any damage is detected, the decryption - routine is expected to return an error indicating the failure of an - integrity check. Each encryption type is expected to provide and - verify an appropriate checksum. The specification of each encryption - method sets out its checksum requirements. - - Finally, where a key is to be derived from a user's password, an - algorithm for converting the password to a key of the appropriate type - is included. It is desirable for the string to key function to be - one-way, and for the mapping to be different in different realms. This - is important because users who are registered in more than one realm - will often use the same password in each, and it is desirable that an - attacker compromising the Kerberos server in one realm not obtain or - derive the user's key in another. - - For an discussion of the integrity characteristics of the candidate - encryption and checksum methods considered for Kerberos, the reader is - referred to [SG92]. - - 6.1. Encryption Specifications - - The following ASN.1 definition describes all encrypted messages. The - enc-part field which appears in the unencrypted part of messages in - section 5 is a sequence consisting of an encryption type, an optional - key version number, and the ciphertext. - - EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext - } - - - - etype - This field identifies which encryption algorithm was used to - encipher the cipher. Detailed specifications for selected - encryption types appear later in this section. - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - kvno - This field contains the version number of the key under which - data is encrypted. It is only present in messages encrypted under - long lasting keys, such as principals' secret keys. 
- cipher - This field contains the enciphered text, encoded as an OCTET - STRING. - The cipher field is generated by applying the specified encryption - algorithm to data composed of the message and algorithm-specific - inputs. Encryption mechanisms defined for use with Kerberos must take - sufficient measures to guarantee the integrity of the plaintext, and - we recommend they also take measures to protect against precomputed - dictionary attacks. If the encryption algorithm is not itself capable - of doing so, the protections can often be enhanced by adding a - checksum and a confounder. - - The suggested format for the data to be encrypted includes a - confounder, a checksum, the encoded plaintext, and any necessary - padding. The msg-seq field contains the part of the protocol message - described in section 5 which is to be encrypted. The confounder, - checksum, and padding are all untagged and untyped, and their length - is exactly sufficient to hold the appropriate item. The type and - length is implicit and specified by the particular encryption type - being used (etype). The format for the data to be encrypted for some - methods is described in the following diagram, but other methods may - deviate from this layour - so long as the definition of the method - defines the layout actually in use. 
-
- +-----------+----------+-------------+-----+
- |confounder | check | msg-seq | pad |
- +-----------+----------+-------------+-----+
-
- The format cannot be described in ASN.1, but for those who prefer an
- ASN.1-like notation:
-
- CipherText ::= ENCRYPTED SEQUENCE {
- confounder[0] UNTAGGED[35] OCTET STRING(conf_length)
-OPTIONAL,
- check[1] UNTAGGED OCTET STRING(checksum_length)
-OPTIONAL,
- msg-seq[2] MsgSequence,
- pad UNTAGGED OCTET STRING(pad_length) OPTIONAL
- }
-
- One generates a random confounder of the appropriate length, placing
- it in confounder; zeroes out check; calculates the appropriate
- checksum over confounder, check, and msg-seq, placing the result in
- check; adds the necessary padding; then encrypts using the specified
- encryption type and the appropriate key.
-
- Unless otherwise specified, a definition of an encryption algorithm
- that specifies a checksum, a length for the confounder field, or an
- octet boundary for padding uses this ciphertext format[36]. Those
- fields which are not specified will be omitted.
-
- In the interest of allowing all implementations using a particular
- encryption type to communicate with all others using that type, the
- specification of an encryption type defines any checksum that is
- needed as part of the encryption process. If an alternative checksum
- is to be used, a new encryption type must be defined.
-
- Some cryptosystems require additional information beyond the key and
- the data to be encrypted. For example, DES, when used in
- cipher-block-chaining mode, requires an initialization vector. If
- required, the description for each encryption type must specify the
- source of such additional information. 6.2.
Encryption Keys
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- The sequence below shows the encoding of an encryption key:
-
- EncryptionKey ::= SEQUENCE {
- keytype[0] INTEGER,
- keyvalue[1] OCTET STRING
- }
-
- keytype
- This field specifies the type of encryption that is to be
- performed using the key that follows in the keyvalue field. It
- will always correspond to the etype to be used to generate or
- decode the EncryptedData. In cases when multiple algorithms use a
- common kind of key (e.g., if the encryption algorithm uses an
- alternate checksum algorithm for an integrity check, or a
- different chaining mechanism), the keytype provides information
- needed to determine which algorithm is to be used.
- keyvalue
- This field contains the key itself, encoded as an octet string.
- All negative values for the encryption key type are reserved for local
- use. All non-negative values are reserved for officially assigned type
- fields and interpreta- tions.
-
- 6.3. Encryption Systems
-
- 6.3.1. The NULL Encryption System (null)
-
- If no encryption is in use, the encryption system is said to be the
- NULL encryption system. In the NULL encryption system there is no
- checksum, confounder or padding. The ciphertext is simply the
- plaintext. The NULL Key is used by the null encryption system and is
- zero octets in length, with keytype zero (0).
-
- 6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
-
- The des-cbc-crc encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is
- applied to the confounder and message sequence (msg-seq) and placed in
- the cksum field. DES blocks are 8 bytes. As a result, the data to be
- encrypted (the concatenation of confounder, checksum, and message)
- must be padded to an 8 byte boundary before encryption.
The details of
- the encryption of this data are identical to those for the des-cbc-md5
- encryption mode.
-
- Note that, since the CRC-32 checksum is not collision-proof, an
- attacker could use a probabilistic chosen-plaintext attack to generate
- a valid message even if a confounder is used [SG92]. The use of
- collision-proof checksums is recommended for environments where such
- attacks represent a significant threat. The use of the CRC-32 as the
- checksum for ticket or authenticator is no longer mandated as an
- interoperability requirement for Kerberos Version 5 Specification 1
- (See section 9.1 for specific details).
-
- 6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
-
- The des-cbc-md4 encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. An MD4 checksum (described in [MD492]) is applied to the
- confounder and message sequence (msg-seq) and placed in the cksum
- field. DES blocks are 8 bytes. As a result, the data to be encrypted
- (the concatenation of confounder, checksum, and message) must be
- padded to an 8 byte boundary before encryption. The details of the
- encryption of this data are identical to those for the des-cbc-md5
- encryption mode.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- 6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
-
- The des-cbc-md5 encryption mode encrypts information under the Data
- Encryption Standard [DES77] using the cipher block chaining mode
- [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the
- confounder and message sequence (msg-seq) and placed in the cksum
- field. DES blocks are 8 bytes. As a result, the data to be encrypted
- (the concatenation of confounder, checksum, and message) must be
- padded to an 8 byte boundary before encryption.
-
- Plaintext and DES ciphtertext are encoded as blocks of 8 octets which
- are concatenated to make the 64-bit inputs for the DES algorithms. The
- first octet supplies the 8 most significant bits (with the octet's
- MSbit used as the DES input block's MSbit, etc.), the second octet the
- next 8 bits, ..., and the eighth octet supplies the 8 least
- significant bits.
-
- Encryption under DES using cipher block chaining requires an
- additional input in the form of an initialization vector. Unless
- otherwise specified, zero should be used as the initialization vector.
- Kerberos' use of DES requires an 8 octet confounder.
-
- The DES specifications identify some 'weak' and 'semi-weak' keys;
- those keys shall not be used for encrypting messages for use in
- Kerberos. Additionally, because of the way that keys are derived for
- the encryption of checksums, keys shall not be used that yield 'weak'
- or 'semi-weak' keys when eXclusive-ORed with the hexadecimal constant
- F0F0F0F0F0F0F0F0.
-
- A DES key is 8 octets of data, with keytype one (1). This consists of
- 56 bits of key, and 8 parity bits (one per octet). The key is encoded
- as a series of 8 octets written in MSB-first order. The bits within
- the key are also encoded in MSB order. For example, if the encryption
- key is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
- where B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8
- are the parity bits, the first octet of the key would be
- B1,B2,...,B7,P1 (with B1 as the MSbit). [See the FIPS 81 introduction
- for reference.]
-
- String to key transformation
-
- To generate a DES key from a text string (password), a "salt" is
- concatenated to the text string, and then padded with ASCII nulls to
- an 8 byte boundary. This "salt" is normally the realm and each
- component of the principal's name appended.
However, sometimes - different salts are used --- for example, when a realm is renamed, or - if a user changes her username, or for compatibility with Kerberos V4 - (whose string-to-key algorithm uses a null string for the salt). This - string is then fan-folded and eXclusive-ORed with itself to form an 8 - byte DES key. Before eXclusive-ORing a block, every byte is shifted - one bit to the left to leave the lowest bit zero. The key is the - "corrected" by correcting the parity on the key, and if the key - matches a 'weak' or 'semi-weak' key as described in the DES - specification, it is eXclusive-ORed with the constant - 00000000000000F0. This key is then used to generate a DES CBC checksum - on the initial string (with the salt appended). The result of the CBC - checksum is the "corrected" as described above to form the result - which is return as the key. Pseudocode follows: - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - name_to_default_salt(realm, name) { - s = realm - for(each component in name) { - s = s + component; - } - return s; - } - - key_correction(key) { - fixparity(key); - if (is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - - string_to_key(string,salt) { - - odd = 1; - s = string + salt; - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - left shift every byte in 8byteblock one bit; - tempkey = tempkey XOR 8byteblock; - } - tempkey = key_correction(tempkey); - key = key_correction(DES-CBC-check(s,tempkey)); - return(key); - } - - 6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and - without Key Derivation [Original draft by Marc Horowitz, revisions by - David Miller] - - There are still a few pieces of this specification to be included - by falue, rather than by reference. This will be done before the - Pittsburgh IETF. 
- This encryption type is based on the Triple DES cryptosystem, the - HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key - derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may - not be used in conjunction with the use of Triple DES keys. - - Algorithm Identifiers - - The des3-cbc-hmac-sha1 encryption type has been assigned the value 7. - The des3-cbc-hmac-sha1-kd encryption type, specifying the key - derivation variant of the encryption type, has been assigned the value - 16. The hmac-sha1-des3 checksum type has been assigned the value 13. - The hmac-sha1-des3-kd checksum type, specifying the key derivation - variant of the checksum, has been assigned the value 12. - - Triple DES Key Production - - The EncryptionKey value is 24 octets long. The 7 most significant bits - of each octet contain key bits, and the least significant bit is the - inverse of the xor of the key bits. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - For the purposes of key derivation, the block size is 64 bits, and the - key size is 168 bits. The 168 bits output by key derivation are - converted to an EncryptionKey value as follows. First, the 168 bits - are divided into three groups of 56 bits, which are expanded - individually into 64 bits as follows: - - 1 2 3 4 5 6 7 p - 9 10 11 12 13 14 15 p - 17 18 19 20 21 22 23 p - 25 26 27 28 29 30 31 p - 33 34 35 36 37 38 39 p - 41 42 43 44 45 46 47 p - 49 50 51 52 53 54 55 p - 56 48 40 32 24 16 8 p - - The "p" bits are parity bits computed over the data bits. The output - of the three expansions are concatenated to form the EncryptionKey - value. - - When the HMAC-SHA1 of a string is computed, the key is used in the - EncryptedKey form. - - The string-to-key function is used to tranform UNICODE passwords into - DES3 keys. The DES3 string-to-key function relies on the "N-fold" - algorithm, which is detailed in [9]. 
The description of the N-fold - algorithm in that document is as follows: - o To n-fold a number X, replicate the input value to a length that - is the least common multiple of n and the length of X. Before - each repetition, the input is rotated to the right by 13 bit - positions. The successive n-bit chunks are added together using - 1's-complement addition (that is, addition with end-around carry) - to yield an n-bit result" - o The n-fold algorithm, as with DES string-to-key, is applied to - the password string concatenated with a salt value. The salt - value is derived in the same was as for the DES string-to-key - algorithm. For 3-key triple DES then, the operation will involve - a 168-fold of the input password string. The remainder of the - string-to-key function for DES3 is shown here in pseudocode: - - DES3string-to-key(passwordString, key) - - salt = name_to_default_salt(realm, name) - s = passwordString + salt - tmpKey1 = 168-fold(s) - parityFix(tmpKey1); - if not weakKey(tmpKey1) - /* - * Encrypt temp key in itself with a - * zero initialization vector - * - * Function signature is DES3encrypt(plain, key, iv) - * with cipher as the return value - */ - tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec) - /* - * Encrypt resultant temp key in itself with third component - * of first temp key as initialization vector - */ - key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2]) - parityFix(key) - if not weakKey(key) - return SUCCESS - else - return FAILURE - else - return FAILURE - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - The weakKey function above is the same weakKey function used with DES - keys, but applied to each of the three single DES keys that comprise - the triple DES key. - - The lengths of UNICODE encoded character strings include the trailing - terminator character (0). 
-
- Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd
-
- EncryptedData using this type must be generated as described in
- [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC
- mode. The checksum algorithm is HMAC-SHA1. If the key derivation
- variant of the encryption type is used, encryption key values are
- modified according to the method under the Key Derivation section
- below.
-
- Unless otherwise specified, a zero IV must be used.
-
- If the length of the input data is not a multiple of the block size,
- zero octets must be used to pad the plaintext to the next eight-octet
- boundary. The counfounder must be eight random octets (one block).
-
- Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd
-
- Checksums using this type must be generated as described in
- [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key
- derivation variant of the checksum type is used, checksum key values
- are modified according to the method under the Key Derivation section
- below.
-
- Key Derivation
-
- In the Kerberos protocol, cryptographic keys are used in a number of
- places. In order to minimize the effect of compromising a key, it is
- desirable to use a different key for each of these places. Key
- derivation [Horowitz96] can be used to construct different keys for
- each operation from the keys transported on the network. For this to
- be possible, a small change to the specification is necessary.
-
- This section specifies a profile for the use of key derivation
- [Horowitz96] with Kerberos. For each place where a key is used, a
- ``key usage'' must is specified for that purpose. The key, key usage,
- and encryption/checksum type together describe the transformation from
- plaintext to ciphertext, or plaintext to checksum.
-
- Key Usage Values
-
- This is a complete list of places keys are used in the kerberos
- protocol, with key usage values and RFC 1510 section numbers:
-
- 1.
AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the - client key (section 5.4.1) - 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or - application session key), encrypted with the service key - (section 5.4.2) - 3. AS-REP encrypted part (includes tgs session key or application - session key), encrypted with the client key (section 5.4.2) - 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - session key (section 5.4.1) - 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs - authenticator subkey (section 5.4.1) - 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed - with the tgs session key (sections 5.3.2, 5.4.1) - 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs - authenticator subkey), encrypted with the tgs session key - (section 5.3.2) - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 8. TGS-REP encrypted part (includes application session key), - encrypted with the tgs session key (section 5.4.2) - 9. TGS-REP encrypted part (includes application session key), - encrypted with the tgs authenticator subkey (section 5.4.2) - 10. AP-REQ Authenticator cksum, keyed with the application session - key (section 5.3.2) - 11. AP-REQ Authenticator (includes application authenticator - subkey), encrypted with the application session key (section - 5.3.2) - 12. AP-REP encrypted part (includes application session subkey), - encrypted with the application session key (section 5.5.2) - 13. KRB-PRIV encrypted part, encrypted with a key chosen by the - application (section 5.7.1) - 14. KRB-CRED encrypted part, encrypted with a key chosen by the - application (section 5.6.1) - 15. KRB-SAVE cksum, keyed with a key chosen by the application - (section 5.8.1) - 18. KRB-ERROR checksum (e-cksum in section 5.9.1) - 19. AD-KDCIssued checksum (ad-checksum in appendix B.1) - 20. 
Checksum for Mandatory Ticket Extensions (appendix B.6) - 21. Checksum in Authorization Data in Ticket Extensions (appendix B.7) - - Key usage values between 1024 and 2047 (inclusive) are reserved for - application use. Applications should use even values for encryption - and odd values for checksums within this range. - - A few of these key usages need a little clarification. A service which - receives an AP-REQ has no way to know if the enclosed Ticket was part - of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used - for generating a Ticket, whether it is in response to an AS- REQ or - TGS-REQ. - - There might exist other documents which define protocols in terms of - the RFC1510 encryption types or checksum types. Such documents would - not know about key usages. In order that these documents continue to - be meaningful until they are updated, key usages 1024 and 1025 must be - used to derive keys for encryption and checksums, respectively. New - protocols defined in terms of the Kerberos encryption and checksum - types should use their own key usages. Key usages may be registered - with IANA to avoid conflicts. Key usages must be unsigned 32 bit - integers. Zero is not permitted. - - Defining Cryptosystems Using Key Derivation - - Kerberos requires that the ciphertext component of EncryptedData be - tamper-resistant as well as confidential. This implies encryption and - integrity functions, which must each use their own separate keys. So, - for each key usage, two keys must be generated, one for encryption - (Ke), and one for integrity (Ki): - - Ke = DK(protocol key, key usage | 0xAA) - Ki = DK(protocol key, key usage | 0x55) - - where the protocol key is from the EncryptionKey from the wire - protocol, and the key usage is represented as a 32 bit integer in - network byte order. 
The ciphertest must be generated from the - plaintext as follows: - - ciphertext = E(Ke, confounder | plaintext | padding) | - H(Ki, confounder | plaintext | padding) - - The confounder and padding are specific to the encryption algorithm E. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - When generating a checksum only, there is no need for a confounder or - padding. Again, a new key (Kc) must be used. Checksums must be - generated from the plaintext as follows: - - Kc = DK(protocol key, key usage | 0x99) - MAC = H(Kc, plaintext) - - Note that each enctype is described by an encryption algorithm E and a - keyed hash algorithm H, and each checksum type is described by a keyed - hash algorithm H. HMAC, with an appropriate hash, is required for use - as H. - - Key Derivation from Passwords - - The well-known constant for password key derivation must be the byte - string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values - correspond to the ASCII encoding for the string "kerberos". - - 6.4. Checksums - - The following is the ASN.1 definition used for a checksum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - - cksumtype - This field indicates the algorithm used to generate the - accompanying checksum. - checksum - This field contains the checksum itself, encoded as an octet - string. - Detailed specification of selected checksum types appear later in this - section. Negative values for the checksum type are reserved for local - use. All non-negative values are reserved for officially assigned type - fields and interpretations. - - Checksums used by Kerberos can be classified by two properties: - whether they are collision-proof, and whether they are keyed. It is - infeasible to find two plaintexts which generate the same checksum - value for a collision-proof checksum. 
A key is required to perturb or - initialize the algorithm in a keyed checksum. To prevent - message-stream modification by an active attacker, unkeyed checksums - should only be used when the checksum and message will be subsequently - encrypted (e.g. the checksums defined as part of the encryption - algorithms covered earlier in this section). - - Collision-proof checksums can be made tamper-proof if the checksum - value is encrypted before inclusion in a message. In such cases, the - composition of the checksum and the encryption algorithm must be - considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using - DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed - checksums, as well as for the encrypted forms of unkeyed - collision-proof checksums, Kerberos prepends a confounder before the - checksum is calculated. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 6.4.1. The CRC-32 Checksum (crc32) - - The CRC-32 checksum calculates a checksum based on a cyclic redundancy - check as described in ISO 3309 [ISO3309]. The resulting checksum is - four (4) octets in length. The CRC-32 is neither keyed nor - collision-proof. The use of this checksum is not recommended. An - attacker using a probabilistic chosen-plaintext attack as described in - [SG92] might be able to generate an alternative message that satisfies - the checksum. The use of collision-proof checksums is recommended for - environments where such attacks represent a significant threat. - - 6.4.2. The RSA MD4 Checksum (rsa-md4) - - The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm - [MD4-92]. The algorithm takes as input an input message of arbitrary - length and produces as output a 128-bit (16 octet) checksum. RSA-MD4 - is believed to be collision-proof. - - 6.4.3. 
RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des) - - The RSA-MD4-DES checksum calculates a keyed collision-proof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD4 checksum algorithm, and encrypting the confounder and the checksum - using DES in cipher-block-chaining (CBC) mode using a variant of the - key, where the variant is computed by eXclusive-ORing the key with the - constant F0F0F0F0F0F0F0F0[39]. The initialization vector should be - zero. The resulting checksum is 24 octets long (8 octets of which are - redundant). This checksum is tamper-proof and believed to be - collision-proof. - - The DES specifications identify some weak keys' and 'semi-weak keys'; - those keys shall not be used for generating RSA-MD4 checksums for use - in Kerberos. - - The format for the checksum is described in the follow- ing diagram: - - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - | des-cbc(confounder + rsa-md4(confounder+msg),key=var(key),iv=0) -| - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - - 6.4.4. The RSA MD5 Checksum (rsa-md5) - - The RSA-MD5 checksum calculates a checksum using the RSA MD5 - algorithm. [MD5-92]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) checksum. - RSA-MD5 is believed to be collision-proof. - - 6.4.5. 
RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des) - - The RSA-MD5-DES checksum calculates a keyed collision-proof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD5 checksum algorithm, and encrypting the confounder and the checksum - using DES in cipher-block-chaining (CBC) mode using a variant of the - key, where the variant is computed by eXclusive-ORing the key with the - hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector - should be zero. The resulting checksum is 24 octets long (8 octets of - which are redundant). This checksum is tamper-proof and believed to be - collision-proof. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - The DES specifications identify some 'weak keys' and 'semi-weak keys'; - those keys shall not be used for encrypting RSA-MD5 checksums for use - in Kerberos. - - The format for the checksum is described in the following diagram: - - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - | des-cbc(confounder + rsa-md5(confounder+msg),key=var(key),iv=0) -| - -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - - 6.4.6. 
DES cipher-block chained checksum (des-mac) - - The DES-MAC checksum is computed by prepending an 8 octet confounder - to the plaintext, performing a DES CBC-mode encryption on the result - using the key and an initialization vector of zero, taking the last - block of the ciphertext, prepending the same confounder and encrypting - the pair using DES in cipher-block-chaining (CBC) mode using a a - variant of the key, where the variant is computed by eXclusive-ORing - the key with the hexadecimal constant F0F0F0F0F0F0F0F0. The - initialization vector should be zero. The resulting checksum is 128 - bits (16 octets) long, 64 bits of which are redundant. This checksum - is tamper-proof and collision-proof. - - The format for the checksum is described in the following diagram: - - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - | des-cbc(confounder + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) -| - -+--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) - } - - The DES specifications identify some 'weak' and 'semi-weak' keys; - those keys shall not be used for generating DES-MAC checksums for use - in Kerberos, nor shall a key be used whose variant is 'weak' or - 'semi-weak'. - - 6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative - (rsa-md4-des-k) - - The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum - by applying the RSA MD4 checksum algorithm and encrypting the results - using DES in cipher-block-chaining (CBC) mode using a DES key as both - key and initialization vector. The resulting checksum is 16 octets - long. This checksum is tamper-proof and believed to be - collision-proof. 
Note that this checksum type is the old method for - encoding the RSA-MD4-DES checksum and it is no longer recommended. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - 6.4.8. DES cipher-block chained checksum alternative (des-mac-k) - - The DES-MAC-K checksum is computed by performing a DES CBC-mode - encryption of the plaintext, and using the last block of the - ciphertext as the checksum value. It is keyed with an encryption key - and an initialization vector; any uses which do not specify an - additional initialization vector will use the key as both key and - initialization vector. The resulting checksum is 64 bits (8 octets) - long. This checksum is tamper-proof and collision-proof. Note that - this checksum type is the old method for encoding the DES-MAC checksum - and it is no longer recommended. The DES specifications identify some - 'weak keys' and 'semi-weak keys'; those keys shall not be used for - generating DES-MAC checksums for use in Kerberos. - - 7. Naming Constraints - - 7.1. Realm Names - - Although realm names are encoded as GeneralStrings and although a - realm can technically select any name it chooses, interoperability - across realm boundaries requires agreement on how realm names are to - be assigned, and what information they imply. - - To enforce these conventions, each realm must conform to the - conventions itself, and it must require that any realms with which - inter-realm keys are shared also conform to the conventions and - require the same from its neighbors. - - Kerberos realm names are case sensitive. Realm names that differ only - in the case of the characters are not equivalent. There are presently - four styles of realm names: domain, X500, other, and reserved. 
- Examples of each style follow: - - domain: ATHENA.MIT.EDU (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - - Domain names must look like domain names: they consist of components - separated by periods (.) and they contain neither colons (:) nor - slashes (/). Though domain names themselves are case insensitive, in - order for realms to match, the case must match as well. When - establishing a new realm name based on an internet domain name it is - recommended by convention that the characters be converted to upper - case. - - X.500 names contain an equal (=) and cannot contain a colon (:) before - the equal. The realm names for X.500 names will be string - representations of the names with components separated by slashes. - Leading and trailing slashes will not be included. - - Names that fall into the other category must begin with a prefix that - contains no equal (=) or period (.) and the prefix must be followed by - a colon (:) and the rest of the name. All prefixes must be assigned - before they may be used. Presently none are assigned. - - The reserved category includes strings which do not fall into the - first three categories. All names in this category are reserved. It is - unlikely that names will be assigned to this category unless there is - a very strong argument for not using the 'other' category. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - These rules guarantee that there will be no conflicts between the - various name styles. 
The following additional constraints apply to the - assignment of realm names in the domain and X.500 categories: the name - of a realm for the domain or X.500 formats must either be used by the - organization owning (to whom it was assigned) an Internet domain name - or X.500 name, or in the case that no such names are registered, - authority to use a realm name may be derived from the authority of the - parent realm. For example, if there is no domain name for E40.MIT.EDU, - then the administrator of the MIT.EDU realm can authorize the creation - of a realm with that name. - - This is acceptable because the organization to which the parent is - assigned is presumably the organization authorized to assign names to - its children in the X.500 and domain name systems as well. If the - parent assigns a realm name without also registering it in the domain - name or X.500 hierarchy, it is the parent's responsibility to make - sure that there will not in the future exists a name identical to the - realm name of the child unless it is assigned to the same entity as - the realm name. - - 7.2. Principal Names - - As was the case for realm names, conventions are needed to ensure that - all agree on what information is implied by a principal name. The - name-type field that is part of the principal name indicates the kind - of information implied by the name. The name-type should be treated as - a hint. Ignoring the name type, no two names can be the same (i.e. at - least one of the components, or the realm, must be different). The - following name types are defined: - - name-type value meaning - - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 General principal name (e.g. 
username, DCE -principal) - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance (telnet, rcmds) - NT-SRV-XHST 4 Service with slash-separated host name components - NT-UID 5 Unique ID - NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 1779] - NT-SMTP-NAME 7 Name in form of SMTP email name (e.g. -user@foo.com) - - When a name implies no information other than its uniqueness at a - particular time the name type PRINCIPAL should be used. The principal - name type should be used for users, and it might also be used for a - unique server. If the name is a unique machine generated ID that is - guaranteed never to be reassigned then the name type of UID should be - used (note that it is generally a bad idea to reassign names of any - type since stale entries might remain in access control lists). - - If the first component of a name identifies a service and the - remaining components identify an instance of the service in a server - specified manner, then the name type of SRV-INST should be used. An - example of this name type is the Kerberos ticket-granting service - whose name has a first component of krbtgt and a second component - identifying the realm for which the ticket is valid. - - If instance is a single component following the service name and the - instance identifies the host on which the server is running, then the - name type SRV-HST should be used. This type is typically used for - Internet services such as telnet and the Berkeley R commands. If the - separate components of the host name appear as successive components - following the name of the service, then the name type SRV-XHST should - be used. This type might be used to identify servers on hosts with - X.500 names where the slash (/) might otherwise be ambiguous. 
- - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - A name type of NT-X500-PRINCIPAL should be used when a name from an - X.509 certificiate is translated into a Kerberos name. The encoding of - the X.509 name as a Kerberos principal shall conform to the encoding - rules specified in RFC 2253. - - A name type of SMTP allows a name to be of a form that resembles a - SMTP email name. This name type can be used in conjunction with - name-canonicalization to allow a free-form of username to be specified - as a client name and allow the KDC to determine the Kerberos principal - name for the requested name. [JBrezak] - - A name type of UNKNOWN should be used when the form of the name is not - known. When comparing names, a name of type UNKNOWN will match - principals authenticated with names of any type. A principal - authenticated with a name of type UNKNOWN, however, will only match - other names of type UNKNOWN. - - Names of any type with an initial component of 'krbtgt' are reserved - for the Kerberos ticket granting service. See section 8.2.3 for the - form of such names. - - 7.2.1. Name of server principals - - The principal identifier for a server on a host will generally be - composed of two parts: (1) the realm of the KDC with which the server - is registered, and (2) a two-component name of type NT-SRV-HST if the - host name is an Internet domain name or a multi-component name of type - NT-SRV-XHST if the name of the host is of a form such as X.500 that - allows slash (/) separators. The first component of the two- or - multi-component name will identify the service and the latter - components will identify the host. Where the name of the host is not - case sensitive (for example, with Internet domain names) the name of - the host must be lower case. 
If specified by the application protocol - for services such as telnet and the Berkeley R commands which run with - system privileges, the first component may be the string 'host' - instead of a service specific identifier. When a host has an official - name and one or more aliases, the official name of the host must be - used when constructing the name of the server principal. - - 8. Constants and other defined values - - 8.1. Host address types - - All negative values for the host address type are reserved for local - use. All non-negative values are reserved for officially assigned type - fields and interpretations. - - The values of the types for the following addresses are chosen to - match the defined address family constants in the Berkeley Standard - Distributions of Unix. They can be found in with symbolic names AF_xxx - (where xxx is an abbreviation of the address family name). - - Internet (IPv4) Addresses - - Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in - MSB order. The type of IPv4 addresses is two (2). - - Internet (IPv6) Addresses [Westerlund] - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB - order. The type of IPv6 addresses is twenty-four (24). [RFC1883] - [RFC1884]. The following addresses (see [RFC1884]) MUST not appear in - any Kerberos packet: - o the Unspecified Address - o the Loopback Address - o Link-Local addresses - IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2. - - CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB - order. The type of CHAOSnet addresses is five (5). - - ISO addresses - - ISO addresses are variable-length. The type of ISO addresses is seven - (7). - - Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. 
- The type of XNS addresses is six (6).
-
- AppleTalk Datagram Delivery Protocol (DDP) addresses
-
- AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
- network number. The first octet of the address is the node number; the
- remaining two octets encode the network number in MSB order. The type
- of AppleTalk DDP addresses is sixteen (16).
-
- DECnet Phase IV addresses
-
- DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order.
- The type of DECnet Phase IV addresses is twelve (12).
-
- Netbios addresses
-
- Netbios addresses are 16-octet addresses typically composed of 1 to 15
- characters, trailing blank (ascii char 20) filled, with a 16th octet
- of 0x0. The type of Netbios addresses is 20 (0x14).
-
- 8.2. KDC messages
-
- 8.2.1. UDP/IP transport
-
- When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request
- using UDP IP transport, the client shall send a UDP datagram
- containing only an encoding of the request to port 88 (decimal) at the
- KDC's IP address; the KDC will respond with a reply datagram
- containing only an encoding of the reply message (either a KRB_ERROR
- or a KRB_KDC_REP) to the sending port at the sender's IP address.
- Kerberos servers supporting IP transport must accept UDP requests on
- port 88 (decimal). The response to a request made through UDP/IP
- transport must also use UDP/IP transport.
-
- 8.2.2. TCP/IP transport [Westerlund,Danielsson]
-
- Kerberos servers (KDC's) should accept TCP requests on port 88
- (decimal) and clients should support the sending of TCP requests on
- port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC
- over a TCP stream, a new connection will be established for each
- authentication exchange (request and response). The KRB_KDC_REP or
- KRB_ERROR message will be returned to the client on the same TCP
- stream that was established for the request.
The response to a request - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - made through TCP/IP transport must also use TCP/IP transport. - Implementors should note that some extentions to the Kerberos protocol - will not work if any implementation not supporting the TCP transport - is involved (client or KDC). Implementors are strongly urged to - support the TCP transport on both the client and server and are - advised that the current notation of "should" support will likely - change in the future to must support. The KDC may close the TCP stream - after sending a response, but may leave the stream open if it expects - a followup - in which case it may close the stream at any time if - resource constratints or other factors make it desirable to do so. - Care must be taken in managing TCP/IP connections with the KDC to - prevent denial of service attacks based on the number of TCP/IP - connections with the KDC that remain open. If multiple exchanges with - the KDC are needed for certain forms of preauthentication, multiple - TCP connections may be required. A client may close the stream after - receiving response, and should close the stream if it does not expect - to send followup messages. The client must be prepared to have the - stream closed by the KDC at anytime, in which case it must simply - connect again when it is ready to send subsequent messages. - - The first four octets of the TCP stream used to transmit the request - request will encode in network byte order the length of the request - (KRB_KDC_REQ), and the length will be followed by the request itself. - The response will similarly be preceeded by a 4 octet encoding in - network byte order of the length of the KRB_KDC_REP or the KRB_ERROR - message and will be followed by the KRB_KDC_REP or the KRB_ERROR - response. 
If the sign bit is set on the integer represented by the
- first 4 octets, then the next 4 octets will be read, extending the
- length of the field by another 4 octets (less the sign bit which is
- reserved for future expansion).
-
- 8.2.3. OSI transport
-
- During authentication of an OSI client to an OSI server, the mutual
- authentication of an OSI server to an OSI client, the transfer of
- credentials from an OSI client to an OSI server, or during exchange of
- private or integrity checked messages, Kerberos protocol messages may
- be treated as opaque objects and the type of the authentication
- mechanism will be:
-
- OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
-security(5),kerberosv5(2)}
-
- Depending on the situation, the opaque object will be an
- authentication header (KRB_AP_REQ), an authentication reply
- (KRB_AP_REP), a safe message (KRB_SAFE), a private message (KRB_PRIV),
- or a credentials message (KRB_CRED). The opaque data contains an
- application code as specified in the ASN.1 description for each
- message. The application code may be used by Kerberos to determine the
- message type.
-
- 8.2.3. Name of the TGS
-
- The principal identifier of the ticket-granting service shall be
- composed of three parts: (1) the realm of the KDC issuing the TGS
- ticket (2) a two-part name of type NT-SRV-INST, with the first part
- "krbtgt" and the second part the name of the realm which will accept
- the ticket-granting ticket. For example, a ticket-granting ticket
- issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
- ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU"
- (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket
- issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
- MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm),
- ("krbtgt", "MIT.EDU") (name). 
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- 8.3. Protocol constants and associated values
-
- The following tables list constants used in the protocol and defines
- their meanings. Ranges are specified in the "specification" section
- that limit the values of constants for which values are defined here.
- This allows implementations to make assumptions about the maximum
- values that will be received for these constants. Implementation
- receiving values outside the range specified in the "specification"
- section may reject the request, but they must recover cleanly.
-
- Encryption type etype value block size minimum pad confounder
-size
- NULL 0 1 0 0
- des-cbc-crc 1 8 4 8
- des-cbc-md4 2 8 0 8
- des-cbc-md5 3 8 0 8
- reserved 4
- des3-cbc-md5 5 8 0 8
- reserved 6
- des3-cbc-sha1 7 8 0 8
- dsaWithSHA1-CmsOID 9
-(pkinit)
- md5WithRSAEncryption-CmsOID 10
-(pkinit)
- sha1WithRSAEncryption-CmsOID 11
-(pkinit)
- rc2CBC-EnvOID 12
-(pkinit)
- rsaEncryption-EnvOID 13 (pkinit from PKCS#1
-v1.5)
- rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1
-v2.0)
- des-ede3-cbc-Env-OID 15
-(pkinit)
- des3-cbc-sha1-kd 16 (Tom
-Yu)
- rc4-hmac 23
-(swift)
- rc4-hmac-exp 24
-(swift)
-
- reserved 0x8003
-
- Checksum type sumtype value checksum size
- CRC32 1 4
- rsa-md4 2 16
- rsa-md4-des 3 24
- des-mac 4 16
- des-mac-k 5 8
- rsa-md4-des-k 6 16 (drop rsa ?)
- rsa-md5 7 16 (drop rsa ?)
- rsa-md5-des 8 24 (drop rsa ?)
- rsa-md5-des3 9 24 (drop rsa ?) 
- hmac-sha1-des3-kd 12 20
- hmac-sha1-des3 13 20
- sha1 (unkeyed) 14 20
-
- padata type padata-type value
-
- PA-TGS-REQ 1
- PA-ENC-TIMESTAMP 2
- PA-PW-SALT 3
- reserved 4
- PA-ENC-UNIX-TIME 5 (depricated)
- PA-SANDIA-SECUREID 6
- PA-SESAME 7
- PA-OSF-DCE 8
- PA-CYBERSAFE-SECUREID 9
- PA-AFS3-SALT 10
- PA-ETYPE-INFO 11
- PA-SAM-CHALLENGE 12 (sam/otp)
- PA-SAM-RESPONSE 13 (sam/otp)
- PA-PK-AS-REQ 14 (pkinit)
- PA-PK-AS-REP 15 (pkinit)
- PA-USE-SPECIFIED-KVNO 20
- PA-SAM-REDIRECT 21 (sam/otp)
- PA-GET-FROM-TYPED-DATA 22
- PA-SAM-ETYPE-INFO 23 (sam/otp)
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- data-type value form of typed-data
-
- reserved 1-21
- TD-PADATA 22
- TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS
- TD-KRB-PRINCIPAL 102
- TD-KRB-REALM 103
- TD-TRUSTED-CERTIFIERS 104
- TD-CERTIFICATE-INDEX 105
- TD-APP-DEFINED-ERROR 106
-
- authorization data type ad-type value
- AD-IF-RELEVANT 1
- AD-INTENDED-FOR-SERVER 2
- AD-INTENDED-FOR-APPLICATION-CLASS 3
- AD-KDC-ISSUED 4
- AD-OR 5
- AD-MANDATORY-TICKET-EXTENSIONS 6
- AD-IN-TICKET-EXTENSIONS 7
- reserved values 8-63
- OSF-DCE 64
- SESAME 65
- AD-OSF-DCE-PKI-CERTID 66 (hemsath@us.ibm.com)
- AD-WIN200-PAC 128
-(jbrezak@exchange.microsoft.com)
-
- Ticket Extension Types
-
- TE-TYPE-NULL 0 Null ticket extension
- TE-TYPE-EXTERNAL-ADATA 1 Integrity protected authorization
-data
- reserved 2 TE-TYPE-PKCROSS-KDC
- TE-TYPE-PKCROSS-CLIENT 3 PKCROSS cross realm key ticket
- TE-TYPE-CYBERSAFE-EXT 4 Assigned to CyberSafe Corp
- reserved 5 TE-TYPE-DEST-HOST
-
- alternate authentication type method-type value
- reserved values 0-63
- ATT-CHALLENGE-RESPONSE 64
-
- transited encoding type tr-type value
- DOMAIN-X500-COMPRESS 1
- reserved values all others
-
- Label Value Meaning or MIT code
-
- pvno 5 current Kerberos protocol version number
-
- message types
-
- KRB_AS_REQ 10 Request for initial authentication
- KRB_AS_REP 11 Response to 
KRB_AS_REQ request
- KRB_TGS_REQ 12 Request for authentication based on TGT
- KRB_TGS_REP 13 Response to KRB_TGS_REQ request
- KRB_AP_REQ 14 application request to server
- KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL
- KRB_SAFE 20 Safe (checksummed) application message
- KRB_PRIV 21 Private (encrypted) application message
- KRB_CRED 22 Private (encrypted) message to forward
-credentials
- KRB_ERROR 30 Error response
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- name types
-
- KRB_NT_UNKNOWN 0 Name type not known
- KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or
-for users
- KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt)
- KRB_NT_SRV_HST 3 Service with host name as instance (telnet,
-rcommands)
- KRB_NT_SRV_XHST 4 Service with host as remaining components
- KRB_NT_UID 5 Unique ID
- KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253]
-
- error codes
-
- KDC_ERR_NONE 0 No error
- KDC_ERR_NAME_EXP 1 Client's entry in database has
-expired
- KDC_ERR_SERVICE_EXP 2 Server's entry in database has
-expired
- KDC_ERR_BAD_PVNO 3 Requested protocol version number
-not supported
- KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old
-master key
- KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old
-master key
- KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos
-database
- KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos
-database
- KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in
-database
- KDC_ERR_NULL_KEY 9 The client or server has a null key
- KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating
- KDC_ERR_NEVER_VALID 11 Requested start time is later than
-end time
- KDC_ERR_POLICY 12 KDC policy rejects request
- KDC_ERR_BADOPTION 13 KDC cannot accommodate requested
-option
- KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption
-type
- KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum 
-type - KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type - KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited -type - KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been -revoked - KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been -revoked - KDC_ERR_TGT_REVOKED 20 TGT has been revoked - KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again -later - KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again -later - KDC_ERR_KEY_EXPIRED 23 Password has expired - change -password to reset - KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was -invalid - KDC_ERR_PREAUTH_REQUIRED 25 Additional -pre-authenticationrequired [40] - KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't -match - KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for -user2user only - KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path - KDC_ERR_SVC_UNAVAILABLE 29 A service is not available - KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field -failed - KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired - KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid - KRB_AP_ERR_REPEAT 34 Request is a replay - KRB_AP_ERR_NOT_US 35 The ticket isn't for us - KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't -match - KRB_AP_ERR_SKEW 37 Clock skew too great - KRB_AP_ERR_BADADDR 38 Incorrect net address - KRB_AP_ERR_BADVERSION 39 Protocol version mismatch - KRB_AP_ERR_MSG_TYPE 40 Invalid msg type - KRB_AP_ERR_MODIFIED 41 Message stream modified - KRB_AP_ERR_BADORDER 42 Message out of order - KRB_AP_ERR_BADKEYVER 44 Specified version of key is not -available - KRB_AP_ERR_NOKEY 45 Service key not available - KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed - KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction - KRB_AP_ERR_METHOD 48 Alternative authentication method -required - KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in -message - KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in -message - KRB_AP_PATH_NOT_ACCEPTED 51 Policy 
rejects transited path
- KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry
-with TCP
- KRB_ERR_GENERIC 60 Generic error (description in
-e-text)
- KRB_ERR_FIELD_TOOLONG 61 Field is too long for this
-implementation
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- KDC_ERROR_CLIENT_NOT_TRUSTED 62 (pkinit)
- KDC_ERROR_KDC_NOT_TRUSTED 63 (pkinit)
- KDC_ERROR_INVALID_SIG 64 (pkinit)
- KDC_ERR_KEY_TOO_WEAK 65 (pkinit)
- KDC_ERR_CERTIFICATE_MISMATCH 66 (pkinit)
- KRB_AP_ERR_NO_TGT 67 (user-to-user)
- KDC_ERR_WRONG_REALM 68 (user-to-user)
- KRB_AP_ERR_USER_TO_USER_REQUIRED 69 (user-to-user)
- KDC_ERR_CANT_VERIFY_CERTIFICATE 70 (pkinit)
- KDC_ERR_INVALID_CERTIFICATE 71 (pkinit)
- KDC_ERR_REVOKED_CERTIFICATE 72 (pkinit)
- KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 (pkinit)
- KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 (pkinit)
- KDC_ERR_CLIENT_NAME_MISMATCH 75 (pkinit)
- KDC_ERR_KDC_NAME_MISMATCH 76 (pkinit)
-
- 9. Interoperability requirements
-
- Version 5 of the Kerberos protocol supports a myriad of options. Among
- these are multiple encryption and checksum types, alternative encoding
- schemes for the transited field, optional mechanisms for
- pre-authentication, the handling of tickets with no addresses, options
- for mutual authentication, user to user authentication, support for
- proxies, forwarding, postdating, and renewing tickets, the format of
- realm names, and the handling of authorization data.
-
- In order to ensure the interoperability of realms, it is necessary to
- define a minimal configuration which must be supported by all
- implementations. This minimal configuration is subject to change as
- technology does. For example, if at some later date it is discovered
- that one of the required encryption or checksum algorithms is not
- secure, it will be replaced.
-
- 9.1. Specification 2
-
- This section defines the second specification of these options. 
- Implementations which are configured in this way can be said to
- support Kerberos Version 5 Specification 2 (5.1). Specification 1
- (depricated) may be found in RFC1510.
-
- Transport
-
- TCP/IP and UDP/IP transport must be supported by KDCs claiming
- conformance to specification 2. Kerberos clients claiming conformance
- to specification 2 must support UDP/IP transport for messages with the
- KDC and should support TCP/IP transport.
-
- Encryption and checksum methods
-
- The following encryption and checksum mechanisms must be supported.
- Implementations may support other mechanisms as well, but the
- additional mechanisms may only be used when communicating with
- principals known to also support them: This list is to be determined.
-
- Encryption: DES-CBC-MD5, one triple des variant (tbd)
- Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd)
-
- Realm Names
-
- All implementations must understand hierarchical realms in both the
- Internet Domain and the X.500 style. When a ticket granting ticket for
- an unknown realm is requested, the KDC must be able to determine the
- names of the intermediate realms between the KDCs realm and the
- requested realm.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- Transited field encoding
-
- DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
- Alternative encodings may be supported, but they may be used only when
- that encoding is supported by ALL intermediate realms.
-
- Pre-authentication methods
-
- The TGS-REQ method must be supported. The TGS-REQ method is not used
- on the initial request. The PA-ENC-TIMESTAMP method must be supported
- by clients but whether it is enabled by default may be determined on a
- realm by realm basis. 
If not used in the initial request and the error
- KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
- acceptable method, the client should retry the initial request using
- the PA-ENC-TIMESTAMP preauthentication method. Servers need not
- support the PA-ENC-TIMESTAMP method, but if not supported the server
- should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a
- request.
-
- Mutual authentication
-
- Mutual authentication (via the KRB_AP_REP message) must be supported.
-
- Ticket addresses and flags
-
- All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
- contains no addresses, the KDC will return derivative tickets), but
- each realm may set its own policy for issuing such tickets, and each
- application server will set its own policy with respect to accepting
- them.
-
- Proxies and forwarded tickets must be supported. Individual realms and
- application servers can set their own policy on when such tickets will
- be accepted.
-
- All implementations must recognize renewable and postdated tickets,
- but need not actually implement them. If these options are not
- supported, the starttime and endtime in the ticket shall specify a
- ticket's entire useful life. When a postdated ticket is decoded by a
- server, all implementations shall make the presence of the postdated
- flag visible to the calling server.
-
- User-to-user authentication
-
- Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
- option) must be provided by implementations, but individual realms may
- decide as a matter of policy to reject such requests on a
- per-principal or realm-wide basis. 
-
- Authorization data
-
- Implementations must pass all authorization data subfields from
- ticket-granting tickets to any derivative tickets unless directed to
- suppress a subfield as part of the definition of that registered
- subfield type (it is never incorrect to pass on a subfield, and no
- registered subfield types presently specify suppression at the KDC).
-
- Implementations must make the contents of any authorization data
- subfields available to the server when a ticket is used.
- Implementations are not required to allow clients to specify the
- contents of the authorization data fields.
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- Constant ranges
-
- All protocol constants are constrained to 32 bit (signed) values
- unless further constrained by the protocol definition. This limit is
- provided to allow implementations to make assumptions about the
- maximum values that will be received for these constants.
- Implementation receiving values outside this range may reject the
- request, but they must recover cleanly.
-
- 9.2. Recommended KDC values
-
- Following is a list of recommended values for a KDC implementation,
- based on the list of suggested configuration constants (see section
- 4.4).
-
- minimum lifetime 5 minutes
- maximum renewable lifetime 1 week
- maximum ticket lifetime 1 day
- empty addresses only when suitable restrictions appear
- in authorization data
- proxiable, etc. Allowed.
-
- 10. REFERENCES
-
- [NT94] B. Clifford Neuman and Theodore Y. Ts'o, "An Authenti-
- cation Service for Computer Networks," IEEE Communica-
- tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
-
- [MNSS87] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H.
- Saltzer, Section E.2.1: Kerberos Authentication and
- Authorization System, M.I.T. Project Athena, Cambridge,
- Massachusetts (December 21, 1987).
-
- [SNS88] J. G. Steiner, B. C. Neuman, and J. I. 
Schiller, "Ker-
- beros: An Authentication Service for Open Network Sys-
- tems," pp. 191-202 in Usenix Conference Proceedings,
- Dallas, Texas (February, 1988).
-
- [NS78] Roger M. Needham and Michael D. Schroeder, "Using
- Encryption for Authentication in Large Networks of Com-
- puters," Communications of the ACM, Vol. 21(12),
- pp. 993-999 (December, 1978).
-
- [DS81] Dorothy E. Denning and Giovanni Maria Sacco, "Time-
- stamps in Key Distribution Protocols," Communications
- of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
-
- [KNT92] John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
- "The Evolution of the Kerberos Authentication Service,"
- in an IEEE Computer Society Text soon to be published
- (June 1992).
-
- [Neu93] B. Clifford Neuman, "Proxy-Based Authorization and
- Accounting for Distributed Systems," in Proceedings of
- the 13th International Conference on Distributed Com-
- puting Systems, Pittsburgh, PA (May, 1993).
-
- [DS90] Don Davis and Ralph Swick, "Workstation Services and
- Kerberos Authentication at Project Athena," Technical
- Memorandum TM-424, MIT Laboratory for Computer Science
- (February 1990).
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E. Som-
- merfeld, and K. Raeburn, Section E.1: Service Manage-
- ment System, M.I.T. Project Athena, Cambridge, Mas-
- sachusetts (1987).
-
- [X509-88] CCITT, Recommendation X.509: The Directory Authentica-
- tion Framework, December 1988.
-
- [Pat92]. J. Pato, Using Pre-Authentication to Avoid Password
- Guessing Attacks, Open Software Foundation DCE Request
- for Comments 26 (December 1992).
-
- [DES77] National Bureau of Standards, U.S. Department of Com-
- merce, "Data Encryption Standard," Federal Information
- Processing Standards Publication 46, Washington, DC
- (1977).
-
- [DESM80] National Bureau of Standards, U.S. 
Department of Com- - merce, "DES Modes of Operation," Federal Information - Processing Standards Publication 81, Springfield, VA - (December 1980). - - [SG92] Stuart G. Stubblebine and Virgil D. Gligor, "On Message - Integrity in Cryptographic Protocols," in Proceedings - of the IEEE Symposium on Research in Security and - Privacy, Oakland, California (May 1992). - - [IS3309] International Organization for Standardization, "ISO - Information Processing Systems - Data Communication - - High-Level Data Link Control Procedure - Frame Struc- - ture," IS 3309 (October 1984). 3rd Edition. - - [MD4-92] R. Rivest, "The MD4 Message Digest Algorithm," RFC - 1320, MIT Laboratory for Computer Science (April - 1992). - - [MD5-92] R. Rivest, "The MD5 Message Digest Algorithm," RFC - 1321, MIT Laboratory for Computer Science (April - 1992). - - [KBC96] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed- - Hashing for Message Authentication," Working Draft - draft-ietf-ipsec-hmac-md5-01.txt, (August 1996). - - [Horowitz96] Horowitz, M., "Key Derivation for Authentication, - Integrity, and Privacy", -draft-horowitz-key-derivation-02.txt, - August 1998. - - [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft- - horowitz-kerb-key-derivation-01.txt, September 1998. - - [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC: - Keyed-Hashing for Message Authentication", -draft-ietf-ipsec-hmac- - md5-01.txt, August, 1996. - - A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the messages are to - be constructed and interpreted by clients and servers. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - A.1. 
KRB_AS_REQ generation
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt",
-"localrealm" */
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
- A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation
-
- decode message into req;
-
- client := lookup(req.cname,req.realm);
- server := lookup(req.sname,req.realm);
-
- get system_time;
- kdc_time := system_time.seconds;
-
- if (!client) then
- /* no client in Database */
- error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
- endif
- if (!server) then
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
-
- if(client.pa_enc_timestamp_required and
- pa_enc_timestamp not present) then
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
- endif
-
- if(pa_enc_timestamp present) then
- decrypt req.padata-value into decrypted_enc_timestamp
- using client.key;
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- if(decrypted_enc_timestamp is not within allowable
-skew) then
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- if(decrypted_enc_timestamp and usec is replay)
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- add decrypted_enc_timestamp and usec to replay cache;
- endif
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := req.srealm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. 
For example, some */
- /* realms may refuse to issue renewable tickets */
-
- if (req.kdc-options.FORWARDABLE is set) then
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.PROXIABLE is set) then
- set new_tkt.flags.PROXIABLE;
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if ((req.kdc-options.RENEW is set) or
- (req.kdc-options.VALIDATE is set) or
- (req.kdc-options.PROXY is set) or
- (req.kdc-options.FORWARDED is set) or
- (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
- error_out(KDC_ERR_BADOPTION);
- endif
-
- new_tkt.session := random_session_key();
- new_tkt.cname := req.cname;
- new_tkt.crealm := req.crealm;
- new_tkt.transited := empty_transited_field();
-
- new_tkt.authtime := kdc_time;
-
- if (req.kdc-options.POSTDATED is set) then
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- new_tkt.starttime := req.from;
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- else
- omit new_tkt.starttime; /* treated as authtime when omitted
-*/
- endif
- if (req.till = 0) then
- till := infinity;
- else
- till := req.till;
- endif
-
- new_tkt.endtime := min(till,
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
- new_tkt.starttime+max_life_for_realm);
-
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (new_tkt.endtime < req.till)) then
- /* we set the RENEWABLE option for later processing */
- set req.kdc-options.RENEWABLE;
- req.rtime := req.till;
- endif
-
- if (req.rtime = 0) then
- rtime := infinity;
- else
- rtime := req.rtime;
- endif
-
- if (req.kdc-options.RENEWABLE is set) then
- set new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
-
-new_tkt.starttime+client.max_rlife,
-
-new_tkt.starttime+server.max_rlife,
-
-new_tkt.starttime+max_rlife_for_realm);
- else
- omit new_tkt.renew-till; /* 
only present if RENEWABLE
-*/
- endif
-
- if (req.addresses) then
- new_tkt.caddr := req.addresses;
- else
- omit new_tkt.caddr;
- endif
-
- new_tkt.authorization_data := empty_authorization_data();
-
- encode to-be-encrypted part of ticket into OCTET STRING;
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key,
-server.p_kvno;
-
- /* Start processing the response */
-
- resp.pvno := 5;
- resp.msg-type := KRB_AS_REP;
- resp.cname := req.cname;
- resp.crealm := req.realm;
- resp.ticket := new_tkt;
-
- resp.key := new_tkt.session;
- resp.last-req := fetch_last_request_info(client);
- resp.nonce := req.nonce;
- resp.key-expiration := client.expiration;
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- resp.endtime := new_tkt.endtime;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- resp.realm := new_tkt.realm;
- resp.sname := new_tkt.sname;
-
- resp.caddr := new_tkt.caddr;
-
- encode body of reply into OCTET STRING;
-
- resp.enc-part := encrypt OCTET STRING
- using use_etype, client.key, client.p_kvno;
- send(resp);
-
- A.3. 
KRB_AS_REP verification
-
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP))
-then
- set pa_enc_timestamp_required;
- goto KRB_AS_REQ;
- endif
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key */
- /* from the response immediately */
-
- key = get_decryption_key(resp.enc-part.kvno,
-resp.enc-part.etype,
- resp.padata);
- unencrypted part of resp := decode of decrypt of resp.enc-part
- using resp.enc-part.etype and key;
- zero(key);
-
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- if near(resp.princ_exp) then
- print(warning message);
- endif
- save_for_later(ticket,session,client,server,times,flags);
-
- A.4. KRB_AS_REP and KRB_TGS_REP common checks
-
- if (decryption_error() or
- (req.cname != resp.cname) or
- (req.realm != resp.crealm) or
- (req.sname != resp.sname) or
- (req.realm != resp.realm) or
- (req.nonce != resp.nonce) or
- (req.addresses != resp.caddr)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- /* make sure no flags are set that shouldn't be, and that all
-that */
- /* should be are set
-*/
- if (!check_flags_for_compatability(req.kdc-options,resp.flags))
-then
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.from = 0) and
- (resp.starttime is not within allowable skew)) then
- destroy resp.key;
- return KRB_AP_ERR_SKEW;
- endif
- if ((req.from != 0) and (req.from != resp.starttime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.till != 0) and (resp.endtime > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.kdc-options.RENEWABLE is set) and
- (req.rtime != 0) and (resp.renew-till > req.rtime)) then
- destroy resp.key;
- return 
KRB_AP_ERR_MODIFIED;
- endif
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (resp.flags.RENEWABLE) and
- (req.till != 0) and
- (resp.renew-till > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- A.5. KRB_TGS_REQ generation
-
- /* Note that make_application_request might have to recursivly
-*/
- /* call this routine to get the appropriate ticket-granting
-ticket */
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_TGS_REQ */
-
- body.kdc-options := users's preferences;
- /* If the TGT is not for the realm of the end-server */
- /* then the sname will be for a TGT for the end-realm */
- /* and the realm of the requested ticket (body.realm) */
- /* will be that of the TGS to which the TGT we are */
- /* sending applies */
- body.sname := service's name;
- body.realm := service's realm;
-
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- body.enc-authorization-data := user-supplied data;
- if (body.kdc-options.ENC-TKT-IN-SKEY) then
- body.additional-tickets_ticket := second TGT;
- endif
-
- request.req-body := body;
- check := generate_checksum (req.body,checksumtype);
-
- request.padata[0].padata-type := PA-TGS-REQ;
- request.padata[0].padata-value := create a KRB_AP_REQ using
- the TGT and checksum
-
- /* add in any other padata as required/supplied */
-
- kerberos := lookup(name of local kerberose server (or
-servers));
- send(packet,kerberos);
-
- wait(for response);
- if 
(timed_out) then
- retry or use alternate server;
- endif
-
- A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
-
- /* note that reading the application request requires first
- determining the server for which a ticket was issued, and
-choosing the
- correct key for decryption. The name of the server appears in
-the
- plaintext part of the ticket. */
-
- if (no KRB_AP_REQ in req.padata) then
- error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
- endif
- verify KRB_AP_REQ in req.padata;
-
- /* Note that the realm in which the Kerberos server is
-operating is
- determined by the instance from the ticket-granting ticket.
-The realm
- in the ticket-granting ticket is the realm under which the
-ticket
- granting ticket was issued. It is possible for a single
-Kerberos
- server to support more than one realm. */
-
- auth_hdr := KRB_AP_REQ;
- tgt := auth_hdr.ticket;
-
- if (tgt.sname is not a TGT for local realm and is not
-req.sname) then
- error_out(KRB_AP_ERR_NOT_US);
-
- realm := realm_tgt_is_for(tgt);
-
- decode remainder of request;
-
- if (auth_hdr.authenticator.cksum is missing) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
-
- if (auth_hdr.authenticator.cksum type is not supported) then
- error_out(KDC_ERR_SUMTYPE_NOSUPP);
- endif
- if (auth_hdr.authenticator.cksum is not both collision-proof
-and keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
-
- set computed_checksum := checksum(req);
- if (computed_checksum != auth_hdr.authenticatory.cksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
-
- server := lookup(req.sname,realm);
-
- if (!server) then
- if (is_foreign_tgt_name(req.sname)) then
- server := best_intermediate_tgs(req.sname);
- else
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
- endif
-
- session := generate_random_session_key();
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := realm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. For example, some */
- /* realms may refuse to issue renewable tickets */
-
- new_tkt.caddr := tgt.caddr;
- resp.caddr := NULL; /* We only include this if they change */
- if (req.kdc-options.FORWARDABLE is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.FORWARDED is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDED;
- new_tkt.caddr := req.addresses;
- resp.caddr := req.addresses;
- endif
- if (tgt.flags.FORWARDED is set) then
- set new_tkt.flags.FORWARDED;
- endif
-
- if (req.kdc-options.PROXIABLE is set) then
- if (tgt.flags.PROXIABLE is reset)
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXIABLE;
- endif
- if (req.kdc-options.PROXY is set) then
- if (tgt.flags.PROXIABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXY;
- new_tkt.caddr := req.addresses;
- resp.caddr := req.addresses;
- endif
-
- if (req.kdc-options.ALLOW-POSTDATE is set) then
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- if (tgt.flags.MAY-POSTDATE is reset)
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.MAY-POSTDATE;
- endif
- if (req.kdc-options.POSTDATED is set) then
- if (tgt.flags.MAY-POSTDATE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- new_tkt.starttime := req.from;
- endif
-
- if (req.kdc-options.VALIDATE
is set) then - if (tgt.flags.INVALID is reset) then - error_out(KDC_ERR_POLICY); - endif - if (tgt.starttime > kdc_time) then - error_out(KRB_AP_ERR_NYV); - endif - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket -would */ - /* have been rejected in the initial authentication stage, so -*/ - /* there is no need to check again here -*/ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till < kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - -new_tkt.starttime+client.max_life, - -new_tkt.starttime+server.max_life, - -new_tkt.starttime+max_life_for_realm, - tgt.endtime); - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later -processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - -new_tkt.starttime+client.max_rlife, - 
-new_tkt.starttime+server.max_rlife, - -new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; /* leave the renew-till -field out */ - endif - if (req.enc-authorization-data is present) then - decrypt req.enc-authorization-data into -decrypted_authorization_data - using auth_hdr.authenticator.subkey; - if (decrypt_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - endif - new_tkt.authorization_data := -req.auth_hdr.ticket.authorization_data + - decrypted_authorization_data; - - new_tkt.key := session; - new_tkt.crealm := tgt.crealm; - new_tkt.cname := req.auth_hdr.ticket.cname; - - if (realm_tgt_is_for(tgt) := tgt.realm) then - /* tgt issued by local realm */ - new_tkt.transited := tgt.transited; - else - /* was issued for this realm by some other realm */ - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + -tgt.realm) - /* Don't check tranited field if TGT for foreign realm, - * or requested not to check */ - if (is_not_foreign_tgt_name(new_tkt.server) - && req.kdc-options.DISABLE-TRANSITED-CHECK not set) -then - /* Check it, so end-server does not have to - * but don't fail, end-server may still accept -it */ - if (check_transited_field(new_tkt.transited) == -OK) - set -new_tkt.flags.TRANSITED-POLICY-CHECKED; - endif - endif - endif - - encode encrypted part of new_tkt into OCTET STRING; - if (req.kdc-options.ENC-TKT-IN-SKEY is set) then - if (server not specified) then - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - - new_tkt.enc-part := encrypt OCTET STRING using - using etype_for_key(second-ticket.key), -second-ticket.key; - else - new_tkt.enc-part := encrypt OCTET 
STRING - using etype_for_key(server.key), server.key, -server.p_kvno; - endif - - resp.pvno := 5; - resp.msg-type := KRB_TGS_REP; - resp.crealm := tgt.crealm; - resp.cname := tgt.cname; - resp.ticket := new_tkt; - - resp.key := session; - resp.nonce := req.nonce; - resp.last-req := fetch_last_request_info(client); - resp.flags := new_tkt.flags; - - resp.authtime := new_tkt.authtime; - resp.starttime := new_tkt.starttime; - resp.endtime := new_tkt.endtime; - - omit resp.key-expiration; - - resp.sname := new_tkt.sname; - resp.realm := new_tkt.realm; - - if (new_tkt.flags.RENEWABLE) then - resp.renew-till := new_tkt.renew-till; - endif - - encode body of reply into OCTET STRING; - - if (req.padata.authenticator.subkey) - resp.enc-part := encrypt OCTET STRING using use_etype, - req.padata.authenticator.subkey; - else resp.enc-part := encrypt OCTET STRING using use_etype, -tgt.key; - - send(resp); - - A.7. KRB_TGS_REP verification - - decode response into resp; - - if (resp.msg-type = KRB_ERROR) then - process_error(resp); - return; - endif - - /* On error, discard the response, and zero the session key -from - the response immediately */ - - if (req.padata.authenticator.subkey) - unencrypted part of resp := decode of decrypt of -resp.enc-part - using resp.enc-part.etype and subkey; - else unencrypted part of resp := decode of decrypt of -resp.enc-part - using resp.enc-part.etype and tgt's -session key; - if (common_as_rep_tgs_rep_checks fail) then - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - destroy resp.key; - return error; - endif - - check authorization_data as necessary; - save_for_later(ticket,session,client,server,times,flags); - - A.8. 
Authenticator generation
-
- body.authenticator-vno := authenticator vno; /* = 5 */
- body.cname, body.crealm := client name;
- if (supplying checksum) then
- body.cksum := checksum;
- endif
- get system_time;
- body.ctime, body.cusec := system_time;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
- A.9. KRB_AP_REQ generation
-
- obtain ticket and session_key from cache;
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REQ */
-
- if (desired(MUTUAL_AUTHENTICATION)) then
- set packet.ap-options.MUTUAL-REQUIRED;
- else
- reset packet.ap-options.MUTUAL-REQUIRED;
- endif
- if (using session key for ticket) then
- set packet.ap-options.USE-SESSION-KEY;
- else
- reset packet.ap-options.USE-SESSION-KEY;
- endif
- packet.ticket := ticket; /* ticket */
- generate authenticator;
- encode authenticator into OCTET STRING;
- encrypt OCTET STRING into packet.authenticator using
-session_key;
-
- A.10.
KRB_AP_REQ verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REQ) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.ticket.tkt_vno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.ap_options.USE-SESSION-KEY is set) then
- retrieve session key from ticket-granting ticket for
- packet.ticket.{sname,srealm,enc-part.etype};
- else
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- retrieve service key for
-
-packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
- endif
- if (no_key_available) then
- if (cannot_find_specified_skvno) then
- error_out(KRB_AP_ERR_BADKEYVER);
- else
- error_out(KRB_AP_ERR_NOKEY);
- endif
- endif
- decrypt packet.ticket.enc-part into decr_ticket using retrieved
-key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- decrypt packet.authenticator into decr_authenticator
- using decr_ticket.key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (decr_authenticator.{cname,crealm} !=
- decr_ticket.{cname,crealm}) then
- error_out(KRB_AP_ERR_BADMATCH);
- endif
- if (decr_ticket.caddr is present) then
- if (sender_address(packet) is not in decr_ticket.caddr)
-then
- error_out(KRB_AP_ERR_BADADDR);
- endif
- elseif (application requires addresses) then
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (not in_clock_skew(decr_authenticator.ctime,
- decr_authenticator.cusec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(decr_authenticator.{ctime,cusec,cname,crealm}))
-then
- error_out(KRB_AP_ERR_REPEAT);
- endif
- save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
- get system_time;
- if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
- (decr_ticket.flags.INVALID is set)) then
- /* it hasn't yet become valid */
- error_out(KRB_AP_ERR_TKT_NYV);
- endif
- if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
- error_out(KRB_AP_ERR_TKT_EXPIRED);
- endif
- if (decr_ticket.transited) then
- /* caller may ignore the TRANSITED-POLICY-CHECKED and do
- * check anyway */
- if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set)
-then
- if (check_transited_field(decr_ticket.transited) then
- error_out(KDC_AP_PATH_NOT_ACCPETED);
- endif
- endif
- endif
- /* caller must check decr_ticket.flags for any pertinent
-details */
- return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
-
- A.11. KRB_AP_REP generation
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REP */
-
- body.ctime := packet.ctime;
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- body.cusec := packet.cusec;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part;
-
- A.12.
KRB_AP_REP verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REP) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- cleartext := decrypt(packet.enc-part) using ticket's session
-key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (cleartext.ctime != authenticator.ctime) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.cusec != authenticator.cusec) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.subkey is present) then
- save cleartext.subkey for future use;
- endif
- if (cleartext.seq-number is present) then
- save cleartext.seq-number for future verifications;
- endif
- return(AUTHENTICATION_SUCCEEDED);
-
- A.13. KRB_SAFE generation
-
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_SAFE */
-
- body.user-data := buffer; /* DATA */
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
- checksum.cksumtype := checksum type;
- compute checksum over body;
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- checksum.checksum := checksum value; /* checksum.checksum */
- packet.cksum := checksum;
- packet.safe-body := body;
-
- A.14.
KRB_SAFE verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_SAFE) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.checksum.cksumtype is not both collision-proof and
-keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
- if (safe_priv_common_checks_ok(packet)) then
- set computed_checksum := checksum(packet.body);
- if (computed_checksum != packet.checksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
- return (packet, PACKET_IS_GENUINE);
- else
- return common_checks_error;
- endif
-
- A.15. KRB_SAFE and KRB_PRIV common checks
-
- if (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it
-*/
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (((packet.timestamp is present) and
- (not in_clock_skew(packet.timestamp,packet.usec))) or
- (packet.timestamp is not present and timestamp expected))
-then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address))
-then
- error_out(KRB_AP_ERR_REPEAT);
- endif
-
- if (((packet.seq-number is present) and
- ((not in_sequence(packet.seq-number)))) or
- (packet.seq-number is not present and sequence expected))
-then
- error_out(KRB_AP_ERR_BADORDER);
- endif
- if (packet.timestamp not present and packet.seq-number not
-present) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- save_identifier(packet.{timestamp,usec,s-address},
- sender_principal(packet));
-
- return PACKET_IS_OK;
-
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- A.16.
KRB_PRIV generation - - collect user data in buffer; - - /* assemble packet: */ - packet.pvno := protocol version; /* 5 */ - packet.msg-type := message type; /* KRB_PRIV */ - - packet.enc-part.etype := encryption type; - - body.user-data := buffer; - if (using timestamp) then - get system_time; - body.timestamp, body.usec := system_time; - endif - if (using sequence numbers) then - body.seq-number := sequence number; - endif - body.s-address := sender host addresses; - if (only one recipient) then - body.r-address := recipient host address; - endif - - encode body into OCTET STRING; - - select encryption type; - encrypt OCTET STRING into packet.enc-part.cipher; - - A.17. KRB_PRIV verification - - receive packet; - if (packet.pvno != 5) then - either process using other protocol spec - or error_out(KRB_AP_ERR_BADVERSION); - endif - if (packet.msg-type != KRB_PRIV) then - error_out(KRB_AP_ERR_MSG_TYPE); - endif - - cleartext := decrypt(packet.enc-part) using negotiated key; - if (decryption_error()) then - error_out(KRB_AP_ERR_BAD_INTEGRITY); - endif - - if (safe_priv_common_checks_ok(cleartext)) then - return(cleartext.DATA, -PACKET_IS_GENUINE_AND_UNMODIFIED); - else - return common_checks_error; - endif - - A.18. 
KRB_CRED generation
-
- invoke KRB_TGS; /* obtain tickets to be provided to peer */
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_CRED */
-
- for (tickets[n] in tickets to be forwarded) do
- packet.tickets[n] = tickets[n].ticket;
- done
-
- packet.enc-part.etype := encryption type;
-
- for (ticket[n] in tickets to be forwarded) do
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- body.ticket-info[n].key = tickets[n].session;
- body.ticket-info[n].prealm = tickets[n].crealm;
- body.ticket-info[n].pname = tickets[n].cname;
- body.ticket-info[n].flags = tickets[n].flags;
- body.ticket-info[n].authtime = tickets[n].authtime;
- body.ticket-info[n].starttime = tickets[n].starttime;
- body.ticket-info[n].endtime = tickets[n].endtime;
- body.ticket-info[n].renew-till = tickets[n].renew-till;
- body.ticket-info[n].srealm = tickets[n].srealm;
- body.ticket-info[n].sname = tickets[n].sname;
- body.ticket-info[n].caddr = tickets[n].caddr;
- done
-
- get system_time;
- body.timestamp, body.usec := system_time;
-
- if (using nonce) then
- body.nonce := nonce;
- endif
-
- if (using s-address) then
- body.s-address := sender host addresses;
- endif
- if (limited recipients) then
- body.r-address := recipient host address;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher
- using negotiated encryption key;
-
- A.19.
KRB_CRED verification
-
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_CRED) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if ((packet.r-address is present or required) and
- (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it
-*/
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (not in_clock_skew(packet.timestamp,packet.usec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address))
-then
- error_out(KRB_AP_ERR_REPEAT);
- endif
- if (packet.nonce is required or present) and
-
-Neuman, Ts'o, Kohl Expires: 14 January
-2001
-
-^L
-
-INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14,
-2000
-
- (packet.nonce != expected-nonce) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- for (ticket[n] in tickets that were forwarded) do
- save_for_later(ticket[n],key[n],principal[n],
- server[n],times[n],flags[n]);
- return
-
- A.20. KRB_ERROR generation
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_ERROR */
-
- get system_time;
- packet.stime, packet.susec := system_time;
- packet.realm, packet.sname := server name;
-
- if (client time available) then
- packet.ctime, packet.cusec := client_time;
- endif
- packet.error-code := error code;
- if (client name available) then
- packet.cname, packet.crealm := client name;
- endif
- if (error text available) then
- packet.e-text := error text;
- endif
- if (error data available) then
- packet.e-data := error data;
- endif
-
- B.
Definition of common authorization data elements - - This appendix contains the definitions of common authorization data - elements. These common authorization data elements are recursivly - defined, meaning the ad-data for these types will itself contain a - sequence of authorization data whose interpretation is affected by the - encapsulating element. Depending on the meaning of the encapsulating - element, the encapsulated elements may be ignored, might be - interpreted as issued directly by the KDC, or they might be stored in - a separate plaintext part of the ticket. The types of the - encapsulating elements are specified as part of the Kerberos - specification because the behavior based on these values should be - understood across implementations whereas other elements need only be - understood by the applications which they affect. - - In the definitions that follow, the value of the ad-type for the - element will be specified in the subsection number, and the value of - the ad-data will be as shown in the ASN.1 structure that follows the - subsection heading. - - B.1. If relevant - - AD-IF-RELEVANT AuthorizationData - - AD elements encapsulated within the if-relevant element are intended - for interpretation only by application servers that understand the - particular ad-type of the embedded element. Application servers that - do not understand the type of an element embedded within the - if-relevant element may ignore the uninterpretable element. This - element promotes interoperability across implementations which may - have local extensions for authorization. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - B.2. 
Intended for server - - AD-INTENDED-FOR-SERVER SEQUENCE { - intended-server[0] SEQUENCE OF PrincipalName - elements[1] AuthorizationData - } - - AD elements encapsulated within the intended-for-server element may be - ignored if the application server is not in the list of principal - names of intended servers. Further, a KDC issuing a ticket for an - application server can remove this element if the application server - is not in the list of intended servers. - - Application servers should check for their principal name in the - intended-server field of this element. If their principal name is not - found, this element should be ignored. If found, then the encapsulated - elements should be evaluated in the same manner as if they were - present in the top level authorization data field. Applications and - application servers that do not implement this element should reject - tickets that contain authorization data elements of this type. - - B.3. Intended for application class - - AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { - intended-application-class[0] SEQUENCE OF GeneralString elements[1] - AuthorizationData } AD elements encapsulated within the - intended-for-application-class element may be ignored if the - application server is not in one of the named classes of application - servers. Examples of application server classes include "FILESYSTEM", - and other kinds of servers. - - This element and the elements it encapulates may be safely ignored by - applications, application servers, and KDCs that do not implement this - element. - - B.4. KDC Issued - - AD-KDCIssued SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData. - } - - ad-checksum - A checksum over the elements field using a cryptographic checksum - method that is identical to the checksum used to protect the - ticket itself (i.e. 
using the same hash function and the same - encryption algorithm used to encrypt the ticket) and using a key - derived from the same key used to protect the ticket. - i-realm, i-sname - The name of the issuing principal if different from the KDC - itself. This field would be used when the KDC can verify the - authenticity of elements signed by the issuing principal and it - allows this KDC to notify the application server of the validity - of those elements. - elements - A sequence of authorization data elements issued by the KDC. - The KDC-issued ad-data field is intended to provide a means for - Kerberos principal credentials to embed within themselves privilege - attributes and other mechanisms for positive authorization, amplifying - the priveleges of the principal beyond what can be done using a - credentials without such an a-data element. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - This can not be provided without this element because the definition - of the authorization-data field allows elements to be added at will by - the bearer of a TGT at the time that they request service tickets and - elements may also be added to a delegated ticket by inclusion in the - authenticator. - - For KDC-issued elements this is prevented because the elements are - signed by the KDC by including a checksum encrypted using the server's - key (the same key used to encrypt the ticket - or a key derived from - that key). Elements encapsulated with in the KDC-issued element will - be ignored by the application server if this "signature" is not - present. Further, elements encapsulated within this element from a - ticket granting ticket may be interpreted by the KDC, and used as a - basis according to policy for including new signed elements within - derivative tickets, but they will not be copied to a derivative ticket - directly. 
If they are copied directly to a derivative ticket by a KDC - that is not aware of this element, the signature will not be correct - for the application ticket elements, and the field will be ignored by - the application server. - - This element and the elements it encapulates may be safely ignored by - applications, application servers, and KDCs that do not implement this - element. - - B.5. And-Or - - AD-AND-OR SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData - } - - When restrictive AD elements encapsulated within the and-or element - are encountered, only the number specified in condition-count of the - encapsulated conditions must be met in order to satisfy this element. - This element may be used to implement an "or" operation by setting the - condition-count field to 1, and it may specify an "and" operation by - setting the condition count to the number of embedded elements. - Application servers that do not implement this element must reject - tickets that contain authorization data elements of this type. - - B.6. Mandatory ticket extensions - - AD-Mandatory-Ticket-Extensions SEQUENCE { - te-type[0] INTEGER, - te-checksum[0] Checksum - } - - An authorization data element of type mandatory-ticket-extensions - specifies the type and a collision-proof checksum using the same hash - algorithm used to protect the integrity of the ticket itself. This - checksum will be calculated over an individual extension field of the - type indicated. If there are more than one extension, multiple - Mandatory-Ticket-Extensions authorization data elements may be - present, each with a checksum for a different extension field. This - restriction indicates that the ticket should not be accepted if a - ticket extension is not present in the ticket for which the type and - checksum do not match that checksum specified in the authorization - data element. 
Note that although the type is redundant for the - purposes of the comparison, it makes the comparison easier when - multiple extensions are present. Application servers that do not - implement this element must reject tickets that contain authorization - data elements of this type. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - B.7. Authorization Data in ticket extensions - - AD-IN-Ticket-Extensions Checksum - - An authorization data element of type in-ticket-extensions specifies a - collision-proof checksum using the same hash algorithm used to protect - the integrity of the ticket itself. This checksum is calculated over a - separate external AuthorizationData field carried in the ticket - extensions. Application servers that do not implement this element - must reject tickets that contain authorization data elements of this - type. Application servers that do implement this element will search - the ticket extensions for authorization data fields, calculate the - specified checksum over each authorization data field and look for one - matching the checksum in this in-ticket-extensions element. If not - found, then the ticket must be rejected. If found, the corresponding - authorization data elements will be interpreted in the same manner as - if they were contained in the top level authorization data field. - - Note that if multiple external authorization data fields are present - in a ticket, each will have a corresponding element of type - in-ticket-extensions in the top level authorization data field, and - the external entries will be linked to the corresponding element by - their checksums. - - C. Definition of common ticket extensions - - This appendix contains the definitions of common ticket extensions. - Support for these extensions is optional. 
However, certain extensions - have associated authorization data elements that may require rejection - of a ticket containing an extension by application servers that do not - implement the particular extension. Other extensions have been defined - beyond those described in this specification. Such extensions are - described elswhere and for some of those extensions the reserved - number may be found in the list of constants. - - It is known that older versions of Kerberos did not support this - field, and that some clients will strip this field from a ticket when - they parse and then reassemble a ticket as it is passed to the - application servers. The presence of the extension will not break such - clients, but any functionaly dependent on the extensions will not work - when such tickets are handled by old clients. In such situations, some - implementation may use alternate methods to transmit the information - in the extensions field. - - C.1. Null ticket extension - - TE-NullExtension OctetString -- The empty Octet String - - The te-data field in the null ticket extension is an octet string of - lenght zero. This extension may be included in a ticket granting - ticket so that the KDC can determine on presentation of the ticket - granting ticket whether the client software will strip the extensions - field. - - C.2. External Authorization Data - - TE-ExternalAuthorizationData AuthorizationData - - The te-data field in the external authorization data ticket extension - is field of type AuthorizationData containing one or more - authorization data elements. If present, a corresponding authorization - data element will be present in the primary authorization data for the - ticket and that element will contain a checksum of the external - authorization data ticket extension. 
- -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - ---------------------------------------------------------------------- - [TM] Project Athena, Athena, and Kerberos are trademarks of the - Massachusetts Institute of Technology (MIT). No commercial use of - these trademarks may be made without prior written permission of MIT. - - [1] Note, however, that many applications use Kerberos' functions only - upon the initiation of a stream-based network connection. Unless an - application subsequently provides integrity protection for the data - stream, the identity verification applies only to the initiation of - the connection, and does not guarantee that subsequent messages on the - connection originate from the same principal. - - [2] Secret and private are often used interchangeably in the - literature. In our usage, it takes two (or more) to share a secret, - thus a shared DES key is a secret key. Something is only private when - no one but its owner knows it. Thus, in public key cryptosystems, one - has a public and a private key. - - [3] Of course, with appropriate permission the client could arrange - registration of a separately-named prin- cipal in a remote realm, and - engage in normal exchanges with that realm's services. However, for - even small numbers of clients this becomes cumbersome, and more - automatic methods as described here are necessary. - - [4] Though it is permissible to request or issue tick- ets with no - network addresses specified. - - [5] The password-changing request must not be honored unless the - requester can provide the old password (the user's current secret - key). Otherwise, it would be possible for someone to walk up to an - unattended ses- sion and change another user's password. 
- - [6] To authenticate a user logging on to a local system, the - credentials obtained in the AS exchange may first be used in a TGS - exchange to obtain credentials for a local server. Those credentials - must then be verified by a local server through successful completion - of the Client/Server exchange. - - [7] "Random" means that, among other things, it should be impossible - to guess the next session key based on knowledge of past session keys. - This can only be achieved in a pseudo-random number generator if it is - based on cryptographic principles. It is more desirable to use a truly - random number generator, such as one based on measurements of random - physical phenomena. - - [8] Tickets contain both an encrypted and unencrypted portion, so - cleartext here refers to the entire unit, which can be copied from one - message and replayed in another without any cryptographic skill. - - [9] Note that this can make applications based on unreliable - transports difficult to code correctly. If the transport might deliver - duplicated messages, either a new authenticator must be generated for - each retry, or the application server must match requests and replies - and replay the first reply in response to a detected duplicate. - - [10] This is used for user-to-user authentication as described in [8]. - - [11] Note that the rejection here is restricted to authenticators from - the same principal to the same server. Other client principals - communicating with the same server principal should not be have their - authenticators rejected if the time and microsecond fields happen to - match some other client's authenticator. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - [12] In the Kerberos version 4 protocol, the timestamp in the reply - was the client's timestamp plus one. 
This is not necessary in version - 5 because version 5 messages are formatted in such a way that it is - not possible to create the reply by judicious message surgery (even in - encrypted form) without knowledge of the appropriate encryption keys. - - [13] Note that for encrypting the KRB_AP_REP message, the sub-session - key is not used, even if present in the Authenticator. - - [14] Implementations of the protocol may wish to provide routines to - choose subkeys based on session keys and random numbers and to - generate a negotiated key to be returned in the KRB_AP_REP message. - - [15]This can be accomplished in several ways. It might be known - beforehand (since the realm is part of the principal identifier), it - might be stored in a nameserver, or it might be obtained from a - configura- tion file. If the realm to be used is obtained from a - nameserver, there is a danger of being spoofed if the nameservice - providing the realm name is not authenti- cated. This might result in - the use of a realm which has been compromised, and would result in an - attacker's ability to compromise the authentication of the application - server to the client. - - [16] If the client selects a sub-session key, care must be taken to - ensure the randomness of the selected sub- session key. One approach - would be to generate a random number and XOR it with the session key - from the ticket-granting ticket. - - [17] This allows easy implementation of user-to-user authentication - [8], which uses ticket-granting ticket session keys in lieu of secret - server keys in situa- tions where such secret keys could be easily - comprom- ised. - - [18] For the purpose of appending, the realm preceding the first - listed realm is considered to be the null realm (""). - - [19] For the purpose of interpreting null subfields, the client's - realm is considered to precede those in the transited field, and the - server's realm is considered to follow them. 
- - [20] This means that a client and server running on the same host and - communicating with one another using the KRB_SAFE messages should not - share a common replay cache to detect KRB_SAFE replays. - - [21] The implementation of the Kerberos server need not combine the - database and the server on the same machine; it is feasible to store - the principal database in, say, a network name service, as long as the - entries stored therein are protected from disclosure to and - modification by unauthorized parties. However, we recommend against - such strategies, as they can make system management and threat - analysis quite complex. - - [22] See the discussion of the padata field in section 5.4.2 for - details on why this can be useful. - - [23] Warning for implementations that unpack and repack data - structures during the generation and verification of embedded - checksums: Because any checksums applied to data structures must be - checked against the original data the length of bit strings must be - preserved within a data structure between the time that a checksum is - generated through transmission to the time that the checksum is - verified. - - -Neuman, Ts'o, Kohl Expires: 14 January -2001 - -^L - -INTERNET-DRAFT draft-ietf-cat-kerberos-revisions-06 July 14, -2000 - - [24] It is NOT recommended that this time value be used to adjust the - workstation's clock since the workstation cannot reliably determine - that such a KRB_AS_REP actually came from the proper KDC in a timely - manner. - - [25] Note, however, that if the time is used as the nonce, one must - make sure that the workstation time is monotonically increasing. If - the time is ever reset backwards, there is a small, but finite, - probability that a nonce will be reused. - - [27] An application code in the encrypted part of a message provides - an additional check that the message was decrypted properly. 
- - [29] An application code in the encrypted part of a message provides - an additional check that the message was decrypted properly. - - [31] An application code in the encrypted part of a message provides - an additional check that the message was decrypted properly. - - [32] If supported by the encryption method in use, an initialization - vector may be passed to the encryption procedure, in order to achieve - proper cipher chaining. The initialization vector might come from the - last block of the ciphertext from the previous KRB_PRIV message, but - it is the application's choice whether or not to use such an - initialization vector. If left out, the default initialization vector - for the encryption algorithm will be used. - - [33] This prevents an attacker who generates an incorrect AS request - from obtaining verifiable plaintext for use in an off-line password - guessing attack. - - [35] In the above specification, UNTAGGED OCTET STRING(length) is the - notation for an octet string with its tag and length removed. It is - not a valid ASN.1 type. The tag bits and length must be removed from - the confounder since the purpose of the confounder is so that the - message starts with random data, but the tag and its length are fixed. - For other fields, the length and tag would be redundant if they were - included because they are specified by the encryption type. [36] The - ordering of the fields in the CipherText is important. Additionally, - messages encoded in this format must include a length as part of the - msg-seq field. This allows the recipient to verify that the message - has not been truncated. Without a length, an attacker could use a - chosen plaintext attack to generate a message which could be - truncated, while leaving the checksum intact. Note that if the msg-seq - is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length - is part of that encoding. 
- - [37] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [38] In some cases, it may be necessary to use a different "mix-in" - string for compatibility reasons; see the discussion of padata in - section 5.4.2. - - [39] A variant of the key is used to limit the use of a key to a - particular function, separating the functions of generating a checksum - from other encryption performed using the session key. The constant - F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The - properties of DES precluded the use of the complement. The same - constant is used for similar purpose in the Message Integrity Check in - the Privacy Enhanced Mail standard. - - [40] This error carries additional information in the e- data field. - The contents of the e-data field for this message is described in - section 5.9.1. - - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt deleted file mode 100644 index 6f7dae0dea70..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt +++ /dev/null 
@@ -1,325 +0,0 @@ - -INTERNET-DRAFT Mike Swift -draft-ietf-cat-kerberos-set-passwd-02.txt Microsoft -March 2000 Jonathan Trostle - Cisco Systems - John Brezak - Microsoft - Bill Gossman - Cybersafe - - Kerberos Set/Change Password: Version 2 - - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- - Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Comments and suggestions on this document are encouraged. Comments - on this document should be sent to the CAT working group discussion - list: - ietf-cat-wg@stanford.edu - -1. Abstract - - The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), - does not allow for an administrator to set a password for a new user. - This functionality is useful in some environments, and this proposal - extends [4] to allow password setting. The changes are: adding new - fields to the request message to indicate the principal which is - having its password set, not requiring the initial flag in the service - ticket, using a new protocol version number, and adding three new - result codes. We also extend the set/change protocol to allow a - client to send a sequence of keys to the KDC instead of a cleartext - password. 
If in the cleartext password case, the cleartext password - fails to satisfy password policy, the server should use the result - code KRB5_KPASSWD_POLICY_REJECT. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. The Protocol - - The service must accept requests on UDP port 464 and TCP port 464 as - well. The protocol consists of a single request message followed by - a single reply message. For UDP transport, each message must be fully - contained in a single UDP packet. - - For TCP transport, there is a 4 octet header in network byte order - precedes the message and specifies the length of the message. This - requirement is consistent with the TCP transport header in 1510bis. - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP-REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). - - AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REQ data: (see [3]) The AP-REQ message must be for the service - principal kadmin/changepw@REALM, where REALM is the REALM of the user - who wishes to change/set his password. 
The ticket in the AP-REQ must - must include a subkey in the Authenticator. To enable setting of - passwords/keys, it is not required that the initial flag be set in the - Kerberos service ticket. The initial flag is required for change requests, - but not for set password requests. We have the following definitions: - - old passwd initial flag target principal can be - in request? required? distinct from - authenticating principal? - - change password: yes yes no - - set password: no no yes - - set key: no policy yes - determined - - KRB-PRIV message (see [3]) This KRB-PRIV message must be generated - using the subkey from the authenticator in the AP-REQ data. - - The user-data component of the message consists of the following ASN.1 - structure encoded as an OCTET STRING: - - ChangePasswdData :: = SEQUENCE { - newpasswdorkeys[0] NewPasswdOrKeys, - targname[1] PrincipalName OPTIONAL, - -- only present in set password: the principal - -- which will have its password set - targrealm[2] Realm OPTIONAL, - -- only present in set password: the realm for - -- the principal which will have its password set - - } - - NewPasswdOrKeys :: = CHOICE { - passwords[0] PasswordSequence, - keyseq[1] KeySequences - } - - KeySequences :: = SEQUENCE OF KeySequence - - KeySequence :: = SEQUENCE { - key[0] EncryptionKey, - salt[1] OCTET STRING OPTIONAL, - salt-type[2] INTEGER OPTIONAL - } - - PasswordSequence :: = SEQUENCE { - newpasswd[0] OCTET STRING, - oldpasswd[1] OCTET STRING OPTIONAL - -- oldpasswd always present for change password - -- but not present for set password - } - - The server must verify the AP-REQ message, check whether the client - principal in the ticket is authorized to set or change the password - (either for that principal, or for the principal in the targname - field if present), and decrypt the new password/keys. The server - also checks whether the initial flag is required for this request, - replying with status 0x0007 if it is not set and should be. 
An - authorization failure is cause to respond with status 0x0005. For - forward compatibility, the server should be prepared to ignore fields - after targrealm in the structure that it does not understand. - - The newpasswdorkeys field contains either the new cleartext password - (with the old cleartext password for a change password operation), - or a sequence of encryption keys with their respective salts. - - In the cleartext password case, if the old password is sent in the - request, the request is defined to be a change password request. If - the old password is not present in the request, the request is a set - password request. The server should apply policy checks to the old - and new password after verifying that the old password is valid. - The server can check validity by obtaining a key from the old - password with a keytype that is present in the KDC database for the - user and comparing the keys for equality. The server then generates - the appropriate keytypes from the password and stores them in the KDC - - database. If all goes well, status 0x0000 is returned to the client - in the reply message (see below). For a change password operation, - the initial flag in the service ticket MUST be set. - - In the key sequence case, the sequence of keys is sent to the set - password service. For a principal that can act as a server, its - preferred keytype should be sent as the first key in the sequence, - but the KDC is not required to honor this preference. Application - servers should use the key sequence option for changing/setting their - keys. The set password service should check that all keys are in the - proper format, returning the KRB5_KPASSWD_MALFORMED error otherwise. 
- -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). (The reply message has the same format as in [4]). - - AP-REP length: length of AP-REP data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REP data: the AP-REP is the response to the AP-REQ in the request - packet. - - KRB-PRIV from [4]: This KRB-PRIV message must be generated using the - subkey in the authenticator in the AP-REQ data. - - The server will respond with a KRB-PRIV message unless it cannot - validate the client AP-REQ or KRB-PRIV message, in which case it will - respond with a KRB-ERROR message. NOTE: Unlike change password version - 1, the KRB-ERROR message will be sent back without any encapsulation. - - The user-data component of the KRB-PRIV message, or e-data component - of the KRB-ERROR message, must consist of the following data. 
- - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | edata / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) (result codes 0-4 are from [4]): - The result code must have one of the following values (network - byte order): - KRB5_KPASSWD_SUCCESS 0 request succeeds (This value is not - allowed in a KRB-ERROR message) - KRB5_KPASSWD_MALFORMED 1 request fails due to being malformed - KRB5_KPASSWD_HARDERROR 2 request fails due to "hard" error in - processing the request (for example, - there is a resource or other problem - causing the request to fail) - KRB5_KPASSWD_AUTHERROR 3 request fails due to an error in - authentication processing - KRB5_KPASSWD_SOFTERROR 4 request fails due to a soft error - in processing the request - KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized - KRB5_KPASSWD_BAD_VERSION 6 protocol version unsupported - KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required - KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy; - the result string should include a text message to be presented - to the user. - KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist - (only in response to a set password request). - KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence - containing at least one etype that is not supported by the KDC. - The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO - type that specifies the etypes that the KDC supports: - - KERB-ETYPE-INFO-ENTRY :: = SEQUENCE { - encryption-type[0] INTEGER, - salt[1] OCTET STRING OPTIONAL -- not sent - } - - PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY - - The client should retry the request using only etypes (keytypes) - that are contained within the PKERB-ETYPE-INFO structure in the - previous response. 
- 0xFFFF if the request fails for some other reason. - The client must interpret any non-zero result code as a failure. - result string - from [4]: - This field is a UTF-8 encoded string which should be displayed - to the user by the client. Specific reasons for a password - set/change policy failure is one use for this string. - edata: used to convey additional information as defined by the - result code. - -4. References - - [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - [3] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5), Request for Comments 1510. - - [4] M. Horowitz. Kerberos Change Password Protocol, - ftp://ds.internic.net/internet-drafts/ - draft-ietf-cat-kerb-chg-password-02.txt - -5. Expiration Date - - This draft expires in September 2000. - -6. Authors' Addresses - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Mike Swift - 1 Microsoft Way - Redmond, WA 98052 - Email: mikesw@microsoft.com - - John Brezak - 1 Microsoft Way - Redmond, WA 98052 - Email: jbrezak@microsoft.com - - Bill Gossman - Cybersafe Corporation - 1605 NW Sammamish Rd. - Issaquah, WA 98027-5378 - Email: bill.gossman@cybersafe.com - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt deleted file mode 100644 index 0319f8bf347c..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt +++ /dev/null 
@@ -1,345 +0,0 @@ - -INTERNET-DRAFT Mike Swift -draft-ietf-cat-kerberos-set-passwd-03.txt Microsoft -April 2000 Jonathan Trostle - Cisco Systems - John Brezak - Microsoft - Bill Gossman - Cybersafe - - Kerberos Set/Change Password: Version 2 - - -0. Status Of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- - Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Comments and suggestions on this document are encouraged. Comments - on this document should be sent to the CAT working group discussion - list: - ietf-cat-wg@stanford.edu - -1. Abstract - - The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), - does not allow for an administrator to set a password for a new user. - This functionality is useful in some environments, and this proposal - extends [4] to allow password setting. The changes are: adding new - fields to the request message to indicate the principal which is - having its password set, not requiring the initial flag in the service - ticket, using a new protocol version number, and adding three new - result codes. We also extend the set/change protocol to allow a - client to send a sequence of keys to the KDC instead of a cleartext - password. 
If in the cleartext password case, the cleartext password - fails to satisfy password policy, the server should use the result - code KRB5_KPASSWD_POLICY_REJECT. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. The Protocol - - The service must accept requests on UDP port 464 and TCP port 464 as - well. The protocol consists of a single request message followed by - a single reply message. For UDP transport, each message must be fully - contained in a single UDP packet. - - For TCP transport, there is a 4 octet header in network byte order - precedes the message and specifies the length of the message. This - requirement is consistent with the TCP transport header in 1510bis. - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP-REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). - - AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REQ data: (see [3]) For a change password/key request, the AP-REQ - message service ticket sname, srealm principal identifier is - kadmin/changepw@REALM where REALM is the realm of the change password - service. 
The same applies to a set password/key request except the - principal identifier is kadmin/setpw@REALM. The ticket in the AP-REQ - must include a subkey in the Authenticator. To enable setting of - passwords/keys, it is not required that the initial flag be set in the - Kerberos service ticket. The initial flag is required for change requests, - but not for set requests. We have the following definitions: - - old passwd initial flag target principal can be - in request? required? distinct from - authenticating principal? - - change password: yes yes no - - set password: no policy (*) yes - - set key: no policy (*) yes - - change key: no yes no - - policy (*): implementations SHOULD allow administrators to set the - initial flag required for set requests policy to either yes or no. - Clients MUST be able to retry set requests that fail due to error 7 - (initial flag required) with an initial ticket. Clients SHOULD NOT - cache service tickets targetted at kadmin/changepw. - - KRB-PRIV message (see [3]) This KRB-PRIV message must be generated - using the subkey from the authenticator in the AP-REQ data. - - The user-data component of the message consists of the following ASN.1 - structure encoded as an OCTET STRING: - - ChangePasswdData :: = SEQUENCE { - newpasswdorkeys[0] NewPasswdOrKeys, - targname[1] PrincipalName OPTIONAL, - -- only present in set password/key: the principal - -- which will have its password or keys set. Not - -- present in a set request if the client principal - -- from the ticket is the principal having its - -- passwords or keys set. - targrealm[2] Realm OPTIONAL, - -- only present in set password/key: the realm for - -- the principal which will have its password or - -- keys set. Not present in a set request if the - -- client principal from the ticket is the principal - -- having its passwords or keys set. 
- } - - NewPasswdOrKeys :: = CHOICE { - passwords[0] PasswordSequence, -- change/set passwd - keyseq[1] KeySequences -- change/set key - } - - KeySequences :: = SEQUENCE OF KeySequence - - KeySequence :: = SEQUENCE { - key[0] EncryptionKey, - salt[1] OCTET STRING OPTIONAL, - salt-type[2] INTEGER OPTIONAL - } - - PasswordSequence :: = SEQUENCE { - newpasswd[0] OCTET STRING, - oldpasswd[1] OCTET STRING OPTIONAL - -- oldpasswd always present for change password - -- but not present for set password, set key, or - -- change key - } - - The server must verify the AP-REQ message, check whether the client - principal in the ticket is authorized to set or change the password - (either for that principal, or for the principal in the targname - field if present), and decrypt the new password/keys. The server - also checks whether the initial flag is required for this request, - replying with status 0x0007 if it is not set and should be. An - authorization failure is cause to respond with status 0x0005. For - forward compatibility, the server should be prepared to ignore fields - after targrealm in the structure that it does not understand. - - The newpasswdorkeys field contains either the new cleartext password - (with the old cleartext password for a change password operation), - or a sequence of encryption keys with their respective salts. - - In the cleartext password case, if the old password is sent in the - request, the request MUST be a change password request. If the old - password is not present in the request, the request MUST be a set - password request. The server should apply policy checks to the old - and new password after verifying that the old password is valid. - The server can check validity by obtaining a key from the old - password with a keytype that is present in the KDC database for the - user and comparing the keys for equality. The server then generates - the appropriate keytypes from the password and stores them in the KDC - database. 
If all goes well, status 0x0000 is returned to the client - in the reply message (see below). For a change password operation, - the initial flag in the service ticket MUST be set. - - In the key sequence case, the sequence of keys is sent to the change - or set password service (kadmin/changepw or kadmin/setpw respectively). - For a principal that can act as a server, its preferred keytype should - be sent as the first key in the sequence, but the KDC is not required - to honor this preference. Application servers should use the key - sequence option for changing/setting their keys. The change/set password - services should check that all keys are in the proper format, returning - the KRB5_KPASSWD_MALFORMED error otherwise. - -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - All 16 bit fields are in network byte order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0002 (network - byte order). (The reply message has the same format as in [4]). - - AP-REP length: length of AP-REP data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REP data: the AP-REP is the response to the AP-REQ in the request - packet. - - KRB-PRIV from [4]: This KRB-PRIV message must be generated using the - subkey in the authenticator in the AP-REQ data. 
- - The server will respond with a KRB-PRIV message unless it cannot - validate the client AP-REQ or KRB-PRIV message, in which case it will - respond with a KRB-ERROR message. NOTE: Unlike change password version - 1, the KRB-ERROR message will be sent back without any encapsulation. - - The user-data component of the KRB-PRIV message, or e-data component - of the KRB-ERROR message, must consist of the following data. - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | edata / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) (result codes 0-4 are from [4]): - The result code must have one of the following values (network - byte order): - KRB5_KPASSWD_SUCCESS 0 request succeeds (This value is not - allowed in a KRB-ERROR message) - KRB5_KPASSWD_MALFORMED 1 request fails due to being malformed - KRB5_KPASSWD_HARDERROR 2 request fails due to "hard" error in - processing the request (for example, - there is a resource or other problem - causing the request to fail) - KRB5_KPASSWD_AUTHERROR 3 request fails due to an error in - authentication processing - KRB5_KPASSWD_SOFTERROR 4 request fails due to a soft error - in processing the request - KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized - KRB5_KPASSWD_BAD_VERSION 6 protocol version unsupported - KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required - KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy; - the result string should include a text message to be presented - to the user. - KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist - (only in response to a set password request). - KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence - containing at least one etype that is not supported by the KDC. 
- The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO - type that specifies the etypes that the KDC supports: - - KERB-ETYPE-INFO-ENTRY :: = SEQUENCE { - encryption-type[0] INTEGER, - salt[1] OCTET STRING OPTIONAL -- not sent - } - - PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY - - The client should retry the request using only etypes (keytypes) - that are contained within the PKERB-ETYPE-INFO structure in the - previous response. - 0xFFFF if the request fails for some other reason. - The client must interpret any non-zero result code as a failure. - result string - from [4]: - This field is a UTF-8 encoded string which should be displayed - to the user by the client. Specific reasons for a password - - set/change policy failure is one use for this string. - edata: used to convey additional information as defined by the - result code. - -4. Acknowledgements - - The authors thank Tony Andrea for his input to the document. - -5. References - - [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - [3] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5), Request for Comments 1510. - - [4] M. Horowitz. Kerberos Change Password Protocol, - ftp://ds.internic.net/internet-drafts/ - draft-ietf-cat-kerb-chg-password-02.txt - -6. Expiration Date - - This draft expires in October 2000. - -7. Authors' Addresses - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Mike Swift - 1 Microsoft Way - Redmond, WA 98052 - Email: mikesw@microsoft.com - - John Brezak - 1 Microsoft Way - Redmond, WA 98052 - Email: jbrezak@microsoft.com - - Bill Gossman - Cybersafe Corporation - 1605 NW Sammamish Rd. - Issaquah, WA 98027-5378 - Email: bill.gossman@cybersafe.com - 
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
deleted file mode 100644
index e76a0e402ad1..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
+++ /dev/null
@@ -1,250 +0,0 @@ -INTERNET-DRAFT Ken Hornstein - NRL -June 21, 1999 Jeffrey Altman -Expires: December 21, 1999 Columbia University - - Distributing Kerberos KDC and Realm Information with DNS - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Distribution of this memo is unlimited. It is filed as , and expires on December 21, 1999. Please - send comments to the authors. - -Abstract - - Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- - col [RFC????] describe any mechanism for clients to learn critical - configuration information necessary for proper operation of the pro- - tocol. Such information includes the location of Kerberos key dis- - tribution centers or a mapping between DNS domains and Kerberos - realms. - - Current Kerberos implementations generally store such configuration - information in a file on each client machine. Experience has shown - this method of storing configuration information presents problems - with out-of-date information and scaling problems, especially when - -Hornstein, Altman [Page 1] - -RFC DRAFT June 21, 1999 - - using cross-realm authentication. 
- - This memo describes a method for using the Domain Name System - [RFC1035] for storing such configuration information. Specifically, - methods for storing KDC location and hostname/domain name to realm - mapping information are discussed. - -Overview - KDC location information - - KDC location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kerberos is always "_kerberos". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_udp" record MUST be included. If the Kerberos implementa- - tion supports TCP transport, a "_tcp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Example - KDC location information - - These are DNS records for a Kerberos realm ASDF.COM. It has two Ker- - beros servers, kdc1.asdf.com and kdc2.asdf.com. Queries should be - directed to kdc1.asdf.com first as per the specified priority. - Weights are not used in these records. - - _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. - -Overview - KAdmin location information - - Kadmin location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kadmin is always "_kadmin". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_tcp" record MUST be included. If the Kadmin implementation - supports UDP transport, a "_udp" record SHOULD be included. - -Hornstein, Altman [Page 2] - -RFC DRAFT June 21, 1999 - - The Realm is the Kerberos realm that this record corresponds to. 
- - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Example - Kadmin location information - - These are DNS records for a Kerberos realm ASDF.COM. It has one Kad- - min server, kdc1.asdf.com. - - _kadmin._tcp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - -Overview - Hostname/domain name to Kerberos realm mapping - - Information on the mapping of DNS hostnames and domain names to Ker- - beros realms is stored using DNS TXT records [RFC 1035]. These - records have the following format. - - Service.Name TTL Class TXT Realm - - The Service field is always "_kerberos", and prefixes all entries of - this type. - - The Name is a DNS hostname or domain name. This is explained in - greater detail below. - - TTL, Class, and TXT have the standard DNS meaning as defined in RFC - 1035. - - The Realm is the data for the TXT RR, and consists simply of the Ker- - beros realm that corresponds to the Name specified. - - When a Kerberos client wishes to utilize a host-specific service, it - will perform a DNS TXT query, using the hostname in the Name field of - the DNS query. If the record is not found, the first label of the - name is stripped and the query is retried. - - Compliant implementations MUST query the full hostname and the most - specific domain name (the hostname with the first label removed). - Compliant implementations SHOULD try stripping all subsequent labels - until a match is found or the Name field is empty. - -Example - Hostname/domain name to Kerberos realm mapping - - For the previously mentioned ASDF.COM realm and domain, some sample - records might be as follows: - - _kerberos.asdf.com. IN TXT "ASDF.COM" - -Hornstein, Altman [Page 3] - -RFC DRAFT June 21, 1999 - - _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" - _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM" - - Let us suppose that in this case, a Kerberos client wishes to use a - Kerberized service on the host foo.asdf.com. 
It would first query: - - _kerberos.foo.asdf.com. IN TXT - - Finding no match, it would then query: - - _kerberos.asdf.com. IN TXT - - And find an answer of ASDF.COM. This would be the realm that - foo.asdf.com resides in. - - If another Kerberos client wishes to use a Kerberized service on the - host salesserver.asdf.com, it would query: - - _kerberos.salesserver.asdf.com IN TXT - - And find an answer of SALES.ASDF.COM. - -Security considerations - - As DNS is deployed today, it is an unsecure service. Thus the infor- - mation returned by it cannot be trusted. However, the use of DNS to - store this configuration information does not introduce any new secu- - rity risks to the Kerberos protocol. - - Current practice is to use hostnames to indicate KDC hosts (stored in - some implementation-dependent location, but generally a local config - file). These hostnames are vulnerable to the standard set of DNS - attacks (denial of service, spoofed entries, etc). The design of the - Kerberos protocol limits attacks of this sort to denial of service. - However, the use of SRV records does not change this attack in any - way. They have the same vulnerabilities that already exist in the - common practice of using hostnames for KDC locations. - - The same holds true for the TXT records used to indicate the domain - name to realm mapping. Current practice is to configure these map- - pings locally. But this again is vulnerable to spoofing via CNAME - records that point to hosts in other domains. This has the same - effect as a spoofed TXT record. - - While the described protocol does not introduce any new security - risks to the best of our knowledge, implementations SHOULD provide a - way of specifying this information locally without the use of DNS. - However, to make this feature worthwhile a lack of any configuration - -Hornstein, Altman [Page 4] - -RFC DRAFT June 21, 1999 - - information on a client should be interpretted as permission to use - DNS. 
- -Expiration - - This Internet-Draft expires on December 21, 1999. - -References - - [RFC1510] - The Kerberos Network Authentication System; Kohl, Newman; Sep- - tember 1993. - - [RFC1035] - Domain Names - Implementation and Specification; Mockapetris; - November 1987 - - [RFC2052] - A DNS RR for specifying the location of services (DNS SRV); Gul- - brandsen, Vixie; October 1996 - -Authors' Addresses - - Ken Hornstein - US Naval Research Laboratory - Bldg A-49, Room 2 - 4555 Overlook Avenue - Washington DC 20375 USA - - Phone: +1 (202) 404-4765 - EMail: kenh@cmf.nrl.navy.mil - - Jeffrey Altman - The Kermit Project - Columbia University - 612 West 115th Street #716 - New York NY 10025-7799 USA - - Phone: +1 (212) 854-1344 - EMail: jaltman@columbia.edu - -Hornstein, Altman [Page 5] diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt deleted file mode 100644 index bd31750a15af..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt +++ /dev/null 
@@ -1,339 +0,0 @@ - - - - - - -INTERNET-DRAFT Ken Hornstein - NRL -March 10, 2000 Jeffrey Altman -Expires: September 10, 2000 Columbia University - - - - Distributing Kerberos KDC and Realm Information with DNS - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Distribution of this memo is unlimited. It is filed as , and expires on September 10, 2000. Please - send comments to the authors. - -Abstract - - Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- - col [RFC????] describe any mechanism for clients to learn critical - configuration information necessary for proper operation of the pro- - tocol. Such information includes the location of Kerberos key dis- - tribution centers or a mapping between DNS domains and Kerberos - realms. - - Current Kerberos implementations generally store such configuration - information in a file on each client machine. Experience has shown - this method of storing configuration information presents problems - with out-of-date information and scaling problems, especially when - - - -Hornstein, Altman [Page 1] - -RFC DRAFT March 10, 2000 - - - using cross-realm authentication. 
- - This memo describes a method for using the Domain Name System - [RFC1035] for storing such configuration information. Specifically, - methods for storing KDC location and hostname/domain name to realm - mapping information are discussed. - -DNS vs. Kerberos - Case Sensitivity of Realm Names - - In Kerberos, realm names are case sensitive. While it is strongly - encouraged that all realm names be all upper case this recommendation - has not been adopted by all sites. Some sites use all lower case - names and other use mixed case. DNS on the other hand is case insen- - sitive for queries but is case preserving for responses to TXT - queries. Since "MYREALM", "myrealm", and "MyRealm" are all different - it is necessary that the DNS entries be distinguishable. - - Since the recommend realm names are all upper case, we will not - require any quoting to be applied to upper case names. If the realm - name contains lower case characters each character is to be quoted by - a '=' character. So "MyRealm" would be represented as "M=yR=e=a=l=m" - and "myrealm" as "=m=y=r=e=a=l=m". If the realm name contains the - '=' character it will be represented as "==". - - -Overview - KDC location information - - KDC location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kerberos is always "_kerberos". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_udp" record MUST be included. If the Kerberos implementa- - tion supports TCP transport, a "_tcp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Example - KDC location information - - These are DNS records for a Kerberos realm ASDF.COM. It has two Ker- - beros servers, kdc1.asdf.com and kdc2.asdf.com. 
Queries should be - directed to kdc1.asdf.com first as per the specified priority. - - - -Hornstein, Altman [Page 2] - -RFC DRAFT March 10, 2000 - - - Weights are not used in these records. - - _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. - -Overview - Kerberos password changing server location information - - Kerberos password changing server [KERB-CHG] location is to be stored - using the DNS SRV RR [RFC 2052]. The format of this RR is as fol- - lows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for the password server is always "_kpasswd". - - The Proto MUST be "_udp". - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Overview - Kerberos admin server location information - - Kerberos admin location information is to be stored using the DNS SRV - RR [RFC 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for the admin server is always "_kerberos-adm". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_tcp" record MUST be included. If the Kerberos admin imple- - mentation supports UDP transport, a "_udp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - - Note that there is no formal definition of a Kerberos admin protocol, - so the use of this record is optional and implementation-dependent. - -Example - Kerberos administrative server location information - - These are DNS records for a Kerberos realm ASDF.COM. It has one - administrative server, kdc1.asdf.com. - - - - -Hornstein, Altman [Page 3] - -RFC DRAFT March 10, 2000 - - - _kerberos-adm._tcp.ASDF.COM. 
IN SRV 0 0 88 kdc1.asdf.com. - -Overview - Hostname/domain name to Kerberos realm mapping - - Information on the mapping of DNS hostnames and domain names to Ker- - beros realms is stored using DNS TXT records [RFC 1035]. These - records have the following format. - - Service.Name TTL Class TXT Realm - - The Service field is always "_kerberos", and prefixes all entries of - this type. - - The Name is a DNS hostname or domain name. This is explained in - greater detail below. - - TTL, Class, and TXT have the standard DNS meaning as defined in RFC - 1035. - - The Realm is the data for the TXT RR, and consists simply of the Ker- - beros realm that corresponds to the Name specified. - - When a Kerberos client wishes to utilize a host-specific service, it - will perform a DNS TXT query, using the hostname in the Name field of - the DNS query. If the record is not found, the first label of the - name is stripped and the query is retried. - - Compliant implementations MUST query the full hostname and the most - specific domain name (the hostname with the first label removed). - Compliant implementations SHOULD try stripping all subsequent labels - until a match is found or the Name field is empty. - -Example - Hostname/domain name to Kerberos realm mapping - - For the previously mentioned ASDF.COM realm and domain, some sample - records might be as follows: - - _kerberos.asdf.com. IN TXT "ASDF.COM" - _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" - _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM" - - Let us suppose that in this case, a Kerberos client wishes to use a - Kerberized service on the host foo.asdf.com. It would first query: - - _kerberos.foo.asdf.com. IN TXT - - Finding no match, it would then query: - - - - -Hornstein, Altman [Page 4] - -RFC DRAFT March 10, 2000 - - - _kerberos.asdf.com. IN TXT - - And find an answer of ASDF.COM. This would be the realm that - foo.asdf.com resides in. 
- - If another Kerberos client wishes to use a Kerberized service on the - host salesserver.asdf.com, it would query: - - _kerberos.salesserver.asdf.com IN TXT - - And find an answer of SALES.ASDF.COM. - -Security considerations - - As DNS is deployed today, it is an unsecure service. Thus the infor- - mation returned by it cannot be trusted. - - Current practice for REALM to KDC mapping is to use hostnames to - indicate KDC hosts (stored in some implementation-dependent location, - but generally a local config file). These hostnames are vulnerable - to the standard set of DNS attacks (denial of service, spoofed - entries, etc). The design of the Kerberos protocol limits attacks of - this sort to denial of service. However, the use of SRV records does - not change this attack in any way. They have the same vulnerabili- - ties that already exist in the common practice of using hostnames for - KDC locations. - - Current practice for HOSTNAME to REALM mapping is to provide a local - configuration of mappings of hostname or domain name to realm which - are then mapped to KDCs. But this again is vulnerable to spoofing - via CNAME records that point to hosts in other domains. This has the - same effect as when a TXT record is spoofed. In a realm with no - cross-realm trusts this is a DoS attack. However, when cross-realm - trusts are used it is possible to redirect a client to use a comprom- - ised realm. - - This is not an exploit of the Kerberos protocol but of the Kerberos - trust model. The same can be done to any application that must - resolve the hostname in order to determine which domain a non-FQDN - belongs to. - - Implementations SHOULD provide a way of specifying this information - locally without the use of DNS. However, to make this feature - worthwhile a lack of any configuration information on a client should - be interpretted as permission to use DNS. 
- - - - - - -Hornstein, Altman [Page 5] - -RFC DRAFT March 10, 2000 - - -Expiration - - This Internet-Draft expires on September 10, 2000. - -References - - - [RFC1510] - The Kerberos Network Authentication System; Kohl, Newman; Sep- - tember 1993. - - [RFC1035] - Domain Names - Implementation and Specification; Mockapetris; - November 1987 - - [RFC2782] - A DNS RR for specifying the location of services (DNS SRV); Gul- - brandsen, Vixie; Feburary 2000 - - [KERB-CHG] - Kerberos Change Password Protocol; Horowitz; - ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg- - password-02.txt - -Authors' Addresses - - Ken Hornstein - US Naval Research Laboratory - Bldg A-49, Room 2 - 4555 Overlook Avenue - Washington DC 20375 USA - - Phone: +1 (202) 404-4765 - EMail: kenh@cmf.nrl.navy.mil - - Jeffrey Altman - The Kermit Project - Columbia University - 612 West 115th Street #716 - New York NY 10025-7799 USA - - Phone: +1 (212) 854-1344 - EMail: jaltman@columbia.edu - - - - - - - - -Hornstein, Altman [Page 6] - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt deleted file mode 100644 index 11e5dc9f9548..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt +++ /dev/null 
@@ -1,1333 +0,0 @@ - -INTERNET-DRAFT Tom Yu -Common Authentication Technology WG MIT -draft-ietf-cat-krb5gss-mech2-03.txt 04 March 2000 - - The Kerberos Version 5 GSSAPI Mechanism, Version 2 - -Status of This Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Comments on this document should be sent to - "ietf-cat-wg@lists.stanford.edu", the IETF Common Authentication - Technology WG discussion list. - -Abstract - - This document defines protocols, procedures, and conventions to be - employed by peers implementing the Generic Security Service - Application Program Interface (as specified in RFC 2743) when using - Kerberos Version 5 technology (as specified in RFC 1510). This - obsoletes RFC 1964. - -Acknowledgements - - Much of the material in this specification is based on work done for - Cygnus Solutions by Marc Horowitz. - -Table of Contents - - Status of This Memo ............................................ 1 - Abstract ....................................................... 1 - Acknowledgements ............................................... 1 - Table of Contents .............................................. 1 - 1. Introduction ............................................... 3 - 2. 
Token Formats .............................................. 3 - 2.1. Packet Notation ....................................... 3 - -Yu Document Expiration: 04 Sep 2000 [Page 1] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - 2.2. Mechanism OID ......................................... 4 - 2.3. Context Establishment ................................. 4 - 2.3.1. Option Format .................................... 4 - 2.3.1.1. Delegated Credentials Option ................ 5 - 2.3.1.2. Null Option ................................. 5 - 2.3.2. Initial Token .................................... 6 - 2.3.2.1. Data to be Checksummed in APREQ ............. 8 - 2.3.3. Response Token ................................... 10 - 2.4. Per-message Tokens .................................... 12 - 2.4.1. Sequence Number Usage ............................ 12 - 2.4.2. MIC Token ........................................ 12 - 2.4.2.1. Data to be Checksummed in MIC Token ......... 13 - 2.4.3. Wrap Token ....................................... 14 - 2.4.3.1. Wrap Token With Integrity Only .............. 14 - 2.4.3.2. Wrap Token With Integrity and Encryption - ............................................. 15 - 2.4.3.2.1. Data to be Encrypted in Wrap Token ..... 16 - 3. ASN.1 Encoding of Octet Strings ............................ 17 - 4. Name Types ................................................. 18 - 4.1. Mandatory Name Forms .................................. 18 - 4.1.1. Kerberos Principal Name Form ..................... 18 - 4.1.2. Exported Name Object Form for Kerberos5 - Mechanism ........................................ 19 - 5. Credentials ................................................ 20 - 6. Parameter Definitions ...................................... 20 - 6.1. Minor Status Codes .................................... 20 - 6.1.1. Non-Kerberos-specific codes ...................... 21 - 6.1.2. Kerberos-specific-codes .......................... 21 - 7. 
Kerberos Protocol Dependencies ............................. 22 - 8. Security Considerations .................................... 22 - 9. References ................................................. 22 - 10. Author's Address .......................................... 23 - - - - - - - - - - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 2] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -1. Introduction - - The original Kerberos 5 GSSAPI mechanism[RFC1964] has a number of - shortcomings. This document attempts to remedy them by defining a - completely new Kerberos 5 GSSAPI mechanism. - - The context establishment token format requires that the - authenticator of AP-REQ messages contain a cleartext data structure - in its checksum field, which is a needless and potentially confusing - overloading of that field. This is implemented by a special checksum - algorithm whose purpose is to copy the input data directly into the - checksum field of the authenticator. - - The number assignments for checksum algorithms and for encryption - types are inconsistent between the Kerberos protocol and the original - GSSAPI mechanism. If new encryption or checksum algorithms are added - to the Kerberos protocol at some point, the GSSAPI mechanism will - need to be separately updated to use these new algorithms. - - The original mechanism specifies a crude method of key derivation (by - using the XOR of the context key with a fixed constant), which is - incompatible with newer cryptosystems which specify key derivation - procedures themselves. The original mechanism also assumes that both - checksums and cryptosystem blocksizes are eight bytes. - - Defining all GSSAPI tokens for the new Kerberos 5 mechanism in terms - of the Kerberos protocol specification ensures that new encryption - types and checksum types may be automatically used as they are - defined for the Kerberos protocol. - -2. 
Token Formats - - All tokens, not just the initial token, are framed as the - InitialContextToken described in RFC 2743 section 3.1. The - innerContextToken element of the token will not itself be encoded in - ASN.1, with the exception of caller-provided application data. - - One rationale for avoiding the use of ASN.1 in the inner token is - that some implementors may wish to implement this mechanism in a - kernel or other similarly constrained application where handling of - full ASN.1 encoding may be cumbersome. Also, due to the poor - availability of the relevant standards documents, ASN.1 encoders and - decoders are difficult to implement completely correctly, so keeping - ASN.1 usage to a minimum decreases the probability of bugs in the - implementation of the mechanism. In particular, bit strings need to - be transferred at certain points in this mechanism. There are many - conflicting common misunderstandings of how to encode and decode - ASN.1 bit strings, which have led difficulties in the implementaion - of the Kerberos protocol. - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 3] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.1. Packet Notation - - The order of transmission of this protocol is described at the octet - level. Packet diagrams depict bits in the order of transmission, - assuming that individual octets are transmitted with the most - significant bit (MSB) first. The diagrams read from left to right - and from top to bottom, as in printed English. In each octet, bit - number 7 is the MSB and bit number 0 is the LSB. - - Numbers prefixed by the characters "0x" are in hexadecimal notation, - as in the C programming language. Even though packet diagrams are - drawn 16 bits wide, no padding should be used to align the ends of - variable-length fields to a 32-bit or 16-bit boundary. - - All integer fields are in network byte order. All other fields have - the size shown in the diagrams, with the exception of variable length - fields. 
- -2.2. Mechanism OID - - The Object Identifier (OID) of the new krb5 v2 mechanism is: - - {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2) - krb5v2(3)} - - -2.3. Context Establishment - -2.3.1. Option Format - - Context establishment tokens, i.e., the initial ones that the - GSS_Init_sec_context() and the GSS_Accept_sec_context() calls emit - while a security context is being set up, may contain options that - influence the subsequent behavior of the context. This document - describes only a small set of options, but additional types may be - added by documents intended to supplement this one. The generic - format is as follows: - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | option type | - +-------------------------------+-------------------------------+ - 2 | | - +-- option length (32 bits) --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / option data (variable length) / - | . | - +-------------------------------+-------------------------------+ - - - - -Yu Document Expiration: 04 Sep 2000 [Page 4] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - option type (16 bits) - The type identifier of the following option. - - option length (32 bits) - The length in bytes of the following option. - - option data (variable length) - The actual option data. - - Any number of options may appear in an initator or acceptor token. - The final option in a token must be the null option, in order to mark - the end of the list. Option type 0xffff is reserved. - - The initiator and acceptor shall ignore any options that they do not - understand. - -2.3.1.1. Delegated Credentials Option - - Only the initiator may use this option. 
The format of the delegated - credentials option is as follows: - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | option type = 0x00001 | - +-------------------------------+-------------------------------+ - 2 | | - +-- KRB-CRED length --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / KRB-CRED message / - | . | - +-------------------------------+-------------------------------+ - - - option type (16 bits) - The option type for this option shall be 0x0001. - - KRB-CRED length (32 bits) - The length in bytes of the following KRB-CRED message. - - KRB-CRED message (variable length) - The option data for this option shall be the KRB-CRED message - that contains the credentials being delegated (forwarded) to the - context acceptor. Only the initiator may use this option. - -2.3.1.2. Null Option - - The Null option terminates the option list, and must be used by both - the initiator and the acceptor. Its format is as follows: - - - - -Yu Document Expiration: 04 Sep 2000 [Page 5] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | option type = 0 | - +-------------------------------+-------------------------------+ - 2 | | - +-- length = 0 --+ - 4 | | - +-------------------------------+-------------------------------+ - - - option type (16 bits) - The option type of this option must be zero. - - option length (32 bits) - The length of this option must be zero. - -2.3.2. Initial Token - - This is the initial token sent by the context initiator, generated by - GSS_Init_sec_context(). 
- - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | initial token id = 0x0101 | - +-------------------------------+-------------------------------+ - 2 | | - +-- reserved flag bits +-----------------------+ - 4 | | I | C | S | R | M | D | - +-------------------------------+-------------------------------+ - 6 | checksum type count | - +-------------------------------+-------------------------------+ - 8 | . | - / checksum type list / - | . | - +-------------------------------+-------------------------------+ - n | . | - / options / - | . | - +-------------------------------+-------------------------------+ - m | | - +-- AP-REQ length --+ - m+2 | | - +-------------------------------+-------------------------------+ - m+4 | . | - / AP-REQ data / - | . | - +-------------------------------+-------------------------------+ - - - initial token ID (16 bits) - Contains the integer 0x0101, which identifies this as the - initial token in the context setup. - - -Yu Document Expiration: 04 Sep 2000 [Page 6] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - reserved flag bits (26 bits) - These bits are reserved for future expansion. They must be set - to zero by the initiator and be ignored by the acceptor. - - I flag (1 bit) - 0x00000020 -- GSS_C_INTEG_FLAG - - C flag (1 bit) - 0x00000010 -- GSS_C_CONF_FLAG - - S flag (1 bit) - 0x00000008 -- GSS_C_SEQUENCE_FLAG - - R flag (1 bit) - 0x00000004 -- GSS_C_REPLAY_FLAG - - M flag (1 bit) - 0x00000002 -- GSS_C_MUTUAL_FLAG - - D flag (1 bit) - 0x00000001 -- GSS_C_DELEG_FLAG; This flag must be set if the - "delegated credentials" option is included. - - checksum type count (16 bits) - The number of checksum types supported by the initiator. - - checksum type list (variable length) - A list of Kerberos checksum types, as defined in RFC 1510 - section 6.4. 
These checksum types must be collision-proof and - keyed with the context key; no checksum types that are - incompatible with the encryption key shall be used. Each - checksum type number shall be 32 bits wide. This list should - contain all the checksum types supported by the initiator. If - mutual authentication is not used, then this list shall contain - only one checksum type. - - options (variable length) - The context initiation options, described in section 2.3.1. - - AP-REQ length (32 bits) - The length of the following KRB_AP_REQ message. - - AP-REQ data (variable length) - The AP-REQ message as described in RFC 1510. The checksum in - the authenticator will be computed over the items listed in the - next section. - - The optional sequence number field shall be used in the AP-REQ. The - initiator should generate a subkey in the authenticator, and the - acceptor should generate a subkey in the AP-REP. The key used for - the per-message tokens will be the AP-REP subkey, or if that is not - present, the authenticator subkey, or if that is not present, the - session key. When subkeys are generated, it is strongly recommended - -Yu Document Expiration: 04 Sep 2000 [Page 7] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - that they be of the same type as the associated session key. - - XXX The above is not secure. There should be an algorithmic process - to arrive at a subsession key which both sides of the authentication - exchange can perform based on the ticket sessions key and data known - to both parties, and this should probably be part of the revised - Kerberos protocol rather than bound to the GSSAPI mechanism. - -2.3.2.1. Data to be Checksummed in AP-REQ - - The checksum in the AP-REQ message is calculated over the following - items. Like in the actual tokens, no padding should be added to - force integer fields to align on 32 bit boundaries. 
This particular - set of data should not be sent as a part of any token; it merely - specifies what is to be checksummed in the AP-REQ. The items in this - encoding that precede the initial token ID correspond to the channel - bindings passed to GSS_Init_sec_context(). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 8] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | | - +-- initiator address type --+ - 2 | | - +-------------------------------+-------------------------------+ - 4 | initiator address length | - +-------------------------------+-------------------------------+ - 6 | . | - / initiator address / - | . | - +-------------------------------+-------------------------------+ - n | | - +-- acceptor address type --+ - | | - +-------------------------------+-------------------------------+ - n+4 | acceptor address length | - +-------------------------------+-------------------------------+ - n+6 | . | - / acceptor address / - | . | - +-------------------------------+-------------------------------+ - m | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - k | initial token id = 0x0101 | - +-------------------------------+-------------------------------+ - k+2 | | - +-- flags --+ - k+4 | | - +-------------------------------+-------------------------------+ - k+6 | checksum type count | - +-------------------------------+-------------------------------+ - k+8 | . | - / checksum type list / - | . | - +-------------------------------+-------------------------------+ - j | . | - / options / - | . | - +-------------------------------+-------------------------------+ - - - initiator address type (32 bits) - The initiator address type, as defined in the Kerberos protocol - specification. 
If no initiator address is provided, this must - be zero. - - initiator address length (16 bits) - The length in bytes of the following initiator address. If - there is no inititator address provided, this must be zero. - - -Yu Document Expiration: 04 Sep 2000 [Page 9] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - initiator address (variable length) - The actual initiator address, in network byte order. - - acceptor address type (32 bits) - The acceptor address type, as defined in the Kerberos protocol - specification. If no acceptor address is provided, this must be - zero. - - acceptor address length (16 bits) - The length in bytes of the following acceptor address. This - must be zero is there is no acceptor address provided. - - initiator address (variable length) - The actual acceptor address, in network byte order. - - applicatation data (variable length) - The application data, if provided, encoded as a ASN.1 octet - string using DER. If no application data are passed as input - channel bindings, this shall be a zero-length ASN.1 octet - string. - - initial token ID (16 bits) - The initial token ID from the initial token. - - flags (32 bits) - The context establishment flags from the initial token. - - checksum type count (16 bits) - The number of checksum types supported by the initiator. - - checksum type list (variable length) - The same list of checksum types contained in the initial token. - - options (variable length) - The options list from the initial token. - -2.3.3. Response Token - - This is the reponse token sent by the context acceptor, if mutual - authentication is enabled. 
- - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 10] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | response token id = 0x0202 | - +-------------------------------+-------------------------------+ - 2 | | - +-- reserved flag bits +-------+ - 4 | | D | E | - +-------------------------------+-------------------------------+ - 6 | | - +-- checksum type --+ - 8 | | - +-------------------------------+-------------------------------+ - 10 | . | - / options / - | . | - +-------------------------------+-------------------------------+ - n | | - +-- AP-REP or KRB-ERROR length --+ - n+2 | | - +-------------------------------+-------------------------------+ - n+4 | . | - / AP-REP or KRB-ERROR data / - | . | - +-------------------------------+-------------------------------+ - m | . | - / MIC data / - | . | - +-------------------------------+-------------------------------+ - - - response token id (16 bits) - Contains the integer 0x0202, which identifies this as the - response token in the context setup. - - reserved flag bits (30 bits) - These bits are reserved for future expansion. They must be set - to zero by the acceptor and be ignored by the initiator. - - D flag -- delegated creds accepted (1 bit) - 0x00000002 -- If this flag is set, the acceptor processed the - delegated credentials, and GSS_C_DELEG_FLAG should be returned - to the caller. - - E flag -- error (1 bit) - 0x00000001 -- If this flag is set, a KRB-ERROR message shall be - present, rather than an AP-REP message. If this flag is not - set, an AP-REP message shall be present. - - checksum type count (16 bits) - The number of checksum types supported by both the initiator and - the acceptor. 
- - - -Yu Document Expiration: 04 Sep 2000 [Page 11] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - checksum type (32 bits) - A Kerberos checksum type, as defined in RFC 1510 section 6.4. - This checksum type must be among the types listed by the - initiator, and will be used in for subsequent checksums - generated during this security context. - - options (variable length) - The option list, as described earlier. At this time, no options - are defined for the acceptor, but an implementation might make - use of these options to acknowledge an option from the initial - token. After all the options are specified, a null option must - be used to terminate the list. - - AP-REP or KRB-ERROR length (32 bits) - Depending on the value of the error flag, length in bytes of the - AP-REP or KRB-ERROR message. - - AP-REP or KRB-ERROR data (variable length) - Depending on the value of the error flag, the AP-REP or - KRB-ERROR message as described in RFC 1510. If this field - contains an AP-REP message, the sequence number field in the - AP-REP shall be filled. If this is a KRB-ERROR message, no - further fields will be in this message. - - MIC data (variable length) - A MIC token, as described in section 2.4.2, computed over the - concatentation of the response token ID, flags, checksum length - and type fields, and all option fields. This field and the - preceding length field must not be present if the error flag is - set. - -2.4. Per-message Tokens - -2.4.1. Sequence Number Usage - - Sequence numbers for per-message tokens are 31 bit unsigned integers, - which are incremented by 1 after each token. An overflow condition - should result in a wraparound of the sequence number to zero. The - initiator and acceptor each keep their own sequence numbers per - connection. - - The intial sequence number for tokens sent from the initiator to the - acceptor shall be the least significant 31 bits of sequence number in - the AP-REQ message. 
The initial sequence number for tokens sent from - the acceptor to the initiator shall be the least significant 31 bits - of the sequence number in the AP-REP message if mutual authentication - is used; if mutual authentication is not used, the initial sequence - number from acceptor to initiator shall be the least significant 31 - bits of the sequence number in the AP-REQ message. - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 12] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.4.2. MIC Token - - Use of the GSS_GetMIC() call yields a token, separate from the user - data being protected, which can be used to verify the integrity of - that data when it is received. The MIC token has the following - format: - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | MIC token id = 0x0303 | - +-------------------------------+-------------------------------+ - 2 | D | | - +---+ sequence number --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | checksum length | - +-------------------------------+-------------------------------+ - 8 | . | - / checksum data / - | . | - +-------------------------------+-------------------------------+ - - - MIC token id (16 bits) - Contains the integer 0x0303, which identifies this as a MIC - token. - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. - - checksum length (16 bits) - The number of bytes in the following checksum data field. - - checksum data (variable length) - The checksum itself, as defined in RFC 1510 section 6.4. The - checksum is calculated over the encoding described in the - following section. 
The key usage GSS_TOK_MIC -- 22 [XXX need to - register this] shall be used in cryptosystems that support key - derivation. - - The mechanism implementation shall only use the checksum type - returned by the acceptor in the case of mutual authentication. If - mutual authentication is not requested, then only the checksum type - in the initiator token shall be used. - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 13] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.4.2.1. Data to be Checksummed in MIC Token - - The checksum in the MIC token shall be calculated over the following - elements. This set of data is not actually included in the token as - is; the description only appears for the purpose of specifying the - method of calculating the checksum. - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | MIC token id = 0x0303 | - +-------------------------------+-------------------------------+ - 2 | D | | - +---+ sequence number --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - - - MIC token ID (16 bits) - The MIC token ID from the MIC message. - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. - - application data (variable length) - The application-supplied data, encoded as an ASN.1 octet string - using DER. - -2.4.3. Wrap Token - - Use of the GSS_Wrap() call yields a token which encapsulates the - input user data (optionally encrypted) along with associated - integrity check quantities. - -2.4.3.1. 
Wrap Token With Integrity Only - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 14] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | integrity wrap token id = 0x0404 | - +-------------------------------+-------------------------------+ - 2 | D | | - +---+ sequence number --+ - 4 | | - +-------------------------------+-------------------------------+ - 6 | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - n | checksum length | - +-------------------------------+-------------------------------+ - n+2 | . | - / checksum data / - | . | - +-------------------------------+-------------------------------+ - - - integrity wrap token id (16 bits) - Contains the integer 0x0404, which identifies this as a Wrap - token with integrity only. - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. - - application data (variable length) - The application-supplied data, encoded as an ASN.1 octet string - using DER. - - checksum length (16 bits) - The number of bytes in the following checksum data field. - - checksum data (variable length) - The checksum itself, as defined in RFC 1510 section 6.4, - computed over the concatenation of the token ID, sequence - number, direction field, application data length, and - application data, as in the MIC token checksum in the previous - section. The key usage GSS_TOK_WRAP_INTEG -- 23 [XXX need to - register this] shall be used in cryptosystems that support key - derivation. - - The mechanism implementation should only use checksum types which it - knows to be valid for both peers, as described for MIC tokens. 
- - - - -Yu Document Expiration: 04 Sep 2000 [Page 15] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -2.4.3.2. Wrap Token With Integrity and Encryption - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - | encrypted wrap token id = 0x0505 | - +-------------------------------+-------------------------------+ - 2 | . | - / encrypted data / - | . | - +-------------------------------+-------------------------------+ - - - encrypted wrap token id (16 bits) - Contains the integer 0x0505, which identifies this as a Wrap - token with integrity and encryption. - - encrypted data (variable length) - The encrypted data itself, as defined in RFC 1510 section 6.3, - encoded as an ASN.1 octet string using DER. Note that this is - not the ASN.1 type EncryptedData as defined in RFC 1510 - section 6.1, but rather the ciphertext without encryption type - or kvno information. The encryption is performed using the - key/enctype exchanged during context setup. The confounder and - checksum are as specified in the Kerberos protocol - specification. The key usage GSS_TOK_WRAP_PRIV -- 24 [XXX need - to register this] shall be used in cryptosystems that support - key derivation. The actual data to be encrypted are specified - below. - -2.4.3.2.1. Data to be Encrypted in Wrap Token - - bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | -byte +-------------------------------+-------------------------------+ - 0 | D | | - +---+ sequence number --+ - 2 | | - +-------------------------------+-------------------------------+ - 4 | . | - / application data / - | . | - +-------------------------------+-------------------------------+ - - - D -- direction bit (1 bit) - This bit shall be zero if the message is sent from the context - initiator. If the message is sent from the context acceptor, - this bit shall be one. - - sequence number (31 bits) - The sequence number. 
- - application data (variable length) - The application-supplied data, encoded as an ASN.1 octet string - -Yu Document Expiration: 04 Sep 2000 [Page 16] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - using DER. - -3. ASN.1 Encoding of Octet Strings - - In order to encode arbitirarly-sized application data, ASN.1 octet - string encoding is in this protocol. The Distinguished Encoding - Rules (DER) shall always be used in such cases. For reference - purposes, the DER encoding of an ASN.1 octet string, adapted from - ITU-T X.690, follows: - - +--------+-------//-------+-------//-------+ - |00000100| length octets |contents octets | - +--------+-------//-------+-------//-------+ - | - +-- identifier octet = 0x04 = [UNIVERSAL 4] - - - In this section only, the bits in each octet shall be numbered as in - the ASN.1 specification, from 8 to 1, with bit 8 being the MSB of the - octet, and with bit 1 being the LSB of the octet. - - identifier octet (8 bits) - Contains the constant 0x04, the tag for primitive encoding of an - octet string with the default (UNIVERSAL 4) tag. - - length octets (variable length) - Contains the length of the contents octets, in definite form - (since this encoding uses DER). - - contents octets (variable length) - The contents of the octet string. - - The length octets shall consist of either a short form (one byte - only), which is to be used only if the number of octets in the - contents octets is less than or equal to 127, or a long form, which - is to be used in all other cases. The short form shall consist of a - single octet with bit 8 (the MSB) equal to zero, and the remaining - bits encoding the number of contents octets (which may be zero) as an - unsigned binary integer. - - The long form shall consist of an initial octet and one or more - subsequent octets. 
The first octet shall have bit 8 (the MSB) set to
- one, and the remaining bits shall encode the number of subsequent
- octets in the length encoding as an unsigned binary integer. The
- length must be encoded in the minimum number of octets. An initial
- octet of 0xFF is reserved by the ASN.1 specification. Bits 8 to 1 of
- the first subsequent octet, followed by bits 8 to 1 of each
- subsequent octet in order, shall be the encoding of an unsigned
- binary integer, with bit 8 of the first octet being the most
- significant bit. Thus, the length encoding within is in network byte
- order.
-
-
-
-Yu Document Expiration: 04 Sep 2000 [Page 17]
-
-Internet-Draft krb5-gss-mech2-03 March 2000
-
- An initial length octet of 0x80 shall not be used, as that is
- reserved by the ASN.1 specification for indefinite lengths in
- conjunction with constructed contents encodings, which are not to be
- used with DER.
-
-4. Name Types
-
- This section discusses the name types which may be passed as input to
- the Kerberos 5 GSSAPI mechanism's GSS_Import_name() call, and their
- associated identifier values. It defines interface elements in
- support of portability, and assumes use of C language bindings per
- RFC 2744. In addition to specifying OID values for name type
- identifiers, symbolic names are included and recommended to GSSAPI
- implementors in the interests of convenience to callers. It is
- understood that not all implementations of the Kerberos 5 GSSAPI
- mechanism need support all name types in this list, and that
- additional name forms will likely be added to this list over time.
- Further, the definitions of some or all name types may later migrate
- to other, mechanism-independent, specifications. The occurrence of a
- name type in this specification is specifically not intended to
- suggest that the type may be supported only by an implementation of
- the Kerberos 5 mechanism.
In particular, the occurrence of the
- string "_KRB5_" in the symbolic name strings constitutes a means to
- unambiguously register the name strings, avoiding collision with
- other documents; it is not meant to limit the name types' usage or
- applicability.
-
- For purposes of clarification to GSSAPI implementors, this section's
- discussion of some name forms describes means through which those
- forms can be supported with existing Kerberos technology. These
- discussions are not intended to preclude alternative implementation
- strategies for support of the name forms within Kerberos mechanisms
- or mechanisms based on other technologies. To enhance application
- portability, implementors of mechanisms are encouraged to support
- name forms as defined in this section, even if their mechanisms are
- independent of Kerberos 5.
-
-4.1. Mandatory Name Forms
-
- This section discusses name forms which are to be supported by all
- conformant implementations of the Kerberos 5 GSSAPI mechanism.
-
-4.1.1. Kerberos Principal Name Form
-
- This name form shall be represented by the Object Identifier {iso(1)
- member-body(2) us(840) mit(113554) infosys(1) gssapi(2) krb5(2)
- krb5_name(1)}. The recommended symbolic name for this type is
- "GSS_KRB5_NT_PRINCIPAL_NAME".
-
- This name type corresponds to the single-string representation of a
- Kerberos name. (Within the MIT Kerberos 5 implementation, such names
- are parseable with the krb5_parse_name() function.) The elements
- included within this name representation are as follows, proceeding
-
-Yu Document Expiration: 04 Sep 2000 [Page 18]
-
-Internet-Draft krb5-gss-mech2-03 March 2000
-
- from the beginning of the string:
-
- (1) One or more principal name components; if more than one
- principal name component is included, the components are
- separated by '/'.
Arbitrary octets may be included within
- principal name components, with the following constraints and
- special considerations:
-
- (1a) Any occurrence of the characters '@' or '/' within a
- name component must be immediately preceded by the '\'
- quoting character, to prevent interpretation as a component
- or realm separator.
-
- (1b) The ASCII newline, tab, backspace, and null characters
- may occur directly within the component or may be
- represented, respectively, by '\n', '\t', '\b', or '\0'.
-
- (1c) If the '\' quoting character occurs outside the contexts
- described in (1a) and (1b) above, the following character is
- interpreted literally. As a special case, this allows the
- doubled representation '\\' to represent a single occurrence
- of the quoting character.
-
- (1d) An occurrence of the '\' quoting character as the last
- character of a component is illegal.
-
- (2) Optionally, a '@' character, signifying that a realm name
- immediately follows. If no realm name element is included, the
- local realm name is assumed. The '/' , ':', and null characters
- may not occur within a realm name; the '@', newline, tab, and
- backspace characters may be included using the quoting
- conventions described in (1a), (1b), and (1c) above.
-
-4.1.2. Exported Name Object Form for Kerberos 5 Mechanism
-
- When generated by the Kerberos 5 mechanism, the Mechanism OID within
- the exportable name shall be that of the original Kerberos 5
- mechanism[RFC1964]. The Mechanism OID for the original Kerberos 5
- mechanism is:
-
- {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2)
- krb5(2)}
-
- The name component within the exportable name shall be a contiguous
- string with structure as defined for the Kerberos Principal Name
- Form.
-
- In order to achieve a distinguished encoding for comparison purposes,
- the following additional constraints are imposed on the export
- operation:
-
- (1) all occurrences of the characters '@', '/', and '\' within
- principal components or realm names shall be quoted with an
-
-Yu Document Expiration: 04 Sep 2000 [Page 19]
-
-Internet-Draft krb5-gss-mech2-03 March 2000
-
- immediately-preceding '\'.
-
- (2) all occurrences of the null, backspace, tab, or newline
- characters within principal components or realm names will be
- represented, respectively, with '\0', '\b', '\t', or '\n'.
-
- (3) the '\' quoting character shall not be emitted within an
- exported name except to accomodate cases (1) and (2).
-
-5. Credentials
-
- The Kerberos 5 protocol uses different credentials (in the GSSAPI
- sense) for initiating and accepting security contexts. Normal
- clients receive a ticket-granting ticket (TGT) and an associated
- session key at "login" time; the pair of a TGT and its corresponding
- session key forms a credential which is suitable for initiating
- security contexts. A ticket-granting ticket, its session key, and
- any other (ticket, key) pairs obtained through use of the
- ticket-granting-ticket, are typically stored in a Kerberos 5
- credentials cache, sometimes known as a ticket file.
-
- The encryption key used by the Kerberos server to seal tickets for a
- particular application service forms the credentials suitable for
- accepting security contexts. These service keys are typically stored
- in a Kerberos 5 key table (keytab), or srvtab file (the Kerberos 4
- terminology). In addition to their use as accepting credentials,
- these service keys may also be used to obtain initiating credentials
- for their service principal.
-
- The Kerberos 5 mechanism's credential handle may contain references
- to either or both types of credentials.
It is a local matter how the
- Kerberos 5 mechanism implementation finds the appropriate Kerberos 5
- credentials cache or key table.
-
- However, when the Kerberos 5 mechanism attempts to obtain initiating
- credentials for a service principal which are not available in a
- credentials cache, and the key for that service principal is
- available in a Kerberos 5 key table, the mechanism should use the
- service key to obtain initiating credentials for that service. This
- should be accomplished by requesting a ticket-granting-ticket from
- the Kerberos Key Distribution Center (KDC), and decrypting the KDC's
- reply using the service key.
-
-6. Parameter Definitions
-
- This section defines parameter values used by the Kerberos V5 GSSAPI
- mechanism. It defines interface elements in support of portability,
- and assumes use of C language bindings per RFC 2744.
-
-6.1. Minor Status Codes
-
- This section recommends common symbolic names for minor_status values
- to be returned by the Kerberos 5 GSSAPI mechanism. Use of these
-
-Yu Document Expiration: 04 Sep 2000 [Page 20]
-
-Internet-Draft krb5-gss-mech2-03 March 2000
-
- definitions will enable independent implementors to enhance
- application portability across different implementations of the
- mechanism defined in this specification. (In all cases,
- implementations of GSS_Display_status() will enable callers to
- convert minor_status indicators to text representations.) Each
- implementation should make available, through include files or other
- means, a facility to translate these symbolic names into the concrete
- values which a particular GSSAPI implementation uses to represent the
- minor_status values specified in this section.
-
- It is recognized that this list may grow over time, and that the need
- for additional minor_status codes specific to particular
- implementations may arise.
It is recommended, however, that - implementations should return a minor_status value as defined on a - mechanism-wide basis within this section when that code is accurately - representative of reportable status rather than using a separate, - implementation-defined code. - -6.1.1. Non-Kerberos-specific codes - - These symbols should likely be incorporated into the generic GSSAPI - C-bindings document, since they really are more general. - -GSS_KRB5_S_G_BAD_SERVICE_NAME - /* "No @ in SERVICE-NAME name string" */ -GSS_KRB5_S_G_BAD_STRING_UID - /* "STRING-UID-NAME contains nondigits" */ -GSS_KRB5_S_G_NOUSER - /* "UID does not resolve to username" */ -GSS_KRB5_S_G_VALIDATE_FAILED - /* "Validation error" */ -GSS_KRB5_S_G_BUFFER_ALLOC - /* "Couldn't allocate gss_buffer_t data" */ -GSS_KRB5_S_G_BAD_MSG_CTX - /* "Message context invalid" */ -GSS_KRB5_S_G_WRONG_SIZE - /* "Buffer is the wrong size" */ -GSS_KRB5_S_G_BAD_USAGE - /* "Credential usage type is unknown" */ -GSS_KRB5_S_G_UNKNOWN_QOP - /* "Unknown quality of protection specified" */ - - -6.1.2. Kerberos-specific-codes - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 21] - -Internet-Draft krb5-gss-mech2-03 March 2000 - -GSS_KRB5_S_KG_CCACHE_NOMATCH - /* "Principal in credential cache does not match desired name" */ -GSS_KRB5_S_KG_KEYTAB_NOMATCH - /* "No principal in keytab matches desired name" */ -GSS_KRB5_S_KG_TGT_MISSING - /* "Credential cache has no TGT" */ -GSS_KRB5_S_KG_NO_SUBKEY - /* "Authenticator has no subkey" */ -GSS_KRB5_S_KG_CONTEXT_ESTABLISHED - /* "Context is already fully established" */ -GSS_KRB5_S_KG_BAD_SIGN_TYPE - /* "Unknown signature type in token" */ -GSS_KRB5_S_KG_BAD_LENGTH - /* "Invalid field length in token" */ -GSS_KRB5_S_KG_CTX_INCOMPLETE - /* "Attempt to use incomplete security context" */ - - -7. Kerberos Protocol Dependencies - - This protocol makes several assumptions about the Kerberos protocol, - which may require changes to the successor of RFC 1510. 
- - Sequence numbers, checksum types, and address types are assumed to be - no wider than 32 bits. The Kerberos protocol specification might - need to be modified to accomodate this. This obviously requires some - further discussion. - - Key usages need to be registered within the Kerberos protocol for use - with GSSAPI per-message tokens. The current specification of the - Kerberos protocol does not include descriptions of key derivations or - key usages, but planned revisions to the protocol will include them. - - This protocol also makes the assumption that any cryptosystem used - with the session key will include integrity protection, i.e., it - assumes that no "raw" cryptosystems will be used. - -8. Security Considerations - - The GSSAPI is a security protocol; therefore, security considerations - are discussed throughout this document. The original Kerberos 5 - GSSAPI mechanism's constraints on possible cryptosystems and checksum - types do not permit it to be readily extended to accomodate more - secure cryptographic technologies with larger checksums or encryption - block sizes. Sites are strongly encouraged to adopt the mechanism - specified in this document in the light of recent publicity about the - deficiencies of DES. - -9. References - - [X.680] ISO/IEC, "Information technology -- Abstract Syntax Notation - One (ASN.1): Specification of basic notation", ITU-T X.680 (1997) | - ISO/IEC 8824-1:1998 - -Yu Document Expiration: 04 Sep 2000 [Page 22] - -Internet-Draft krb5-gss-mech2-03 March 2000 - - [X.690] ISO/IEC, "Information technology -- ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), Canonical Encoding Rules - (CER) and Distinguished Encoding Rules (DER)", ITU-T X.690 (1997) | - ISO/IEC 8825-1:1998. - - [RFC1510] Kohl, J., Neumann, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510. - - [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964. 
- - [RFC2743] Linn, J., "Generic Security Service Application Program - Interface, Version 2, Update 1", RFC 2743. - - [RFC2744] Wray, J., "Generic Security Service API Version 2: - C-bindings", RFC 2744. - -10. Author's Address - - Tom Yu - Massachusetts Institute of Technology - Room E40-345 - 77 Massachusetts Avenue - Cambridge, MA 02139 - USA - - email: tlyu@mit.edu - phone: +1 617 253 1753 - - - - - - - - - - - - - - - - - - - - - - - - - - -Yu Document Expiration: 04 Sep 2000 [Page 23] - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt b/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt deleted file mode 100644 index 885cf4967679..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt +++ /dev/null 
@@ -1,3415 +0,0 @@ -FTPEXT Working Group R. Elz -Internet Draft University of Melbourne -Expiration Date: April 2000 - P. Hethmon - Hethmon Brothers - - October 1999 - - - Extensions to FTP - - - draft-ietf-ftpext-mlst-08.txt - -Status of this Memo - - This document is an Internet-Draft and is NOT offered in accordance - with Section 10 of RFC2026, and the author does not provide the IETF - with any rights other than to publish as an Internet-Draft. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - To view the list Internet-Draft Shadow Directories, see - http://www.ietf.org/shadow.html. - - This entire section has been prepended to this document automatically - during formatting without any direct involvement by the author(s) of - this draft. - - - - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 1] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -Abstract - - In order to overcome the problems caused by the undefined format of - the current FTP LIST command output, a new command is needed to - transfer standardized listing information from Server-FTP to User- - FTP. Commands to enable this are defined in this document. - - In order to allow consenting clients and servers to interact more - freely, a quite basic, and optional, virtual file store structure is - defined. 
- - This proposal also extends the FTP protocol to allow character sets - other than US-ASCII[1] by allowing the transmission of 8-bit - characters and the recommended use of UTF-8[2] encoding. - - Much implemented, but long undocumented, mechanisms to permit - restarts of interrupted data transfers in STREAM mode, are also - included here. - - Lastly, the HOST command has been added to allow a style of "virtual - site" to be constructed. - - Changed in this version of this document: Minor corrections as - discussed on the mailing list, including fixing many typographical - errors; Additional examples. This paragraph will be deleted from the - final version of this document. - - - - - - - - - - - - - - - - - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 2] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - - -Table of Contents - - Abstract ................................................ 2 - 1 Introduction ............................................ 4 - 2 Document Conventions .................................... 4 - 2.1 Basic Tokens ............................................ 5 - 2.2 Pathnames ............................................... 5 - 2.3 Times ................................................... 7 - 2.4 Server Replies .......................................... 8 - 3 File Modification Time (MDTM) ........................... 8 - 3.1 Syntax .................................................. 9 - 3.2 Error responses ......................................... 9 - 3.3 FEAT response for MDTM .................................. 9 - 3.4 MDTM Examples ........................................... 10 - 4 File SIZE ............................................... 11 - 4.1 Syntax .................................................. 11 - 4.2 Error responses ......................................... 11 - 4.3 FEAT response for SIZE .................................. 12 - 4.4 Size Examples ........................................... 
12 - 5 Restart of Interrupted Transfer (REST) .................. 13 - 5.1 Restarting in STREAM Mode ............................... 13 - 5.2 Error Recovery and Restart .............................. 14 - 5.3 Syntax .................................................. 14 - 5.4 FEAT response for REST .................................. 16 - 5.5 REST Example ............................................ 16 - 6 Virtual FTP servers ..................................... 16 - 6.1 The HOST command ........................................ 18 - 6.2 Syntax of the HOST command .............................. 18 - 6.3 HOST command semantics .................................. 19 - 6.4 HOST command errors ..................................... 21 - 6.5 FEAT response for HOST command .......................... 22 - 7 A Trivial Virtual File Store (TVFS) ..................... 23 - 7.1 TVFS File Names ......................................... 23 - 7.2 TVFS Path Names ......................................... 24 - 7.3 FEAT Response for TVFS .................................. 25 - 7.4 OPTS for TVFS ........................................... 26 - 7.5 TVFS Examples ........................................... 26 - 8 Listings for Machine Processing (MLST and MLSD) ......... 28 - 8.1 Format of MLSx Requests ................................. 29 - 8.2 Format of MLSx Response ................................. 29 - 8.3 Filename encoding ....................................... 32 - 8.4 Format of Facts ......................................... 33 - 8.5 Standard Facts .......................................... 33 - 8.6 System Dependent and Local Facts ........................ 41 - 8.7 MLSx Examples ........................................... 42 - 8.8 FEAT response for MLSx .................................. 50 - - - -Elz & Hethmon [Expires April 2000] [Page 3] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - 8.9 OPTS parameters for MLST ................................ 
51 - 9 Impact On Other FTP Commands ............................ 55 - 10 Character sets and Internationalization ................. 56 - 11 IANA Considerations ..................................... 56 - 11.1 The OS specific fact registry ........................... 56 - 11.2 The OS specific filetype registry ....................... 57 - 12 Security Considerations ................................. 57 - 13 References .............................................. 58 - Acknowledgments ......................................... 59 - Copyright ............................................... 60 - Editors' Addresses ...................................... 60 - - - - -1. Introduction - - This document amends the File Transfer Protocol (FTP) [3]. Five new - commands are added: "SIZE", "HOST", "MDTM", "MLST", and "MLSD". The - existing command "REST" is modified. Of those, the "SIZE" and "MDTM" - commands, and the modifications to "REST" have been in wide use for - many years. The others are new. - - These commands allow a client to restart an interrupted transfer in - transfer modes not previously supported in any documented way, to - support the notion of virtual hosts, and to obtain a directory - listing in a machine friendly, predictable, format. - - An optional structure for the server's file store (NVFS) is also - defined, allowing servers that support such a structure to convey - that information to clients in a standard way, thus allowing clients - more certainty in constructing and interpreting path names. - -2. Document Conventions - - This document makes use of the document conventions defined in BCP14 - [4]. That provides the interpretation of capitalized imperative - words like MUST, SHOULD, etc. - - This document also uses notation defined in STD 9 [3]. 
In - particular, the terms "reply", "user", "NVFS", "file", "pathname", - "FTP commands", "DTP", "user-FTP process", "user-PI", "user-DTP", - "server-FTP process", "server-PI", "server-DTP", "mode", "type", - "NVT", "control connection", "data connection", and "ASCII", are all - used here as defined there. - - Syntax required is defined using the Augmented BNF defined in [5]. - Some general ABNF definitions are required throughout the document, - - - -Elz & Hethmon [Expires April 2000] [Page 4] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - those will be defined later in this section. At first reading, it - may be wise to simply recall that these definitions exist here, and - skip to the next section. - -2.1. Basic Tokens - - This document imports the core definitions given in Appendix A of - [5]. There definitions will be found for basic ABNF elements like - ALPHA, DIGIT, SP, etc. To that, the following terms are added for - use in this document. - - TCHAR = VCHAR / SP / HTAB ; visible plus white space - RCHAR = ALPHA / DIGIT / "," / "." / ":" / "!" / - "@" / "#" / "$" / "%" / "^" / - "&" / "(" / ")" / "-" / "_" / - "+" / "?" / "/" / "\" / "'" / - DQUOTE ; <"> -- double quote character (%x22) - - The VCHAR (from [5]), TCHAR, and RCHAR types give basic character - types from varying sub-sets of the ASCII character set for use in - various commands and responses. - - token = 1*RCHAR - - A "token" is a string whose precise meaning depends upon the context - in which it is used. In some cases it will be a value from a set of - possible values maintained elsewhere. In others it might be a string - invented by one party to an FTP conversation from whatever sources it - finds relevant. - - Note that in ABNF, string literals are case insensitive. That - convention is preserved in this document, and implies that FTP - commands added by this specification have names that can be - represented in any case. 
That is, "MDTM" is the same as "mdtm", - "Mdtm" and "MdTm" etc. However note that ALPHA, in particular, is - case sensitive. That implies that a "token" is a case sensitive - value. That implication is correct. - -2.2. Pathnames - - Various FTP commands take pathnames as arguments, or return pathnames - in responses. When the MLST command is supported, as indicated in - the response to the FEAT command [6], pathnames are to be transferred - in one of the following two formats. - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 5] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - pathname = utf-8-name / raw - utf-8-name = - raw = - - Which format is used is at the option of the user-PI or server-PI - sending the pathname. UTF-8 encodings [2] contain enough internal - structure that it is always, in practice, possible to determine - whether a UTF-8 or raw encoding has been used, in those cases where - it matters. While it is useful for the user-PI to be able to - correctly display a pathname received from the server-PI to the user, - it is far more important for the user-PI to be able to retain and - retransmit the identical pathname when required. Implementations are - advised against converting a UTF-8 pathname to a local encoding, and - then attempting to invert the encoding later. Note that ASCII is a - subset of UTF-8. - - Unless otherwise specified, the pathname is terminated by the CRLF - that terminates the FTP command, or by the CRLF that ends a reply. - Any trailing spaces preceding that CRLF form part of the name. - Exactly one space will precede the pathname and serve as a separator - from the preceding syntax element. Any additional spaces form part - of the pathname. See [7] for a fuller explanation of the character - encoding issues. All implementations supporting MLST MUST support - [7]. 
- - Implementations should also beware that the control connection uses - Telnet NVT conventions [8], and that the Telnet IAC character, if - part of a pathname sent over the control connection, MUST be - correctly escaped as defined by the Telnet protocol. - - Implementors should also be aware that although Telnet NVT - conventions are used over the control connections, Telnet option - negotiation MUST NOT be attempted. See section 4.1.2.12 of [9]. - -2.2.1. Pathname Syntax - - Except where TVFS is supported (see section 7) this specification - imposes no syntax upon pathnames. Nor does it restrict the character - set from which pathnames are created. This does not imply that the - NVFS is required to make sense of all possible pathnames. Server-PIs - may restrict the syntax of valid pathnames in their NVFS in any - manner appropriate to their implementation or underlying file system. - Similarly, a server-PI may parse the pathname, and assign meaning to - the components detected. - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 6] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -2.2.2. Wildcarding - - For the commands defined in this specification, all pathnames are to - be treated literally. That is, for a pathname given as a parameter - to a command, the file whose name is identical to the pathname given - is implied. No characters from the pathname may be treated as - special or "magic", thus no pattern matching (other than for exact - equality) between the pathname given and the files present in the - NVFS of the Server-FTP is permitted. - - Clients that desire some form of pattern matching functionality must - obtain a listing of the relevant directory, or directories, and - implement their own filename selection procedures. - -2.3. Times - - The syntax of a time value is: - - time-val = 14DIGIT [ "." 
1*DIGIT ] - - The leading, mandatory, fourteen digits are to be interpreted as, in - order from the leftmost, four digits giving the year, with a range of - 1000-9999, two digits giving the month of the year, with a range of - 01-12, two digits giving the day of the month, with a range of 01-31, - two digits giving the hour of the day, with a range of 00-23, two - digits giving minutes past the hour, with a range of 00-59, and - finally, two digits giving seconds past the minute, with a range of - 00-60 (with 60 being used only at a leap second). Years in the tenth - century, and earlier, cannot be expressed. This is not considered a - serious defect of the protocol. - - The optional digits, which are preceded by a period, give decimal - fractions of a second. These may be given to whatever precision is - appropriate to the circumstance, however implementations MUST NOT add - precision to time-vals where that precision does not exist in the - underlying value being transmitted. - - Symbolically, a time-val may be viewed as - - YYYYMMDDHHMMSS.sss - - The "." and subsequent digits ("sss") are optional. However the "." - MUST NOT appear unless at least one following digit also appears. - - Time values are always represented in UTC (GMT), and in the Gregorian - calendar regardless of what calendar may have been in use at the date - and time indicated at the location of the server-PI. - - - - -Elz & Hethmon [Expires April 2000] [Page 7] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - The technical differences between GMT, TAI, UTC, UT1, UT2, etc, are - not considered here. A server-FTP process should always use the same - time reference, so the times it returns will be consistent. Clients - are not expected to be time synchronized with the server, so the - possible difference in times that might be reported by the different - time standards is not considered important. - -2.4. 
Server Replies - - Section 4.2 of [3] defines the format and meaning of replies by the - server-PI to FTP commands from the user-PI. Those reply conventions - are used here without change. - - error-response = error-code SP *TCHAR CRLF - error-code = ("4" / "5") 2DIGIT - - Implementors should note that the ABNF syntax (which was not used in - [3]) used in this document, and other FTP related documents, - sometimes shows replies using the one line format. Unless otherwise - explicitly stated, that is not intended to imply that multi-line - responses are not permitted. Implementors should assume that, unless - stated to the contrary, any reply to any FTP command (including QUIT) - may be of the multi-line format described in [3]. - - Throughout this document, replies will be identified by the three - digit code that is their first element. Thus the term "500 reply" - means a reply from the server-PI using the three digit code "500". - -3. File Modification Time (MDTM) - - The FTP command, MODIFICATION TIME (MDTM), can be used to determine - when a file in the server NVFS was last modified. This command has - existed in many FTP servers for many years, as an adjunct to the REST - command for STREAM mode, thus is widely available. However, where - supported, the "modify" fact which can be provided in the result from - the new MLST command is recommended as a superior alternative. - - When attempting to restart a RETRieve, if the User-FTP makes use of - the MDTM command, or "modify" fact, it can check and see if the - modification time of the source file is more recent than the - modification time of the partially transferred file. If it is, then - most likely the source file has changed and it would be unsafe to - restart the previously incomplete file transfer. - - When attempting to restart a STORe, the User FTP can use the MDTM - command to discover the modification time of the partially - transferred file. 
If it is older than the modification time of the - file that is about to be STORed, then most likely the source file has - - - -Elz & Hethmon [Expires April 2000] [Page 8] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - changed and it would be unsafe to restart the file transfer. - - Note that using MLST (described below) where available, can provide - this information, and much more, thus giving an even better - indication that a file has changed, and that restarting a transfer - would not give valid results. - - Note that this is applicable to any RESTart attempt, regardless of - the mode of the file transfer. - -3.1. Syntax - - The syntax for the MDTM command is: - - mdtm = "MdTm" SP pathname CRLF - - As with all FTP commands, the "MDTM" command label is interpreted in - a case insensitive manner. - - The "pathname" specifies an object in the NVFS which may be the - object of a RETR command. Attempts to query the modification time of - files that are unable to be retrieved generate undefined responses. - - The server-PI will respond to the MDTM command with a 213 reply - giving the last modification time of the file whose pathname was - supplied, or a 550 reply if the file does not exist, the modification - time is unavailable, or some other error has occurred. - - mdtm-response = "213" SP time-val CRLF / - error-response - -3.2. Error responses - - Where the command is correctly parsed, but the modification time is - not available, either because the pathname identifies no existing - entity, or because the information is not available for the entity - named, then a 550 reply should be sent. Where the command cannot be - correctly parsed, a 500 or 501 reply should be sent, as specified in - [3]. - -3.3. FEAT response for MDTM - - When replying to the FEAT command [6], an FTP server process that - supports the MDTM command MUST include a line containing the single - word "MDTM". 
This MAY be sent in upper or lower case, or a mixture - of both (it is case insensitive) but SHOULD be transmitted in upper - case only. That is, the response SHOULD be - - - - -Elz & Hethmon [Expires April 2000] [Page 9] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - C> Feat - S> 211- - S> ... - S> MDTM - S> ... - S> 211 End - - The ellipses indicate place holders where other features may be - included, and are not required. The one space indentation of the - feature lines is mandatory [6]. - -3.4. MDTM Examples - - If we assume the existence of three files, A B and C, and a directory - D, and no other files at all, then the MTDM command may behave as - indicated. The "C>" lines are commands from user-PI to server-PI, - the "S>" lines are server-PI replies. - - C> MDTM A - S> 213 19980615100045.014 - C> MDTM B - S> 213 19980615100045.014 - C> MDTM C - S> 213 19980705132316 - C> MDTM D - S> 550 D is not retrievable - C> MDTM E - S> 550 No file named "E" - C> mdtm file6 - S> 213 19990929003355 - C> MdTm 19990929043300 File6 - S> 213 19991005213102 - C> MdTm 19990929043300 file6 - S> 550 19990929043300 file6: No such file or directory. - - From that we can conclude that both A and B were last modified at the - same time (to the nearest millisecond), and that C was modified 21 - days and several hours later. - - The times are in GMT, so file A was modified on the 15th of June, - 1998, at approximately 11am in London (summer time was then in - effect), or perhaps at 8pm in Melbourne, Australia, or at 6am in New - York. All of those represent the same absolute time of course. The - location where the file was modified, and consequently the local wall - clock time at that location, is not available. - - There is no file named "E" in the current directory, but there are - files named both "file6" and "19990929043300 File6". 
The - - - -Elz & Hethmon [Expires April 2000] [Page 10] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - modification times of those files were obtained. There is no file - named "19990929043300 file6". - -4. File SIZE - - The FTP command, SIZE OF FILE (SIZE), is used to obtain the transfer - size of a file from the server-FTP process. That is, the exact - number of octets (8 bit bytes) which would be transmitted over the - data connection should that file be transmitted. This value will - change depending on the current STRUcture, MODE and TYPE of the data - connection, or a data connection which would be created were one - created now. Thus, the result of the SIZE command is dependent on - the currently established STRU, MODE and TYPE parameters. - - The SIZE command returns how many octets would be transferred if the - file were to be transferred using the current transfer structure, - mode and type. This command is normally used in conjunction with the - RESTART (REST) command. The server-PI might need to read the - partially transferred file, do any appropriate conversion, and count - the number of octets that would be generated when sending the file in - order to correctly respond to this command. Estimates of the file - transfer size MUST NOT be returned, only precise information is - acceptable. - -4.1. Syntax - - The syntax of the SIZE command is: - - size = "Size" SP pathname CRLF - - The server-PI will respond to the SIZE command with a 213 reply - giving the transfer size of the file whose pathname was supplied, or - an error response if the file does not exist, the size is - unavailable, or some other error has occurred. The value returned is - in a format suitable for use with the RESTART (REST) command for mode - STREAM, provided the transfer mode and type are not altered. - - size-response = "213" SP 1*DIGIT CRLF / - error-response - -4.2. 
Error responses - - Where the command is correctly parsed, but the size is not available, - either because the pathname identifies no existing entity, or because - the entity named cannot be transferred in the current MODE and TYPE - (or at all), then a 550 reply should be sent. Where the command - cannot be correctly parsed, a 500 or 501 reply should be sent, as - specified in [3]. - - - -Elz & Hethmon [Expires April 2000] [Page 11] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -4.3. FEAT response for SIZE - - When replying to the FEAT command [6], an FTP server process that - supports the SIZE command MUST include a line containing the single - word "SIZE". This word is case insensitive, and MAY be sent in any - mixture of upper or lower case, however it SHOULD be sent in upper - case. That is, the response SHOULD be - - C> FEAT - S> 211- - S> ... - S> SIZE - S> ... - S> 211 END - - The ellipses indicate place holders where other features may be - included, and are not required. The one space indentation of the - feature lines is mandatory [6]. - -4.4. Size Examples - - Consider a text file "Example" stored on a Unix(TM) server where each - end of line is represented by a single octet. Assume the file - contains 112 lines, and 1830 octets total. Then the SIZE command - would produce: - - C> TYPE I - S> 200 Type set to I. - C> size Example - S> 213 1830 - C> TYPE A - S> 200 Type set to A. - C> Size Example - S> 213 1942 - - Notice that with TYPE=A the SIZE command reports an extra 112 octets. - Those are the extra octets that need to be inserted, one at the end - of each line, to provide correct end of line semantics for a transfer - using TYPE=A. Other systems might need to make other changes to the - transfer format of files when converting between TYPEs and MODEs. - The SIZE command takes all of that into account. 
- - Since calculating the size of a file with this degree of precision - may take considerable effort on the part of the server-PI, user-PIs - should not used this command unless this precision is essential (such - as when about to restart an interrupted transfer). For other uses, - the "Size" fact of the MLST command (see section 8.5.7) ought be - requested. - - - -Elz & Hethmon [Expires April 2000] [Page 12] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -5. Restart of Interrupted Transfer (REST) - - To avoid having to resend the entire file if the file is only - partially transferred, both sides need some way to be able to agree - on where in the data stream to restart the data transfer. - - The FTP specification [3] includes three modes of data transfer, - Stream, Block and Compressed. In Block and Compressed modes, the - data stream that is transferred over the data connection is - formatted, allowing the embedding of restart markers into the stream. - The sending DTP can include a restart marker with whatever - information it needs to be able to restart a file transfer at that - point. The receiving DTP can keep a list of these restart markers, - and correlate them with how the file is being saved. To restart the - file transfer, the receiver just sends back that last restart marker, - and both sides know how to resume the data transfer. Note that there - are some flaws in the description of the restart mechanism in RFC 959 - [3]. See section 4.1.3.4 of RFC 1123 [9] for the corrections. - -5.1. Restarting in STREAM Mode - - In Stream mode, the data connection contains just a stream of - unformatted octets of data. Explicit restart markers thus cannot be - inserted into the data stream, they would be indistinguishable from - data. For this reason, the FTP specification [3] did not provide the - ability to do restarts in stream mode. 
However, there is not really - a need to have explicit restart markers in this case, as restart - markers can be implied by the octet offset into the data stream. - - Because the data stream defines the file in STREAM mode, a different - data stream would represent a different file. Thus, an offset will - always represent the same position within a file. On the other hand, - in other modes than STREAM, the same file can be transferred using - quite different octet sequences, and yet be reconstructed into the - one identical file. Thus an offset into the data stream in transfer - modes other than STREAM would not give an unambiguous restart point. - - If the data representation TYPE is IMAGE, and the STRUcture is File, - for many systems the file will be stored exactly in the same format - as it is sent across the data connection. It is then usually very - easy for the receiver to determine how much data was previously - received, and notify the sender of the offset where the transfer - should be restarted. In other representation types and structures - more effort will be required, but it remains always possible to - determine the offset with finite, but perhaps non-negligible, effort. - In the worst case an FTP process may need to open a data connection - to itself, set the appropriate transfer type and structure, and - actually transmit the file, counting the transmitted octets. - - - -Elz & Hethmon [Expires April 2000] [Page 13] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - If the user-FTP process is intending to restart a retrieve, it will - directly calculate the restart marker, and send that information in - the RESTart command. However, if the user-FTP process is intending - to restart sending the file, it needs to be able to determine how - much data was previously sent, and correctly received and saved. A - new FTP command is needed to get this information. This is the - purpose of the SIZE command, as documented in section 4. 
- -5.2. Error Recovery and Restart - - STREAM MODE transfers with FILE STRUcture may be restarted even - though no restart marker has been transferred in addition to the data - itself. This is done by using the SIZE command, if needed, in - combination with the RESTART (REST) command, and one of the standard - file transfer commands. - - When using TYPE ASCII or IMAGE, the SIZE command will return the - number of octets that would actually be transferred if the file were - to be sent between the two systems. I.e. with type IMAGE, the SIZE - normally would be the number of octets in the file. With type ASCII, - the SIZE would be the number of octets in the file including any - modifications required to satisfy the TYPE ASCII CR-LF end of line - convention. - -5.3. Syntax - - The syntax for the REST command when the current transfer mode is - STREAM is: - - rest = "Rest" SP 1*DIGIT CRLF - - The numeric value gives the number of octets of the immediately - following transfer to not actually send, effectively causing the - transmission to be restarted at a later point. A value of zero - effectively disables restart, causing the entire file to be - transmitted. The server-PI will respond to the REST command with a - 350 reply, indicating that the REST parameter has been saved, and - that another command, which should be either RETR or STOR, should - then follow to complete the restart. - - rest-response = "350" SP *TCHAR CRLF / - error-response - - Server-FTP processes may permit transfer commands other than RETR and - STOR, such as APPE and STOU, to complete a restart, however, this is - not recommended. STOU (store unique) is undefined in this usage, as - storing the remainder of a file into a unique filename is rarely - going to be useful. If APPE (append) is permitted, it MUST act - - - -Elz & Hethmon [Expires April 2000] [Page 14] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - identically to STOR when a restart marker has been set. 
That is, in - both cases, octets from the data connection are placed into the file - at the location indicated by the restart marker value. - - The REST command is intended to complete a failed transfer. Use with - RETR is comparatively well defined in all cases, as the client bears - the responsibility of merging the retrieved data with the partially - retrieved file. If it chooses to use the data obtained other than to - complete an earlier transfer, or if it chooses to re-retrieve data - that had been retrieved before, that is its choice. With STOR, - however, the server must insert the data into the file named. The - results are undefined if a client uses REST to do other than restart - to complete a transfer of a file which had previously failed to - completely transfer. In particular, if the restart marker set with a - REST command is not at the end of the data currently stored at the - server, as reported by the server, or if insufficient data are - provided in a STOR that follows a REST to extend the destination file - to at least its previous size, then the effects are undefined. - - The REST command must be the last command issued before the data - transfer command which is to cause a restarted rather than complete - file transfer. The effect of issuing a REST command at any other - time is undefined. The server-PI may react to a badly positioned - REST command by issuing an error response to the following command, - not being a restartable data transfer command, or it may save the - restart value and apply it to the next data transfer command, or it - may silently ignore the inappropriate restart attempt. Because of - this, a user-PI that has issued a REST command, but which has not - successfully transmitted the following data transfer command for any - reason, should send another REST command before the next data - transfer command. If that transfer is not to be restarted, then - "REST 0" should be issued. 
-
- An error-response will follow a REST command only when the server
- does not implement the command, or the restart marker value is
- syntactically invalid for the current transfer mode. That is, in
- STREAM mode, if something other than one or more digits appears in
- the parameter to the REST command. Any other errors, including such
- problems as restart marker out of range, should be reported when the
- following transfer command is issued. Such errors will cause that
- transfer request to be rejected with an error indicating the invalid
- restart attempt.
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 15]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-5.4. FEAT response for REST
-
- Where a server-FTP process supports RESTart in STREAM mode, as
- specified here, it MUST include in the response to the FEAT command
- [6], a line containing exactly the string "REST STREAM". This string
- is not case sensitive, but SHOULD be transmitted in upper case.
- Where REST is not supported at all, or supported only in block or
- compressed modes, the REST line MUST NOT be included in the FEAT
- response. Where required, the response SHOULD be
-
- C> feat
- S> 211-
- S> ...
- S> REST STREAM
- S> ...
- S> 211 end
-
- The ellipses indicate place holders where other features may be
- included, and are not required. The one space indentation of the
- feature lines is mandatory [6].
-
-5.5. REST Example
-
- Assume that the transfer of a largish file has previously been
- interrupted after 802816 octets had been received, that the previous
- transfer was with TYPE=I, and that it has been verified that the file
- on the server has not since changed.
-
- C> TYPE I
- S> 200 Type set to I.
- C> PORT 127,0,0,1,15,107
- S> 200 PORT command successful.
- C> REST 802816
- S> 350 Restarting at 802816. Send STORE or RETRIEVE
- C> RETR cap60.pl198.tar
- S> 150 Opening BINARY mode data connection
- [...]
- S> 226 Transfer complete.
-
-6.
Virtual FTP servers
-
- It has become common in the Internet for many domain names to be
- allocated to a single IP address. This has introduced the concept of
- a "virtual host", where a host appears to exist as an independent
- entity, but in reality shares all of its resources with one, or more,
- other such hosts.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 16]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- Such an arrangement presents some problems for FTP Servers, as all
- the FTP Server can detect is an incoming FTP connection to a
- particular IP address. That is, all domain names which share the IP
- address also share the FTP server, and more importantly, its NVFS.
- This means that the various virtual hosts cannot offer different
- virtual file systems to clients, nor can they offer different
- authentication systems.
-
- No scheme can overcome this without modifications of some kind to the
- user-PI and the user-FTP process. That process is the only entity
- that knows which virtual host is required. It has performed the
- domain name to IP address translation, and thus has the original
- domain name available.
-
- One method which could be used to allow a style of virtual host would
- be for the client to simply send a "CWD" command after connecting,
- using the virtual host name as the argument to the CWD command. This
- would allow the server-FTP process to implement the file stores of
- the virtual hosts as sub-directories in its NVFS. This is simple,
- and supported by essentially all server-FTP implementations without
- requiring any code changes.
-
- While that method is simple to describe, and to implement, it suffers
- from several drawbacks. First, the "CWD" command is available only
- after the user-PI has authenticated itself to the server-FTP process.
- Thus, all virtual hosts would be required to share a common
- authentication scheme.
Second, either the server-FTP process needs
- to be modified to understand the special nature of this first CWD
- command, negating most of the advantage of this scheme, or all users
- must see the same identical NVFS view upon connecting (they must
- connect in the same initial directory) or the NVFS must implement the
- full set of virtual host directories at each possible initial
- directory for any possible user, or the virtual host will not be
- truly transparent. Third, and again unless the server is specially
- modified, a user connecting this way to a virtual host would be able
- to trivially move to any other virtual host supported at the same
- server-FTP process, exposing the nature of the virtual host.
-
- Other schemes overloading other existing FTP commands have also been
- proposed. None of those have sufficient merit to be worth
- discussion.
-
- The conclusion from the examination of the possibilities seems to be
- that to obtain an adequate emulation of "real" FTP servers, server
- modifications to support virtual hosts are required. A new command
- seems most likely to provide the support required.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 17]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-6.1. The HOST command
-
- A new command "HOST" is added to the FTP command set to allow
- server-FTP process to determine to which of possibly many virtual
- hosts the client wishes to connect. This command is intended to be
- issued before the user is authenticated, allowing the authentication
- scheme, and set of legal users, to be dependent upon the virtual host
- chosen. Server-FTP processes may, if they desire, permit the HOST
- command to be issued after the user has been authenticated, or may
- treat that as an erroneous sequence of commands. The behavior of the
- server-FTP process which does allow late HOST commands is undefined.
- One reasonable interpretation would be for the user-PI to be returned
- to the state that existed after the TCP connection was first
- established, before user authentication.
-
- Servers should note that the response to the HOST command is a
- sensible time to send their "welcome" message. This allows the
- message to be personalized for any virtual hosts that are supported,
- and also allows the client to have determined supported languages, or
- representations, for the message, and other messages, via the FEAT
- response, and selected an appropriate one via the LANG command. See
- [7] for more information.
-
-6.2. Syntax of the HOST command
-
- The HOST command is defined as follows.
-
- host-command = "Host" SP hostname CRLF
- hostname = 1*DNCHAR 1*( "." 1*DNCHAR ) [ "." ]
- DNCHAR = ALPHA / DIGIT / "-" / "_" / "$" /
- "!" / "%" / "[" / "]" / ":"
- host-response = host-ok / error-response
- host-ok = "220" [ SP *TCHAR ] CRLF
-
- As with all FTP commands, the "host" command word is case
- independent, and may be specified in any character case desired.
-
- The "hostname" given as a parameter specifies the virtual host to
- which access is desired. It should normally be the same name that
- was used to obtain the IP address to which the FTP control connection
- was made, after any client conversions to convert an abbreviated or
- local alias to a complete (fully qualified) domain name, but before
- resolving a DNS alias (owner of a CNAME resource record) to its
- canonical name.
-
- If the client was given a network literal address, and consequently
- was not required to derive it from a hostname, it should send the
- HOST command with the network address, as specified to it, enclosed
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 18]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- in brackets (after eliminating any syntax, which might also be
- brackets, but is not required to be, from which the server deduced
- that a literal address had been specified.) That is, for example
-
- HOST [10.1.2.3]
-
- should be sent if the client had been instructed to connect to
- "10.1.2.3", or "[10.1.2.3]", or perhaps even IPv4:10.1.2.3. The
- method of indicating to a client that a literal address is to be used
- is beyond the scope of this specification.
-
- The parameter is otherwise to be treated as a "complete domain name",
- as that term is defined in section 3.1 of RFC 1034 [10]. That
- implies that the name is to be treated as a case independent string,
- in that upper case ASCII characters are to be treated as equivalent
- to the corresponding lower case ASCII characters, but otherwise
- preserved as given. It also implies some limits on the length of the
- parameter and of the components that create its internal structure.
- Those limits are not altered in any way here.
-
- RFC 1034 imposes no other restrictions upon what kinds of names can
- be stored in the DNS. Nor does RFC 1035. This specification,
- however, allows only a restricted set of names for the purposes of
- the HOST command. Those restrictions can be inferred from the ABNF
- grammar given for the "hostname".
-
-6.3. HOST command semantics
-
- Upon receiving the HOST command, before authenticating the user-PI, a
- server-FTP process should validate that the hostname given represents
- a valid virtual host for that server, and if so, establish the
- appropriate environment for that virtual host.
The meaning of that
- is not specified here, and may range from doing nothing at all, or
- performing a simple change of working directory, to much more
- elaborate state changes, as required.
-
- If the hostname specified is unknown at the server, or if the server
- is otherwise unwilling to treat the particular connection as a
- connection to the hostname specified, the server will respond with a
- 504 reply.
-
- Note: servers may require that the name specified is in some sense
- equivalent to the particular network address that was used to reach
- the server.
-
- If the hostname specified would normally be acceptable, but for any
- reason is temporarily unavailable, the server SHOULD reply to the
- HOST command with a 434 reply.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 19]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- The "220" reply code for the HOST command is the same as the code
- used on the initial connection established "welcome" message. This
- is done deliberately so as to allow the implementation to implement
- the front end FTP server as a wrapper which simply waits for the HOST
- command, and then invokes an older, RFC959 compliant, server in the
- appropriate environment for the particular hostname received.
-
-6.3.1. The REIN command
-
- As specified in [3], the REIN command returns the state of the
- connection to that it was immediately after the transport connection
- was opened. That is not changed here. The effect of a HOST command
- will be lost if a REIN command is performed, a new HOST command must
- be issued.
-
- Implementors of user-FTP should be aware that server-FTP
- implementations which implement the HOST command as a wrapper around
- older implementations will be unable to correctly implement the REIN
- command.
In such an implementation, REIN will typically return the
- server-FTP to the state that existed immediately after the HOST
- command was issued, instead of to the state immediately after the
- connection was opened.
-
-6.3.2. User-PI usage of HOST
-
- A user-PI that conforms to this specification, MUST send the HOST
- command after opening the transport connection, or after any REIN
- command, before attempting to authenticate the user with the USER
- command.
-
- The following state diagram shows a typical sequence of flow of
- control, where the "B" (begin) state is assumed to occur after the
- transport connection has opened, or a REIN command has succeeded.
- Other commands (such as FEAT [6]) which require no authentication may
- have intervened. This diagram is modeled upon (and largely borrowed
- from) the similar diagram in section 6 of [3].
-
- In this diagram, a three digit reply indicates that precise server
- reply code, a single digit on a reply path indicates any server reply
- beginning with that digit, other than any three digit replies that
- might take another path.
-
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 20]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-
- +---+ HOST +---+ 1,3,5
- | B |---------->| W |-----------------
- +---+ +---+ |
- | | |
- 2,500,502 | | 4,501,503,504 |
- -------------- ------------- |
- | | |
- V 1 | V
- +---+ USER +---+-------------->+---+
- | |---------->| W | 2 ----->| E |
- +---+ +---+------ | --->+---+
- | | | | | |
- 3 | | 4,5 | | | |
- -------------- ----- | | | |
- | | | | | |
- | | | | | |
- | --------- | |
- | 1| | | | |
- V | | | | |
- +---+ PASS +---+ 2 | ------->+---+
- | |---------->| W |-------------->| S |
- +---+ +---+ ----------->+---+
- | | | | | |
- 3 | |4,5| | | |
- -------------- -------- | |
- | | | | | ----
- | | | | | |
- | ----------- |
- | 1,3| | | | |
- V | 2| | | V
- +---+ ACCT +---+-- | ------>+---+
- | |---------->| W | 4,5 --------->| F |
- +---+ +---+-------------->+---+
-
-6.4. HOST command errors
-
- The server-PI shall reply with a 500 or 502 reply if the HOST command
- is unrecognized or unimplemented. A 503 reply may be sent if the
- HOST command is given after a previous HOST command, or after a user
- has been authenticated. Alternately, the server may accept the
- command at such a time, with server defined behavior. A 501 reply
- should be sent if the hostname given is syntactically invalid, and a
- 504 reply if a syntactically valid hostname is not a valid virtual
- host name for the server.
-
- In all such cases the server-FTP process should act as if no HOST
- command had been given.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 21]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- A user-PI receiving a 500 or 502 reply should assume that the
- server-PI does not implement the HOST command style virtual server.
- It may then proceed to login as if the HOST command had succeeded,
- and perhaps, attempt a CWD command to the hostname after
- authenticating the user.
-
- A user-PI receiving some other error reply should assume that the
- virtual HOST is unavailable, and terminate communications.
-
- A server-PI that receives a USER command, beginning the
- authentication sequence, without having received a HOST command
- SHOULD NOT reject the USER command. Clients conforming to earlier
- FTP specifications do not send HOST commands. In this case the
- server may act as if some default virtual host had been explicitly
- selected, or may enter an environment different from that of all
- supported virtual hosts, perhaps one in which a union of all
- available accounts exists, and which presents a NVFS which appears to
- contain sub-directories containing the NVFS for all virtual hosts
- supported.
-
-6.5. FEAT response for HOST command
-
- A server-FTP process that supports the host command, and virtual FTP
- servers, MUST include in the response to the FEAT command [6], a
- feature line indicating that the HOST command is supported. This
- line should contain the single word "HOST". This MAY be sent in
- upper or lower case, or a mixture of both (it is case insensitive)
- but SHOULD be transmitted in upper case only. That is, the response
- SHOULD be
-
- C> Feat
- S> 211-
- S> ...
- S> HOST
- S> ...
- S> 211 End
-
- The ellipses indicate place holders where other features may be
- included, and are not required. The one space indentation of the
- feature lines is mandatory [6].
-
-
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 22]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-7. A Trivial Virtual File Store (TVFS)
-
- Traditionally, FTP has placed almost no constraints upon the file
- store (NVFS) provided by a server. This specification does not alter
- that. However, it has become common for servers to attempt to
- provide at least file system naming conventions modeled loosely upon
- those of the UNIX(TM) file system.
That is, a tree structured file
- system, built of directories, each of which can contain other
- directories, or other kinds of files, or both. Each file and
- directory has a file name relative to the directory that contains it,
- except for the directory at the root of the tree, which is contained
- in no other directory, and hence has no name of its own.
-
- That which has so far been described is perfectly consistent with the
- standard FTP NVFS and access mechanisms. The "CWD" command is used
- to move from one directory to an embedded directory. "CDUP" may be
- provided to return to the parent directory, and the various file
- manipulation commands ("RETR", "STOR", the rename commands, etc) are
- used to manipulate files within the current directory.
-
- However, it is often useful to be able to reference files other than
- by changing directories, especially as FTP provides no guaranteed
- mechanism to return to a previous directory. The Trivial Virtual
- File Store (TVFS), if implemented, provides that mechanism.
-
-7.1. TVFS File Names
-
- Where a server implements the TVFS, no elementary filename shall
- contain the character "/". Where the underlying natural file store
- permits files, or directories, to contain the "/" character in their
- names, a server-PI implementing TVFS must encode that character in
- some manner whenever file or directory names are being returned to
- the user-PI, and reverse that encoding whenever such names are being
- accepted from the user-PI.
-
- The encoding method to be used is not specified here. Where some
- other character is illegal in file and directory names in the
- underlying file store, a simple transliteration may be sufficient.
- Where there is no suitable substitute character a more complex
- encoding scheme, possibly using an escape character, is likely to be
- required.
-
- With the one exception of the unnamed root directory, a TVFS file
- name may not be empty.
That is, all other file names contain at
- least one character.
-
- With the sole exception of the "/" character, any valid IS10646
- character [11] may be used in a TVFS filename. When transmitted,
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 23]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- file name characters are encoded using the UTF-8 encoding [2].
-
-7.2. TVFS Path Names
-
- A TVFS "Path Name" combines the file or directory name of a target
- file or directory, with the directory names of zero or more enclosing
- directories, so as to allow the target file or directory to be
- referenced other than when the server's "current working directory"
- is the directory directly containing the target file or directory.
-
- By definition, every TVFS file or directory name is also a TVFS path
- name. Such a path name is valid to reference the file from the
- directory containing the name, that is, when that directory is the
- server-FTP's current working directory.
-
- Other TVFS path names are constructed by prefixing a path name by a
- name of a directory from which the path is valid, and separating the
- two with the "/" character. Such a path name is valid to reference
- the file or directory from the directory containing the newly added
- directory name.
-
- Where a path name has been extended to the point where the directory
- added is the unnamed root directory, the path name will begin with
- the "/" character. Such a path is known as a fully qualified path
- name. Fully qualified paths may, obviously, not be further extended,
- as, by definition, no directory contains the root directory. Being
- unnamed, it cannot be represented in any other directory. A fully
- qualified path name is valid to reference the named file or directory
- from any location (that is, regardless of what the current working
- directory may be) in the virtual file store.
-
- Any path name which is not a fully qualified path name may be
- referred to as a "relative path name" and will only correctly
- reference the intended file when the current working directory of the
- server-FTP is a directory from which the relative path name is valid.
-
- As a special case, the path name "/" is defined to be a fully
- qualified path name referring to the root directory. That is, the
- root directory does not have a directory (or file) name, but does
- have a path name. This special path name may be used only as is as a
- reference to the root directory. It may not be combined with other
- path names using the rules above, as doing so would lead to a path
- name containing two consecutive "/" characters, which is an undefined
- sequence.
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 24]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-7.2.1. Notes
-
- + It is not required, or expected, that there be only one fully
- qualified path name that will reference any particular file or
- directory.
- + As a caveat, though the TVFS file store is basically tree
- structured, there is no requirement that any file or directory
- have only one parent directory.
- + As defined, no TVFS path name will ever contain two consecutive
- "/" characters. Such a name is not illegal however, and may be
- defined by the server for any purpose that suits it. Clients
- implementing this specification should not assume any semantics
- at all for such names.
- + Similarly, other than the special case path that refers to the
- root directory, no TVFS path name constructed as defined here
- will ever end with the "/" character. Such names are also not
- illegal, but are undefined.
- + While any legal IS10646 character is permitted to occur in a TVFS
- file or directory name, other than "/", server FTP
- implementations are not required to support all possible IS10646
- characters.
The subset supported is entirely at the discretion
- of the server. The case (where it exists) of the characters that
- make up file, directory, and path names may be significant.
- Unless determined otherwise by means unspecified here, clients
- should assume that all such names are comprised of characters
- whose case is significant. Servers are free to treat case (or
- any other attribute) of a name as irrelevant, and hence map two
- names which appear to be distinct onto the same underlying file.
- + There are no defined "magic" names, like ".", ".." or "C:".
- Servers may implement such names, with any semantics they choose,
- but are not required to do so.
- + TVFS imposes no particular semantics or properties upon files,
- guarantees no access control schemes, or any of the other common
- properties of a file store. Only the naming scheme is defined.
-
-7.3. FEAT Response for TVFS
-
- In response to the FEAT command [6] a server that wishes to indicate
- support for the TVFS as defined here will include a line that begins
- with the four characters "TVFS" (in any case, or mixture of cases,
- upper case is not required). Servers SHOULD send upper case.
-
- Such a response to the FEAT command MUST NOT be returned unless the
- server implements TVFS as defined here.
-
- Later specifications may add to the TVFS definition. Such additions
- should be notified by means of additional text appended to the TVFS
- feature line. Such specifications, if any, will define the extra
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 25]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- text.
-
- Until such a specification is defined, servers should not include
- anything after "TVFS" in the TVFS feature line. Clients, however,
- should be prepared to deal with arbitrary text following the four
- defined characters, and simply ignore it if unrecognized.
-
- A typical response to the FEAT command issued by a server
- implementing only this specification would be:
-
- C> feat
- S> 211-
- S> ...
- S> TVFS
- S> ...
- S> 211 end
-
- The ellipses indicate place holders where other features may be
- included, and are not required. The one space indentation of the
- feature lines is mandatory [6], and is not counted as one of the
- first four characters for the purposes of this feature listing.
-
- The TVFS feature adds no new commands to the FTP command repertoire.
-
-7.4. OPTS for TVFS
-
- There are no options in this TVFS specification, and hence there is
- no OPTS command defined.
-
-7.5. TVFS Examples
-
- Assume a TVFS file store is comprised of a root directory, which
- contains two directories (A and B) and two non-directory files (X and
- Y). The A directory contains two directories (C and D) and one other
- file (Z). The B directory contains just two non-directory files (P
- and Q) and the C directory also two non-directory files (also named P
- and Q, by chance). The D directory is empty, that is, contains no
- files or directories.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 26]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- This structure may depicted graphically as...
-
- (unnamed root)
- / | \ \
- / | \ \
- A X B Y
- /|\ / \
- / | \ / \
- C D Z P Q
- / \
- / \
- P Q
-
- Given this structure, the following fully qualified path names exist.
-
- /
- /A
- /B
- /X
- /Y
- /A/C
- /A/D
- /A/Z
- /A/C/P
- /A/C/Q
- /B/P
- /B/Q
-
- It is clear that none of the paths / /A /B or /A/D refer to the same
- directory, as the contents of each is different. Nor do any of / /A
- /A/C or /A/D. However /A/C and /B might be the same directory, there
- is insufficient information given to tell. Any of the other path
- names (/X /Y /A/Z /A/C/P /A/C/Q /B/P and /B/Q) may refer to the same
- underlying files, in almost any combination.
-
- If the current working directory of the server-FTP is /A then the
- following path names, in addition to all the fully qualified path
- names, are valid
-
- C
- D
- Z
- C/P
- C/Q
-
- These all refer to the same files or directories as the corresponding
- fully qualified path with "/A/" prepended.
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 27]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- That those path names all exist does not imply that the TVFS sever
- will necessarily grant any kind of access rights to the named paths,
- or that access to the same file via different path names will
- necessarily be granted equal rights.
-
- None of the following relative paths are valid when the current
- directory is /A
-
- A
- B
- X
- Y
- B/P
- B/Q
- P
- Q
-
- Any of those could be made valid by changing the server-FTP's current
- working directory to the appropriate directory. Note that the paths
- "P" and "Q" might refer to different files depending upon which
- directory is selected to cause those to become valid TVFS relative
- paths.
-
-8. Listings for Machine Processing (MLST and MLSD)
-
- The MLST and MLSD commands are intended to standardize the file and
- directory information returned by the Server-FTP process. These
- commands differ from the LIST command in that the format of the
- replies is strictly defined although extensible.
-
- Two commands are defined, MLST which provides data about exactly the
- object named on its command line, and no others. MLSD on the other
- hand will list the contents of a directory if a directory is named,
- otherwise a 501 reply will be returned. In either case, if no object
- is named, the current directory is assumed. That will cause MLST to
- send a one line response, describing the current directory itself,
- and MLSD to list the contents of the current directory.
-
- In the following, the term MLSx will be used wherever either MLST or
- MLSD may be inserted.
-
- The MLST and MLSD commands also extend the FTP protocol as presented
- in RFC 959 [3] and RFC 1123 [9] to allow that transmission of 8-bit
- data over the control connection. Note this is not specifying
- character sets which are 8-bit, but specifying that FTP
- implementations are to specifically allow the transmission and
- reception of 8-bit bytes, with all bits significant, over the control
- connection. That is, all 256 possible octet values are permitted.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 28]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- The MLSx command allows both UTF-8/Unicode and "raw" forms as
- arguments, and in responses both to the MLST and MLSD commands, and
- all other FTP commands which take pathnames as arguments.
-
-8.1. Format of MLSx Requests
-
- The MLST and MLSD commands each allow a single optional argument.
- This argument may be either a directory name or, for MLST only, a
- filename. For these purposes, a "filename" is the name of any entity
- in the server NVFS which is not a directory. Where TVFS is
- supported, any TVFS relative path name valid in the current working
- directory, or any TVFS fully qualified path name, may be given. If a
- directory name is given then MLSD must return a listing of the
- contents of the named directory, otherwise it issues a 501 reply, and
- does not open a data connection. In all cases for MLST, a single set
- of fact lines (usually a single fact line) containing the information
- about the named file or directory shall be returned over the control
- connection, without opening a data connection.
-
- If no argument is given then MLSD must return a listing of the
- contents of the current working directory, and MLST must return a
- listing giving information about the current working directory
- itself.
For these purposes, the contents of a directory are whatever
- filenames (not pathnames) the server-PI will allow to be referenced
- when the current working directory is the directory named, and which
- the server-PI desires to reveal to the user-PI.
-
- No title, header, or summary, lines, or any other formatting, other
- than as is specified below, is ever returned in the output of an MLST
- or MLSD command.
-
- If the Client-FTP sends an invalid argument, the Server-FTP MUST
- reply with an error code of 501.
-
- The syntax for the MLSx command is:
-
- mlst = "MLst" [ SP pathname ] CRLF
- mlsd = "MLsD" [ SP pathname ] CRLF
-
-8.2. Format of MLSx Response
-
- The format of a response to an MLSx command is as follows:
-
- mlst-response = control-response / error-response
- mlsd-response = ( initial-response final-response ) /
- error-response
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 29]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- control-response = "250-" [ response-message ] CRLF
- 1*( SP entry CRLF )
- "250" [ SP response-message ] CRLF
-
- initial-response = "150" [ SP response-message ] CRLF
- final-response = "226" SP response-message CRLF
-
- response-message = *TCHAR
-
- data-response = *( entry CRLF )
-
- entry = [ facts ] SP pathname
- facts = 1*( fact ";" )
- fact = factname "=" value
- factname = "Size" / "Modify" / "Create" /
- "Type" / "Unique" / "Perm" /
- "Lang" / "Media-Type" / "CharSet" /
- os-depend-fact / local-fact
- os-depend-fact = "." token
- local-fact = "X." token
- value = *RCHAR
-
- Upon receipt of a MLSx command, the server will verify the parameter,
- and if invalid return an error-response. For this purpose, the
- parameter should be considered to be invalid if the client issuing
- the command does not have permission to perform the request
- operation.
-
- If valid, then for an MLST command, the server-PI will send the first
- (leading) line of the control response, the entry for the pathname
- given, or the current directory if no pathname was provided, and the
- terminating line. Normally exactly one entry would be returned, more
- entries are permitted only when required to represent a file that is
- to have multiple "Type" facts returned.
-
- Note that for MLST the fact set is preceded by a space. That is
- provided to guarantee that the fact set cannot be accidentally
- interpreted as the terminating line of the control response, but is
- required even when that would not be possible. Exactly one space
- exists between the set of facts and the pathname. Where no facts are
- present, there will be exactly two leading spaces before the
- pathname. No spaces are permitted in the facts, any other spaces in
- the response are to be treated as being a part of the pathname.
-
- If the command was an MLSD command, the server will open a data
- connection as indicated in section 3.2 of RFC959 [3]. If that fails,
- the server will return an error-response. If all is OK, the server
- will return the initial-response, send the appropriate data-response
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 30]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- over the new data connection, close that connection, and then send
- the final-response over the control connection. The grammar above
- defines the format for the data-response, which defines the format of
- the data returned over the data connection established.
-
- The data connection opened for a MLSD response shall be a connection
- as if the "TYPE L 8", "MODE S", and "STRU F" commands had been given,
- whatever FTP transfer type, mode and structure had actually been set,
- and without causing those settings to be altered for future commands.
- That is, this transfer type shall be set for the duration of the data
- connection established for this command only. While the content of
- the data sent can be viewed as a series of lines, implementations
- should note that there is no maximum line length defined.
- Implementations should be prepared to deal with arbitrarily long
- lines.
-
- The facts part of the specification would contain a series of "file
- facts" about the file or directory named on the same line. Typical
- information to be presented would include file size, last
- modification time, creation time, a unique identifier, and a
- file/directory flag.
-
- The complete format for a successful reply to the MLSD command would
- be:
-
- facts SP pathname CRLF
- facts SP pathname CRLF
- facts SP pathname CRLF
- ...
-
- Note that the format is intended for machine processing, not human
- viewing, and as such the format is very rigid. Implementations MUST
- NOT vary the format by, for example, inserting extra spaces for
- readability, replacing spaces by tabs, including header or title
- lines, or inserting blank lines, or in any other way alter this
- format. Exactly one space is always required after the set of facts
- (which may be empty). More spaces may be present on a line if, and
- only if, the file name presented contains significant spaces. The
- set of facts must not contain any spaces anywhere inside it. Facts
- should be provided in each output line only if they both provide
- relevant information about the file named on the same line, and they
- are in the set requested by the user-PI. There is no requirement
- that the same set of facts be provided for each file, or that the
- facts presented occur in the same order for each file.
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 31]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
-8.3. Filename encoding
-
- An FTP implementation supporting the MLSx commands must be 8-bit
- clean.
This is necessary in order to transmit UTF-8 encoded
- filenames. This specification recommends the use of UTF-8 encoded
- filenames. FTP implementations SHOULD use UTF-8 whenever possible to
- encourage the maximum interoperability.
-
- Filenames are not restricted to UTF-8, however treatment of arbitrary
- character encodings is not specified by this standard. Applications
- are encouraged to treat non-UTF-8 encodings of filenames as octet
- sequences.
-
- Note that this encoding is unrelated to that of the contents of the
- file, even if the file contains character data.
-
- Further information about filename encoding for FTP may be found in
- "Internationalization of the File Transfer Protocol" [7].
-
-8.3.1. Notes about the Filename
-
- The filename returned in the MLST response should be the same name as
- was specified in the MLST command, or, where TVFS is supported, a
- fully qualified TVFS path naming the same file. Where no argument
- was given to the MLST command, the server-PI may either include an
- empty filename in the response, or it may supply a name that refers
- to the current directory, if such a name is available. Where TVFS is
- supported, a fully qualified path name of the current directory
- SHOULD be returned.
-
- Filenames returned in the output from an MLSD command SHOULD be
- unqualified names within the directory named, or the current
- directory if no argument was given. That is, the directory named in
- the MLSD command SHOULD NOT appear as a component of the filenames
- returned.
-
- If the server-FTP process is able, and the "type" fact is being
- returned, it MAY return in the MLSD response, an entry whose type is
- "cdir", which names the directory from which the contents of the
- listing were obtained. Where TVFS is supported, the name MAY be the
- fully qualified path name of the directory, or MAY be any other path
- name which is valid to refer to that directory from the current
- working directory of the server-FTP.
Where more than one name
- exists, multiple of these entries may be returned. In a sense, the
- "cdir" entry can be viewed as a heading for the MLSD output.
- However, it is not required to be the first entry returned, and may
- occur anywhere within the listing.
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 32]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- When TVFS is supported, a user-PI can refer to any file or directory
- in the listing by combining a type "cdir" name, with the appropriate
- name from the directory listing using the procedure defined in
- section 7.2.
-
- Alternatively, whether TVFS is supported or not, the user-PI can
- issue a CWD command ([3]) giving a name of type "cdir" from the
- listing returned, and from that point reference the files returned in
- the MLSD response from which the cdir was obtained by using the
- filename components of the listing.
-
-8.4. Format of Facts
-
- The "facts" for a file in a reply to a MLSx command consist of
- information about that file. The facts are a series of keyword=value
- pairs each followed by semi-colon (";") characters. An individual
- fact may not contain a semi-colon in its name or value. The complete
- series of facts may not contain the space character. See the
- definition or "RCHAR" in section 2.1 for a list of the characters
- that can occur in a fact value. Not all are applicable to all facts.
-
- A sample of a typical series of facts would be: (spread over two
- lines for presentation here only)
-
- size=4161;lang=en-US;modify=19970214165800;create=19961001124534;
- type=file;x.myfact=foo,bar;
-
-8.5. Standard Facts
-
- This document defines a standard set of facts as follows:
-
- size -- Size in octets
- modify -- Last modification time
- create -- Creation time
- type -- Entry type
- unique -- Unique id of file/directory
- perm -- File permissions, whether read, write, execute is
- allowed for the login id.
- lang -- Language of the filename per IANA[12] registry.
- media-type -- MIME media-type of file contents per IANA registry.
- charset -- Character set per IANA registry (if not UTF-8)
-
- Fact names are case-insensitive. Size, size, SIZE, and SiZe are the
- same fact.
-
- Further operating system specific keywords could be specified by
- using the IANA operating system name as a prefix (examples only):
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 33]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- OS/2.ea -- OS/2 extended attributes
- MACOS.rf -- MacIntosh resource forks
- UNIX.mode -- Unix file modes (permissions)
-
- Implementations may define keywords for experimental, or private use.
- All such keywords MUST begin with the two character sequence "x.".
- As type names are case independent, "x." and "X." are equivalent.
- For example:
-
- x.ver -- Version information
- x.desc -- File description
- x.type -- File type
-
-8.5.1. The type Fact
-
- The type fact needs a special description. Part of the problem with
- current practices is deciding when a file is a directory. If it is a
- directory, is it the current directory, a regular directory, or a
- parent directory? The MLST specification makes this unambiguous
- using the type fact. The type fact given specifies information about
- the object listed on the same line of the MLST response.
-
- Five values are possible for the type fact:
-
- file -- a file entry
- cdir -- the listed directory
- pdir -- a parent directory
- dir -- a directory or sub-directory
- OS.name=type -- an OS or file system dependent file type
-
- The syntax is defined to be:
-
- type-fact = type-label "=" type-val
- type-label = "Type"
- type-val = "File" / "cdir" / "pdir" / "dir" /
- os-type
-
-8.5.1.1. type=file
-
- The presence of the type=file fact indicates the listed entry is a
- file containing non-system data.
That is, it may be transferred from
- one system to another of quite different characteristics, and perhaps
- still be meaningful.
-
-8.5.1.2. type=cdir
-
- The type=cdir fact indicates the listed entry contains a pathname of
- the directory whose contents are listed. An entry of this type will
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 34]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- only be returned as a part of the result of an MLSD command when the
- type fact is included, and provides a name for the listed directory,
- and facts about that directory. In a sense, it can be viewed as
- representing the title of the listing, in a machine friendly format.
- It may appear at any point of the listing, it is not restricted to
- appearing at the start, though frequently may do so, and may occur
- multiple times. It MUST NOT be included if the type fact is not
- included, or there would be no way for the user-PI to distinguish the
- name of the directory from an entry in the directory.
-
- Where TVFS is supported by the server-FTP, this name may be used to
- construct path names with which to refer to the files and directories
- returned in the same MLSD output (see section 7.2). These path names
- are only expected to work when the server-PI's position in the NVFS
- file tree is the same as its position when the MLSD command was
- issued, unless a fully qualified path name results.
-
- Where TVFS is not supported, the only defined semantics associated
- with a "type=cdir" entry are that, provided the current working
- directory of the server-PI has not been changed, a pathname of type
- "cdir" may be used as an argument to a CWD command, which will cause
- the current directory of the server-PI to change so that the
- directory which was listed in its current working directory.
-
-8.5.1.3. type=dir
-
- If present, the type=dir entry gives the name of a directory.
Such
- an entry typically cannot be transferred from one system to another
- using RETR, etc, but should (permissions permitting) be able to be
- the object of an MLSD command.
-
-8.5.1.4. type=pdir
-
- If present, which will occur only in the response to a MLSD command
- when the type fact is included, the type=pdir entry represents a
- pathname of the parent directory of the listed directory. As well as
- having the properties of a type=dir, a CWD command that uses the
- pathname from this entry should change the user to a parent directory
- of the listed directory. If the listed directory is the current
- directory, a CDUP command may also have the effect of changing to the
- named directory. User-FTP processes should note not all responses
- will include this information, and that some systems may provide
- multiple type=pdir responses.
-
- Where TVFS is supported, a "type=pdir" name may be a relative path
- name, or a fully qualified path name. A relative path name will be
- relative to the directory being listed, not to the current directory
- of the server-PI at the time.
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 35]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- For the purposes of this type value, a "parent directory" is any
- directory in which there is an entry of type=dir which refers to the
- directory in which the type=pdir entity was found. Thus it is not
- required that all entities with type=pdir refer to the same
- directory. The "unique" fact (if supported) can be used to determine
- whether there is a relationship between the type=pdir entries or not.
-
-8.5.1.5. System defined types
-
- Files types that are specific to a specific operating system, or file
- system, can be encoded using the "OS." type names. The format is:
-
- os-type = "OS." os-name "=" os-type
- os-name =
- os-type = token
-
- The "os-name" indicates the specific system type which supports the
- particular localtype.
OS specific types are registered by the IANA
- using the procedures specified in section 11. The "os-type" provides
- the system dependent information as to the type of the file listed.
- The os-name and os-type strings in an os-type are case independent.
- "OS.unix=block" and "OS.Unix=BLOCK" represent the same type (or
- would, if such a type were registered.)
-
- Note: Where the underlying system supports a file type which is
- essentially an indirect pointer to another file, the NVFS
- representation of that type should normally be to represent the file
- which the reference indicates. That is, the underlying basic file
- will appear more than once in the NVFS, each time with the "unique"
- fact (see immediately following section) containing the same value,
- indicating that the same file is represented by all such names.
- User-PIs transferring the file need then transfer it only once, and
- then insert their own form of indirect reference to construct
- alternate names where desired, or perhaps even copy the local file if
- that is the only way to provide two names with the same content. A
- file which would be a reference to another file, if only the other
- file actually existed, may be represented in any OS dependent manner
- appropriate, or not represented at all.
-
-8.5.1.6. Multiple types
-
- Where a file is such that it may validly, and sensibly, treated by
- the server-PI as being of more than one of the above types, then
- multiple entries should be returned, each with its own "Type" fact of
- the appropriate type, and each containing the same pathname. This
- may occur, for example, with a structured file, which may contain
- sub-files, and where the server-PI permits the structured file to be
- treated as a unit, or treated as a directory allowing the sub-files
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 36]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- within it to be referenced.
-
-8.5.2.
The unique Fact
-
- The unique fact is used to present a unique identifier for a file or
- directory in the NVFS accessed via a server-FTP process. The value
- of this fact should be the same for any number of pathnames that
- refer to the same underlying file. The fact should have different
- values for names which reference distinct files. The mapping between
- files, and unique fact tokens should be maintained, and remain
- consistent, for at least the lifetime of the control connection from
- user-PI to server-PI.
-
- unique-fact = "Unique" "=" token
-
- This fact would be expected to be used by Server-FTPs whose host
- system allows things such as symbolic links so that the same file may
- be represented in more than one directory on the server. The only
- conclusion that should be drawn is that if two different names each
- have the same value for the unique fact, they refer to the same
- underlying object. The value of the unique fact (the token) should
- be considered an opaque string for comparison purposes, and is a case
- dependent value. The tokens "A" and "a" do not represent the same
- underlying object.
-
-8.5.3. The modify Fact
-
- The modify fact is used to determine the last time the content of the
- file (or directory) indicated was modified. Any change of substance
- to the file should cause this value to alter. That is, if a change
- is made to a file such that the results of a RETR command would
- differ, then the value of the modify fact should alter. User-PIs
- should not assume that a different modify fact value indicates that
- the file contents are necessarily different than when last retrieved.
- Some systems may alter the value of the modify fact for other
- reasons, though this is discouraged wherever possible. Also a file
- may alter, and then be returned to its previous content, which would
- often be indicated as two incremental alterations to the value of the
- modify fact.
-
- For directories, this value should alter whenever a change occurs to
- the directory such that different filenames would (or might) be
- included in MLSD output of that directory.
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 37]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- modify-fact = "Modify" "=" time-val
-
-8.5.4. The create Fact
-
- The create fact indicates when a file, or directory, was first
- created. Exactly what "creation" is for this purpose is not
- specified here, and may vary from server to server. About all that
- can be said about the value returned is that it can never indicate a
- later time than the modify fact.
-
- create-fact = "Create" "=" time-val
-
- Implementation Note: Implementors of this fact on UNIX(TM) systems
- should note that the unix "stat" "st_ctime" field does not give
- creation time, and that unix file systems do not record creation
- time at all. Unix (and POSIX) implementations will normally not
- include this fact.
-
-8.5.5. The perm Fact
-
- The perm fact is used to indicate access rights the current FTP user
- has over the object listed. Its value is always an unordered
- sequence of alphabetic characters.
-
- perm-fact = "Perm" "=" *pvals
- pvals = "a" / "c" / "d" / "e" / "f" /
- "l" / "m" / "p" / "r" / "w"
-
- There are ten permission indicators currently defined. Many are
- meaningful only when used with a particular type of object. The
- indicators are case independent, "d" and "D" are the same indicator.
-
- The "a" permission applies to objects of type=file, and indicates
- that the APPE (append) command may be applied to the file named.
-
- The "c" permission applies to objects of type=dir (and type=pdir,
- type=cdir). It indicates that files may be created in the directory
- named.
That is, that a STOU command is likely to succeed, and that - STOR and APPE commands might succeed if the file named did not - previously exist, but is to be created in the directory object that - has the "c" permission. It also indicates that the RNTO command is - likely to succeed for names in the directory. - - The "d" permission applies to all types. It indicates that the - object named may be deleted, that is, that the RMD command may be - applied to it if it is a directory, and otherwise that the DELE - command may be applied to it. - - - - -Elz & Hethmon [Expires April 2000] [Page 38] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - The "e" permission applies to the directory types. When set on an - object of type=dir, type=cdir, or type=pdir it indicates that a CWD - command naming the object should succeed, and the user should be able - to enter the directory named. For type=pdir it also indicates that - the CDUP command may succeed (if this particular pathname is the one - to which a CDUP would apply.) - - The "f" permission for objects indicates that the object named may be - renamed - that is, may be the object of an RNFR command. - - The "l" permission applies to the directory file types, and indicates - that the listing commands, LIST, NLST, and MLSD may be applied to the - directory in question. - - The "m" permission applies to directory types, and indicates that the - MKD command may be used to create a new directory within the - directory under consideration. - - The "p" permission applies to directory types, and indicates that - objects in the directory may be deleted, or (stretching naming a - little) that the directory may be purged. Note: it does not indicate - that the RMD command may be used to remove the directory named - itself, the "d" permission indicator indicates that. 
- - The "r" permission applies to type=file objects, and for some - systems, perhaps to other types of objects, and indicates that the - RETR command may be applied to that object. - - The "w" permission applies to type=file objects, and for some - systems, perhaps to other types of objects, and indicates that the - STOR command may be applied to the object named. - - Note: That a permission indicator is set can never imply that the - appropriate command is guaranteed to work - just that it might. - Other system specific limitations, such as limitations on - available space for storing files, may cause an operation to - fail, where the permission flags may have indicated that it was - likely to succeed. The permissions are a guide only. - - Implementation note: The permissions are described here as they apply - to FTP commands. They may not map easily into particular - permissions available on the server's operating system. Servers - are expected to synthesize these permission bits from the - permission information available from operating system. For - example, to correctly determine whether the "D" permission bit - should be set on a directory for a server running on the - UNIX(TM) operating system, the server should check that the - directory named is empty, and that the user has write permission - - - -Elz & Hethmon [Expires April 2000] [Page 39] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - on both the directory under consideration, and its parent - directory. - - Some systems may have more specific permissions than those - listed here, such systems should map those to the flags defined - as best they are able. Other systems may have only more broad - access controls. They will generally have just a few possible - permutations of permission flags, however they should attempt to - correctly represent what is permitted. - -8.5.6. The lang Fact - - The lang fact describes the natural language of the filename for use - in display purposes. 
Values used here should be taken from the
- language registry of the IANA. See [13] for the syntax, and
- procedures, related to language tags.
-
- lang-fact = "Lang" "=" token
-
- Server-FTP implementations MUST NOT guess language values. Language
- values must be determined in an unambiguous way such as file system
- tagging of language or by user configuration. Note that the lang
- fact provides no information at all about the content of a file, only
- about the encoding of its name.
-
-8.5.7. The size Fact
-
- The size fact applies to non-directory file types and should always
- reflect the approximate size of the file. This should be as accurate
- as the server can make it, without going to extraordinary lengths,
- such as reading the entire file. The size is expressed in units of
- octets of data in the file.
-
- Given limitations in some systems, Client-FTP implementations must
- understand this size may not be precise and may change between the
- time of a MLST and RETR operation.
-
- Clients that need highly accurate size information for some
- particular reason should use the SIZE command as defined in section
- 4. The most common need for this accuracy is likely to be in
- conjunction with the REST command described in section 5. The size
- fact, on the other hand, should be used for purposes such as
- indicating to a human user the approximate size of the file to be
- transferred, and perhaps to give an idea of expected transfer
- completion time.
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 40]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- size-fact = "Size" "=" 1*DIGIT
-
-8.5.8. The media-type Fact
-
- The media-type fact represents the IANA media type of the file named,
- and applies only to non-directory types. The list of values used
- must follow the guidelines set by the IANA registry.
-
- media-type = "Media-Type" "="
-
- Server-FTP implementations MUST NOT guess media type values.
Media
- type values must be determined in an unambiguous way such as file
- system tagging of media-type or by user configuration. This fact
- gives information about the content of the file named. Both the
- primary media type, and any appropriate subtype should be given,
- separated by a slash "/" as is traditional.
-
-8.5.9. The charset Fact
-
- The charset fact provides the IANA character set name, or alias, for
- the encoded pathnames in a MLSx response. The default character set
- is UTF-8 unless specified otherwise. FTP implementations SHOULD use
- UTF-8 if possible to encourage maximum interoperability. The value
- of this fact applies to the pathname only, and provides no
- information about the contents of the file.
-
- charset-type = "Charset" "=" token
-
-8.5.10. Required facts
-
- Servers are not required to support any particular set of the
- available facts. However, servers SHOULD, if conceivably possible,
- support at least the type, perm, size, unique, and modify facts.
-
-8.6. System Dependent and Local Facts
-
- By using an system dependent fact, or a local fact, a server-PI may
- communicate to the user-PI information about the file named which is
- peculiar to the underlying file system.
-
-8.6.1. System Dependent Facts
-
- System dependent fact names are labeled by prefixing a label
- identifying the specific information returned by the name of the
- appropriate operating system from the IANA maintained list of
- operating system names.
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 41]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- The value of an OS dependent fact may be whatever is appropriate to
- convey the information available. It must be encoded as a "token" as
- defined in section 2.1 however.
-
- In order to allow reliable interoperation between users of system
- dependent facts, the IANA will maintain a registry of system
- dependent fact names, their syntax, and the interpretation to be
- given to their values. Registrations of system dependent facts are
- to be accomplished according to the procedures of section 11.
-
-8.6.2. Local Facts
-
- Implementations may also make available other facts of their own
- choosing. As the method of interpretation of such information will
- generally not be widely understood, server-PIs should be aware that
- clients will typically ignore any local facts provided. As there is
- no registration of locally defined facts, it is entirely possible
- that different servers will use the same local fact name to provide
- vastly different information. Hence user-PIs should be hesitant
- about making any use of any information in a locally defined fact
- without some other specific assurance that the particular fact is one
- that they do comprehend.
-
- Local fact names all begin with the sequence "X.". The rest of the
- name is a "token" (see section 2.1). The value of a local fact can
- be anything at all, provided it can be encoded as a "token".
-
-8.7. MLSx Examples
-
- The following examples are all taken from dialogues between existing
- FTP clients and servers. Because of this, not all possible
- variations of possible response formats are shown in the examples.
- This should not be taken as limiting the options of other server
- implementors. Where the examples show OS dependent information, that
- is to be treated as being purely for the purposes of demonstration of
- some possible OS specific information that could be defined. As at
- the time of the writing of this document, no OS specific facts or
- file types have been defined, the examples shown here should not be
- treated as in any way to be preferred over other possible similar
- definitions.
Consult the IANA registries to determine what types and
- facts have been defined.
-
- In the examples shown, only relevant commands and responses have been
- included. This is not to imply that other commands (including
- authentication, directory modification, PORT or PASV commands, or
- similar) would not be present in an actual connection, or were not,
- in fact, actually used in the examples before editing. Note also
- that the formats shown are those that are transmitted between client
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 42]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- and server, not formats which would normally ever be reported to the
- user of the client.
-
- In the examples, lines that begin "C> " were sent over the control
- connection from the client to the server, lines that begin "S> " were
- sent over the control connection from the server to the client, and
- lines that begin "D> " were sent from the server to the client over a
- data connection created just to send those lines and closed
- immediately after. No examples here show data transferred over a
- data connection from the client to the server. In all cases, the
- prefixes shown above, including the one space, have been added for
- the purposes of this document, and are not a part of the data
- exchanged between client and server.
-
-8.7.1. Simple MLST
-
- C> PWD
- S> 257 "/tmp" is current directory.
- C> MLst cap60.pl198.tar.gz
- S> 250- Listing cap60.pl198.tar.gz
- S> Type=file;Size=1024990;Perm=r; /tmp/cap60.pl198.tar.gz
- S> 250 End
-
- The client first asked to be told the current directory of the
- server. This was purely for the purposes of clarity of this example.
- The client then requested facts about a specific file. The server
- returned the "250-" first control-response line, followed by a single
- line of facts about the file, followed by the terminating "250 "
- line.
The text on the control-response line and the terminating line
- can be anything the server decides to send. Notice that the fact
- line is indented by a single space. Notice also that there are no
- spaces in the set of facts returned, until the single space before
- the filename. The filename returned on the fact line is a fully
- qualified pathname of the file listed. The facts returned show that
- the line refers to a file, that file contains approximately 1024990
- bytes, though more or less than that may be transferred if the file
- is retrieved, and a different number may be required to store the
- file at the client's file store, and the connected user has
- permission to retrieve the file but not to do anything else
- particularly interesting.
-
-8.7.2. MLST of a directory
-
- C> PWD
- S> 257 "/" is current directory.
- C> MLst tmp
- S> 250- Listing tmp
- S> Type=dir;Modify=19981107085215;Perm=el; /tmp
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 43]
-
-
-Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999
-
-
- S> 250 End
-
- Again the PWD is just for the purposes of demonstration for the
- example. The MLST fact line this time shows that the file listed is
- a directory, that it was last modified at 08:52:15 on the 7th of
- November, 1998 UTC, and that the user has permission to enter the
- directory, and to list its contents, but not to modify it in any way.
- Again, the fully qualified path name of the directory listed is
- given.
-
-8.7.3. MLSD of a directory
-
- C> MLSD tmp
- S> 150 BINARY connection open for MLSD tmp
- D> Type=cdir;Modify=19981107085215;Perm=el; tmp
- D> Type=cdir;Modify=19981107085215;Perm=el; /tmp
- D> Type=pdir;Modify=19990112030508;Perm=el; ..
- D> Type=file;Size=25730;Modify=19940728095854;Perm=; capmux.tar.z
- D> Type=file;Size=1830;Modify=19940916055648;Perm=r; hatch.c
- D> Type=file;Size=25624;Modify=19951003165342;Perm=r; MacIP-02.txt
- D> Type=file;Size=2154;Modify=19950501105033;Perm=r; uar.netbsd.patch
- D> Type=file;Size=54757;Modify=19951105101754;Perm=r; iptnnladev.1.0.sit.hqx
- D> Type=file;Size=226546;Modify=19970515023901;Perm=r; melbcs.tif
- D> Type=file;Size=12927;Modify=19961025135602;Perm=r; tardis.1.6.sit.hqx
- D> Type=file;Size=17867;Modify=19961025135602;Perm=r; timelord.1.4.sit.hqx
- D> Type=file;Size=224907;Modify=19980615100045;Perm=r; uar.1.2.3.sit.hqx
- D> Type=file;Size=1024990;Modify=19980130010322;Perm=r; cap60.pl198.tar.gz
- S> 226 MLSD completed
-
- In this example notice that there is no leading space on the fact
- lines returned over the data connection. Also notice that two lines
- of "type=cdir" have been given. These show two alternate names for
- the directory listed, one a fully qualified pathname, and the other a
- local name relative to the servers current directory when the MLSD
- was performed. Note that all other filenames in the output are
- relative to the directory listed, though the server could, if it
- chose, give a fully qualified path name for the "type=pdir" line.
- This server has chosen not to. The other files listed present a
- fairly boring set of files that are present in the listed directory.
- Note that there is no particular order in which they are listed.
- They are not sorted by filename, by size, or by modify time. Note
- also that the "perm" fact has an empty value for the file
- "capmux.tar.z" indicating that the connected user has no permissions
- at all for that file. This server has chosen to present the "cdir"
- and "pdir" lines before the lines showing the content of the
- directory, it is not required to do so.
The "size" fact does not - provide any meaningful information for a directory, so is not - included in the fact lines for the directory types shown. - - - -Elz & Hethmon [Expires April 2000] [Page 44] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -8.7.4. A more complex example - - C> MLst test - S> 250- Listing test - S> Type=dir;Perm=el;Unique=keVO1+ZF4 test - S> 250 End - C> MLSD test - S> 150 BINARY connection open for MLSD test - D> Type=cdir;Perm=el;Unique=keVO1+ZF4; test - D> Type=pdir;Perm=e;Unique=keVO1+d?3; .. - D> Type=OS.unix=slink:/foobar;Perm=;Unique=keVO1+4G4; foobar - D> Type=OS.unix=chr-13/29;Perm=;Unique=keVO1+5G4; device - D> Type=OS.unix=blk-11/108;Perm=;Unique=keVO1+6G4; block - D> Type=file;Perm=awr;Unique=keVO1+8G4; writable - D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; promiscuous - D> Type=dir;Perm=;Unique=keVO1+1t2; no-exec - D> Type=file;Perm=r;Unique=keVO1+EG4; two words - D> Type=file;Perm=r;Unique=keVO1+IH4; leading space - D> Type=file;Perm=r;Unique=keVO1+1G4; file1 - D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; incoming - D> Type=file;Perm=r;Unique=keVO1+1G4; file2 - D> Type=file;Perm=r;Unique=keVO1+1G4; file3 - D> Type=file;Perm=r;Unique=keVO1+1G4; file4 - S> 226 MLSD completed - C> MLSD test/incoming - S> 150 BINARY connection open for MLSD test/incoming - D> Type=cdir;Perm=cpmel;Unique=keVO1+7G4; test/incoming - D> Type=pdir;Perm=el;Unique=keVO1+ZF4; .. - D> Type=file;Perm=awdrf;Unique=keVO1+EH4; bar - D> Type=file;Perm=awdrf;Unique=keVO1+LH4; - D> Type=file;Perm=rf;Unique=keVO1+1G4; file5 - D> Type=file;Perm=rf;Unique=keVO1+1G4; file6 - D> Type=dir;Perm=cpmdelf;Unique=keVO1+!s2; empty - S> 226 MLSD completed - - For the purposes of this example the fact set requested has been - modified to delete the "size" and "modify" facts, and add the - "unique" fact. First, facts about a filename have been obtained via - MLST. Note that no fully qualified path name was given this time. 
- That was because the server was unable to determine that information. - Then having determined that the filename represents a directory, that - directory has been listed. That listing also shows no fully - qualified path name, for the same reason, thus has but a single - "type=cdir" line. This directory (which was created especially for - the purpose) contains several interesting files. There are some with - OS dependent file types, several sub-directories, and several - ordinary files. - - - - -Elz & Hethmon [Expires April 2000] [Page 45] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - Not much can be said here about the OS dependent file types, as none - of the information shown there should be treated as any more than - possibilities. It can be seen that the OS type of the server is - "unix" though, which is one of the OS types in the IANA registry of - Operating System names. - - Of the three directories listed, "no-exec" has no permission granted - to this user to access at all. From the "Unique" fact values, it can - be determined that "promiscuous" and "incoming" in fact represent the - same directory. Its permissions show that the connected user has - permission to do essentially anything other than to delete the - directory. That directory was later listed. It happens that the - directory can not be deleted because it is not empty. - - Of the normal files listed, two contain spaces in their names. The - file called " leading space" actually contains two spaces in its - name, one before the "l" and one between the "g" and the "s". The - two spaces that separate the facts from the visible part of the path - name make that clear. The file "writable" has the "a" and "w" - permission bits set, and consequently the connected user should be - able to STOR or APPE to that file. 
- - The other four file names, "file1", "file2", "file3", and "file4" all - represent the same underlying file, as can be seen from the values of - the "unique" facts of each. It happens that "file1" and "file2" are - Unix "hard" links, and that "file3" and "file4" are "soft" or - "symbolic" links to the first two. None of that information is - available via standard MLST facts, it is sufficient for the purposes - of FTP to note that all represent the same file, and that the same - data would be fetched no matter which of them was retrieved, and that - all would be simultaneously modified were data stored in any. - - Finally, the sub-directory "incoming" is listed. Since "promiscuous" - is the same directory there would be no point listing it as well. In - that directory, the files "file5" and "file6" represent still more - names for the "file1" file we have seen before. Notice the entry - between that for "bar" and "file5". Though it is not possible to - easily represent it in this document, that shows a file with a name - comprising exactly three spaces (" "). A client will have no - difficulty determining that name from the output presented to it - however. The directory "empty" is, as its name implies, empty, - though that is not shown here. It can, however, be deleted, as can - file "bar" and the file whose name is three spaces. All the files - that reside in this directory can be renamed. This is a consequence - of the UNIX semantics of the directory that contains them being - modifiable. - - - - - -Elz & Hethmon [Expires April 2000] [Page 46] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -8.7.5. More accurate time information - - C> MLst file1 - S> 250- Listing file1 - S> Type=file;Modify=19990929003355.237; file1 - S> 250 End - - In this example, the server-FTP is indicating that "file1" was last - modified 237 milliseconds after 00:33:55 UTC on the 29th of - September, 1999. - -8.7.6. 
A different server - - C> MLST - S> 250-Begin - S> type=dir;unique=AQkAAAAAAAABCAAA; / - S> 250 End. - C> MLSD . - S> 150 Opening ASCII mode data connection for MLS. - D> type=cdir;unique=AQkAAAAAAAABCAAA; / - D> type=dir;unique=AQkAAAAAAAABEAAA; bin - D> type=dir;unique=AQkAAAAAAAABGAAA; etc - D> type=dir;unique=AQkAAAAAAAAB8AwA; halflife - D> type=dir;unique=AQkAAAAAAAABoAAA; incoming - D> type=dir;unique=AQkAAAAAAAABIAAA; lib - D> type=dir;unique=AQkAAAAAAAABWAEA; linux - D> type=dir;unique=AQkAAAAAAAABKAEA; ncftpd - D> type=dir;unique=AQkAAAAAAAABGAEA; outbox - D> type=dir;unique=AQkAAAAAAAABuAAA; quake2 - D> type=dir;unique=AQkAAAAAAAABQAEA; winstuff - S> 226 Listing completed. - C> MLSD linux - S> 150 Opening ASCII mode data connection for MLS. - D> type=cdir;unique=AQkAAAAAAAABWAEA; /linux - D> type=pdir;unique=AQkAAAAAAAABCAAA; / - D> type=dir;unique=AQkAAAAAAAABeAEA; firewall - D> type=file;size=12;unique=AQkAAAAAAAACWAEA; helo_world - D> type=dir;unique=AQkAAAAAAAABYAEA; kernel - D> type=dir;unique=AQkAAAAAAAABmAEA; scripts - D> type=dir;unique=AQkAAAAAAAABkAEA; security - S> 226 Listing completed. - C> MLSD linux/kernel - S> 150 Opening ASCII mode data connection for MLS. - D> type=cdir;unique=AQkAAAAAAAABYAEA; /linux/kernel - D> type=pdir;unique=AQkAAAAAAAABWAEA; /linux - D> type=file;size=6704;unique=AQkAAAAAAAADYAEA; k.config - D> type=file;size=7269221;unique=AQkAAAAAAAACYAEA; linux-2.0.36.tar.gz - D> type=file;size=12514594;unique=AQkAAAAAAAAEYAEA; linux-2.1.130.tar.gz - - - -Elz & Hethmon [Expires April 2000] [Page 47] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - S> 226 Listing completed. - - Note that this server returns its "unique" fact value in quite a - different format. It also returns fully qualified path names for the - "pdir" entry. - -8.7.7. Some IANA files - - C> MLSD . - S> 150 BINARY connection open for MLSD . - D> Type=cdir;Modify=19990219183438; /iana/assignments - D> Type=pdir;Modify=19990112030453; .. 
- D> Type=dir;Modify=19990219073522; media-types - D> Type=dir;Modify=19990112033515; character-set-info - D> Type=dir;Modify=19990112033529; languages - D> Type=file;Size=44242;Modify=19990217230400; character-sets - D> Type=file;Size=1947;Modify=19990209215600; operating-system-names - S> 226 MLSD completed - C> MLSD media-types - S> 150 BINARY connection open for MLSD media-types - D> Type=cdir;Modify=19990219073522; media-types - D> Type=cdir;Modify=19990219073522; /iana/assignments/media-types - D> Type=pdir;Modify=19990219183438; .. - D> Type=dir;Modify=19990112033045; text - D> Type=dir;Modify=19990219183442; image - D> Type=dir;Modify=19990112033216; multipart - D> Type=dir;Modify=19990112033254; video - D> Type=file;Size=30249;Modify=19990218032700; media-types - S> 226 MLSD completed - C> MLSD character-set-info - S> 150 BINARY connection open for MLSD character-set-info - D> Type=cdir;Modify=19990112033515; character-set-info - D> Type=cdir;Modify=19990112033515; /iana/assignments/character-set-info - D> Type=pdir;Modify=19990219183438; .. - D> Type=file;Size=1234;Modify=19980903020400; windows-1251 - D> Type=file;Size=4557;Modify=19980922001400; tis-620 - D> Type=file;Size=801;Modify=19970324130000; ibm775 - D> Type=file;Size=552;Modify=19970320130000; ibm866 - D> Type=file;Size=922;Modify=19960505140000; windows-1258 - S> 226 MLSD completed - C> MLSD languages - S> 150 BINARY connection open for MLSD languages - D> Type=cdir;Modify=19990112033529; languages - D> Type=cdir;Modify=19990112033529; /iana/assignments/languages - D> Type=pdir;Modify=19990219183438; .. 
- D> Type=file;Size=2391;Modify=19980309130000; default - D> Type=file;Size=943;Modify=19980309130000; tags - D> Type=file;Size=870;Modify=19971026130000; navajo - - - -Elz & Hethmon [Expires April 2000] [Page 48] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - D> Type=file;Size=699;Modify=19950911140000; no-bok - S> 226 MLSD completed - C> PWD - S> 257 "/iana/assignments" is current directory. - - This example shows some of the IANA maintained files that are - relevant for this specification in MLSD format. Note that these - listings have been edited by deleting many entries, the actual - listings are much longer. - -8.7.8. A stress test of case (in)dependence - - The following example is intended to make clear some cases where case - dependent strings are permitted in the MLSx commands, and where case - independent strings are required. - - C> MlsD . - S> 150 BINARY connection open for MLSD . - D> Type=pdir;Modify=19990929011228;Perm=el;Unique=keVO1+ZF4; .. - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; FILE2 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+aG8; file3 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+ag8; FILE3 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file1 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file2 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Ag8; File3 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; File1 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; File2 - D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bd8; FILE1 - S> 226 MLSD completed - - Note first that the "MLSD" command, shown here as "MlsD" is case - independent. Clients may issue this command in any case, or - combination of cases, they desire. This is the case for all FTP - commands. - - Next, notice the labels of the facts. 
These are also case - independent strings, Server-FTP is permitted to return them in any - case they desire. User-FTP must be prepared to deal with any case, - though it may do this by mapping the labels to a common case if - desired. - - Then, notice that there are nine objects of "type" file returned. In - a case independent NVFS these would represent three different file - names, "file1", "file2", and "file3". With a case dependent NVFS all - nine represent different file names. Either is possible, server-FTPs - may implement a case dependent or a case independent NVFS. User-FTPs - must allow for case dependent selection of files to manipulate on the - server. - - - -Elz & Hethmon [Expires April 2000] [Page 49] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - Lastly, notice that the value of the "unique" fact is case dependent. - In the example shown, "file1", "File1", and "file2" all have the same - "unique" fact value "keVO1+bD8", and thus all represent the same - underlying file. On the other hand, "FILE1" has a different "unique" - fact value ("keVO1+bd8") and hence represents a different file. - Similarly, "FILE2" and "File2" are two names for the same underlying - file, whereas "file3", "File3" and "FILE3" all represent different - underlying files. - - That the approximate sizes ("size" fact) and last modification times - ("modify" fact) are the same in all cases might be no more than a - coincidence. - - It is not suggested that the operators of server-FTPs create NVFS - which stress the protocols to this extent, however both user and - server implementations must be prepared to deal with such extreme - examples. - -8.8. FEAT response for MLSx - - When responding to the FEAT command, a server-FTP process that - supports MLST, and MLSD, plus internationalization of pathnames, MUST - indicate that this support exists. It does this by including a MLST - feature line. 
As well as indicating the basic support, the MLST - feature line indicates which MLST facts are available from the - server, and which of those will be returned if no subsequent "OPTS - MLST" command is sent. - - mlst-feat = SP "MLST" [SP factlist] CRLF - factlist = 1*( factname ["*"] ";" ) - - The initial space shown in the mlst-feat response is that required by - the FEAT command, two spaces are not permitted. If no factlist is - given, then the server-FTP process is indicating that it supports - MLST, but implements no facts. Only pathnames can be returned. This - would be a minimal MLST implementation, and useless for most - practical purposes. Where the factlist is present, the factnames - included indicate the facts supported by the server. Where the - optional asterisk appears after a factname, that fact will be - included in MLST format responses, until an "OPTS MLST" is given to - alter the list of facts returned. After that, subsequent FEAT - commands will return the asterisk to show the facts selected by the - most recent "OPTS MLST". - - Note that there is no distinct FEAT output for MLSD. The presence of - the MLST feature indicates that both MLST and MLSD are supported. - - - - - -Elz & Hethmon [Expires April 2000] [Page 50] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -8.8.1. Examples - - C> Feat - S> 211- Features supported - S> REST STREAM - S> MDTM - S> SIZE - S> TVFS - S> UTF8 - S> MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden; - S> 211 End - - Aside from some features irrelevant here, this server indicates that - it supports MLST including several, but not all, standard facts, all - of which it will send by default. It also supports two OS dependent - facts, and one locally defined fact. The latter three must be - requested expressly by the client for this server to supply them. 
- - C> Feat - S> 211-Extensions supported: - S> CLNT - S> MDTM - S> MLST type*;size*;modify*;UNIX.mode*;UNIX.owner;UNIX.group;unique; - S> PASV - S> REST STREAM - S> SIZE - S> TVFS - S> Compliance Level: 19981201 (IETF mlst-05) - S> 211 End. - - Again, in addition to some irrelevant features here, this server - indicates that it supports MLST, four of the standard facts, one of - which ("unique") is not enabled by default, and several OS dependent - facts, one of which is provided by the server by default. This - server actually supported more OS dependent facts. Others were - deleted for the purposes of this document to comply with document - formatting restrictions. - -8.9. OPTS parameters for MLST - - For the MLSx commands, the Client-FTP may specify a list of facts it - wishes to be returned in all subsequent MLSx commands until another - OPTS MLST command is sent. The format is specified by: - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 51] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - mlst-opts = "OPTS" SP "MLST" - [ SP 1*( factname ";" ) ] - - By sending the "OPTS MLST" command, the client requests the server to - include only the facts listed as arguments to the command in - subsequent output from MLSx commands. Facts not included in the - "OPTS MLST" command MUST NOT be returned by the server. Facts that - are included should be returned for each entry returned from the MLSx - command where they meaningfully apply. Facts requested that are not - supported, or which are inappropriate to the file or directory being - listed should simply be omitted from the MLSx output. This is not an - error. Note that where no factname arguments are present, the client - is requesting that only the file names be returned. In this case, - and in any other case where no facts are included in the result, the - space that separates the fact names and their values from the file - name is still required. 
That is, the first character of the output - line will be a space, (or two characters will be spaces when the line - is returned over the control connection,) and the file name will - start immediately thereafter. - - Clients should note that generating values for some facts can be - possible, but very expensive, for some servers. It is generally - acceptable to retrieve any of the facts that the server offers as its - default set before any "OPTS MLST" command has been given, however - clients should use particular caution before requesting any facts not - in that set. That is, while other facts may be available from the - server, clients should refrain from requesting such facts unless - there is a particular operational requirement for that particular - information, which ought be more significant than perhaps simply - improving the information displayed to an end user. - - Note, there is no "OPTS MLSD" command, the fact names set with the - "OPTS MLST" command apply to both MLST and MLSD commands. - - Servers are not required to accept "OPTS MLST" commands before - authentication of the user-PI, but may choose to permit them. - -8.9.1. OPTS MLST Response - - The "response-message" from [6] to a successful OPTS MLST command has - the following syntax. - - mlst-opt-resp = "MLST OPTS" [ SP 1*( factname ";" ) ] - - This defines the "response-message" as used in the "opts-good" - message in RFC2389 [6]. - - - - - -Elz & Hethmon [Expires April 2000] [Page 52] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - The facts named in the response are those which the server will now - include in MLST (and MLSD) response, after the processing of the - "OPTS MLST" command. Any facts from the request not supported by the - server will be omitted from this response message. If no facts will - be included, the list of facts will be empty. 
Note that the list of - facts returned will be the same as those marked by a trailing - asterisk ("*") in a subsequent FEAT command response. There is no - requirement that the order of the facts returned be the same as that - in which they were requested, or that in which they will be listed in - a FEAT command response, or that in which facts are returned in MLST - responses. The fixed string "MLST OPTS" in the response may be - returned in any case, or mixture of cases. - -8.9.2. Examples - - C> Feat - S> 211- Features supported - S> MLST Type*;Size;Modify*;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden; - S> 211 End - C> OptS Mlst Type;UNIX.mode;Perm; - S> 201 MLST OPTS Type;Perm;UNIX.mode; - C> Feat - S> 211- Features supported - S> MLST Type*;Size;Modify;Perm*;Unique;UNIX.mode*;UNIX.chgd;X.hidden; - S> 211 End - C> opts MLst lang;type;charset;create; - S> 201 MLST OPTS Type; - C> Feat - S> 211- Features supported - S> MLST Type*;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden; - S> 211 End - C> OPTS mlst size;frogs; - S> 201 MLST OPTS Size; - C> Feat - S> 211- Features supported - S> MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden; - S> 211 End - C> opts MLst unique type; - S> 501 Invalid MLST options - C> Feat - S> 211- Features supported - S> MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden; - S> 211 End - - For the purposes of this example, features other than MLST have been - deleted from the output to avoid clutter. The example shows the - initial default feature output for MLST. The facts requested are - then changed by the client. The first change shows facts that are - - - -Elz & Hethmon [Expires April 2000] [Page 53] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - available from the server being selected. Subsequent FEAT output - shows the altered features as being returned. The client then - attempts to select some standard features which the server does not - support. 
This is not an error, however the server simply ignores the - requests for unsupported features, as the FEAT output that follows - shows. Then, the client attempts to request a non-standard, and - unsupported, feature. The server ignores that, and selects only the - supported features requested. Lastly, the client sends a request - containing a syntax error (spaces cannot appear in the factlist.) The - server-FTP sends an error response and completely ignores the - request, leaving the fact set selected as it had been previously. - - Note that in all cases, except the error response, the response lists - the facts that have been selected. - - C> Feat - S> 211- Features supported - S> MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden; - S> 211 End - C> Opts MLST - S> 201 MLST OPTS - C> Feat - S> 211- Features supported - S> MLST Type;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden; - S> 211 End - C> MLst tmp - S> 250- Listing tmp - S> /tmp - S> 250 End - C> OPTS mlst unique;size; - S> 201 MLST OPTS Size;Unique; - C> MLst tmp - S> 250- Listing tmp - S> Unique=keVO1+YZ5; /tmp - S> 250 End - C> OPTS mlst unique;type;modify; - S> 201 MLST OPTS Type;Modify;Unique; - C> MLst tmp - S> 250- Listing tmp - S> Type=dir;Modify=19990930152225;Unique=keVO1+YZ5; /tmp - S> 250 End - C> OPTS mlst fish;cakes; - S> 201 MLST OPTS - C> MLst tmp - S> 250- Listing tmp - S> /tmp - S> 250 End - C> OptS Mlst Modify;Unique; - - - -Elz & Hethmon [Expires April 2000] [Page 54] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - S> 201 MLST OPTS Modify;Unique; - C> MLst tmp - S> 250- Listing tmp - S> Modify=19990930152225;Unique=keVO1+YZ5; /tmp - S> 250 End - C> opts MLst fish cakes; - S> 501 Invalid MLST options - C> MLst tmp - S> 250- Listing tmp - S> Modify=19990930152225;Unique=keVO1+YZ5; /tmp - S> 250 End - - This example shows the effect of changing the facts requested upon - subsequent MLST commands. 
Notice that a syntax error leaves the set - of selected facts unchanged. Also notice exactly two spaces - preceding the pathname when no facts were selected, either - deliberately, or because none of the facts requested were available. - -9. Impact On Other FTP Commands - - Along with the introduction of MLST, traditional FTP commands must be - extended to allow for the use of more than US-ASCII or EBCDIC - character sets. In general, the support of MLST requires support for - arbitrary character sets wherever filenames and directory names are - allowed. This applies equally to both arguments given to the - following commands and to the replies from them, as appropriate. - - CWD - RETR - STOR - STOU - APPE - RNFR - RNTO - DELE - RMD - MKD - PWD - STAT - - The arguments to all of these commands should be processed the same - way that MLST commands and responses are processed with respect to - handling embedded spaces, CRs and NULs. See section 2.2. - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 55] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -10. Character sets and Internationalization - - FTP commands are protocol elements, and are always expressed in - ASCII. FTP responses are composed of the numeric code, which is a - protocol element, and a message, which is often expected to convey - information to the user. It is not expected that users normally - interact directly with the protocol elements, rather the user FTP- - process constructs the commands, and interprets the results, in the - manner best suited for the particular user. Explanatory text in - responses generally has no particular meaning to the protocol. The - numeric codes provide all necessary information. Server-PIs are free - to provide the text in any language that can be adequately - represented in ASCII, or where an alternative language and - representation has been negotiated (see [7]) in that language and - representation. 
- - Pathnames are expected to be encoded in UTF-8 allowing essentially - any character to be represented in a pathname. Meaningful pathnames - are defined by the server NVFS. - - No restrictions at all are placed upon the contents of files - transferred using the FTP protocols. Unless the "media-type" fact is - provided in a MLSx response nor is any advice given here which would - allow determining the content type. That information is assumed to - be obtained via other means. - -11. IANA Considerations - - This specification makes use of some lists of values currently - maintained by the IANA, and creates two new lists for the IANA to - maintain. It does not add any values to any existing registries. - - The existing IANA registries used by this specification are modified - using mechanisms specified elsewhere. - -11.1. The OS specific fact registry - - A registry of OS specific fact names shall be maintained by the IANA. - The OS names for the OS portion of the fact name must be taken from - the IANA's list of registered OS names. To add a fact name to this - OS specific registry of OS specific facts, an applicant must send to - the IANA a request, in which is specified the OS name, the OS - specific fact name, a definition of the syntax of the fact value, - which must conform to the syntax of a token as given in this - document, and a specification of the semantics to be associated with - the particular fact and its values. Upon receipt of such an - application, and if the combination of OS name and OS specific fact - name has not been previously defined, the IANA will add the - - - -Elz & Hethmon [Expires April 2000] [Page 56] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - specification to the registry. - - Any examples of OS specific facts found in this document are to be - treated as examples of possible OS specific facts, and do not form a - part of the IANA's registry merely because of being included in this - document. - -11.2. 
The OS specific filetype registry - - A registry of OS specific file types shall be maintained by the IANA. - The OS names for the OS portion of the fact name must be taken from - the IANA's list of registered OS names. To add a file type to this - OS specific registry of OS specific file types, an applicant must - send to the IANA a request, in which is specified the OS name, the OS - specific file type, a definition of the syntax of the fact value, - which must conform to the syntax of a token as given in this - document, and a specification of the semantics to be associated with - the particular fact and its values. Upon receipt of such an - application, and if the combination of OS name and OS specific file - type has not been previously defined, the IANA will add the - specification to the registry. - - Any examples of OS specific file types found in this document are to - be treated as potential OS specific file types only, and do not form - a part of the IANA's registry merely because of being included in - this document. - -12. Security Considerations - - This memo does not directly concern security. It is not believed - that any of the mechanisms documented here impact in any particular - way upon the security of FTP. - - Implementing the SIZE command, and perhaps some of the facts of the - MDLx commands, may impose a considerable load on the server, which - could lead to denial of service attacks. Servers have, however, - implemented this for many years, without significant reported - difficulties. - - With the introduction of virtual hosts to FTP, and the possible - accompanying multiple authentication environments, server - implementors will need to take some care to ensure that integrity is - maintained. - - The FEAT and OPTS commands may be issued before the FTP - authentication has occurred [6]. This allows unauthenticated clients - to determine which of the features defined here are supported, and to - negotiate the fact list for MLSx output. 
No actual MLSx commands may - - - -Elz & Hethmon [Expires April 2000] [Page 57] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - be issued however, and no problems with permitting the selection of - the format prior to authentication are foreseen. - - A general discussion of issues related to the security of FTP can be - found in [14]. - -13. References - - [1] Coded Character Set--7-bit American Standard Code for Information - Interchange, ANSI X3.4-1986. - - [2] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO - 10646", RFC 2044, October 1996. - - [3] Postel, J., Reynolds, J., "File Transfer Protocol (FTP)", - STD 9, RFC 959, October 1985 - - [4] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997 - - [5] Crocker, D., Overell, P., "Augmented BNF for Syntax - Specifications: ABNF", RFC 2234, November 1997 - - [6] Hethmon, P., Elz, R., "Feature negotiation mechanism for the - File Transfer Protocol", RFC 2389, August 1998 - - [7] Curtin, W., "Internationalization of the File Transfer Protocol", - RFC 2640, July 1999 - - [8] Postel, J., Reynolds, J., "Telnet protocol Specification" - STD 8, RFC 854, May 1983 - - [9] Braden, R,. "Requirements for Internet Hosts -- Application - and Support", STD 3, RFC 1123, October 1989 - - [10] Mockapetris, P., "Domain Names - Concepts and Facilities" - STD 13, RFC 1034, November 1987 - - [11] ISO/IEC 10646-1:1993 "Universal multiple-octet coded character set - (UCS) -- Part 1: Architecture and basic multilingual plane", - International Standard -- Information Technology, 1993 - - [12] Internet Assigned Numbers Authority. http://www.iana.org - Email: iana@iana.org. 
- - [13] Alvestrand, H., "Tags for the Identification of Languages" - RFC 1766, March 1995 - - - - -Elz & Hethmon [Expires April 2000] [Page 58] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - - [14] Allman, M., Ostermann, S., "FTP Security Considerations" - RFC 2577, May 1999 - -Acknowledgments - - This document is a product of the FTPEXT working group of the IETF. - - The following people are among those who have contributed to this - document: - - Alex Belits - D. J. Bernstein - Dave Cridland - Martin J. Duerst - Mike Gleason - Mark Harris - Alun Jones - James Matthews - Luke Mewburn - Jan Mikkelsen - Keith Moore - Buz Owen - Mark Symons - Stephen Tihor - and the entire FTPEXT working group of the IETF. - - Apologies are offered to any inadvertently omitted. - - Bernhard Rosenkraenzer suggested the HOST command, and initially - described it. - - The description of the modifications to the REST command and the MDTM - and SIZE commands comes from a set of modifications suggested for - RFC959 by Rick Adams in 1989. A draft containing just those - commands, edited by David Borman, has been merged with this document. - - Mike Gleason provided access to the FTP server used in some of the - examples. - - All of the examples in this document are taken from actual - client/server exchanges, though some have been edited for brevity, or - to meet document formatting requirements. - - - - - - - - - -Elz & Hethmon [Expires April 2000] [Page 59] - - -Internet Draft draft-ietf-ftpext-mlst-08.txt October 1999 - - -Copyright - - This document is in the public domain. Any and all copyright - protection that might apply in any jurisdiction is expressly - disclaimed. 
-
-Editors' Addresses
-
- Robert Elz
- University of Melbourne
- Department of Computer Science
- Parkville, Vic 3052
- Australia
-
- Email: kre@munnari.OZ.AU
-
-
- Paul Hethmon
- Hethmon Brothers
- 2305 Chukar Road
- Knoxville, TN 37923 USA
-
- Phone: +1 423 690 8990
- Email: phethmon@hethmon.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Elz & Hethmon [Expires April 2000] [Page 60]
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt
deleted file mode 100644
index 5845995f2d9c..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt
+++ /dev/null
@@ -1,725 +0,0 @@ - - -Kerberos Working Group M. Swift -Internet Draft University of WA -Document: draft-ietf-krb-wg-kerberos-referrals-00.txt J. Brezak -Category: Standards Track Microsoft - J. Trostle - Cisco Systems - K. Raeburn - MIT - February 2001 - - - Generating KDC Referrals to locate Kerberos realms - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. Internet-Drafts are draft documents valid for a maximum of - six months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The draft documents a new method for a Kerberos Key Distribution - Center (KDC) to respond to client requests for kerberos tickets when - the client does not have detailed configuration information on the - realms of users or services. The KDC will handle requests for - principals in other realms by returning either a referral error or a - cross-realm TGT to another realm on the referral path. The clients - will use this referral information to reach the realm of the target - principal and then receive the ticket. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. 
Introduction - - - - -Swift Category - Standards Track 1 - - - - - - - - - KDC Referrals February 2001 - - - Current implementations of the Kerberos AS and TGS protocols, as - defined in RFC 1510 [3], use principal names constructed from a - known user or service name and realm. A service name is typically - constructed from a name of the service and the DNS host name of the - computer that is providing the service. Many existing deployments of - Kerberos use a single Kerberos realm where all users and services - would be using the same realm. However in an environment where there - are multiple trusted Kerberos realms, the client needs to be able to - determine what realm a particular user or service is in before - making an AS or TGS request. Traditionally this requires client - configuration to make this possible. - - When having to deal with multiple trusted realms, users are forced - to know what realm they are in before they can obtain a ticket - granting ticket (TGT) with an AS request. However, in many cases the - user would like to use a more familiar name that is not directly - related to the realm of their Kerberos principal name. A good - example of this is an RFC-822 style email name. This document - describes a mechanism that would allow a user to specify a user - principal name that is an alias for the user's Kerberos principal - name. In practice this would be the name that the user specifies to - obtain a TGT from a Kerberos KDC. The user principal name no longer - has a direct relationship with the Kerberos principal or realm. Thus - the administrator is able to move the user's principal to other - realms without the user having to know that it happened. - - Once a user has a TGT, they would like to be able to access services - in any trusted Kerberos realm. To do this requires that the client - be able to determine what realm the target service's host is in - before making the TGS request. 
Current implementations of Kerberos - typically have a table that maps DNS host names to corresponding - Kerberos realms. In order for this to work on the client, each - application canonicalizes the host name of the service by doing a - DNS lookup followed by a reverse lookup using the returned IP - address. The returned primary host name is then used in the - construction of the principal name for the target service. In order - for the correct realm to be added for the target host, the mapping - table [domain_to_realm] is consulted for the realm corresponding to - the DNS host name. The corresponding realm is then used to complete - the target service principal name. - - This traditional mechanism requires that each client have very - detailed configuration information about the hosts that are - providing services and their corresponding realms. Having client - side configuration information can be very costly from an - administration point of view - especially if there are many realms - and computers in the environment. - - Current implementations of Kerberos also have difficulty with - services on hosts that can have multiple host names (multi-homed - hosts). Traditionally, each host name would need to have a distinct - principal and a corresponding key. An extreme example of this would - be a Web server with multiple host names for each domain that it is - -Swift Category - Standards Track 2 - - - - - - - - - KDC Referrals February 2001 - - - supporting. Principal aliases allow multi-homed hosts to have a - single Kerberos principal (with a single key) that can have - identities for each distinct host name. This mechanism allows the - Kerberos client to request a service ticket for the distinct - hostname and allows the KDC to return a ticket for the single - principal that the host is using. This canonical principal name - allows the host to only have to manage a single key for all of the - identities that it supports. 
In addition, the client only needs to - know the realm of the canonical service name, not all of the - identities. - - This draft proposes a solution for these problems and simplifies - administration by minimizing the configuration information needed on - each computer using Kerberos. Specifically it describes a mechanism - to allow the KDC to handle Canonicalization of names, provide for - principal aliases for users and services and provide a mechanism for - the KDC to determine the trusted realm authentication path by being - able to generate referrals to other realms in order to locate - principals. - - To rectify these problems, this draft introduces three new kinds of - KDC referrals: - - 1. AS ticket referrals, in which the client doesn't know which realm - contains a user account. - 2. TGS ticket referrals, in which the client doesn't know which - realm contains a server account. - 3. Cross realm shortcut referrals, in which the KDC chooses the next - path on a referral chain - -4. Realm Organization Model - - This draft assumes that the world of principals is arranged on - multiple levels: the realm, the enterprise, and the world. A KDC may - issue tickets for any principal in its realm or cross-realm tickets - for realms with which it has a direct trust relationship. The KDC - also has access to a trusted name service that can resolve any name - from within its enterprise into a realm. This trusted name service - removes the need to use an untrusted DNS lookup for name resolution. - - For example, consider the following configuration, where lines - indicate trust relationships: - - MS.COM - / \ - / \ - OFFICE.MS.COM NT.MS.COM - - In this configuration, all users in the MS.COM enterprise could have - a principal name such as alice@MS.COM, with the same realm portion. - In addition, servers at MS.COM should be able to have DNS host names - from any DNS domain independent of what Kerberos realm their - principal resides in. 
- -Swift Category - Standards Track 3 - - - - - - - - - KDC Referrals February 2001 - - - -5. Principal Names - -5.1 Service Principal Names - - The standard Kerberos model in RFC 1510 [3] gives each Kerberos - principal a single name. However, if a service is reachable by - several addresses, it is useful for a principal to have multiple - names. Consider a service running on a multi-homed machine. Rather - than requiring a separate principal and password for each name it - exports, a single account with multiple names could be used. - - Multiple names are also useful for services in that clients need not - perform DNS lookups to resolve a host name into a full DNS address. - Instead, the service may have a name for each of its supported host - names, including its IP address. Nonetheless, it is still convenient - for the service to not have to be aware of all these names. Thus a - new name may be added to DNS for a service by updating DNS and the - KDC database without having to notify the service. In addition, it - implies that these aliases are globally unique: they do not include - a specifier dictating what realm contains the principal. Thus, an - alias for a server is of the form "class/instance/name" and may be - transmitted as any name type. - -5.2 Client Principal Names - - Similarly, a client account may also have multiple principal names. - More useful, though, is a globally unique name that allows - unification of email and security principal names. For example, all - users at MS may have a client principal name of the form - "joe@MS.COM" even though the principals are contained in multiple - realms. This global name is again an alias for the true client - principal name, which is indicates what realm contains the - principal. Thus, accounts "alice" in the realm ntdev.MS.COM and - "bob" in office.MS.COM may logon as "alice@MS.COM" and "bob@MS.COM". 
- This requires a new client principal name type, as the AS-REQ - message only contains a single realm field, and the realm portion of - this name doesn't correspond to any Kerberos realm. Thus, the entire - name "alice@MS.COM" is transmitted in the client name field of the - AS-REQ message, with a name type of KRB-NT-ENTERPRISE-PRINCIPAL. - - KRB-NT-ENTERPRISE-PRINCIPAL 10 - -5.3 Name Canonicalization - - In order to support name aliases, the Kerberos client must - explicitly request the name-canonicalization KDC option (bit 15) in - the ticket flags for the TGS-REQ. This flag indicates to the KDC - that the client is prepared to receive a reply with a different - client or server principal name than the request. Thus, the - KDCOptions types is redefined as: - - KDCOptions ::= BIT STRING { - -Swift Category - Standards Track 4 - - - - - - - - - KDC Referrals February 2001 - - - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - name-canonicalize(15), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) - } - -6. Client Referrals - - The simplest form of ticket referral is for a user requesting a - ticket using an AS-REQ. In this case, the client machine will send - the AS request to a convenient trusted realm, either the realm of - the client machine or the realm of the client name. In the case of - the name Alice@MS.COM, the client may optimistically choose to send - the request to MS.COM. - - The client will send the string "alice@MS.COM" in the client - principal name field using the KRB-NT-ENTERPRISE-PRINCIPAL name type - with the crealm set to MS.COM. The KDC will try to lookup the name - in its local account database. If the account is present in the - crealm of the request, it MUST return a KDC reply structure with the - appropriate ticket. 
If the account is not present in the crealm - specified in the request and the name-canonicalize flag in the - KDCoptions is set, the KDC will try to lookup the entire name, - Alice@MS.COM, using a name service. If this lookup is unsuccessful, - it MUST return the error KDC_ERR_C_PRINCIPAL_UNKNOWN. If the lookup - is successful, it MUST return an error KDC_ERR_WRONG_REALM (0x44) - and in the error message the cname and crealm field MUST contain the - client name and the true realm of the client. If the KDC contains - the account locally, it MUST return a normal ticket. The client name - and realm portions of the ticket and KDC reply message MUST be the - client's true name in the realm, not the globally unique name. - - If the client receives a KDC_ERR_WRONG_REALM error, it will issue a - new AS request with the same client principal name used to generate - the first referral to the realm specified by the crealm field of the - kerberos error message from the first request. This request MUST - produce a valid AS response with a ticket for the canonical user - name. The ticket MUST also include the ticket extension containing - the TE-REFERRAL-DATA with the referred-names set to the name from - - -Swift Category - Standards Track 5 - - - - - - - - - KDC Referrals February 2001 - - - the AS request. Any other error or referral will terminate the - request and result in a failed AS request. - -7. Server Referrals - - The server referral mechanism is a bit more complex than the client - referral mechanism. The primary problem is that the KDC must return - a referral ticket rather than an error message, so it will include - in the TGS response information about what realm contains the - service. This is done by returning information about the server name - in the pre-auth data field of the KDC reply. - - If the KDC resolves the server principal name into a principal in - its realm, it may return a normal ticket. 
If the name-canonicalize - flag in the KDCoptions is not set, then the KDC MUST only look up - the name as a normal principal name. Otherwise, it MUST search all - aliases as well. The server principal name in both the ticket and - the KDC reply MUST be the true server principal name instead of one - of the aliases. This frees the application server from needing to - know about all its aliases. - - If the name-canonicalize flag in the KDCoptions is set and the KDC - doesn't find the principal locally, the KDC can return a cross-realm - ticket granting ticket to the next hop on the trust path towards a - realm that may be able to resolve the principal name. - - If the KDC can determine the service principal's realm, it can - return the server realm as ticket extension data. The ticket - extension MUST be encrypted using the session key from the ticket, - and the same etype as is used to protect the TGS reply body. - - The data itself is an ASN.1 encoded structure containing the - server's realm, and if known, canonical principal name and alias - names. The first name in the sequence is the canonical principal - name. - - TE-REFERRAL-INFO 20 - - TE-REFERRAL-DATA ::= SEQUENCE { - referred-server-realm[0] KERB-REALM - referred-names[1] SEQUENCE OF - PrincipalNames OPTIONAL - } - - - The client can use this information to request a chain of cross- - realm ticket granting tickets until it reaches the realm of the - server, and can then expect to receive a valid service ticket. - - In order to facilitate cross-realm interoperability, a client SHOULD - NOT send short names in TGS requests to the KDC. A short name is - defined as a Kerberos name that includes a DNS name that is not - fully qualified. The client MAY use forward DNS lookups to obtain - -Swift Category - Standards Track 6 - - - - - - - - - KDC Referrals February 2001 - - - the long name that corresponds to the user entered short name (the - short name will be a prefix of the corresponding long name). 
- - The client may use the referred-names field to tell if it already - has a ticket to the server in its ticket cache. - - The client can use this information to request a chain of cross- - realm ticket granting tickets until it reaches the realm of the - server, and can then expect to receive a valid service ticket. - However an implementation should limit the number of referrals that - it processes to avoid infinite referral loops. A suggested limit is - 5 referrals before giving up. - -8. Cross Realm Routing - - The current Kerberos protocol requires the client to explicitly - request a cross-realm TGT for each pair of realms on a referral - chain. As a result, the client machines need to be aware of the - trust hierarchy and of any short-cut trusts (those that aren't - parent-child trusts). This requires more configurations on the - client. Instead, the client should be able to request a TGT to the - target realm from each realm on the route. The KDC will determine - the best path for the client and return a cross-realm TGT. The - client has to be aware that a request for a cross-realm TGT may - return a TGT for a realm different from the one requested. - -9. Security Considerations - - The original Kerberos specification stated that the server principal - name in the KDC reply was the same as the server name in the - request. These protocol changes break that assumption, so the client - may be vulnerable to a denial of service attack by an attacker that - replays replies from previous requests. It can verify that the - request was one of its own by checking the client-address field or - authtime field, though, so the damage is limited and detectable. - - For the AS exchange case, it is important that the logon mechanism - not trust a name that has not been used to authenticate the user. 
- For example, the name that the user enters as part of a logon - exchange may not be the name that the user authenticates as, given - that the KDC_ERR_WRONG_REALM error may have been returned. The - relevant Kerberos naming information for logon (if any), is the - client name and client realm in the service ticket targeted at the - workstation that was obtained using the user's initial TGT. - - How the client name and client realm is mapped into a local account - for logon is a local matter, but the client logon mechanism MUST use - additional information such as the client realm and/or authorization - attributes from the service ticket presented to the workstation by - the user, when mapping the logon credentials to a local account on - the workstation. - -10. Discussion - -Swift Category - Standards Track 7 - - - - - - - - - KDC Referrals February 2001 - - - - This section contains issues and suggestions that need to be - incorporated into this draft. From Ken Raeburn [raeburn@mit.edu]: - - 1) No means to do name canonicalization if you're not - authenticating. Is it okay to require credentials in order to do - canonicalization? If so, how about this: Send a TGS_REQ for the - service name you have. If you get back a TGS_REP for a service, - great; pull out the name and throw out the credentials. If you - get back a TGS_REP for a TGT service, ask again in the specified - realm. If you get back a KRB_ERROR because policy prohibits you - from authenticating to that service, we can add to the - specification that the {realm,sname} in the KRB_ERROR must be the - canonical name, and the checksum must be used. As long as the - checksum is present, it's still a secure exchange with the KDC. - - If we have to be able to do name canonicalization without any - sort of credentials, either client-side (tickets) or server-side - (tickets automatically acquired via service key), I think we just - lose. But maybe GSSAPI should be changed if that's the case. 
- - 2) Can't refer to another realm and specify a different service name - to give to that realm's KDC. The local KDC can tell you a - different service name or a different realm name, but not both. - This comes up in the "gnuftp.raeburn.org CNAME ftp.gnu.org" type - of case I've mentioned. - - Except ... the KDC-REP structure includes padata and ticket - extensions fields that are extensible. We could add a required - value to one of them -- perhaps only in the case where you return - a TGT when not asked -- that contains signed information about - the principal name to ask for in the other realm. (It would have - to be required, otherwise a man-in-the-middle could make it go - away.) Signing would be done using the session key for the TGS. - - 3) Secure canonicalization of service name in AS_REQ. If the - response is an AS_REP, we need a way to tell that the altered - server name wasn't a result of a MITM attack on the AS_REQ - message. Again, the KDC-REP extensible fields could have a new - required value added when name canonicalization happens, - indicating what the original principal name (in the AS_REQ - message) was, and signed using the same key as protects the - AS_REP. If it doesn't match what the client requested, the - messages were altered in transit. - - 4) Client name needs referral to another realm, and server name - needs canonicalization of some sort. The above fixes wouldn't - work for this case, and I'm not even sure which KDC should be - doing the canonicalization anyways. 
- - - The other-principal-name datum would probably look something like: - - -Swift Category - Standards Track 8 - - - - - - - - - KDC Referrals February 2001 - - - PrincipalAndNonce ::= SEQUENCE { - name[0] PrincipalName, - nonce[1] INTEGER -- copied from KDC_REQ - } - SignedPrincipal ::= SEQUENCE { - name-and-nonce[0] PrincipalAndNonce, - cksum[1] Checksum - } - {PA,TE}-ORIGINAL-SERVER-PRINCIPAL ::= SignedPrincipal - {PA,TE}-REMOTE-SERVER-PRINCIPAL ::= SignedPrincipal - - with the checksum computed over the encoding of the 'name-and-nonce' - field, and appropriate PA- or TE- numbers assigned. I don't have a - strong opinion on whether it'd be a pa-data or ticket extension; - conceptually it seems like an abuse of either, but, well, I think - I'd rather abuse them than leave the facility both in and - inadequate. - - The nonce is needed because multiple exchanges may be made with the - same key, and these extension fields aren't packed in with the other - encrypted data in the same response, so a MITM could pick apart - multiple messages and mix-and-match components. (In a TGS_REQ - exchange, a subsession key would help, but it's not required.) - - The extension field would be required to prevent a MITM from - discarding the field from a response; a flag bit in a protected part - of the message (probably in 'flags' in EncKDCRepPart) could also let - us know of a cases where the information can be omitted, namely, - when no name change is done. Perhaps the bit should be set to - indicate that a name change *was* done, and clear if it wasn't, - making the no-change case more directly compatible with RFC1510. - -11. References - - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - -12. 
Author's Addresses - - Michael Swift - University of Washington - Seattle, Washington - Email: mikesw@cs.washington.edu - - John Brezak - -Swift Category - Standards Track 9 - - - - - - - - - KDC Referrals February 2001 - - - Microsoft - One Microsoft Way - Redmond, Washington - Email: jbrezak@Microsoft.com - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Kenneth Raeburn - Massachusetts Institute of Technology 77 - Massachusetts Avenue - Cambridge, Massachusetts 02139 - Email: raeburn@mit.edu - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Standards Track 10 - - - - - - - - - KDC Referrals February 2001 - - - Full Copyright Statement - - Copyright (C) The Internet Society (1999). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. 
- - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - - - - - - - - - - - - - - - - - - - - - - - - - - - -Swift Category - Standards Track 11 - - - - - - - diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt deleted file mode 100644 index a6dec9d1e076..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt +++ /dev/null 
@@ -1,339 +0,0 @@ - - - - - - -INTERNET-DRAFT Ken Hornstein - NRL -February 28, 2001 Jeffrey Altman -Expires: August 28, 2001 Columbia University - - - - Distributing Kerberos KDC and Realm Information with DNS - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Distribution of this memo is unlimited. It is filed as , and expires on August 28, 2001. - Please send comments to the authors. - -Abstract - - Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- - col [RFC????] describe any mechanism for clients to learn critical - configuration information necessary for proper operation of the pro- - tocol. Such information includes the location of Kerberos key dis- - tribution centers or a mapping between DNS domains and Kerberos - realms. - - Current Kerberos implementations generally store such configuration - information in a file on each client machine. Experience has shown - this method of storing configuration information presents problems - with out-of-date information and scaling problems, especially when - - - -Hornstein, Altman [Page 1] - -RFC DRAFT February 28, 2001 - - - using cross-realm authentication. 
- - This memo describes a method for using the Domain Name System - [RFC1035] for storing such configuration information. Specifically, - methods for storing KDC location and hostname/domain name to realm - mapping information are discussed. - -DNS vs. Kerberos - Case Sensitivity of Realm Names - - In Kerberos, realm names are case sensitive. While it is strongly - encouraged that all realm names be all upper case this recommendation - has not been adopted by all sites. Some sites use all lower case - names and other use mixed case. DNS on the other hand is case insen- - sitive for queries but is case preserving for responses to TXT - queries. Since "MYREALM", "myrealm", and "MyRealm" are all different - it is necessary that only one of the possible combinations of upper - and lower case characters be used. This restriction may be lifted in - the future as the DNS naming scheme is expanded to support non-ASCII - names. - -Overview - KDC location information - - KDC location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kerberos is always "_kerberos". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_udp" record MUST be included. If the Kerberos implementa- - tion supports TCP transport, a "_tcp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, and Target have the standard mean- - ing as defined in RFC 2052. - - As per RFC 2052 the Port number should be the value assigned to "ker- - beros" by the Internet Assigned Number Authority (88). - -Example - KDC location information - - These are DNS records for a Kerberos realm ASDF.COM. It has two Ker- - beros servers, kdc1.asdf.com and kdc2.asdf.com. Queries should be - directed to kdc1.asdf.com first as per the specified priority. 
- Weights are not used in these records. - - - - -Hornstein, Altman [Page 2] - -RFC DRAFT February 28, 2001 - - - _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. - -Overview - Kerberos password changing server location information - - Kerberos password changing server [KERB-CHG] location is to be stored - using the DNS SRV RR [RFC 2052]. The format of this RR is as fol- - lows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for the password server is always "_kpasswd". - - The Proto MUST be "_udp". - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, and Target have the standard mean- - ing as defined in RFC 2052. - - As per RFC 2052 the Port number should be the value assigned to - "kpasswd" by the Internet Assigned Number Authority (464). - -Overview - Kerberos admin server location information - - Kerberos admin location information is to be stored using the DNS SRV - RR [RFC 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for the admin server is always "_kerberos-adm". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_tcp" record MUST be included. If the Kerberos admin imple- - mentation supports UDP transport, a "_udp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, and Target have the standard mean- - ing as defined in RFC 2052. - - As per RFC 2052 the Port number should be the value assigned to - "kerberos-adm" by the Internet Assigned Number Authority (749). - - Note that there is no formal definition of a Kerberos admin protocol, - so the use of this record is optional and implementation-dependent. 
- - - - - -Hornstein, Altman [Page 3] - -RFC DRAFT February 28, 2001 - - -Example - Kerberos administrative server location information - - These are DNS records for a Kerberos realm ASDF.COM. It has one - administrative server, kdc1.asdf.com. - - _kerberos-adm._tcp.ASDF.COM. IN SRV 0 0 749 kdc1.asdf.com. - -Overview - Hostname/domain name to Kerberos realm mapping - - Information on the mapping of DNS hostnames and domain names to Ker- - beros realms is stored using DNS TXT records [RFC 1035]. These - records have the following format. - - Service.Name TTL Class TXT Realm - - The Service field is always "_kerberos", and prefixes all entries of - this type. - - The Name is a DNS hostname or domain name. This is explained in - greater detail below. - - TTL, Class, and TXT have the standard DNS meaning as defined in RFC - 1035. - - The Realm is the data for the TXT RR, and consists simply of the Ker- - beros realm that corresponds to the Name specified. - - When a Kerberos client wishes to utilize a host-specific service, it - will perform a DNS TXT query, using the hostname in the Name field of - the DNS query. If the record is not found, the first label of the - name is stripped and the query is retried. - - Compliant implementations MUST query the full hostname and the most - specific domain name (the hostname with the first label removed). - Compliant implementations SHOULD try stripping all subsequent labels - until a match is found or the Name field is empty. - -Example - Hostname/domain name to Kerberos realm mapping - - For the previously mentioned ASDF.COM realm and domain, some sample - records might be as follows: - - _kerberos.asdf.com. IN TXT "ASDF.COM" - _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" - _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM" - - Let us suppose that in this case, a Kerberos client wishes to use a - Kerberized service on the host foo.asdf.com. 
It would first query: - - - -Hornstein, Altman [Page 4] - -RFC DRAFT February 28, 2001 - - - _kerberos.foo.asdf.com. IN TXT - - Finding no match, it would then query: - - _kerberos.asdf.com. IN TXT - - And find an answer of ASDF.COM. This would be the realm that - foo.asdf.com resides in. - - If another Kerberos client wishes to use a Kerberized service on the - host salesserver.asdf.com, it would query: - - _kerberos.salesserver.asdf.com IN TXT - - And find an answer of SALES.ASDF.COM. - -Security considerations - - As DNS is deployed today, it is an unsecure service. Thus the infor- - mation returned by it cannot be trusted. - - Current practice for REALM to KDC mapping is to use hostnames to - indicate KDC hosts (stored in some implementation-dependent location, - but generally a local config file). These hostnames are vulnerable - to the standard set of DNS attacks (denial of service, spoofed - entries, etc). The design of the Kerberos protocol limits attacks of - this sort to denial of service. However, the use of SRV records does - not change this attack in any way. They have the same vulnerabili- - ties that already exist in the common practice of using hostnames for - KDC locations. - - Current practice for HOSTNAME to REALM mapping is to provide a local - configuration of mappings of hostname or domain name to realm which - are then mapped to KDCs. But this again is vulnerable to spoofing - via CNAME records that point to hosts in other domains. This has the - same effect as when a TXT record is spoofed. In a realm with no - cross-realm trusts this is a DoS attack. However, when cross-realm - trusts are used it is possible to redirect a client to use a comprom- - ised realm. - - This is not an exploit of the Kerberos protocol but of the Kerberos - trust model. The same can be done to any application that must - resolve the hostname in order to determine which domain a non-FQDN - belongs to. 
- - Implementations SHOULD provide a way of specifying this information - locally without the use of DNS. However, to make this feature - worthwhile a lack of any configuration information on a client should - - - -Hornstein, Altman [Page 5] - -RFC DRAFT February 28, 2001 - - - be interpretted as permission to use DNS. - -Expiration - - This Internet-Draft expires on August 28, 2001. - -References - - - [RFC1510] - The Kerberos Network Authentication System; Kohl, Newman; Sep- - tember 1993. - - [RFC1035] - Domain Names - Implementation and Specification; Mockapetris; - November 1987 - - [RFC2782] - A DNS RR for specifying the location of services (DNS SRV); Gul- - brandsen, Vixie; Feburary 2000 - - [KERB-CHG] - Kerberos Change Password Protocol; Horowitz; - ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg- - password-02.txt - -Authors' Addresses - - Ken Hornstein - US Naval Research Laboratory - Bldg A-49, Room 2 - 4555 Overlook Avenue - Washington DC 20375 USA - - Phone: +1 (202) 404-4765 - EMail: kenh@cmf.nrl.navy.mil - - Jeffrey Altman - The Kermit Project - Columbia University - 612 West 115th Street #716 - New York NY 10025-7799 USA - - Phone: +1 (212) 854-1344 - EMail: jaltman@columbia.edu - - - - - - -Hornstein, Altman [Page 6] - diff --git a/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt b/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt deleted file mode 100644 index 24325fdbda74..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt +++ /dev/null 
@@ -1,281 +0,0 @@ -CAT Working Group K. Raeburn -Internet-draft MIT -Category: July 14, 2000 -Updates: RFC 1964 -Document: draft-raeburn-cat-gssapi-krb5-3des-00.txt - - Triple-DES Support for the Kerberos 5 GSSAPI Mechanism - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts - are working documents of the Internet Engineering Task Force - (IETF), its areas, and its working groups. Note that other groups - may also distribute working documents as - Internet-Drafts. Internet-Drafts are draft documents valid for a - maximum of six months and may be updated, replaced, or obsoleted by - other documents at any time. It is inappropriate to use - Internet-Drafts as reference material or to cite them other than as - "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The MIT Kerberos 5 release version 1.2 includes support for - triple-DES with key derivation [KrbRev]. Recent work by the EFF - [EFF] has demonstrated the vulnerability of single-DES mechanisms - to brute-force attacks by sufficiently motivated and well-funded - parties. - - The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5] - specifically enumerates encryption and checksum types, - independently of how such schemes may be used in Kerberos. In the - long run, a new Kerberos-based mechanism, which does not require - separately enumerating for the GSSAPI mechanism each of the - encryption types defined by Kerberos, appears to be a better - approach. Efforts to produce such a specification are under way. - - In the interest of providing increased security in the interim, - however, MIT is proposing adding support for triple-DES to the - existing mechanism, as described here. - -2. 
Conventions Used in this Document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC 2119. - -3. New Algorithm Identifiers - - One new sealing algorithm is defined, for use in WRAP tokens: - - 02 00 - DES3-KD - - This algorithm uses triple-DES with key derivation, with a usage - value KG_USAGE_SEAL. Padding is still to 8-byte multiples, and the - IV for encrypting application data is zero. - - One new signing algorithm is defined, for use in MIC, Wrap, and - Delete tokens: - - 04 00 - HMAC SHA1 DES3-KD - - This algorithm generates an HMAC using SHA-1 and a derived DES3 key - with usage KG_USAGE_SIGN, as (ought to be described) in [KrbRev]. - - [XXX: The current [KrbRev] description refers to expired I-Ds from - Marc Horowitz. The text in [KrbRev] may be inadequate to produce - an interoperable implementation.] - - The checksum size for this algorithm is 20 octets. See section 5.3 - below for the use of checksum lengths of other than eight bytes. - -4. Key Derivation - - For purposes of key derivation, we add three new usage values to the - list defined in [KrbRev]; one for signing messages, one for - sealing messages, and one for encrypting sequence numbers: - - #define KG_USAGE_SEAL 22 - #define KG_USAGE_SIGN 23 - #define KG_USAGE_SEQ 24 - -5. Adjustments to Previous Definitions - -5.1. Quality of Protection - - The GSSAPI specification [GSSAPI] says that a zero QOP value - indicates the "default". The original specification for the - Kerberos 5 mechanism says that a zero QOP value (or a QOP value - with the appropriate bits clear) means DES encryption. - - Rather than continue to force the use of plain DES when the - application doesn't use mechanism-specific QOP values, the better - choice appears to be to redefine the DES QOP value as some non-zero - value, and define a triple-DES value as well. 
Then a zero value - continues to imply the default, which would be triple-DES - protection when given a triple-DES session key. - - Our values are: - - GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 0x0004 - /* SHA-1 checksum encrypted with key derivation */ - - GSS_KRB5_CONF_C_QOP_DES 0x0100 - /* plain DES encryption */ - GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 - /* triple-DES with key derivation */ - - Rather than open the question of whether to specify means for - deriving a key of one type given a key of another type, and the - security implications of whether to generate a long key from a - shorter one, our implementation will simply return an error if the - QOP value specified does not correspond to the session key type. - - [Implementation note: MIT's code does not implement QoP, and - returns an error for any non-zero QoP value.] - -5.2. MIC Sequence Number Encryption - - The sequence numbers are encrypted in the context key (as defined - in [GSSAPI-KRB5] -- this will be either the Kerberos session key or - asubkey provided by the context initiator), using whatever - encryption system is designated by the type of that context key. - The IV is formed from the first N bytes of the SGN_CKSUM field, - where N is the number of bytes needed for the IV. (With all - algorithms described here and in [GSSAPI-KRB5], the checksum is at - least as large as the IV.) - -5.3. Message Layout - - Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an - checksum field SGN_CKSUM. In [GSSAPI-KRB5], this field was - specified as being 8 bytes long. We now change this size to be - "defined by the checksum algorithm", and retroactively amend the - descriptions of all the checksum algorithms described in - [GSSAPI-KRB5] to explicitly specify 8-byte output. Application - data continues to immediately follow the checksum field in the Wrap - token. - - The revised message descriptions are thus: - - MIC: - - Byte no Name Description - 0..1 TOK_ID Identification field. 
- 2..3 SGN_ALG Integrity algorithm indicator. - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..s+15 SGN_CKSUM Checksum of "to-be-signed data", - calculated according to algorithm - specified in SGN_ALG field. - - Wrap: - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by GSS_Wrap() contain - the hex value 02 01 in this field. - 2..3 SGN_ALG Checksum algorithm indicator. - 4..5 SEAL_ALG Sealing algorithm indicator. - 6..7 Filler Contains ff ff - 8..15 SND_SEQ Encrypted sequence number field. - 16..s+15 SGN_CKSUM Checksum of plaintext padded data, - calculated according to algorithm - specified in SGN_ALG field. - s+16..last Data encrypted or plaintext padded data - - Where "s" indicates the size of the checksum. - - As indicated above in section 2, we define the HMAC SHA1 DES3-KD - checksum algorithm to produce a 20-byte output, so encrypted data - begins at byte 36. - -6. Backwards Compatibility Considerations - - The context initiator SHOULD request of the KDC credentials using - session-key cryptosystem types supported by that implementation; if - the only types returned by the KDC are not supported by the - mechanism implementation, it MUST indicate a failure. This may - seem obvious, but early implementations of both Kerberos and the - GSSAPI Kerberos mechanism supported only DES keys, so the - cryptosystem compatibility question was easy to overlook. - - Under the current mechanism, no negotiation of algorithm types - occurs, so server-side (acceptor) implementations cannot request - that clients not use algorithm types not understood by the server. - However, administration of the server's Kerberos data has to be - done in communication with the KDC, and it is from the KDC that the - client will request credentials. The KDC could therefore be tasked - with limiting session keys for a given service to types actually - supported by the Kerberos and GSSAPI software on the server. 
- - This does have a drawback for cases where a service principal name - is used both for GSSAPI-based and non-GSSAPI-based communication, - if the GSSAPI implementation does not understand triple-DES but the - Kerberos implementation does. It means that triple-DES session - keys cannot be issued for that service principal, which keeps the - protection of non-GSSAPI services weaker than necessary. However, - in the most recent MIT releases thus far, while triple-DES support - has been present, it has required additional work to enable, so it - is not likely to be in use for many services. - - It would also be possible to have clients attempt to get single-DES - session keys before trying to get triple-DES session keys, and have - the KDC refuse to issue the single-DES keys only for the most - critical of services, for which single-DES protection is considered - inadequate. However, that would eliminate the possibility of - connecting with the more secure cryptosystem to any service that - can be accessed with the weaker cryptosystem. - - We have chosen to go with the former approach, putting the burden - on the KDC administration and gaining the best protection possible - for GSSAPI services, possibly at the cost of protection of - non-GSSAPI Kerberos services running earlier versions of the - software. - -6. Security Considerations - - Various tradeoffs arise regarding the mixing of new and old - software, or GSSAPI-based and non-GSSAPI Kerberos authentication. - They are discussed in section 5. - -7. References - - [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of - Encryption Research, Wiretap Politics, and Chip Design", O'Reilly & - Associates, Inc., May, 1998. - - [GSSAPI] Linn, J., "Generic Security Service Application Program - Interface Version 2, Update 1", RFC 2743, January, 2000. - - [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964, June, 1996. 
- - [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", - draft-ietf-cat-kerberos-revisions-05.txt, March 10, 2000. - - [RFC2026] Bradner, S., "The Internet Standards Process -- Revision - 3", RFC 2026, October, 1996. - -8. Author's Address - - Kenneth Raeburn - Massachusetts Institute of Technology - 77 Massachusetts Avenue - Cambridge, MA 02139 - -9. Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 
diff --git a/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt b/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
deleted file mode 100644
index 64ca1ac498be..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
+++ /dev/null
@@ -1,395 +0,0 @@ - - - - - - -Kerberos Working Group K. Raeburn -Category: Informational MIT -Document: draft-raeburn-krb-gssapi-krb5-3des-01.txt November 24, 2000 - - - Triple-DES Support for the Kerberos 5 GSSAPI Mechanism - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are - working documents of the Internet Engineering Task Force (IETF), its - areas, and its working groups. Note that other groups may also - distribute working documents as Internet-Drafts. Internet-Drafts are - draft documents valid for a maximum of six months and may be updated, - replaced, or obsoleted by other documents at any time. It is - inappropriate to use Internet-Drafts as reference material or to cite - them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -1. Abstract - - The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5] specifically - enumerates encryption and checksum types, independently of how such - schemes may be used in Kerberos. In the long run, a new Kerberos- - based mechanism, which does not require separately enumerating for - the GSSAPI mechanism each of the various encryption types defined by - Kerberos, is probably a better approach. Various people have - expressed interest in designing one, but the work has not yet been - completed. - - The MIT Kerberos 5 release version 1.2 includes support for triple- - DES with key derivation [KrbRev]. Recent work by the EFF [EFF] has - demonstrated the vulnerability of single-DES mechanisms to brute- - force attacks by sufficiently motivated and well-funded parties. 
So, - in the interest of providing increased security in the near term, MIT - is adding support for triple-DES to the existing mechanism - implementation we ship, as an interim measure. - - - - - - - - -Raeburn [Page 1] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - -2. New Algorithm Identifiers - - One new sealing algorithm is defined, for use in Wrap tokens. - - - +--------------------------------------------------------------------+ - | name octet values | - +--------------------------------------------------------------------+ - | DES3-KD 02 00 | - +--------------------------------------------------------------------+ - - This algorithm uses triple-DES with key derivation, with a usage - value KG_USAGE_SEAL. (Unlike the EncryptedData definition in - [KrbRev], no integrity protection is needed, so this is "raw" triple- - DES, with no checksum attached to the encrypted data.) Padding is - still to 8-byte multiples, and the IV for encrypting application data - is zero. - - One new signing algorithm is defined, for use in MIC, Wrap, and - Delete tokens. - - - +--------------------------------------------------------------------+ - | name octet values | - +--------------------------------------------------------------------+ - | HMAC SHA1 DES3-KD 04 00 | - +--------------------------------------------------------------------+ - - This algorithm generates an HMAC using SHA-1 and a derived DES3 key - with usage KG_USAGE_SIGN, as described in [KrbRev]. - - [N.B.: The current [KrbRev] description refers to expired I-Ds from - Marc Horowitz. The text in [KrbRev] may be inadequate to produce an - interoperable implementation.] - - The checksum size for this algorithm is 20 octets. See section 4.3 - below for the use of checksum lengths of other than eight bytes. - - - - - - - - - - - - - - -Raeburn [Page 2] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - -3. 
Key Derivation - - For purposes of key derivation, we add three new usage values to the - list defined in [KrbRev]; one for signing messages, one for sealing - messages, and one for encrypting sequence numbers: - - - +--------------------------------------------------------------------+ - | name value | - +--------------------------------------------------------------------+ - | KG_USAGE_SEAL 22 | - | KG_USAGE_SIGN 23 | - | KG_USAGE_SEQ 24 | - +--------------------------------------------------------------------+ - -4. Adjustments to Previous Definitions - -4.1. Quality of Protection - - The GSSAPI specification [GSSAPI] says that a zero QOP value - indicates the "default". The original specification for the Kerberos - 5 mechanism says that a zero QOP value (or a QOP value with the - appropriate bits clear) means DES encryption. - - Rather than forcing the use of plain DES when the application doesn't - use mechanism-specific QOP values, we redefine the explicit DES QOP - value as a non-zero value, and define a triple-DES value as well. - Then a zero value continues to imply the default, which would be - triple-DES protection when given a triple-DES session key. 
- - Our values are: - - +--------------------------------------------------------------------+ - | name value meaning | - +--------------------------------------------------------------------+ - | GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 0x0004 SHA-1 HMAC, using | - | key derivation | - | | - | GSS_KRB5_CONF_C_QOP_DES 0x0100 plain DES encryption | - | | - | GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 triple-DES with key | - | derivation | - +--------------------------------------------------------------------+ - - Rather than attempt to specify a generic mechanism for deriving a key - of one type given a key of another type, and evaluate the security - implications of using a short key to generate a longer key to satisfy - the requested quality of protection, our implementation will simply - - - -Raeburn [Page 3] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - return an error if the nonzero QOP value specified does not - correspond to the session key type. - -4.2. MIC Sequence Number Encryption - - The sequence numbers are encrypted in the context key (as defined in - [GSSAPI-KRB5] -- this will be either the Kerberos session key or - asubkey provided by the context initiator), using whatever encryption - system is designated by the type of that context key. The IV is - formed from the first N bytes of the SGN_CKSUM field, where N is the - number of bytes needed for the IV. (With all algorithms described - here and in [GSSAPI-KRB5], the checksum is at least as large as the - IV.) - -4.3. Message Layout - - Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an - checksum field SGN_CKSUM. In [GSSAPI-KRB5], this field was specified - as being 8 bytes long. We now change this size to be "defined by the - checksum algorithm", and retroactively amend the descriptions of all - the checksum algorithms described in [GSSAPI-KRB5] to explicitly - specify 8-byte output. Application data continues to immediately - follow the checksum field in the Wrap token. 
- - The revised message descriptions are thus: - - MIC token: - - Byte # Name Description - ---------------------------------------------------------------------- - 0..1 TOK_ID Identification field. - 2..3 SGN_ALG Integrity algorithm indicator. - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..s+15 SGN_CKSUM Checksum of "to-be-signed - data", calculated according to - algorithm specified in SGN_ALG - field. - - - - - - - - - - - - - -Raeburn [Page 4] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - Wrap token: - - Byte # Name Description - ---------------------------------------------------------------------- - 0..1 TOK_ID Identification field. Tokens - emitted by GSS_Wrap() contain the - hex value 02 01 in this field. - 2..3 SGN_ALG Checksum algorithm indicator. - 4..5 SEAL_ALG Sealing algorithm indicator. - 6..7 Filler Contains ff ff - 8..15 SND_SEQ Encrypted sequence number field. - 16..s+15 SGN_CKSUM Checksum of plaintext padded data, - calculated according to algorithm - specified in SGN_ALG field. - s+16..last Data encrypted or plaintext padded data - - - Where "s" indicates the size of the checksum. - - As indicated above in section 2, we define the HMAC SHA1 DES3-KD - checksum algorithm to produce a 20-byte output, so encrypted data - begins at byte 36. - -5. Backwards Compatibility Considerations - - The context initiator should request of the KDC credentials using - session-key cryptosystem types supported by that implementation; if - the only types returned by the KDC are not supported by the mechanism - implementation, it should indicate a failure. This may seem obvious, - but early implementations of both Kerberos and the GSSAPI Kerberos - mechanism supported only DES keys, so the cryptosystem compatibility - question was easy to overlook. 
- - Under the current mechanism, no negotiation of algorithm types - occurs, so server-side (acceptor) implementations cannot request that - clients not use algorithm types not understood by the server. - However, administration of the server's Kerberos data (e.g., the - service key) has to be done in communication with the KDC, and it is - from the KDC that the client will request credentials. The KDC could - therefore be tasked with limiting session keys for a given service to - types actually supported by the Kerberos and GSSAPI software on the - server. - - This does have a drawback for cases where a service principal name is - used both for GSSAPI-based and non-GSSAPI-based communication (most - notably the "host" service key), if the GSSAPI implementation does - not understand triple-DES but the Kerberos implementation does. It - means that triple-DES session keys cannot be issued for that service - - - -Raeburn [Page 5] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - principal, which keeps the protection of non-GSSAPI services weaker - than necessary. - - It would also be possible to have clients attempt to get single-DES - session keys before trying to get triple-DES session keys, and have - the KDC refuse to issue the single-DES keys only for the most - critical of services, for which single-DES protection is considered - inadequate. However, that would eliminate the possibility of - connecting with the more secure cryptosystem to any service that can - be accessed with the weaker cryptosystem. - - For MIT's 1.2 release, we chose to go with the former approach, - putting the burden on the KDC administration and gaining the best - protection possible for GSSAPI services, possibly at the cost of - weaker protection of non-GSSAPI Kerberos services running earlier - versions of the software. - -6. 
Security Considerations - - Various tradeoffs arise regarding the mixing of new and old software, - or GSSAPI-based and non-GSSAPI Kerberos authentication. They are - discussed in section 5. - -7. References - - [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of - Encryption Research, Wiretap Politics, and Chip Design", O'Reilly & - Associates, Inc., May, 1998. - - [GSSAPI] Linn, J., "Generic Security Service Application Program - Interface Version 2, Update 1", RFC 2743, January, 2000. - - [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964, June, 1996. - - [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos- - revisions-06.txt, July 4, 2000. - -8. Author's Address - - Kenneth Raeburn Massachusetts Institute of Technology 77 - Massachusetts Avenue Cambridge, MA 02139 - -9. Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - - - -Raeburn [Page 6] - -INTERNET DRAFT Triple-DES for GSSAPI Kerberos November 2000 - - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. 
- - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." - -10. Document Change History - ->From -00 to -01: - - Converted master to GNU troff and tbl, rewriting tables in the - process. - - Specify informational category only. Modify some text to emphasize - that this document intends to describe MIT's extensions. - - Point out that while EncryptedData for 3des-kd includes a checksum, - DES3-KD GSS encryption does not. - - Shorten backwards-compatibility descriptions a little. - - Submit to Kerberos working group rather than CAT. - - - - - - - - - - - -Raeburn [Page 7] - diff --git a/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt b/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt deleted file mode 100644 index 321c5ba09986..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt +++ /dev/null 
@@ -1,929 +0,0 @@ - - -DHC Working Group S. Medvinsky -Internet Draft Motorola -Document: -Category: Standards Track P.Lalwaney -Expires: January 2001 Nokia - - July 2000 - - - Kerberos V Authentication Mode for Uninitialized Clients - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. Internet-Drafts are draft documents valid for a maximum of - six months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet- Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - The distribution of this memo is unlimited. It is filed as , and expires January 2001. Please - send comments to the authors. - - - -1. Abstract - - The Dynamic Host Configuration Protocol (DHCP) [1] includes an - option that allows authentication of all DHCP messages, as specified - in [2]. This document specifies a DHCP authentication mode based on - Kerberos V tickets. This provides mutual authentication between a - DHCP client and server, as well as authentication of all DHCP - messages. - - This document specifies Kerberos message exchanges between an - uninitialized client and the KDC (Key Distribution Center) using an - IAKERB proxy [7] so that the Kerberos key management phase is - decoupled from, and precedes the address allocation and network - configuration phase that uses the DHCP authentication option. 
In - order to make use of the IAKERB proxy, this document specifies a - transport mechanism that works with an uninitialized client (i.e. a - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - client without an assigned IP address). In addition, the document - specifies the format of the Kerberos authenticator to be used with - the DHCP authentication option. - -2. Conventions used in this document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119. - -3. Introduction - - 3.1 Terminology - - o "DHCP client" - - A DHCP client is an Internet host using DHCP to obtain configuration - parameters such as a network address. - - o "DHCP server" - - A DHCP server is an Internet host that returns configuration - parameters to DHCP clients. - - O "Ticket" - - A Kerberos term for a record that helps a client authenticate itself - to a server; it contains the client's identity, a session key, a - timestamp, and other information, all sealed using the server's - secret key. It only serves to authenticate a client when presented - along with a fresh Authenticator. - - o "Key Distribution Center" - - Key Distribution Center, a network service that supplies tickets and - temporary session keys; or an instance of that service or the host - on which it runs. The KDC services both initial ticket and Ticket- - Granting Ticket (TGT) requests. The initial ticket portion is - sometimes referred to as the Authentication Server (or service. The - Ticket-Granting Ticket portion is sometimes referred to as the - Ticket-Granting Server (or service). - - o "Realm" - - A Kerberos administrative domain that represents a group of - principals registered at a KDC. A single KDC may be responsible for - one or more realms. 
A fully qualified principal name includes a - realm name along with a principal name unique within that realm. - -3.2 Protocol Overview - - - -S. Medvinsky, P. Lalwaney -2- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - DHCP as defined in [1] defines the protocol exchanges for a client - to obtain its IP address and network configuration information from - a DHCP Server. Kerberos V5 as described in [6] defines the protocol - and message exchanges to mutually authenticate two parties. It is - our goal to provide authentication support for DHCP using Kerberos. - This implies that the Kerberos key management exchange has to take - place before a client gets its IP address from the DHCP Server. - Kerberos assumes that the client has a network address and can - contact the Key Distribution Center to obtain its credentials for - authenticated communication with an application server. - - In this specification we utilize the key exchange using an IAKERB - proxy described in [7]. This does not require any changes to either - the IAKERB or the Kerberos V5 specification. This document also - specifies a particular transport that allows an uninitialized client - to contact an IAKERB proxy. - - The Kerberos ticket returned from the key management exchange - discussed in Section 5 of this document is passed to the DHCP Server - inside the DHCP authentication option with the new Kerberos - authenticator type. This is described in Section 6 of this draft. - - -3.3 Related Work - - A prior Internet Draft [3] outlined the use of Kerberos-based - authentication for DHCP. The proposal tightly coupled the Kerberos - client state machines and the DHCP client state machines. As a - result, the Kerberos key management messages were carried in DHCP - messages, along with the Kerberos authenticators. In addition, the - first DHCP message exchange (request, offer) is not authenticated. 
- - We propose a protocol exchange where Kerberos key management is - decoupled from and precedes authenticated DHCP exchanges. This - implies that the Kerberos ticket returned in the initial key - management exchange could be used to authenticate servers assigning - addresses by non-DHCP address assignment mechanisms like RSIP [4] - and for service specific parameter provisioning mechanisms using SLP - [5]. - - - - - - - - - - - - - - -S. Medvinsky, P. Lalwaney -3- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - -4. System Architecture - - - Client - -------- -------- - | | 5.Authenticated DHCP | | - | DHCP |<------------------------>| DHCP | - | client | | server | - | | | | - | | | | - |Kerberos| | | - | Client | | | - -------- -------- - ^ - | - | - | - | ------- - ------------------------------>| | - Kerberos Key Mgmt | Proxy | - messages: | | - 1. AS Request / 2.AS Reply ------- - 3. TGS Request / 4.TGS Reply ^ - | Kerberos - | Key Mgmt messages - v (1, 2, 3, 4) - -------- - | | - | KDC | - | | - -------- - - Figure 1: System blocks and message interactions between them - - - In this architecture, the DHCP client obtains a Kerberos ticket from - the Key Distribution Center (KDC) using standard Kerberos messages, - as specified in [6]. The client, however, contacts the KDC via a - proxy server, according to the IAKERB mechanism, described in [7]. - The are several reasons why a client has to go through this proxy in - order to contact the KDC: - - a)The client may not know the host address of the KDC and may be - sending its first request message as a broadcast on a local - network. The KDC may not be located on the local network, and - even if it were - it will be unable to communicate with a client - without an IP address. This document describes a specific - mechanism that may be used by a client to communicate with the - Kerberos proxy. - - - -S. Medvinsky, P. 
Lalwaney -4- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - b)The client may not know its Kerberos realm name. The proxy is - able to fill in the missing client realm name in an AS Request - message, as specified in IAKERB. Note that in the case that - PKINIT pre-authenticator is used [8], the realm name in the AS - Request may be the KDC realm name and not the clientÆs realm name. - - c) The client does not know the realm name of the DHCP server. - - According to IAKERB, when the client sends a TGS Request with a - missing server realm name, the proxy will return to the client an - error message containing the missing realm name. - - Note that in this case the proxy could return the client a wrong - realm name and the client could be fooled into obtaining a ticket - for the wrong DHCP server (on the same local network). However, - the wrong DHCP server must still be a registered principal in a - KDC database. In some circumstances this may be an acceptable - compromise. Also, see the security considerations section. - - IAKERB describes the proxy as part of an application server - the - DHCP server in this case. However, in this document we are not - requiring the proxy to be integrated with the DHCP server. The - same IAKERB mechanisms apply in the more general case, where the - proxy is an independent application. This proxy, however, MUST be - reachable by a client via a local network broadcast. - - After a client has obtained a Kerberos ticket for the DHCP server, - it will use it as part of an authentication option in the DHCP - messages. The only extension to the DHCP protocol is the addition - of a new authenticator type based on Kerberos tickets. - -4.1 Cross-Realm Authentication - - Figure 1 shows a client communicating with a single KDC via a proxy. - However, the DHCP clientÆs realm may be different from the DHCP - serverÆs realm. 
In that case, the client may need to first contact - the KDC in its local realm to obtain a cross-realm TGT. Then, the - client would use the cross-realm TGT to contact the KDC in the DHCP - serverÆs realm, as specified in [6]. - - In the following example a client doesnÆt know its realm or the DHCP - serverÆs realm, which happens to be different from the clientÆs - realm. Here are the steps in obtaining the ticket for the DHCP - server (based on [6] and [7]): - - 1) The client sends AS Request with NULL realm to the proxy. - 2) The proxy fills in the realm and forwards the AS Request to - the KDC in the clientÆs realm. - 3) The KDC issues a TGT and sends back an AS Reply to the - proxy. - 4) The proxy forwards AS Reply to the client. - - -S. Medvinsky, P. Lalwaney -5- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - 5) The client sends TGS Request for a principal name "dhcpsrvr" - with NULL realm to the proxy. - 6) The proxy returns KRB_AP_ERR_REALM_REQUIRED error with the - DHCP serverÆs realm to the client. - 7) The client sends another TGS Request for a cross-realm TGT - to the proxy. - 8) The proxy forwards the TGS Request to the KDC in the - clientÆs realm. - 9) The KDC issues a cross-realm TGT and sends back a TGS Reply - to the proxy. - 10) The proxy forwards TGS Reply to the client. - 11) The client sends a TGS Request to the proxy for a principal - "dhcpsrvr" with the realm name filled in, using a cross-realm - TGT. - 12) The proxy forwards TGS Request to the KDC in the DHCP - server's realm. - 13) The KDC issues a ticket for the DHCP server and sends TGS - Reply back to the proxy. - 14) The proxy forwards TGS Reply to the client. - - In a most general case, the client may need to contact any number of - KDCs in different realms before it can get a ticket for the DHCP - server. In each case, the client would contact a KDC via the proxy - server, as specified in Section 5 of this document. 
- -4.2 Public Key Authentication - - This specification also allows clients to perform public key - authentication to the KDC, based on the PKINIT specification [8]. - In this case, the size of an AS Request and AS Reply messages is - likely to exceed the size of typical link MTU's. - - Here is an example, where PKINIT is used by a DHCP client that is - not a registered principal in the KDC principal database: - - 1) The client sends AS Request with a PKINIT Request pre- - authenticator to the proxy. This includes the clientÆs - signature and X.509 certificate. The KDC realm field is - left as NULL. - 2) The proxy fills in the realm and forwards the AS Request to - the KDC in the filled in realm. This is the realm of the - DHCP server. Here, the clientÆs realm is the name of a - Certification Authority - not the same as the KDC realm. - 3) The KDC issues a TGT and sends back an AS Reply with a - PKINIT Reply pre-authenticator to the proxy. - 4) The proxy forwards the AS Reply to the client. - 5) The client sends TGS Request for a principal name "dhcpsrvr" - with the realm found in the TGT to the proxy. - 6) The proxy forwards TGS Request to the KDC in the DHCP - serverÆs realm. - 7) The KDC issues a ticket for the DHCP server and sends TGS - Reply back to the proxy. - -S. Medvinsky, P. Lalwaney -6- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - 8) The proxy forwards TGS Reply to the client. - - - 5. Key Management Exchange that Precedes Network Address Allocation - - An uninitialized host (e.g. on power-on and reset) does not have a - network address. It does have a link layer address or hardware - address. At this time, the client may not have any information on - its realm or the realm of the address allocation server (DHCP - Server). 
- - In the Kerberos key management exchange, a client gets its ticket - granting ticket (TGT) by contacting the Authentication Server in the - KDC using the AS_Request / Reply messages (shown as messages 1 and 2 - in Figure 1). The client then contacts the Ticket Granting Server in - the KDC to get the DHCP server ticket (to be used for mutual - authentication with the DHCP server) using the TGS_REQ / TGS_REP - messages (shown as messages 3 and 4 in the above figure). It is - also possible for the client to obtain a DHCP server ticket directly - with the AS Request / Reply exchange, without the use of the TGT. - - In the use of Kerberos for DHCP authentication, the client (a) does - not have an IP/network address (b) does not know he KDCÆs IP address - (c) the KDC may not be on the local network and (d) the client may - not know the DHCP ServerÆs IP address and realm. We therefore - require a Kerberos proxy on the local network to accept broadcast - Kerberos request messages (AS_REQ and TGS_REQ) from uninitialized - clients and relay them to the appropriate KDC. - - The uninitialized client formulates a broadcast AS_REQ or TGS_REQ as - follows: - - The request payload contains the client hardware address in - addresses field with a negative value for the address type. Kerberos - v5 [6] allows for the usage of negative address types for "local" - use. Note that IAKERB [7] discourages the use of the addresses field - as network addresses may not be known or may change in situation - where proxies are used. In this draft we incorporate the negative - values permitted in the Kerberos transport in the address type field - of both the AS_REQ and TGS_REQ messages. The negative value SHOULD - be the negative number of the hardware address type "htype" value - (from assigned numbers RFC) used in RFC 2131. The address field of - the message contains the clients hardware address. - - The request payload is UDP encapsulated and addressed to port 88 on - the server/proxy. 
The UDP source port is selected by the client. The - source and destination network addresses are the all-zeroÆs address - and the broadcast address, respectively. For IPv4, the source IP - address is set to 0.0.0.0 and the destination IP address is set to - 255.255.255.255. The data link layer header source address - corresponds to the link layer/hardware address of the client. The - - -S. Medvinsky, P. Lalwaney -7- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - destination link layer address is the broadcast address at the link - layer (e.g. for Ethernet the address is ffffffff). - - In the case where AS_REQ message contains a PKINIT pre-authenticator - for public key-based client authentication (based on [8]), the - message will probably not fit into a single UDP packet given typical - link MTU's. - - It is assumed that the proxy server on a network is configured with - a list of KDCÆs, their realms and their IP addresses. The proxy - server will act as a client to the KDC and forward standard Kerberos - messages to/from the KDC using unicast UDP or TCP transport - mechanisms, according to [6]. - - Upon receiving a broadcast request from a client, the proxy MUST - record the clientÆs hardware address that appears as the source - address on the frame as well as in the addresses field of the - request message. Based on the realm of the KDC specified in the - request, the proxy determines the KDC to which this message is - relayed as a unicast message from the proxy to the KDC. In the case - that the client left the KDC realm name as NULL, it is up to the - proxy to first determine the correct realm name and fill it in the - request (according to [7]). - - On receiving a request, the KDC formulates a response (AS_REP or - TGS_REP). It includes the clientÆs addresses field in the encrypted - part of the ticket (according to [6]). This response is unicast to - the proxy. 
- - Upon receiving the reply, the proxy MUST first determine the - previously saved hardware address of the client. The proxy - broadcasts the reply on its local network. This is a network layer - broadcast. At the link level, it uses the hardware address obtained - from the addresses field of the request. - - The client on receiving the response (link layer destination address - as its hardware address, network layer address is the broadcast - address) must verify that the hardware address in the ticket - corresponds to its link layer address. - - Upon receiving a TGS_REP (or an AS_REP with the application server - ticket) from the proxy, the client will have enough information to - securely communicate with the application server (the DHCP Server in - this case), as specified in the following section. - - - - - - - - - -S. Medvinsky, P. Lalwaney -8- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - 6. Authenticated Message Exchange Between the DHCP Client and the - DHCP Server - - The ticket returned in the TGS response is used by the DHCP client - in the construction of the Kerberos authenticator. The Kerberos - ticket serves two purposes: to establish a shared session key with - the DHCP server, and is also included as part of a Kerberos - authenticator in the DHCP request. - - If the size of the authenticator is greater than 255 bytes, the DHCP - authentication option is repeated multiple times. When the values - of all the authentication options are concatenated together, they - will make up the complete authenticator. - - Once the session key is established, the Kerberos structure - containing the ticket (AP REQ) can be omitted from the authenticator - for subsequent messages sent by both the DHCP client and the DHCP - server. 
- - The Kerberos authenticator for a DHCP request message is specified - below: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Code | Length | Protocol | Algorithm | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - + Replay Detection (64 bits) + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - + Authentication token (n octets) ... + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - The format of this authenticator is in accordance with [2]. The code - for the authentication option is TBD, and the length field contains - the length of the remainder of the option, starting with the - protocol field. - - The value of the protocol field for this authenticator MUST be set - to 2. - - The algorithm field MUST take one of the following values: - 1 - HMAC-MD5 - 2 - HMAC-SHA-1 - - Replay protection field is a monotonically increasing counter field. - When the Kerberos AP REQ structure is present in the authenticator - the counter may be set to any value. The AP REQ contains its own - replay protection mechanism in the form of a timestamp. - -S. Medvinsky, P. Lalwaney -9- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - Once the session key has been established and the AP REQ is not - included in the authenticator, this field MUST be monotonically - increasing in the messages sent by the client. - - Kerberos authenticator token consists of type-length-value - attributes: - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type | Reserved | Payload Length | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | attribute value... 
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - The following attributes are included in the Kerberos authenticator - token: - - Type Attribute Name Value - -------------------------------------------------------------------- - 0 Message Integrity Code Depends on the value of the - algorithm field. Its length is - 16 bytes for HMAC-MD5 [9, 10] - and 20 bytes for HMAC-SHA-1 - [11, 10]. The HMAC key must be - derived from Kerberos session - key found in the Kerberos - ticket according to the key - derivation rules in [6]: - - HMAC Key = DK(sess key, - key usage | 0x99) - - Here, DK is defined in [12] and - the key usage value for DHCP is - TBD. - - The HMAC is calculated over the - entire DHCP message. The - Message Integrity Code - attribute MUST be set to all 0s - for the computation of the - HMAC. Because a DHCP relay - agent may alter the values of - the 'giaddr' and 'hops' fields - in the DHCP message, the - contents of those two fields - MUST also be set to zero for - the computation of the HMAC. - Rules specified in Section 3 of - [2] for the exclusion and - -S. Medvinsky, P. Lalwaney -10- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - processing of the relay agent - information are applicable here - too. - - This field MUST always be - present in the Kerberos - authenticator. - - 1 AP_REQ ASN.1 encoding of a Kerberos - AP_REQ message, as specified - in [6]. This MUST be included - by the client when establishing - a new session key. In all - other cases, this attribute - MUST be omitted. - - AP_REQ contains the Kerberos ticket for the DHCP server and also - contains information needed by the DHCP server to authenticate the - client. After verifying the AP_REQ and decrypting the Kerberos - ticket, the DHCP server is able to extract a session key which it - now shares with the DHCP client. - - The Kerberos authenticator token contains its own replay protection - mechanism inside the AP_REQ structure. 
The AP_REQ contains a - timestamp that must be within an agreed upon time window at the DHCP - server. However, this does not require the DHCP clients to maintain - an accurate clock between reboots. Kerberos allows clients to - synchronize their clock with the KDC with the help of Kerberos - KRB_AP_ERR_SKEW error message, as specified in [6]. - - The DHCP server MUST save both the session key and its associated - expiration time found in the Kerberos ticket. Up until the - expiration time, the server must accept client requests with the - Kerberos authenticator that does not include the AP REQ, using the - saved session key in calculating HMAC values. - - The Kerberos authenticator inside all DHCP server responses MUST NOT - contain the AP REQ and MUST use the saved Kerberos session key in - calculating HMAC values. - - When the session key expires, it is the client's responsibility to - obtain a new ticket from the KDC and to include an AP REQ inside the - Kerberos authenticator for the next DHCP request message. - - - - - - - - - - -S. Medvinsky, P. Lalwaney -11- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - -7. Detailed message flows for Kerberos and DHCP message Exchanges - - The following flow depicts the Kerberos exchange in which a AS REQ - message is used to directly request the DHCP Server ticket. There - are no changes to transport mechanisms below when the additional - phase of using TGS requests/responses with TGTÆs is used. - - Client IAKERB Proxy KDC - - KB-client-------- AS_REQ ------> - - AS REQ Address type = - (htype) - AS REQ Address= hw address - - src UDP port = senders port - destination UDP port = 88 - - src IP = 0.0.0.0 - destination IP = 255.255.255.255 - - src link layer address = - clientÆs HW/link address [e.g Ethernet address] - - destination link layer address = - link broadcast address [e.g. 
ffffffff for Ethernet] - - - ---------------------------> - (unicast to UDP port 88) - - - - <-------------------------- - (unicast AS REP) - Encrypted portion of ticket - Includes clients HW address - - - <---------------AS_REP ----------- - - - Ticket includes clientÆs hardware address - - src UDP port = 88 - destination UDP port = copied from src port in AS_REQ - - src IP = ProxyÆs IP address - destination IP = 255.255.255.255 - - src link layer address = ProxyÆs HW/link address - destination link layer address = - ClientÆs link layer address from AS_REQ - - -S. Medvinsky, P. Lalwaney -12- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - - - The client uses the ticket received from the KDC in the DHCP -Authentication option as described in Section 6. - - - Client - DHCP-client DHCP Server - - ------DHCPDISCOVER ----> - (Auth Protocol = 2, includes Kerberos - authenticator with AP REQ ) - ----------------------------------- - | HMAC | AP REQ | - ---------------------------------- - | Ticket| Client Authent | - -------------------------- - - 1. Server decrypts ticket - (inside AP REQ) with service - key - 2. Server decrypts client - authenticator (inside AP REQ) - and checks content and - checksum to validate the - client. - 3. Recompute HMAC with session - key and compare. - - - <-------DHCPOFFER---------- - (Auth Protocol = 2, no AP REQ ) - - - - ---------DHCPREQUEST-------> - (Auth Protocol = 2, no AP REQ) - - - <--------DHCPACK------------- - (Auth Protocol = 2, no AP REQ ) - - - - -8. Security Considerations - - DHCP clients that do not know the DHCP serverÆs realm name will get - it from the proxy, as specified in IAKERB [7]. Since the proxy is - not authenticated, a DHCP client can be fooled into obtaining a - ticket for the wrong DHCP server in the wrong realm. - -S. Medvinsky, P. 
Lalwaney -13- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - This could happen when the client leaves out the server realm name - in a TGS Request message to the proxy. It is also possible, - however, for a client to directly request a DHCP server ticket with - an AS Request message. In those cases, the same situation occurs - when the client leaves out the realm name in an AS Request. - - This wrong DHCP server is still registered as a valid principal in a - database of a KDC that can be trusted by the client. In some - circumstances a client may assume that a DHCP server that is a - Kerberos principal registered with a trusted KDC will not attempt to - deliberately misconfigure a client. - - This specification provides a tradeoff between: - - 1) The DHCP clients knowing DHCP serverÆs realm ahead of time, - which provides for full 2-way authentication at the cost of - an additional configuration parameter. - 2) The DHCP clients not requiring any additional configuration - information, besides a password or a key (and a public key - certificate if PKINIT is used). This is at the cost of not - being able to fully authenticate the identity of the DHCP - server. - - - -9. References - - - [1]Droms, R., Arbaugh, W., "Dynamic Host Configuration Protocol", - RFC 2131, Bucknell University, March 1997. - - [2]Droms, R., Arbaugh, W., "Authentication for DHCP Messages", - draft-ietf-dhc-authentication-13.txt, June 2000. - - [3]Hornstein, K., Lemon, T., "DHCP Authentication Via Kerberos V", - draft-hornstein-dhc-kerbauth-02.txt, February 2000. - - [4]Borella, M., Grabelsky, D., Lo, J., Tuniguchi, K., "Realm - Specific IP: Protocol Specification ", draft-ietf-nat-rsip- - protocol-06.txt, March 2000. - - [5]Guttman, E., Perkins, C., Veizades, J., Day, M., "Service - Location Protocol, Version 2", RFC 2608, June 1999. 
- - [6]Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 05.txt, March 2000. - - - - - -S. Medvinsky, P. Lalwaney -14- - -Kerberos V Authentication Mode for Uninitialized Clients July 2000 - - - - [7]Swift, M., Trostle, J., "Initial Authentication and Pass Through - Authentication Using Kerberos V5 and the GSS-API (IAKERB)", - draft-ietf-cat-iakerb-03.txt, September 1999. - - [8]Tung, B., C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray, - J. Trostle, "Public Key Cryptography for Initial Authentication - in Kerberos", draft-ietf-cat-pk-init-11.txt, March 2000. - - [9]Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April - 1992. - - [10]Krawczyk H., M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for - Message Authentication," RFC 2104, February 1997. - - [11]NIST, FIPS PUB 180-1, "Secure Hash Standard", April 1995. - - [12]Horowitz, M., "Key Derivation for Authentication, Integrity, and - Privacy", draft-horowitz-key-derivation-02.txt, August 1998. - - [13]Bradner, S. "The Internet Standards Process -- Revision 3", RFC - 2026. - - - - 10. Author's Addresses - - Sasha Medvinsky - Motorola - 6450 Sequence Drive - San Diego, CA 92121 - Email: smedvinsky@gi.com - - Poornima Lalwaney - Nokia - 12278 Scripps Summit Drive - San Diego, CA 92131 - Email: poornima.lalwaney@nokia.com - - -11. Expiration - - This memo is filed as , and - expires January 1, 2001. - - - -12. Intellectual Property Notices - - - - - - -S. Medvinsky, P. Lalwaney -15- - -Kerberos V Authentication Mode for Uninitialized Clients March 2000 - - - This section contains two notices as required by [13] for - standards track documents. 
Per [13], section 10.4(A): - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. Copies of - claims of rights made available for publication and any assurances - of licenses to be made available, or the result of an attempt made - to obtain a general license or permission for the use of such - proprietary rights by implementers or users of this specification - can be obtained from the IETF Secretariat. - - Per [13] section 10.4(D): - - The IETF has been notified of intellectual property rights - claimed in regard to some or all of the specification contained in - this document. For more information consult the online list of - claimed rights. - - 13. Full Copyright Statement - - Copyright (C) The Internet Society (1999). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. 
However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. The limited permissions granted above are perpetual and - will not be revoked by the Internet Society or its successors or - assigns. This document and the information contained herein is - provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE - INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF - THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - - - - -S. Medvinsky, P. Lalwaney -16- - \ No newline at end of file diff --git a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt deleted file mode 100644 index 85d745684b2a..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt +++ /dev/null @@ -1,5 +0,0 @@ -This Internet-Draft has expired and is no longer available. - -Unrevised documents placed in the Internet-Drafts directories have a -maximum life of six months. After that time, they must be updated, or -they will be deleted. This document was deleted on July 17, 2000. diff --git a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt deleted file mode 100644 index 85d745684b2a..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt +++ /dev/null 
@@ -1,5 +0,0 @@
-This Internet-Draft has expired and is no longer available.
-
-Unrevised documents placed in the Internet-Drafts directories have a
-maximum life of six months. After that time, they must be updated, or
-they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt b/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
deleted file mode 100644
index 68c170b499ed..000000000000
--- a/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
+++ /dev/null
@@ -1,1140 +0,0 @@ - - - - - - -INTERNET-DRAFT Kerberized USM Keying M. Thomas - Cisco Systems - K. McCloghrie - Cisco Systems - July 13, 2000 - - - - - - - Kerberized USM Keying - - draft-thomas-snmpv3-kerbusm-00.txt - - - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. Internet-Drafts are working - documents of the Internet Engineering Task Force (IETF), its areas, - and its working groups. Note that other groups may also distribute - working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - -Abstract - - The KerbUSM MIB provides a means of leveraging a trusted third party - authentication and authorization mechanism using Kerberos for SNMP V3 - USM users and their associated VACM views. The MIB encodes the normal - Kerberos AP-REQ and AP-REP means of both authenticating and creating - a shared secret between the SNMP V3 Manager and Agent. - -The SNMP Management Framework - - The SNMP Management Framework presently consists of five major - components: An overall architecture, described in RFC 2571 - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 1] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - [RFC2571]. Mechanisms for describing and naming objects and events - for the purpose of management. The first version of this Structure - of Management Information (SMI) is called SMIv1 and described in STD - 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215 - [RFC1215]. 
The second version, called SMIv2, is described in STD 58, - RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 - [RFC2580]. Message protocols for transferring management - information. The first version of the SNMP message protocol is - called SNMPv1 and described in STD 15, RFC 1157 [RFC1157]. A second - version of the SNMP message protocol, which is not an Internet - standards track protocol, is called SNMPv2c and described in RFC 1901 - [RFC1901] and RFC 1906 [RFC1906]. The third version of the message - protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC - 2572 [RFC2572] and RFC 2574 [RFC2574]. Protocol operations for - accessing management information. The first set of protocol - operations and associated PDU formats is described in STD 15, RFC - 1157 [RFC1157]. A second set of protocol operations and associated - PDU formats is described in RFC 1905 [RFC1905]. A set of fundamental - applications described in RFC 2573 [RFC2573] and the view-based - access control mechanism described in RFC 2575 [RFC2575]. - - A more detailed introduction to the current SNMP Management Framework - can be found in RFC 2570 [RFC2570]. - - Managed objects are accessed via a virtual information store, termed - the Management Information Base or MIB. Objects in the MIB are - defined using the mechanisms defined in the SMI. - - This memo specifies a MIB module that is compliant to the SMIv2. A - MIB conforming to the SMIv1 can be produced through the appropriate - translations. The resulting translated MIB must be semantically - equivalent, except where objects or events are omitted because no - translation is possible (use of Counter64). Some machine readable - information in SMIv2 will be converted into textual descriptions in - SMIv1 during the translation process. However, this loss of machine - readable information is not considered to change the semantics of the - MIB. 
- - -Introduction - - The User based Security Model of SNMP V3 (USM) [2] provides a means - of associating different users with different access privileges of - the various MIB's that an agent supports. In conjunction with the - View based Access Control Model of SNMP V3 (VACM) [3], SNMP V3 - provides a means of providing resistance from various threats both - from outside attacks such as spoofing, and inside attacks such as an - user having, say, SET access to MIB variable for which they are not - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 2] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - authorized. - - SNMP V3, unfortunately, does not specify a means of doing key - distribution between the managers and the agents. For small numbers - of agents and managers, the O(n*m) manual keying is a cumbersome, but - possibly tractable problem. For a large number of agents with - distribution of managers, the key distribution quickly goes from - cumbersome to unmanageable. Also: there is always the lingering - concern of the security precautions taken for keys on either local - management stations, or even directories. - - Kerberos [1] provides a means of centralizing key management into an - authentication and authorization server known as a Key Distribution - Center (KDC). At a minimum, Kerberos changes the key distribution - problem from a O(n*m) problem to a O(n) problem since keys are shared - between the KDC and the Kerberos principals rather directly between - each host pair. Kerberos also provides a means to use public key - based authentication which can be used to further scale down the - number of pre-shared secrets required. Furthermore, a KDC is intended - and explicitly expected to be a standalone server which is managed - with a much higher level of security concern than a management - station or even a central directory which may host many services and - thus be exposed to many more possible vectors of attack. 
- - The MIB defined in this memo describes a means of using the desirable - properties of Kerberos within the context of SNMP V3. Kerberos - defines a standardized means of communicating with the KDC as well as - a standard format of Kerberos tickets which Kerberos principals - exchange in order to authenticate to one another. The actual means of - exchanging tickets, however, is left as application specific. This - MIB defines the SNMP MIB designed to transport Kerberos tickets and - by doing so set up SNMP V3 USM keys for authentication and privacy. - - It should be noted that using Kerberos does introduce reliance on a - key network element, the KDC. This flies in the face of one of SNMP's - dictums of working when the network is misbehaving. While this is a - valid concern, the risk of reliance on the KDC can be significantly - diminished with a few common sense actions. Since Kerberos tickets - can have long life times (days, weeks) a manager of key network - elements can and should maintain Kerberos tickets well ahead ticket - expiration so that likelihood of not being able to rekey a session - while the network is misbehaving is minimized. For non-critical, but - high fanout elements such as user CPE, etc, requiring a pre-fetched - ticket may not be practical, which puts the KDC into the critical - path. However, if all KDC's are unreachable, the non-critical network - elements are probably the least of the worries. - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 3] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - -Operation - - The normal Kerberos application ticket exchange is accomplished by a - client first fetching a service ticket from a KDC for the service - principal and then sending an AP-REQ to a server to authenticate - itself to the server. The server then sends a AP-REP to finish the - exchange. 
This MIB maps Kerberos' concept of client and server into - the SNMP V3 concept of Manager and Agent by designating that the - Kerberos Client is the SNMP V3 Agent. Although it could be argued - that an Agent is really a server, in practice there may be many, many - agents and relatively few managers. Also: Kerberos clients may make - use of public key authentication as defined in [4], and it is very - advantageous to take advantage of that capability for Agents rather - than Managers. - - The MIB is intended to be stateless and map USM users to Kerberos - principals. This mapping is explicitly done by putting a Kerberos - principal name into the usmUserSecurityName in the usmUser MIB and - instatiating the krbUsmMibEntry for the usmUserEntry. MIB variables - are accessed with INFORM's or TRAP PDU's and SET's to perform a - normal Kerberos AP-REQ/AP-REP exchange transaction which causes the - keys for a USM user to be derived and installed. The basic structure - of the MIB is a table which augements usmUserEntry's with a Kerberos - principal name as well as the transaction varbinds. In the normal - case, multiple varbinds should be sent in a single PDU which prevents - various race conditions, as well as increasing efficiency. - - It should be noted that this MIB is silent on the subject of how the - Agent and Manager find the KDC. In practice, this may be either - statically provisioned or use either DNS SRV records (RFC 2782) or - Service Location (RFC 2608). This MIB is does not provide for a means - of doing cipher suite negotiation either. It is expected that the - choices for ciphers in the USM MIB will reflect site specific choices - for ciphers. This matches well with the general philosophy of - centralized keying. 
- -Keying Transactions - - The following shows an error free transaction: - - Note: optional steps or parameters are shown like [ ] - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 4] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - - Agent Manager KDC - +-- --+ - | 1) <------------------------------- | - | SET (krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx; | - | [ krbUsmPrinTable[usmUserName].krbUsmMibTgt = | - | TGT[usmUserSecurityName] ]); | - | | - | 2) -------------------------------> | - | Response | - +-- (optional) --+ - - 3) ---------------------------------------------------------------> - TGS-REQ (krbUsmPrinTable[usmUserName].krbUsmMibMgrPrinName - [, krbUsmPrinTable[usmUserName].krbUsmMibTgt]); - - 4) <-------------------------------------------------------------- - Tick[usmUserSecurityName] = TGS-REP (); - - 5) ------------------------------> - INFORM (krbUsmPrinTable[usmUserName].krbUsmMibApReq = - AP_REQ[Tick[usmUserSecurityName]]; - [ krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx]); - - 6) <------------------------------ - SET (krbUsmPrinTable[usmUserName].krbUsmMibApRep = AP_REP[]); - - - 7) ------------------------------> - Response - - - The above flow translates to: - - - 1) This step is used when the Manager does not currently have a ses- - sion with the Agent but wishes to start one. The Manager MAY - place a ticket granting ticket into the krbUsmMibMgrTgt varbind - in the same PDU as the krbUsmMibNonce if it does not share a - secret with the KDC (as would be the case if the Manager used - PKinit to do initial authentication with the KDC). - - - 2) This step acknowledges the SET. There are no MIB specific errors - which can happen here. 
- - - 3) If the Agent is not already in possession of a service ticket for - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 5] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - the Manager in its ticket cache, it MUST request a service ticket - from the Agent's KDC for the service principal given by - krbUsmMibMgrPrinName in the row that the krbUsmMibNonce was SET - in, optionally adding a krbUsmMibMgrTgt. If the TGT is speci- - fied, the Manager's TGT must be placed in the additional-tickets - field with the ENC-TKT-IN-SKEY option set in the TGS-REQ to - obtain a service ticket (see section 3.3.3 of [1]). - - Note: a Kerberos TGS-REQ is but one way to obtain a service - ticket. An Agent may use any normal Kerberos means to - obtain the service ticket. This flow has also elided ini- - tial authentication (ie, AS-REQ) and any cross realm con- - siderations, though those may be necessary prerequisites - to obtaining the service ticket. - - 4) If step 3 was performed, this step receives the ticket or an - error from the KDC. - - - 5) This step sends a krbUsmMibApReq to the Manager via an INFORM or - TRAP PDU. If the message is the result of a request by the - Manager, krbUsmMibNonce received from the Manager MUST be sent in - the same PDU. If the Manager did not initiate the transaction, - the Agent MUST NOT send a krbUsmMibNonce varbind. The Agent also - MUST check krbUsmMibUnsolicitedNotify is not false, otherwise it - MUST abort the transaction. All krbUsmMibApReq's MUST contain a - sequence nonce so that the resulting krbUsmMibApRep can provide a - proof of the freshness of the message to prevent replay attacks. - - If the Agent encounters an error either generated by the KDC or - internally, the Agent MUST send an INFORM or TRAP PDU indicating - the error in the form of a KRB-ERROR placed in krbUsmMibApReq - with the same rules applied to krbUsmMibNonce and krbUsmMibUnsol- - icitedNotify above. 
If the Agent suspects that it is being - attacked by a purported Manager which is generating many failed - TGS-REQ's to the KDC, it SHOULD meter its TGS-REQ transactions - for that Manager to the KDC using an exponential backoff mechan- - ism truncated at 10 seconds. - - - - 6) Upon recepit of an INFORM or TRAP PDU with a krbUsmMibApReq, a - Manager may accept the AP-REQ. If it is accompanied with a - krbUsmMibNonce it MUST correlate it with any outstanding transac- - tions using its stored nonce for the transaction. If it does not - correlate with a current nonce, the request MUST be rejected as - it may be a replay. - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 6] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - If the Manager chooses to reject an unsolicited keying request, - it SHOULD send a WrongValue Error to the Agent with the krbUsmMi- - bApReq as the subject of the WrongValue. If an Agent receives a - WrongValue Error from a Manager it MUST cease retransmission of - the INFORM or TRAP PDU's so as to mitigate event avalanches by - Agents. There is a possible denial of service attack here, but it - must be weighed against the larger problem of network congestion, - flapping, etc. Therefore, if the Agent finds that it cannot can- - cel an unsolicited Notify (ie, it must be reliable), it MUST use - a truncated exponential backoff mechanism with the maximum trun- - cation interval set to 10 minutes. - - Otherwise, the Manager MUST send a SET PDU to the Agent which - contains a krbUsmMibApRep. - - - 7) If the Agent detects an error (including detecting replays) in - the final AP-REP, it MUST send a WrongValue error with a pointer - to the krbUsmMibApRep varbind to indicate its inability to estab- - lish the security association. Otherwise, receipt of the positive - acknowledgement from the final SET indicates to the Manager that - the proper keys have been installed on the Agent in the USM MIB. 
- -Unsolicited Agent Keying Requests - - An Agent may find that it needs to set up a security association for - a USM user in order to notify a Manager of some event. When the Agent - engine receives a request for a notify, it SHOULD check to see if - keying material has been established for the user and that the keying - material is valid. If the keying material is not valid and the USM - user has been tagged as being a Kerberos principal in a realm, the - Agent SHOULD first try to instantiate a security association by - obtaining a service ticket for the USM User and follow steps 3-7 of - the flow above. This insures that the USM User will have proper key- - ing material and providing a mechanism to allow for casual security - associations to be built up and torn down. This is especially useful - for Agents which may not normally need to be under constant Manager - supervision, such as the case with high fan out user residential CPE - and other SNMP managed "appliances". In all cases, the Agent MUST NOT - send an unsolicited Notify if krbUsmUnsolicitedNotify is set to - false. - - How the Agent obtains the Manager's address, how it determines - whether a Manager, realm, and whether it can be keyed using this MIB - is outside of the scope of this memo. - - Note: Although the MIB allows for a Manager to set up a session - using User-User mode of Kerberos by sending a TGT along with - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 7] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - the nonce, this, is limited to Manager initiated sessions - only since there is no easy way to store the Manager's ticket - in the MIB since it is publicly writable and as such would be - subject to denial of service attacks. Another method might be - to have the Agent send a krbUsmMibNonce to the Manager which - would tell it to instigate a session. 
Overall, it seems like - a marginal feature to allow a PKinit authenticated user be - the target of unsolicited informs and it would complicate the - transactions. For this reason, this scenario has been omitted - in favor of simplicity. - -Retransmissions - - Since this MIB defines not only variables, but transactions, discus- - sion of the retransmission state machine is in order. There are two - similar but different state machines for the Manager Solicited and - Agent Unsolicited transactions. There is one timer Timeout which - SHOULD take into consideration round trip considerations and MUST - implement a truncated exponential backoff mechanism. In addition, in - the case where an Agent makes an unsolicited Agent keying request, - the Agent SHOULD perform an initial random backoff if the keying - request to the Manager may result in a restart avalanche. A suitable - method is described in section 4.3.4 of [5]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 8] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - -Manager Solicited Retransmission State Machine - - Timeout - +---+ - | | - | V - +-----------+ Set-Ack (2) +----------+ - | |------------>| | - | Set-Nonce | | Ap-Req | - | (1) |<------------| (5) | - +-----------+ Timeout +----------+ - ^ | - | | Set-Ap-Rep - | +----------+ | (6) - +------| |<------+ - Timeout | Estab-wt | - | (7) | - +----------+ - | - | Set-Ap-Rep-Ack (7) - V - +----------+ - | | - | Estab | - | | - - +----------+ - - - - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 9] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - -Agent Unsolicited Retransmission State Machine - - Timeout - +---+ - | | - | V - +----------+ - | | - +----> | Ap-Req |-------+ - | | (5) | | - | +----------+ | - | | - | | Set-Ap-Rep - | +----------+ | (6) - +------| |<------+ - Timeout | Estab-wt | - | (7) | - +----------+ - | - | Set-Ap-Rep-Ack 
(7) - V - +----------+ - | | - | Estab | - | | - +----------+ - -Session Duration and Failures - - The KerbUsmMib uses the ticket lifetime to determine the life of the - USM session. The Agent MUST keep track of whether the ticket which - instigated the session is valid whenever it forms PDU's for that par- - ticular user. If a session expires, or if it wasn't valid to begin - with (from the Agent's perspective), the Agent MUST reject the PDU by - sending a XXX Error [mat: help me here Keith... what does USM say - about this?]. - - Kerberos also inherently implies adding state to the Agent and - Manager since they share not only a key, but a lifetime associated - with that key. This is in some sense soft state because failure of an - Agent will cause it to reject PDU's for Managers with whom it does - not share a secret. The Manager can use the Error PDU's as an indica- - tion that it needs to reauthenticate with the Agent, taking care not - to loop. The Manager is even easier: when it reboots, it can either - check its credential cache to reconstruct state or cause the Agent to - reauthenticate to the Manager with its service ticket by initiating a - authentication transaction with the manager. - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 10] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - -Manager Collisions - - Managers may freely set up keys for different USM users using this - MIB without problem since they access different rows in the krbUsm- - PrinTable. However, multiple Managers trying to set up keys for the - same USM user is possible but discouraged. The requirement for the - Manager is that they MUST share the same service key with the KDC so - that they can all decrypt the same service ticket. 
There are two race - conditions, however, which are not well handled: - - - -1) At the end of a ticket lifetime, one manager may request the agent - to refresh its service ticket causing a new session key to be - installed for the USM user leaving the other managers with stale - keys. The workaround here is that the Agent will reject the stale - manager's PDU's which should inform them to do their own rekeying - operations. - - -2) If multiple managers try to access the same row at the same time, - the Agent SHOULD try to keep the transactions separate based on the - nonce values. The Managers or the Agents SHOULD NOT break the - krbUsmMibNonce and any other additional varbinds into separate PDU's - as this may result in a meta stable state. Given normal MTU sizes, - this should not be an issue in practice, and this should at worst - devolve into the case above. - - In all cases, the krbUsmMibNonce MUST be the last value to be - transmitted, though its position within a PDU is unimportant. - - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 11] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - - KrbUSM MIB - - KRB-USM-MIB DEFINITIONS ::= BEGIN - IMPORTS - MODULE-IDENTITY, - OBJECT-TYPE, OBJECT-IDENTITY, - snmpModules, Counter32, Unsigned32 FROM SNMPv2-SMI - TruthValue, DisplayString FROM SNMPv2-TC - usmUserEntry FROM SNMP-USER-BASED-SM-MIB - - - - krbUsmMib MODULE-IDENTITY - LAST-UPDATED "00071300Z" - ORGANIZATION "IETF SNMP V3 Working Group" - CONTACT-INFO - "Michael Thomas - Cisco Systems - 375 E Tasman Drive - San Jose, Ca 95134 - Phone: +1 408-525-5386 - Fax: +1 801-382-5284 - email: mat@cisco.com" - DESCRIPTION - "This MIB contains the MIB variables to - exchange Kerberos credentials and a session - key to be used to authenticate and set up - USM keys" - - ::= { snmpModules nnn } -- not sure what needs to be here. 
- krbUsmMibObjects OBJECT INDENTIFIER ::= { krbUsmMib 1 } - - krbUsmMibAuthInAttemps - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "Counter of the number of Kerberos - authorization attempts as defined by - receipt of a PDU from a Manager with a - krbUsmMibNonce set in the principal table." - ::= { krbUsmMibObjects 1 } - - krbUsmMibAuthOutAttemps - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 12] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - DESCRIPTION - "Counter of the number of unsolicited Kerberos - authorization attempts as defined by - an Agent sending an INFORM or TRAP PDU with a - krbUsmMibApRep but without krbUsmApMibNonce - varbind." - ::= { krbUsmMibObjects 2 } - krbUsmMibAuthInFail - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "Counter of the number of Kerberos - authorization failures as defined by - a Manager setting the krbUsmMibNonce - in the principal table which results - in some sort of failure to install keys - in the requested USM user entry." - ::= { krbUsmMibObjects 3 } - - krbUsmMibAuthOutFail - SYNTAX Counter32 - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "Counter of the number of unsolicited Kerberos - authorization failures as defined by - an Agent sending an INFORM or TRAP PDU with a - krbUsmMibApRep but without a krbUsmMibNonce - varbind which does not result in keys being - installed for that USM user entry." 
- ::= { krbUsmMibObjects 4 } - - krbUsmMibPrinTable OBJECT-TYPE - SYNTAX SEQUENCE OF krbUsmMibEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - "Table which maps Kerberos principals with USM - users as well as the per user variables to key - up sessions" - ::= { krbUsmMibObjects 5 } - - krbUsmMibPrinEntry OBJECT-TYPE - SYNTAX KrbUsmMibPrinEntry - MAX-ACCESS not-accessible - STATUS current - DESCRIPTION - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 13] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - "an entry into the krbMibPrinTable which is a - parallel table to UsmUserEntry table" - AUGMENTS { usmUserEntry } - ::= { krbUsmMibPrinTable 1 } - - KrbUsmMibPrinEntry SEQUENCE - { - krbUsmMibApReq OCTET STRING, - krbUsmMibApRep OCTET STRING, - krbUsmMibNonce OCTET STRING, - krbUsmMibMgrTGT OCTET STRING, - krbUsmMibUnsolicitedNotify TruthValue, - } - - - krbUsmMibApReq OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS accessible-for-notify - STATUS current - DESCRIPTION - "This variable contains a DER encoded Kerberos - AP-REQ or KRB-ERROR for the USM user which is - to be keyed. This is sent from the Agent to - the Manager in an INFORM or TRAP request. - KRB-ERROR MUST only be sent to the Manager - if it is in response to a keying request from - the Manager. - " - ::= { krbUsmMibPrinEntry 1 } - - krbUsmMibApRep OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "This variable contains the DER encoded response - to an AP-REQ. This variable is SET by the - Manager to acknowledge receipt of an AP-REQ. If - krbUsmMibApRep contains a Kerberos AP-REP, the - Agent must derive keys from the session key - of the Kerberos ticket in the AP-REQ and place - them in the USM database in a manner specified - by [RFC2574]. If the Manager detects an error, - it will instead place a KRB-ERROR in this - variable to inform the Agent of the error. - - This variable is in effect a write-only variable. 
- attempts to read this variable will result in a - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 14] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - null octet string being returned" - ::= { krbUsmMibPrinEntry 2 } - - krbUsmMibNonce OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "SET'ing a krbUsmMibnonce allows a Manager to - determine whether an INFORM or TRAP from an - Agent is an outstanding keying request, or - unsolicited from the Agent. The Manager - initiates keying for a particular USM user - by writing a nonce into the row for which - desires to establish a security association. - The nonce is an ASCII string of the form - ``host:port?nonce'' where: - - host: is either an FQDN, or valid ipv4 or ipv6 - numerical notation of the Manager which - desires to initiate keying - port: is the destination port at which that the - Manager may be contacted - nonce: is a number generated by the Manager to - correlate the transaction - - The same nonce MUST be sent to the Manager in a - subsequent INFORM or TRAP with a krbUsmApReq. - The Agent MUST use the host address and port - supplied in the nonce as the destination of a - subsequent INFORM or TRAP. Unsolicited keying - requests MUST NOT contain a nonce, and should - instead use the destination stored Notifies of - this type. - - Nonces MUST be highly collision resistant either - using a time based method or a suitable random - number generator. Managers MUST never create - nonces which are 0. - - This variable is in effect a write-only variable. 
- Attempts to read this variable will result in a - nonce of value 0 being returned" - - - ::= { krbUsmMibPrinEntry 3 } - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 15] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - krbUsmMibMgrTgt OBJECT-TYPE - SYNTAX OCTET STRING - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "If the Manager does not possess a symmetric - key with the KDC as would be the case with - a Manager using PKinit for authentication, - the Manager MUST SET its DER encoded ticket - granting ticket into KrbUsmMgrTgt along - with krbUsmMibNonce. - - The agent will then attach the Manager's TGT - into the additional tickets field of the - TGS-REQ message to the KDC to get a User-User - service ticket. - - This variable is in effect a write-only variable. - Attempts to read this variable will result in a - null octet string being returned" - ::= { krbUsmMibPrinEntry 4 } - - - krbUsmMibUnsolicitedNotify OBJECT-TYPE - SYNTAX TruthValue - MAX-ACCESS read-write - STATUS current - DESCRIPTION - "If this variable is false, the Agent MUST NOT - send unsolicited INFORM or TRAP PDU's to the - Manager. - - Attempts to SET this variable by the no-auth - no-priv user MUST be rejected." - ::= { krbUsmMibPrinEntry 5 } - - -- - -- Conformance section... nothing optional. - - krbUsmMibCompliences MODULE-COMPLIANCE - STATUS current - DESCRIPTION "The compliance statement for SNMP - engines whichimplement the KRB-USM-MIB - " - MODULE -- this module - MANDATORY-GROUPS { krbUsmMib } - ::= { krbUsmMibCompliances 1 } - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 16] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - END - - -Key Derivation - - The session key provides the basis for the keying material for the - USM user specified in the AP-REQ. The actual keys for use for the - authentication and privacy are produced using the cryptographic hash- - ing function used to protect the ticket itself. 
The keying material - is derived using this function, F(key, salt), using successive - interations of F over the salt string "SNMPV3RULZ%d", where %d is a - monotonic counter starting at zero. The bits are taken directly from - the successive interations to produce two keys of appropriate size - (as specified in the USM user row) for the authentication transform - first, and the privacy transform second. If the authentication - transform is null, the first bits of the derived key are used for the - privacy transform. - -Security Considerations - - Various elements of this MIB must be readable and writable as the - no-auth, no-priv user. Unless specifically necessary for the key - negotiation, elements of this MIB SHOULD be protected by VACM views - which limit access. In particular, there is no reason anything in - this MIB should be visible to a no-auth, no-priv user with the excep- - tion of KrbUsmMibApReq, KrbUsmMibApRep, KrbUsmMibNonce, and - KrbUsmMibMgrTgt, and then only with the restrictions placed on them - in the MIB. As such, probing attacks are still possible, but should - not be profitable: all of the writable variables with interesting - information in them are defined in such a way as to be write only. - - There are some interesting denial of service attacks which are possi- - ble by attackers spoofing managers and putting load on the KDC to - generate unnecessary tickets. For large numbers or agents this could - be problematic. This can probably be mitigated by the KDC prioritiz- - ing TGS-REQ's though. - - -References - -[1] The CAT Working Group, J. Kohl, C.Neuman, "The Kerberos - Network Authentication Service (V5)", RFC 1510, September - 1993 - -[2] The SNMPV3 Working Group, U. Blumenthal, B. Wijnen, "The - User-based Security Model of SNMP V3", RFC 2574, April 1999 - -[3] The SNMPV3 Working Group, B. Wijnen, R. 
Presuhn, - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 17] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - - K.McCloghrie, "The View-based Access Control Model of SNMP - V3", RFC 2575, April 1999 - -[4] The CAT Working Group, Tung, et al, "Public Key Cryptography - for Initial Authentication in Kerberos", draft-ietf-cat-pk- - init-11, November 1999 - -[5] Arango, et al, "Media Gateway Control Protocl (MGCP)", RFC - 2705, October 1999 - - -[RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, An Architecture - for Describing SNMP Management Frameworks, RFC 2571, April - 1999. - -[RFC1155] Rose, M., and K. McCloghrie, Structure and Identification of - Management Information for TCP/IP-based Internets, STD 16, - RFC 1155, May 1990. - -[RFC1212] Rose, M., and K. McCloghrie, Concise MIB Definitions, STD - 16, RFC 1212, March 1991. - -[RFC1215] M. Rose, A Convention for Defining Traps for use with the - SNMP, RFC 1215, March 1991. - -[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., - Rose, M., and S. Waldbusser, Structure of Management Infor- - mation Version 2 (SMIv2), STD 58, RFC 2578, April 1999. - -[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., - Rose, M., and S. Waldbusser, Textual Conventions for SMIv2, - STD 58, RFC 2579, April 1999. - -[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., - Rose, M., and S. Waldbusser, Conformance Statements for - SMIv2, STD 58, RFC 2580, April 1999. - -[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, Simple - Network Management Protocol, STD 15, RFC 1157, May 1990. - -[RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, - Introduction to Community-based SNMPv2, RFC 1901, January - 1996. - -[RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Tran- - sport Mappings for Version 2 of the Simple Network Manage- - ment Protocol (SNMPv2), RFC 1906, January 1996. 
- - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 18] - - - - - -INTERNET-DRAFT Kerberized USM Keying 13 July 2000 - - -[RFC2572] Case, J., Harrington D., Presuhn R., and B. Wijnen, Message - Processing and Dispatching for the Simple Network Management - Protocol (SNMP), RFC 2572, April 1999. - -[RFC2574] Blumenthal, U., and B. Wijnen, User-based Security Model - (USM) for version 3 of the Simple Network Management Proto- - col (SNMPv3), RFC 2574, April 1999. - -[RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Pro- - tocol Operations for Version 2 of the Simple Network Manage- - ment Protocol (SNMPv2), RFC 1905, January 1996. - -[RFC2573] Levi, D., Meyer, P., and B. Stewart, SNMPv3 Applications, - RFC 2573, April 1999. - -[RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, View-based - Access Control Model (VACM) for the Simple Network Manage- - ment Protocol (SNMP), RFC 2575, April 1999. - -[RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart, Introduc- - tion to Version 3 of the Internet-standard Network Manage- - ment Framework, RFC 2570, April 1999. - -Author's Address - - Michael Thomas - Cisco Systems - 375 E Tasman Rd - San Jose, Ca, 95134, USA - Tel: +1 408-525-5386 - email: mat@cisco.com - - - - - - - - - - - - - - - - - - - - -Thomas draft-thomas-snmpv3-kerbusm-00 [Page 19] - - diff --git a/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt b/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt deleted file mode 100644 index b89108a53be9..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt +++ /dev/null 
@@ -1,227 +0,0 @@
-
-CAT Working Group Mike Swift
-draft-trostle-win2k-cat-kerberos-set-passwd-00.txt Microsoft
-February 2000 Jonathan Trostle
-Category: Informational Cisco Systems
- John Brezak
- Microsoft
-
- Extending Change Password for Setting Kerberos Passwords
-
-
-0. Status Of This Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-
- Drafts as reference material or to cite them other than as
- "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- Comments and suggestions on this document are encouraged. Comments
- on this document should be sent to the CAT working group discussion
- list:
- ietf-cat-wg@stanford.edu
-
-1. Abstract
-
- The Kerberos [1] change password protocol [2], does not allow for
- an administrator to set a password for a new user. This functionality
- is useful in some environments, and this proposal extends [2] to
- allow password setting. The changes are: adding new fields to the
- request message to indicate the principal which is having its
- password set, not requiring the initial flag in the service ticket,
- using a new protocol version number, and adding three new result
- codes.
-
-2. The Protocol
-
- The service must accept requests on UDP port 464 and TCP port 464 as
- well. The protocol consists of a single request message followed by
- a single reply message.
For UDP transport, each message must be fully - contained in a single UDP packet. - - For TCP transport, there is a 4 octet header in network byte order - precedes the message and specifies the length of the message. This - - requirement is consistent with the TCP transport header in 1510bis. - -Request Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REQ length | AP_REQ data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - All 16 bit fields are in big-endian order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0xff80 (big-endian - integer). - - AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REQ data: (see [1]) The AP-REQ message must be for the service - principal kadmin/changepw@REALM, where REALM is the REALM of the user - who wishes to change/set his password. The ticket in the AP-REQ must - must include a subkey in the Authenticator. To enable setting of - passwords, it is not required that the initial flag be set in the - Kerberos service ticket. - - KRB-PRIV message (see [1]) This KRB-PRIV message must be generated - using the subkey from the authenticator in the AP-REQ data. 
- - The user-data component of the message consists of the following ASN.1 - structure encoded as an OCTET STRING: - - ChangePasswdData ::= SEQUENCE { - newpasswd[0] OCTET STRING, - targname[2] PrincipalName OPTIONAL, - targrealm[3] Realm OPTIONAL - } - - The server must verify the AP-REQ message, check whether the client - principal in the ticket is authorized to set/change the password - (either for that principal, or for the principal in the targname - field if present), and decrypt the new password. The server also - checks whether the initial flag is required for this request, - replying with status 0x0007 if it is not set and should be. An - authorization failure is cause to respond with status 0x0005. For - forward compatibility, the server should be prepared to ignore fields - after targrealm in the structure that it does not understand. - - The newpasswd field contains the cleartext password, and the server - should apply any local policy checks including password policy checks. - The server then generates the appropriate keytypes from the password - - and stores them in the KDC database. If all goes well, status 0x0000 - is returned to the client in the reply message (see below). - -Reply Message - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | message length | protocol version number | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AP_REP length | AP-REP data / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / KRB-PRIV message / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - All 16 bit fields are in big-endian order. - - message length field: contains the number of bytes in the message - including this field. - - protocol version number: contains the hex constant 0x0001 (big-endian - integer). (The reply message has the same format as in [2]). 
- - AP-REP length: length of AP-REP data, in bytes. If the length is zero, - then the last field contains a KRB-ERROR message instead of a KRB-PRIV - message. - - AP-REP data: the AP-REP is the response to the AP-REQ in the request - packet. - - KRB-PRIV from [2]: This KRB-PRIV message must be generated using the - subkey in the authenticator in the AP-REQ data. - - The server will respond with a KRB-PRIV message unless it cannot - decode the client AP-REQ or KRB-PRIV message, in which case it will - respond with a KRB-ERROR message. NOTE: Unlike change password version - 1, the KRB-ERROR message will be sent back without any encapsulation. - - The user-data component of the KRB-PRIV message, or e-data component - of the KRB-ERROR message, must consist of the following data. - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | result code | result string / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - result code (16 bits) (result codes 0-4 are from [2]): - The result code must have one of the following values (big- - endian integer): - KRB5_KPASSWD_SUCCESS 0 request succeeds (This value is not - allowed in a KRB-ERROR message) - KRB5_KPASSWD_MALFORMED 1 request fails due to being malformed - KRB5_KPASSWD_HARDERROR 2 request fails due to "hard" error in - processing the request (for example, - there is a resource or other problem - causing the request to fail) - - KRB5_KPASSWD_AUTHERROR 3 request fails due to an error in - authentication processing - KRB5_KPASSWD_SOFTERROR 4 request fails due to a "soft" error - in processing the request - KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized - KRB5_KPASSWD_BAD_VERSION 6 protocol version unsupported - KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required - 0xFFFF if the request fails for some other reason. 
- Although only a few non-zero result codes are specified here, - the client should accept any non-zero result code as indicating - failure. - result string - from [2]: - This field should contain information which the server thinks - might be useful to the user, such as feedback about policy - failures. The string must be encoded in UTF-8. It may be - omitted if the server does not wish to include it. If it is - present, the client should display the string to the user. - This field is analogous to the string which follows the numeric - code in SMTP, FTP, and similar protocols. - -3. References - - [1] J. Kohl, C. Neuman. The Kerberos Network Authentication - Service (V5). Request for Comments 1510. - - [2] M. Horowitz. Kerberos Change Password Protocol. - ftp://ds.internic.net/internet-drafts/ - draft-ietf-cat-kerb-chg-password-02.txt - -4. Expiration Date - - This draft expires in August 2000. - -5. Authors' Addresses - - Jonathan Trostle - Cisco Systems - 170 W. Tasman Dr. - San Jose, CA 95134 - Email: jtrostle@cisco.com - - Mike Swift - 1 Microsoft Way - Redmond, WA 98052 - mikesw@microsoft.com - - John Brezak - 1 Microsoft Way - Redmond, WA 98052 - jbrezak@microsoft.com diff --git a/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt b/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt deleted file mode 100644 index e9611e395bfd..000000000000 --- a/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt +++ /dev/null 
@@ -1,327 +0,0 @@
-Network Working Group T. Ts'o, Editor
-Internet-Draft Massachusetts Institute of Technology
-draft-tso-telnet-krb5-04.txt April 2000
-
- Telnet Authentication: Kerberos Version 5
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026. Internet-Drafts are working
- documents of the Internet Engineering Task Force (IETF), its areas,
- and its working groups. Note that other groups may also distribute
- working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference mate-
- rial or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119.
-
-0. Abstract
-
- This document describes how Kerberos Version 5 [1] is used with the
- telnet protocol. It describes an telnet authentication sub-option
- to be used with the telnet authentication option [2]. This mecha-
- nism can also used to provide keying material to provide data confi-
- dentiality services in conjuction with the telnet encryption option
- [3].
-
-1. Command Names and Codes
-
- Authentication Types
-
- KERBEROS_V5 2
-
- Sub-option Commands
-
- Expires Sept 2000 [Page 1]
-
-Internet-Draft Kerberos Version 5 for Telnet April 2000
-
- AUTH 0
- REJECT 1
- ACCEPT 2
- RESPONSE 3
- FORWARD 4
- FORWARD_ACCEPT 5
- FORWARD_REJECT 6
-
-2.
Command Meanings - - IAC SB AUTHENTICATION IS AUTH IAC SE - - This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the - remote side of the connection. The first octet of the value is KERBEROS_V5, to indicate that Version 5 - of Kerberos is being used. The Kerberos V5 authenticator in the - KRB_AP_REQ message must contain a Kerberos V5 checksum of the - two-byte authentication type pair. This checksum must be verified - by the server to assure that the authentication type pair was cor- - rectly negotiated. The Kerberos V5 authenticator must also in- - clude the optional subkey field, which shall be filled in with a - randomly chosen key. This key shall be used for encryption pur- - poses if encryption is negotiated, and shall be used as the nego- - tiated session key (i.e., used as keyid 0) for the purposes of the - telnet encryption option; if the subkey is not filled in, then the - ticket session key will be used instead. - - If data confidentiality services is desired the ENCRYPT_US- - ING_TELOPT flag must be set in the authentication-type-pair as - specified in [2]. - - IAC SB AUTHENTICATION REPLY ACCEPT IAC SE - - This command indicates that the authentication was successful. - - If the AUTH_HOW_MUTUAL bit is set in the second octet of the au- - thentication-type-pair, the RESPONSE command must be sent before - the ACCEPT command is sent. - - IAC SB AUTHENTICATION REPLY REJECT IAC SE - - This command indicates that the authentication was not successful, - and if there is any more data in the sub-option, it is an ASCII - text message of the reason for the rejection. - - IAC SB AUTHENTICATION REPLY RESPONSE - IAC SE - - Expires Sept 2000 [Page 2] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - This command is used to perform mutual authentication. It is only - used when the AUTH_HOW_MUTUAL bit is set in the second octet of - the authentication-type-pair. 
After an AUTH command is verified, - a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP - message to perform the mutual authentication. - - IAC SB AUTHENTICATION FORWARD IAC SE - - This command is used to forward kerberos credentials for use by - the remote session. The credentials are passed as a Kerberos V5 - KRB_CRED message which includes, among other things, the forwarded - Kerberos ticket and a session key associated with the ticket. Part - of the KRB_CRED message is encrypted in the key previously ex- - changed for the telnet session by the AUTH suboption. - - IAC SB AUTHENTICATION FORWARD_ACCEPT IAC - SE - - This command indicates that the credential forwarding was success- - ful. - - IAC SB AUTHENTICATION FORWARD_REJECT IAC SE - - This command indicates that the credential forwarding was not suc- - cessful, and if there is any more data in the sub-option, it is an - ASCII text message of the reason for the rejection. - -3. Implementation Rules - - If the second octet of the authentication-type-pair has the AUTH_WHO - bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial - AUTH command, and the server responds with either ACCEPT or REJECT. - In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the serv- - er will send a RESPONSE before it sends the ACCEPT. - - If the second octet of the authentication-type-pair has the AUTH_WHO - bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial - AUTH command, and the client responds with either ACCEPT or REJECT. - In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the - client will send a RESPONSE before it sends the ACCEPT. - - The Kerberos principal used by the server will generally be of the - form "host/@realm". That is, the first component of the - Kerberos principal is "host"; the second component is the fully qual- - ified lower-case hostname of the server; and the realm is the Ker- - beros realm to which the server belongs. 
- - Expires Sept 2000 [Page 3] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - Any Telnet IAC characters that occur in the KRB_AP_REQ or KRB_AP_REP - messages, the KRB_CRED structure, or the optional rejection text - string must be doubled as specified in [4]. Otherwise the following - byte might be mis-interpreted as a Telnet command. - -4. Examples - - User "joe" may wish to log in as user "pete" on machine "foo". If - "pete" has set things up on "foo" to allow "joe" access to his ac- - count, then the client would send IAC SB AUTHENTICATION NAME "pete" - IAC SE IAC SB AUTHENTICATION IS KERBEROS_V5 AUTH - IAC SE - - The server would then authenticate the user as "joe" from the - KRB_AP_REQ_MESSAGE, and if the KRB_AP_REQ_MESSAGE was accepted by - Kerberos, and if "pete" has allowed "joe" to use his account, the - server would then continue the authentication sequence by sending a - RESPONSE (to do mutual authentication, if it was requested) followed - by the ACCEPT. - - If forwarding has been requested, the client then sends IAC SB AU- - THENTICATION IS KERBEROS_V5 CLIENT|MUTUAL FORWARD IAC SE. If the server succeeds in - reading the forwarded credentials, the server sends FORWARD_ACCEPT - else, a FORWARD_REJECT is sent back. - - Client Server - IAC DO AUTHENTICATION - IAC WILL AUTHENTICATION - - [ The server is now free to request authentication information. - ] - - IAC SB AUTHENTICATION SEND - KERBEROS_V5 CLIENT|MUTUAL - KERBEROS_V5 CLIENT|ONE_WAY IAC - SE - - [ The server has requested mutual Version 5 Kerberos - authentication. If mutual authentication is not supported, - then the server is willing to do one-way authentication. - - The client will now respond with the name of the user that it - wants to log in as, and the Kerberos ticket. 
] - - IAC SB AUTHENTICATION NAME - "pete" IAC SE - IAC SB AUTHENTICATION IS - KERBEROS_V5 CLIENT|MUTUAL AUTH - IAC SE - - Expires Sept 2000 [Page 4] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - [ Since mutual authentication is desired, the server sends across - a RESPONSE to prove that it really is the right server. ] - - IAC SB AUTHENTICATION REPLY - KERBEROS_V5 CLIENT|MUTUAL - RESPONSE - IAC SE - - [ The server responds with an ACCEPT command to state that the - authentication was successful. ] - - IAC SB AUTHENTICATION REPLY KER- - BEROS_V5 CLIENT|MUTUAL ACCEPT - IAC SE - - [ If so requested, the client now sends the FORWARD command to - forward credentials to the remote site. ] - - IAC SB AUTHENTICATION IS KER- - BEROS_V5 CLIENT|MUTUAL - FORWARD IAC - SE - - [ The server responds with a FORWARD_ACCEPT command to state that - the credential forwarding was successful. ] - - Expires Sept 2000 [Page 5] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - IAC SB AUTHENTICATION REPLY KER- - BEROS_V5 CLIENT|MUTUAL FOR- - WARD_ACCEPT IAC SE - -5. Security Considerations - - The selection of the random session key in the Kerberos V5 authenti- - cator is critical, since this key will be used for encrypting the - telnet data stream if encryption is enabled. It is strongly advised - that the random key selection be done using cryptographic techniques - that involve the Kerberos ticket's session key. For example, using - the current time, encrypting it with the ticket session key, and then - correcting for key parity is a strong way to generate a subsession - key, since the ticket session key is assumed to be never disclosed to - an attacker. - - Care should be taken before forwarding a user's Kerberos credentials - to the remote server. If the remote server is not trustworthy, this - could result in the user's credentials being compromised. 
Hence, the - user interface should not forward credentials by default; it would be - far safer to either require the user to explicitly request creden- - tials forwarding for each connection, or to have a trusted list of - hosts for which credentials forwarding is enabled, but to not enable - credentials forwarding by default for all machines. - -6. IANA Considerations - - The authentication type KERBEROS_V5 and its associated suboption values - are registered with IANA. Any suboption values used to extend - the protocol as described in this document must be registered - with IANA before use. IANA is instructed not to issue new suboption - values without submission of documentation of their use. - -7. Acknowledgments - - This document was originally written by Dave Borman of Cray Research, - Inc. Theodore Ts'o of MIT revised it to reflect the latest implemen- - tation experience. Cliff Neuman and Prasad Upasani of USC's Informa- - tion Sciences Institute developed the credential forwarding support. - - In addition, the contributions of the Telnet Working Group are also - gratefully acknowledged. - -8. References - - [1] Kohl, J. and B. Neuman, "The Kerberos Network Authentication Sys- - tem (V5)", RFC 1510, USC/Information Sciences Institute, Septem- - ber 1993. - - [2] Internet Engineering Task Force, "Telnet Authentication", draft- - tso-telnet-auth-enc-04.txt, T. Ts'o, Editor, VA Linux Systems, - April 2000. - - [3] Internet Engineering Task Force, "Telnet Data Encryption Option", - draft-tso-telnet-encryption-04.txt, T. Ts'o, Editor, VA Linux - Systems, April 2000. - - [4] Postel, J.B. and J. Reynolds, "Telnet Option Specifications", RFC - - Expires Sept 2000 [Page 6] - -Internet-Draft Kerberos Version 5 for Telnet April 2000 - - 855, STD 8, USC/Information Sciences Institute, May 1983. 
-
-Editor's Address
-
- Theodore Ts'o
- Massachusetts Institute of Technology
- MIT Room E40-343
- 77 Massachusetts Avenue
- Cambridge, MA 02139
-
- Phone: (617) 253-8091
- EMail: tytso@mit.edu
-
- Expires Sept 2000 [Page 7]
-
-
- Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
- The Kermit Project * Columbia University
- 612 West 115th St #716 * New York, NY * 10025
- http://www.kermit-project.org/k95.html * kermit-support@kermit-project.org
-
-
diff --git a/crypto/heimdal/doc/standardisation/rc4-hmac.txt b/crypto/heimdal/doc/standardisation/rc4-hmac.txt
deleted file mode 100644
index 202d44e8639c..000000000000
--- a/crypto/heimdal/doc/standardisation/rc4-hmac.txt
+++ /dev/null
@@ -1,587 +0,0 @@
-CAT working group M. Swift
-Internet Draft J. Brezak
-Document: draft-brezak-win2k-krb-rc4-hmac-03.txt Microsoft
-Category: Informational June 2000
-
-
- The Windows 2000 RC4-HMAC Kerberos encryption type
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are
- working documents of the Internet Engineering Task Force (IETF), its
- areas, and its working groups. Note that other groups may also
- distribute working documents as Internet-Drafts. Internet-Drafts are
- draft documents valid for a maximum of six months and may be
- updated, replaced, or obsoleted by other documents at any time. It
- is inappropriate to use Internet- Drafts as reference material or to
- cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-1. Abstract
-
- The Windows 2000 implementation of Kerberos introduces a new
- encryption type based on the RC4 encryption algorithm and using an
- MD5 HMAC for checksum. This is offered as an alternative to using
- the existing DES based encryption types.
-
- The RC4-HMAC encryption types are used to ease upgrade of existing
- Windows NT environments, provide strong crypto (128-bit key
- lengths), and provide exportable (meet United States government
- export restriction requirements) encryption.
-
- The Windows 2000 implementation of Kerberos contains new encryption
- and checksum types for two reasons: for export reasons early in the
- development process, 56 bit DES encryption could not be exported,
- and because upon upgrade from Windows NT 4.0 to Windows 2000,
- accounts will not have the appropriate DES keying material to do the
- standard DES encryption.
Furthermore, 3DES is not available for - export, and there was a desire to use a single flavor of encryption - in the product for both US and international products. - - As a result, there are two new encryption types and one new checksum - type introduced in Windows 2000. - - -2. Conventions used in this document - - - -Swift Category - Informational 1 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC-2119 [2]. - -3. Key Generation - - On upgrade from existing Windows NT domains, the user accounts would - not have a DES based key available to enable the use of DES base - encryption types specified in RFC 1510. The key used for RC4-HMAC is - the same as the existing Windows NT key (NT Password Hash) for - compatibility reasons. Once the account password is changed, the DES - based keys are created and maintained. Once the DES keys are - available DES based encryption types can be used with Kerberos. - - The RC4-HMAC String to key function is defined as follow: - - String2Key(password) - - K = MD4(UNICODE(password)) - - The RC4-HMAC keys are generated by using the Windows UNICODE version - of the password. Each Windows UNICODE character is encoded in - little-endian format of 2 octets each. Then performing an MD4 [6] - hash operation on just the UNICODE characters of the password (not - including the terminating zero octets). - - For an account with a password of "foo", this String2Key("foo") will - return: - - 0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, - 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc - -4. Basic Operations - - The MD5 HMAC function is defined in [3]. It is used in this - encryption type for checksum operations. Refer to [3] for details on - its operation. 
In this document this function is referred to as - HMAC(Key, Data) returning the checksum using the specified key on - the data. - - The basic MD5 hash operation is used in this encryption type and - defined in [7]. In this document this function is referred to as - MD5(Data) returning the checksum of the data. - - RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A - compatible cipher is described in [8]. In this document the function - is referred to as RC4(Key, Data) returning the encrypted data using - the specified key on the data. - - These encryption types use key derivation as defined in [9] (RFC- - 1510BIS) in Section titled "Key Derivation". With each message, the - message type (T) is used as a component of the keying material. This - summarizes the different key derivation values used in the various - -Swift Category - Informational 2 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - operations. Note that these differ from the key derivations used in - other Kerberos encryption types. - - T = 1 for TS-ENC-TS in the AS-Request - T = 8 for the AS-Reply - T = 7 for the Authenticator in the TGS-Request - T = 8 for the TGS-Reply - T = 2 for the Server Ticket in the AP-Request - T = 11 for the Authenticator in the AP-Request - T = 12 for the Server returned AP-Reply - T = 15 in the generation of checksum for the MIC token - T = 0 in the generation of sequence number for the MIC token - T = 13 in the generation of checksum for the WRAP token - T = 0 in the generation of sequence number for the WRAP token - T = 0 in the generation of encrypted data for the WRAPPED token - - All strings in this document are ASCII unless otherwise specified. - The lengths of ASCII encoded character strings include the trailing - terminator character (0). - - The concat(a,b,c,...) function will return the logical concatenation - (left to right) of the values of the arguments. - - The nonce(n) function returns a pseudo-random number of "n" octets. - -5. 
Checksum Types - - There is one checksum type used in this encryption type. The - Kerberos constant for this type is: - #define KERB_CHECKSUM_HMAC_MD5 (-138) - - The function is defined as follows: - - K - is the Key - T - the message type, encoded as a little-endian four byte integer - - CHKSUM(K, T, data) - - Ksign = HMAC(K, "signaturekey") //includes zero octet at end - tmp = MD5(concat(T, data)) - CHKSUM = HMAC(Ksign, tmp) - - -6. Encryption Types - - There are two encryption types used in these encryption types. The - Kerberos constants for these types are: - #define KERB_ETYPE_RC4_HMAC 23 - #define KERB_ETYPE_RC4_HMAC_EXP 24 - - The basic encryption function is defined as follow: - - T = the message type, encoded as a little-endian four byte integer. - -Swift Category - Informational 3 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - BYTE L40[14] = "fortybits"; - BYTE SK = "signaturekey"; - - ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 10 + 4, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - add_8_random_bytes(data, data_len, conf_plus_data); - HMAC (K2, conf_plus_data, 8 + data_len, checksum); - HMAC (K1, checksum, 16, K3); - RC4(K3, conf_plus_data, 8 + data_len, edata + 16); - memcpy (edata, checksum, 16); - edata_len = 16 + 8 + data_len; - } - - DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) - { - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K1); - }else{ - HMAC (K, &T, 4, K1); - } - memcpy (K2, K1, 16); - if (fRC4_EXP) memset (K1+7, 0xAB, 9); - HMAC (K1, edata, 16, K3); // checksum is at edata - RC4(K3, edata + 16, edata_len - 16, edata + 16); - data_len = edata_len - 16 - 8; - memcpy (data, edata + 16 + 8, data_len); - - // verify generated and received checksums - HMAC (K2, edata + 16, edata_len - 16, checksum); - if (memcmp(edata, checksum, 16) != 0) - printf("CHECKSUM ERROR 
!!!!!!\n"); - } - - The header field on the encrypted data in KDC messages is: - - typedef struct _RC4_MDx_HEADER { - UCHAR Checksum[16]; - UCHAR Confounder[8]; - } RC4_MDx_HEADER, *PRC4_MDx_HEADER; - - The KDC message is encrypted using the ENCRYPT function not - including the Checksum in the RC4_MDx_HEADER. - - -Swift Category - Informational 4 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. In this description, the key size is actually 56-bits. - -7. Key Strength Negotiation - - A Kerberos client and server can negotiate over key length if they - are using mutual authentication. If the client is unable to perform - full strength encryption, it may propose a key in the "subkey" field - of the authenticator, using a weaker encryption type. The server - must then either return the same key or suggest its own key in the - subkey field of the AP reply message. The key used to encrypt data - is derived from the key returned by the server. If the client is - able to perform strong encryption but the server is not, it may - propose a subkey in the AP reply without first being sent a subkey - in the authenticator. - -8. GSSAPI Kerberos V5 Mechanism Type - -8.1 Mechanism Specific Changes - - The GSSAPI per-message tokens also require new checksum and - encryption types. The GSS-API per-message tokens must be changed to - support these new encryption types (See [5] Section 1.2.2). 
The - sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption - is: - Byte 4..5 SEAL_ALG 0x10 0x00 - RC4 - - The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: - Byte 2..3 SGN ALG 0x11 0x00 - HMAC - - The only support quality of protection is: - #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0 - - In addition, when using an RC4 based encryption type, the sequence - number is sent in big-endian rather than little-endian order. - - The Windows 2000 implementation also defines new GSSAPI flags in the - initial token passed when initializing a security context. These - flags are passed in the checksum field of the authenticator (See [5] - Section 1.1.1). - - GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s - implementation of DCE RPC, which initially expected three legs of - authentication. Setting this flag causes an extra AP reply to be - sent from the client back to the server after receiving the server’s - AP reply. In addition, the context negotiation tokens do not have - GSSAPI framing - they are raw AP message and do not include object - identifiers. - #define GSS_C_DCE_STYLE 0x1000 - - - -Swift Category - Informational 5 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the - server that it should only allow the server application to identify - the client by name and ID, but not to impersonate the client. - #define GSS_C_IDENTIFY_FLAG 0x2000 - - GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the - client wants to be informed of extended error information. In - particular, Windows 2000 status codes may be returned in the data - field of a Kerberos error message. This allows the client to - understand a server failure more precisely. In addition, the server - may return errors to the client that are normally handled at the - application layer in the server, in order to let the client try to - recover. 
After receiving an error message, the client may attempt to - resubmit an AP request. - #define GSS_C_EXTENDED_ERROR_FLAG 0x4000 - - These flags are only used if a client is aware of these conventions - when using the SSPI on the Windows platform, they are not generally - used by default. - - When NetBIOS addresses are used in the GSSAPI, they are identified - by the GSS_C_AF_NETBIOS value. This value is defined as: - #define GSS_C_AF_NETBIOS 0x14 - NetBios addresses are 16-octet addresses typically composed of 1 to th 15 characters, trailing blank (ascii char 20) filled, with a 16 - octet of 0x0. - -8.2 GSSAPI Checksum Type - - The GSSAPI checksum type and algorithm is defined in Section 5. Only - the first 8 octets of the checksum are used. The resulting checksum - is stored in the SGN_CKSUM field (See [5] Section 1.2) for - GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). - - MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, - MIC_seq, MIC_checksum) - { - HMAC (K, SK, 13, K4); - T = 15; - memcpy (T_plus_hdr_plus_msg + 00, &T, 4); - memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8); - // 0101 1100 FFFFFFFF - memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); - MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); - HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); - memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K5); - }else{ - HMAC (K, &T, 4, K5); - -Swift Category - Informational 6 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - } - if (fRC4_EXP) memset(K5+7, 0xAB, 9); - HMAC(K5, MIT_checksum, 8, K6); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K6, seq_plus_direction, 8, MIC_seq); - } - -8.3 GSSAPI Encryption Types - - There are two encryption types for GSSAPI message tokens, one that - is 128 bits in strength, and one that is 56 bits in strength as - defined in 
Section 6. - - All padding is rounded up to 1 byte. One byte is needed to say that - there is 1 byte of padding. The DES based mechanism type uses 8 byte - padding. See [5] Section 1.2.2.3. - - The encryption mechanism used for GSS wrap based messages is as - follow: - - - WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, - WRAP_seq, WRAP_checksum, edata, edata_len) - { - HMAC (K, SK, 13, K7); - T = 13; - PAD = 1; - memcpy (T_hdr_conf_msg_pad + 00, &T, 4); - memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 - FFFFFFFF - memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); - memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); - MD5 (T_hdr_conf_msg_pad, - 4 + 8 + 8 + msg_len + 1, - MD5_of_T_hdr_conf_msg_pad); - HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); - memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 - bytes - - T = 0; - if (fRC4_EXP){ - *((DWORD *)(L40+10)) = T; - HMAC (K, L40, 14, K8); - }else{ - HMAC (K, &T, 4, K8); - } - if (fRC4_EXP) memset(K8+7, 0xAB, 9); - HMAC(K8, WRAP_checksum, 8, K9); - copy_seq_num_in_big_endian(seq_num, seq_plus_direction); - //0x12345678 - -Swift Category - Informational 7 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - copy_direction_flag (direction_flag, seq_plus_direction + - 4); //0x12345678FFFFFFFF - RC4(K9, seq_plus_direction, 8, WRAP_seq); - - for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte - of key with 0xF0 - T = 0; - if (fRC4_EXP){ - *(DWORD *)(L40+10) = T; - HMAC(K10, L40, 14, K11); - memset(K11+7, 0xAB, 9); - }else{ - HMAC(K10, &T, 4, K11); - } - HMAC(K11, seq_num, 4, K12); - RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, - edata); /* skip T & hdr */ - edata_len = 8 + msg_len + 1; // conf + msg_len + pad - } - - - The character constant "fortybits" evolved from the time when a 40- - bit key length was all that was exportable from the United States. - It is now used to recognize that the key length is of "exportable" - length. 
In this description, the key size is actually 56-bits. - -9. Security Considerations - - Care must be taken in implementing this encryption type because it - uses a stream cipher. If a different IV isn’t used in each direction - when using a session key, the encryption is weak. By using the - sequence number as an IV, this is avoided. - -10. Acknowledgements - - We would like to thank Salil Dangi for the valuable input in - refining the descriptions of the functions and review input. - -11. References - - 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP - 9, RFC 2026, October 1996. - - 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997 - - 3 Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for - Message Authentication", RFC 2104, February 1997 - - 4 Kohl, J., Neuman, C., "The Kerberos Network Authentication - Service (V5)", RFC 1510, September 1993 - - - -Swift Category - Informational 8 - - Windows 2000 RC4-HMAC Kerberos E-Type June 2000 - - - - 5 Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, - June 1996 - - 6 R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April - 1992 - - 7 R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April - 1992 - - 8 Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption - Algorithm", Work in Progress. - - 9 RC4 is a proprietary encryption algorithm available under license - from RSA Data Security Inc. For licensing information, contact: - - RSA Data Security, Inc. - 100 Marine Parkway - Redwood City, CA 94065-1031 - - 10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network - Authentication Service (V5)", draft-ietf-cat-kerberos-revisions- - 04.txt, June 25, 1999 - - -12. Author's Addresses - - Mike Swift - Dept. 
of Computer Science
- Sieg Hall
- University of Washington
- Seattle, WA 98105
- Email: mikesw@cs.washington.edu
-
- John Brezak
- Microsoft
- One Microsoft Way
- Redmond, Washington
- Email: jbrezak@microsoft.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Swift Category - Informational 9
-
- Windows 2000 RC4-HMAC Kerberos E-Type October 1999
-
-
-
-13. Full Copyright Statement
-
- "Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and
- furnished to others, and derivative works that comment on or
- otherwise explain it or assist in its implementation may be
- prepared, copied, published and distributed, in whole or in
- part, without restriction of any kind, provided that the above
- copyright notice and this paragraph are included on all such
- copies and derivative works. However, this document itself may
- not be modified in any way, such as by removing the copyright
- notice or references to the Internet Society or other Internet
- organizations, except as needed for the purpose of developing
- Internet standards in which case the procedures for copyrights
- defined in the Internet Standards process must be followed, or
- as required to translate it into languages other than English.
-
- The limited permissions granted above are perpetual and will
- not be revoked by the Internet Society or its successors or
- assigns.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Swift Category - Informational 10
-
diff --git a/crypto/heimdal/doc/standardisation/rfc1508.txt b/crypto/heimdal/doc/standardisation/rfc1508.txt
deleted file mode 100644
index 132b855e05e6..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc1508.txt
+++ /dev/null
@@ -1,2747 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Linn
-Request for Comments: 1508 Geer Zolot Associates
- September 1993
-
-
- Generic Security Service Application Program Interface
-
-Status of this Memo
-
- This RFC specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" for the standardization state and status
- of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- This Generic Security Service Application Program Interface (GSS-API)
- definition provides security services to callers in a generic
- fashion, supportable with a range of underlying mechanisms and
- technologies and hence allowing source-level portability of
- applications to different environments. This specification defines
- GSS-API services and primitives at a level independent of underlying
- mechanism and programming language environment, and is to be
- complemented by other, related specifications:
-
- documents defining specific parameter bindings for particular
- language environments
-
- documents defining token formats, protocols, and procedures to
- be implemented in order to realize GSS-API services atop
- particular security mechanisms
-
-Table of Contents
-
- 1. GSS-API Characteristics and Concepts ....................... 2
- 1.1. GSS-API Constructs ....................................... 5
- 1.1.1. Credentials ........................................... 5
- 1.1.2. Tokens ................................................ 6
- 1.1.3. Security Contexts ..................................... 7
- 1.1.4. Mechanism Types ....................................... 8
- 1.1.5. Naming ................................................ 9
- 1.1.6. Channel Bindings ...................................... 10
- 1.2. GSS-API Features and Issues ............................. 11
- 1.2.1.
Status Reporting ...................................... 11
- 1.2.2. Per-Message Security Service Availability ............. 12
- 1.2.3. Per-Message Replay Detection and Sequencing ........... 13
- 1.2.4. Quality of Protection ................................. 15
-
-
-
-Linn [Page 1]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- 2. Interface Descriptions ..................................... 15
- 2.1. Credential management calls ............................. 17
- 2.1.1. GSS_Acquire_cred call ................................. 17
- 2.1.2. GSS_Release_cred call ................................. 19
- 2.1.3. GSS_Inquire_cred call ................................. 20
- 2.2. Context-level calls ..................................... 21
- 2.2.1. GSS_Init_sec_context call ............................. 21
- 2.2.2. GSS_Accept_sec_context call ........................... 26
- 2.2.3. GSS_Delete_sec_context call ........................... 29
- 2.2.4. GSS_Process_context_token call ........................ 30
- 2.2.5. GSS_Context_time call ................................. 31
- 2.3. Per-message calls ....................................... 32
- 2.3.1. GSS_Sign call ......................................... 32
- 2.3.2. GSS_Verify call ....................................... 33
- 2.3.3. GSS_Seal call ......................................... 35
- 2.3.4. GSS_Unseal call ....................................... 36
- 2.4. Support calls ........................................... 37
- 2.4.1. GSS_Display_status call ............................... 37
- 2.4.2. GSS_Indicate_mechs call ............................... 38
- 2.4.3. GSS_Compare_name call ................................. 38
- 2.4.4. GSS_Display_name call ................................. 39
- 2.4.5. GSS_Import_name call .................................. 40
- 2.4.6. GSS_Release_name call ................................. 41
- 2.4.7. GSS_Release_buffer call ............................... 41
- 2.4.8.
GSS_Release_oid_set call .............................. 42
- 3. Mechanism-Specific Example Scenarios ....................... 42
- 3.1. Kerberos V5, single-TGT ................................. 43
- 3.2. Kerberos V5, double-TGT ................................. 43
- 3.3. X.509 Authentication Framework .......................... 44
- 4. Related Activities ......................................... 45
- 5. Acknowledgments ............................................ 46
- 6. Security Considerations .................................... 46
- 7. Author's Address ........................................... 46
- Appendix A .................................................... 47
- Appendix B .................................................... 48
- Appendix C .................................................... 49
-
-1. GSS-API Characteristics and Concepts
-
- The operational paradigm in which GSS-API operates is as follows. A
- typical GSS-API caller is itself a communications protocol, calling
- on GSS-API in order to protect its communications with
- authentication, integrity, and/or confidentiality security services.
- A GSS-API caller accepts tokens provided to it by its local GSS-API
- implementation and transfers the tokens to a peer on a remote system;
- that peer passes the received tokens to its local GSS-API
- implementation for processing. The security services available
- through GSS-API in this fashion are implementable (and have been
-
-
-
-Linn [Page 2]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- implemented) over a range of underlying mechanisms based on secret-
- key and public-key cryptographic technologies.
-
- The GSS-API separates the operations of initializing a security
- context between peers, achieving peer entity authentication (This
- security service definition, and other definitions used in this
- document, corresponds to that provided in International Standard ISO
- 7498-2-1988(E), Security Architecture.)
(GSS_Init_sec_context() and - GSS_Accept_sec_context() calls), from the operations of providing - per-message data origin authentication and data integrity protection - (GSS_Sign() and GSS_Verify() calls) for messages subsequently - transferred in conjunction with that context. Per-message GSS_Seal() - and GSS_Unseal() calls provide the data origin authentication and - data integrity services which GSS_Sign() and GSS_Verify() offer, and - also support selection of confidentiality services as a caller - option. Additional calls provide supportive functions to the GSS- - API's users. - - The following paragraphs provide an example illustrating the - dataflows involved in use of the GSS-API by a client and server in a - mechanism-independent fashion, establishing a security context and - transferring a protected message. The example assumes that credential - acquisition has already been completed. The example assumes that the - underlying authentication technology is capable of authenticating a - client to a server using elements carried within a single token, and - of authenticating the server to the client (mutual authentication) - with a single returned token; this assumption holds for presently- - documented CAT mechanisms but is not necessarily true for other - cryptographic technologies and associated protocols. - - The client calls GSS_Init_sec_context() to establish a security - context to the server identified by targ_name, and elects to set the - mutual_req_flag so that mutual authentication is performed in the - course of context establishment. GSS_Init_sec_context() returns an - output_token to be passed to the server, and indicates - GSS_CONTINUE_NEEDED status pending completion of the mutual - authentication sequence. Had mutual_req_flag not been set, the - initial call to GSS_Init_sec_context() would have returned - GSS_COMPLETE status. The client sends the output_token to the server. 
- - The server passes the received token as the input_token parameter to - GSS_Accept_sec_context(). GSS_Accept_sec_context indicates - GSS_COMPLETE status, provides the client's authenticated identity in - the src_name result, and provides an output_token to be passed to the - client. The server sends the output_token to the client. - - The client passes the received token as the input_token parameter to - a successor call to GSS_Init_sec_context(), which processes data - - - -Linn [Page 3] - -RFC 1508 Generic Security Interface September 1993 - - - included in the token in order to achieve mutual authentication from - the client's viewpoint. This call to GSS_Init_sec_context() returns - GSS_COMPLETE status, indicating successful mutual authentication and - the completion of context establishment for this example. - - The client generates a data message and passes it to GSS_Seal(). - GSS_Seal() performs data origin authentication, data integrity, and - (optionally) confidentiality processing on the message and - encapsulates the result into output_message, indicating GSS_COMPLETE - status. The client sends the output_message to the server. - - The server passes the received message to GSS_Unseal(). GSS_Unseal - inverts the encapsulation performed by GSS_Seal(), deciphers the - message if the optional confidentiality feature was applied, and - validates the data origin authentication and data integrity checking - quantities. GSS_Unseal() indicates successful validation by - returning GSS_COMPLETE status along with the resultant - output_message. - - For purposes of this example, we assume that the server knows by - out-of-band means that this context will have no further use after - one protected message is transferred from client to server. Given - this premise, the server now calls GSS_Delete_sec_context() to flush - context-level information. GSS_Delete_sec_context() returns a - context_token for the server to pass to the client. 
- - The client passes the returned context_token to - GSS_Process_context_token(), which returns GSS_COMPLETE status after - deleting context-level information at the client system. - - The GSS-API design assumes and addresses several basic goals, - including: - - Mechanism independence: The GSS-API defines an interface to - cryptographically implemented strong authentication and other - security services at a generic level which is independent of - particular underlying mechanisms. For example, GSS-API-provided - services can be implemented by secret-key technologies (e.g., - Kerberos) or public-key approaches (e.g., X.509). - - Protocol environment independence: The GSS-API is independent of - the communications protocol suites with which it is employed, - permitting use in a broad range of protocol environments. In - appropriate environments, an intermediate implementation "veneer" - which is oriented to a particular communication protocol (e.g., - Remote Procedure Call (RPC)) may be interposed between - applications which call that protocol and the GSS-API, thereby - invoking GSS-API facilities in conjunction with that protocol's - - - -Linn [Page 4] - -RFC 1508 Generic Security Interface September 1993 - - - communications invocations. - - Protocol association independence: The GSS-API's security context - construct is independent of communications protocol association - constructs. This characteristic allows a single GSS-API - implementation to be utilized by a variety of invoking protocol - modules on behalf of those modules' calling applications. GSS-API - services can also be invoked directly by applications, wholly - independent of protocol associations. 
- - Suitability to a range of implementation placements: GSS-API - clients are not constrained to reside within any Trusted Computing - Base (TCB) perimeter defined on a system where the GSS-API is - implemented; security services are specified in a manner suitable - to both intra-TCB and extra-TCB callers. - -1.1. GSS-API Constructs - - This section describes the basic elements comprising the GSS-API. - -1.1.1. Credentials - - Credentials structures provide the prerequisites enabling peers to - establish security contexts with each other. A caller may designate - that its default credential be used for context establishment calls - without presenting an explicit handle to that credential. - Alternately, those GSS-API callers which need to make explicit - selection of particular credentials structures may make references to - those credentials through GSS-API-provided credential handles - ("cred_handles"). - - A single credential structure may be used for initiation of outbound - contexts and acceptance of inbound contexts. Callers needing to - operate in only one of these modes may designate this fact when - credentials are acquired for use, allowing underlying mechanisms to - optimize their processing and storage requirements. The credential - elements defined by a particular mechanism may contain multiple - cryptographic keys, e.g., to enable authentication and message - encryption to be performed with different algorithms. - - A single credential structure may accommodate credential information - associated with multiple underlying mechanisms (mech_types); a - credential structure's contents will vary depending on the set of - mech_types supported by a particular GSS-API implementation. 
- Commonly, a single mech_type will be used for all security contexts - established by a particular initiator to a particular target; the - primary motivation for supporting credential sets representing - multiple mech_types is to allow initiators on systems which are - - - -Linn [Page 5] - -RFC 1508 Generic Security Interface September 1993 - - - equipped to handle multiple types to initiate contexts to targets on - other systems which can accommodate only a subset of the set - supported at the initiator's system. - - It is the responsibility of underlying system-specific mechanisms and - OS functions below the GSS-API to ensure that the ability to acquire - and use credentials associated with a given identity is constrained - to appropriate processes within a system. This responsibility should - be taken seriously by implementors, as the ability for an entity to - utilize a principal's credentials is equivalent to the entity's - ability to successfully assert that principal's identity. - - Once a set of GSS-API credentials is established, the transferability - of that credentials set to other processes or analogous constructs - within a system is a local matter, not defined by the GSS-API. An - example local policy would be one in which any credentials received - as a result of login to a given user account, or of delegation of - rights to that account, are accessible by, or transferable to, - processes running under that account. - - The credential establishment process (particularly when performed on - behalf of users rather than server processes) is likely to require - access to passwords or other quantities which should be protected - locally and exposed for the shortest time possible. As a result, it - will often be appropriate for preliminary credential establishment to - be performed through local means at user login time, with the - result(s) cached for subsequent reference. 
These preliminary - credentials would be set aside (in a system-specific fashion) for - subsequent use, either: - - to be accessed by an invocation of the GSS-API GSS_Acquire_cred() - call, returning an explicit handle to reference that credential - - as the default credentials installed on behalf of a process - -1.1.2. Tokens - - Tokens are data elements transferred between GSS-API callers, and are - divided into two classes. Context-level tokens are exchanged in order - to establish and manage a security context between peers. Per-message - tokens are exchanged in conjunction with an established context to - provide protective security services for corresponding data messages. - The internal contents of both classes of tokens are specific to the - particular underlying mechanism used to support the GSS-API; Appendix - B of this document provides a uniform recommendation for designers of - GSS-API support mechanisms, encapsulating mechanism-specific - information along with a globally-interpretable mechanism identifier. - - - - -Linn [Page 6] - -RFC 1508 Generic Security Interface September 1993 - - - Tokens are opaque from the viewpoint of GSS-API callers. They are - generated within the GSS-API implementation at an end system, - provided to a GSS-API caller to be transferred to the peer GSS-API - caller at a remote end system, and processed by the GSS-API - implementation at that remote end system. Tokens may be output by - GSS-API primitives (and are to be transferred to GSS-API peers) - independent of the status indications which those primitives - indicate. Token transfer may take place in an in-band manner, - integrated into the same protocol stream used by the GSS-API callers - for other data transfers, or in an out-of-band manner across a - logically separate channel. 
- - Development of GSS-API support primitives based on a particular - underlying cryptographic technique and protocol does not necessarily - imply that GSS-API callers invoking that GSS-API mechanism type will - be able to interoperate with peers invoking the same technique and - protocol outside the GSS-API paradigm. For example, the format of - GSS-API tokens defined in conjunction with a particular mechanism, - and the techniques used to integrate those tokens into callers' - protocols, may not be the same as those used by non-GSS-API callers - of the same underlying technique. - -1.1.3. Security Contexts - - Security contexts are established between peers, using credentials - established locally in conjunction with each peer or received by - peers via delegation. Multiple contexts may exist simultaneously - between a pair of peers, using the same or different sets of - credentials. Coexistence of multiple contexts using different - credentials allows graceful rollover when credentials expire. - Distinction among multiple contexts based on the same credentials - serves applications by distinguishing different message streams in a - security sense. - - The GSS-API is independent of underlying protocols and addressing - structure, and depends on its callers to transport GSS-API-provided - data elements. As a result of these factors, it is a caller - responsibility to parse communicated messages, separating GSS-API- - related data elements from caller-provided data. The GSS-API is - independent of connection vs. connectionless orientation of the - underlying communications service. - - No correlation between security context and communications protocol - association is dictated. (The optional channel binding facility, - discussed in Section 1.1.6 of this document, represents an - intentional exception to this rule, supporting additional protection - features within GSS-API supporting mechanisms.) 
This separation - allows the GSS-API to be used in a wide range of communications - - - -Linn [Page 7] - -RFC 1508 Generic Security Interface September 1993 - - - environments, and also simplifies the calling sequences of the - individual calls. In many cases (depending on underlying security - protocol, associated mechanism, and availability of cached - information), the state information required for context setup can be - sent concurrently with initial signed user data, without interposing - additional message exchanges. - -1.1.4. Mechanism Types - - In order to successfully establish a security context with a target - peer, it is necessary to identify an appropriate underlying mechanism - type (mech_type) which both initiator and target peers support. The - definition of a mechanism embodies not only the use of a particular - cryptographic technology (or a hybrid or choice among alternative - cryptographic technologies), but also definition of the syntax and - semantics of data element exchanges which that mechanism will employ - in order to support security services. - - It is recommended that callers initiating contexts specify the - "default" mech_type value, allowing system-specific functions within - or invoked by the GSS-API implementation to select the appropriate - mech_type, but callers may direct that a particular mech_type be - employed when necessary. 
- - The means for identifying a shared mech_type to establish a security - context with a peer will vary in different environments and - circumstances; examples include (but are not limited to): - - use of a fixed mech_type, defined by configuration, within an - environment - - syntactic convention on a target-specific basis, through - examination of a target's name - - lookup of a target's name in a naming service or other database in - order to identify mech_types supported by that target - - explicit negotiation between GSS-API callers in advance of - security context setup - - When transferred between GSS-API peers, mech_type specifiers (per - Appendix B, represented as Object Identifiers (OIDs)) serve to - qualify the interpretation of associated tokens. (The structure and - encoding of Object Identifiers is defined in ISO/IEC 8824, - "Specification of Abstract Syntax Notation One (ASN.1)" and in - ISO/IEC 8825, "Specification of Basic Encoding Rules for Abstract - Syntax Notation One (ASN.1)".) Use of hierarchically structured OIDs - serves to preclude ambiguous interpretation of mech_type specifiers. - - - -Linn [Page 8] - -RFC 1508 Generic Security Interface September 1993 - - - The OID representing the DASS MechType, for example, is - 1.3.12.2.1011.7.5. - -1.1.5. Naming - - The GSS-API avoids prescription of naming structures, treating the - names transferred across the interface in order to initiate and - accept security contexts as opaque octet string quantities. This - approach supports the GSS-API's goal of implementability atop a range - of underlying security mechanisms, recognizing the fact that - different mechanisms process and authenticate names which are - presented in different forms. 
Generalized services offering
- translation functions among arbitrary sets of naming environments are
- outside the scope of the GSS-API; availability and use of local
- conversion functions to translate among the naming formats supported
- within a given end system is anticipated.
-
- Two distinct classes of name representations are used in conjunction
- with different GSS-API parameters:
-
- a printable form (denoted by OCTET STRING), for acceptance from
- and presentation to users; printable name forms are accompanied by
- OID tags identifying the namespace to which they correspond
-
- an internal form (denoted by INTERNAL NAME), opaque to callers and
- defined by individual GSS-API implementations; GSS-API
- implementations supporting multiple namespace types are
- responsible for maintaining internal tags to disambiguate the
- interpretation of particular names
-
- Tagging of printable names allows GSS-API callers and underlying
- GSS-API mechanisms to disambiguate name types and to determine
- whether an associated name's type is one which they are capable of
- processing, avoiding aliasing problems which could result from
- misinterpreting a name of one type as a name of another type.
-
- In addition to providing means for names to be tagged with types,
- this specification defines primitives to support a level of naming
- environment independence for certain calling applications. To provide
- basic services oriented towards the requirements of callers which
- need not themselves interpret the internal syntax and semantics of
- names, GSS-API calls for name comparison (GSS_Compare_name()),
- human-readable display (GSS_Display_name()), input conversion
- (GSS_Import_name()), and internal name deallocation
- (GSS_Release_name()) functions are defined. (It is anticipated that
- these proposed GSS-API calls will be implemented in many end systems
- based on system-specific name manipulation primitives already extant
- within those end systems; inclusion within the GSS-API is intended to
-
-
-
-Linn [Page 9]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- offer GSS-API callers a portable means to perform specific
- operations, supportive of authorization and audit requirements, on
- authenticated names.)
-
- GSS_Import_name() implementations can, where appropriate, support
- more than one printable syntax corresponding to a given namespace
- (e.g., alternative printable representations for X.500 Distinguished
- Names), allowing flexibility for their callers to select among
- alternative representations. GSS_Display_name() implementations
- output a printable syntax selected as appropriate to their
- operational environments; this selection is a local matter. Callers
- desiring portability across alternative printable syntaxes should
- refrain from implementing comparisons based on printable name forms
- and should instead use the GSS_Compare_name() call to determine
- whether or not one internal-format name matches another.
-
-1.1.6. Channel Bindings
-
- The GSS-API accommodates the concept of caller-provided channel
- binding ("chan_binding") information, used by GSS-API callers to bind
- the establishment of a security context to relevant characteristics
- (e.g., addresses, transformed representations of encryption keys) of
- the underlying communications channel and of protection mechanisms
- applied to that communications channel. Verification by one peer of
- chan_binding information provided by the other peer to a context
- serves to protect against various active attacks. The caller
- initiating a security context must determine the chan_binding values
- before making the GSS_Init_sec_context() call, and consistent values
- must be provided by both peers to a context. Callers should not
- assume that underlying mechanisms provide confidentiality protection
- for channel binding information.
-
- Use or non-use of the GSS-API channel binding facility is a caller
- option, and GSS-API supporting mechanisms can support operation in an
- environment where NULL channel bindings are presented. When non-NULL
- channel bindings are used, certain mechanisms will offer enhanced
- security value by interpreting the bindings' content (rather than
- simply representing those bindings, or signatures computed on them,
- within tokens) and will therefore depend on presentation of specific
- data in a defined format. To this end, agreements among mechanism
- implementors are defining conventional interpretations for the
- contents of channel binding arguments, including address specifiers
- (with content dependent on communications protocol environment) for
- context initiators and acceptors. (These conventions are being
- incorporated into related documents.) In order for GSS-API callers to
- be portable across multiple mechanisms and achieve the full security
- functionality available from each mechanism, it is strongly
- recommended that GSS-API callers provide channel bindings consistent
-
-
-
-Linn [Page 10]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- with these conventions and those of the networking environment in
- which they operate.
-
-1.2. GSS-API Features and Issues
-
- This section describes aspects of GSS-API operations, of the security
- services which the GSS-API provides, and provides commentary on
- design issues.
-
-1.2.1. Status Reporting
-
- Each GSS-API call provides two status return values. Major_status
- values provide a mechanism-independent indication of call status
- (e.g., GSS_COMPLETE, GSS_FAILURE, GSS_CONTINUE_NEEDED), sufficient to
- drive normal control flow within the caller in a generic fashion.
- Table 1 summarizes the defined major_status return codes in tabular
- fashion.
-
- Table 1: GSS-API Major Status Codes
-
- FATAL ERROR CODES
-
- GSS_BAD_BINDINGS channel binding mismatch
- GSS_BAD_MECH unsupported mechanism requested
- GSS_BAD_NAME invalid name provided
- GSS_BAD_NAMETYPE name of unsupported type provided
- GSS_BAD_STATUS invalid input status selector
- GSS_BAD_SIG token had invalid signature
- GSS_CONTEXT_EXPIRED specified security context expired
- GSS_CREDENTIALS_EXPIRED expired credentials detected
- GSS_DEFECTIVE_CREDENTIAL defective credential detected
- GSS_DEFECTIVE_TOKEN defective token detected
- GSS_FAILURE failure, unspecified at GSS-API
- level
- GSS_NO_CONTEXT no valid security context specified
- GSS_NO_CRED no valid credentials provided
-
- INFORMATORY STATUS CODES
-
- GSS_COMPLETE normal completion
- GSS_CONTINUE_NEEDED continuation call to routine
- required
- GSS_DUPLICATE_TOKEN duplicate per-message token
- detected
- GSS_OLD_TOKEN timed-out per-message token
- detected
- GSS_UNSEQ_TOKEN out-of-order per-message token
- detected
-
-
-
-Linn [Page 11]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- Minor_status provides more detailed status information which may
- include status codes specific to the underlying security mechanism.
- Minor_status values are not specified in this document.
-
- GSS_CONTINUE_NEEDED major_status returns, and optional message
- outputs, are provided in GSS_Init_sec_context() and
- GSS_Accept_sec_context() calls so that different mechanisms'
- employment of different numbers of messages within their
- authentication sequences need not be reflected in separate code paths
- within calling applications. Instead, such cases are accomodated with
- sequences of continuation calls to GSS_Init_sec_context() and
- GSS_Accept_sec_context(). The same mechanism is used to encapsulate
- mutual authentication within the GSS-API's context initiation calls.
-
- For mech_types which require interactions with third-party servers in
- order to establish a security context, GSS-API context establishment
- calls may block pending completion of such third-party interactions.
- On the other hand, no GSS-API calls pend on serialized interactions
- with GSS-API peer entities. As a result, local GSS-API status
- returns cannot reflect unpredictable or asynchronous exceptions
- occurring at remote peers, and reflection of such status information
- is a caller responsibility outside the GSS-API.
-
-1.2.2. Per-Message Security Service Availability
-
- When a context is established, two flags are returned to indicate the
- set of per-message protection security services which will be
- available on the context:
-
- the integ_avail flag indicates whether per-message integrity and
- data origin authentication services are available
-
- the conf_avail flag indicates whether per-message confidentiality
- services are available, and will never be returned TRUE unless the
- integ_avail flag is also returned TRUE
-
- GSS-API callers desiring per-message security services should
- check the values of these flags at context establishment time, and
- must be aware that a returned FALSE value for integ_avail means
- that invocation of GSS_Sign() or GSS_Seal() primitives on the
- associated context will apply no cryptographic protection to user
- data messages.
-
- The GSS-API per-message protection service primitives, as the
- category name implies, are oriented to operation at the granularity
- of protocol data units. They perform cryptographic operations on the
- data units, transfer cryptographic control information in tokens,
- and, in the case of GSS_Seal(), encapsulate the protected data unit.
-
-
-
-Linn [Page 12]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- As such, these primitives are not oriented to efficient data
- protection for stream-paradigm protocols (e.g., Telnet) if
- cryptography must be applied on an octet-by-octet basis.
-
-1.2.3. Per-Message Replay Detection and Sequencing
-
- Certain underlying mech_types are expected to offer support for
- replay detection and/or sequencing of messages transferred on the
- contexts they support. These optionally-selectable protection
- features are distinct from replay detection and sequencing features
- applied to the context establishment operation itself; the presence
- or absence of context-level replay or sequencing features is wholly a
- function of the underlying mech_type's capabilities, and is not
- selected or omitted as a caller option.
-
- The caller initiating a context provides flags (replay_det_req_flag
- and sequence_req_flag) to specify whether the use of per-message
- replay detection and sequencing features is desired on the context
- being established. The GSS-API implementation at the initiator system
- can determine whether these features are supported (and whether they
- are optionally selectable) as a function of mech_type, without need
- for bilateral negotiation with the target. When enabled, these
- features provide recipients with indicators as a result of GSS-API
- processing of incoming messages, identifying whether those messages
- were detected as duplicates or out-of-sequence. Detection of such
- events does not prevent a suspect message from being provided to a
- recipient; the appropriate course of action on a suspect message is a
- matter of caller policy.
-
- The semantics of the replay detection and sequencing services applied
- to received messages, as visible across the interface which the GSS-
- API provides to its clients, are as follows:
-
- When replay_det_state is TRUE, the possible major_status returns for
- well-formed and correctly signed messages are as follows:
-
- 1. GSS_COMPLETE indicates that the message was within the window
- (of time or sequence space) allowing replay events to be detected,
- and that the message was not a replay of a previously-processed
- message within that window.
-
- 2. GSS_DUPLICATE_TOKEN indicates that the signature on the
- received message was correct, but that the message was recognized
- as a duplicate of a previously-processed message.
-
- 3. GSS_OLD_TOKEN indicates that the signature on the received
- message was correct, but that the message is too old to be checked
- for duplication.
-
-
-
-Linn [Page 13]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- When sequence_state is TRUE, the possible major_status returns for
- well-formed and correctly signed messages are as follows:
-
- 1. GSS_COMPLETE indicates that the message was within the window
- (of time or sequence space) allowing replay events to be detected,
- and that the message was not a replay of a previously-processed
- message within that window.
-
- 2. GSS_DUPLICATE_TOKEN indicates that the signature on the
- received message was correct, but that the message was recognized
- as a duplicate of a previously-processed message.
-
- 3. GSS_OLD_TOKEN indicates that the signature on the received
- message was correct, but that the token is too old to be checked
- for duplication.
-
- 4. GSS_UNSEQ_TOKEN indicates that the signature on the received
- message was correct, but that it is earlier in a sequenced stream
- than a message already processed on the context. [Note:
- Mechanisms can be architected to provide a stricter form of
- sequencing service, delivering particular messages to recipients
- only after all predecessor messages in an ordered stream have been
- delivered. This type of support is incompatible with the GSS-API
- paradigm in which recipients receive all messages, whether in
- order or not, and provide them (one at a time, without intra-GSS-
- API message buffering) to GSS-API routines for validation. GSS-
- API facilities provide supportive functions, aiding clients to
- achieve strict message stream integrity in an efficient manner in
- conjunction with sequencing provisions in communications
- protocols, but the GSS-API does not offer this level of message
- stream integrity service by itself.]
-
- As the message stream integrity features (especially sequencing) may
- interfere with certain applications' intended communications
- paradigms, and since support for such features is likely to be
- resource intensive, it is highly recommended that mech_types
- supporting these features allow them to be activated selectively on
- initiator request when a context is established. A context initiator
- and target are provided with corresponding indicators
- (replay_det_state and sequence_state), signifying whether these
- features are active on a given context.
-
- An example mech_type supporting per-message replay detection could
- (when replay_det_state is TRUE) implement the feature as follows: The
- underlying mechanism would insert timestamps in data elements output
- by GSS_Sign() and GSS_Seal(), and would maintain (within a time-
- limited window) a cache (qualified by originator-recipient pair)
- identifying received data elements processed by GSS_Verify() and
-
-
-
-Linn [Page 14]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- GSS_Unseal(). When this feature is active, exception status returns
- (GSS_DUPLICATE_TOKEN, GSS_ OLD_TOKEN) will be provided when
- GSS_Verify() or GSS_Unseal() is presented with a message which is
- either a detected duplicate of a prior message or which is too old to
- validate against a cache of recently received messages.
-
-1.2.4. Quality of Protection
-
- Some mech_types will provide their users with fine granularity
- control over the means used to provide per-message protection,
- allowing callers to trade off security processing overhead
- dynamically against the protection requirements of particular
- messages. A per-message quality-of-protection parameter (analogous to
- quality-of-service, or QOS) selects among different QOP options
- supported by that mechanism. On context establishment for a multi-QOP
- mech_type, context-level data provides the prerequisite data for a
- range of protection qualities.
-
- It is expected that the majority of callers will not wish to exert
- explicit mechanism-specific QOP control and will therefore request
- selection of a default QOP. Definitions of, and choices among, non-
- default QOP values are mechanism-specific, and no ordered sequences
- of QOP values can be assumed equivalent across different mechanisms.
- Meaningful use of non-default QOP values demands that callers be
- familiar with the QOP definitions of an underlying mechanism or
- mechanisms, and is therefore a non-portable construct.
-
-2. Interface Descriptions
-
- This section describes the GSS-API's service interface, dividing the
- set of calls offered into four groups. Credential management calls
- are related to the acquisition and release of credentials by
- principals. Context-level calls are related to the management of
- security contexts between principals. Per-message calls are related
- to the protection of individual messages on established security
- contexts. Support calls provide ancillary functions useful to GSS-API
- callers. Table 2 groups and summarizes the calls in tabular fashion.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Linn [Page 15]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- Table 2: GSS-API Calls
-
- CREDENTIAL MANAGEMENT
-
- GSS_Acquire_cred acquire credentials for use
- GSS_Release_cred release credentials after use
- GSS_Inquire_cred display information about
- credentials
-
- CONTEXT-LEVEL CALLS
-
- GSS_Init_sec_context initiate outbound security context
- GSS_Accept_sec_context accept inbound security context
- GSS_Delete_sec_context flush context when no longer needed
- GSS_Process_context_token process received control token on
- context
- GSS_Context_time indicate validity time remaining on
- context
-
- PER-MESSAGE CALLS
-
- GSS_Sign apply signature, receive as token
- separate from message
- GSS_Verify validate signature token along with
- message
- GSS_Seal sign, optionally encrypt,
- encapsulate
- GSS_Unseal decapsulate, decrypt if needed,
- validate signature
-
- SUPPORT CALLS
-
- GSS_Display_status translate status codes to printable
- form
- GSS_Indicate_mechs indicate mech_types supported on
- local system
- GSS_Compare_name compare two names for equality
- GSS_Display_name translate name to printable form
- GSS_Import_name convert printable name to
- normalized form
- GSS_Release_name free storage of normalized-form
- name
- GSS_Release_buffer free storage of printable name
- GSS_Release_oid_set free storage of OID set object
-
-
-
-
-
-
-
-Linn [Page 16]
-
-RFC 1508 Generic Security Interface September 1993
-
-
-2.1. Credential management calls
-
- These GSS-API calls provide functions related to the management of
- credentials. Their characterization with regard to whether or not
- they may block pending exchanges with other network entities (e.g.,
- directories or authentication servers) depends in part on OS-specific
- (extra-GSS-API) issues, so is not specified in this document.
- - The GSS_Acquire_cred() call is defined within the GSS-API in support - of application portability, with a particular orientation towards - support of portable server applications. It is recognized that (for - certain systems and mechanisms) credentials for interactive users may - be managed differently from credentials for server processes; in such - environments, it is the GSS-API implementation's responsibility to - distinguish these cases and the procedures for making this - distinction are a local matter. The GSS_Release_cred() call provides - a means for callers to indicate to the GSS-API that use of a - credentials structure is no longer required. The GSS_Inquire_cred() - call allows callers to determine information about a credentials - structure. - -2.1.1. GSS_Acquire_cred call - - Inputs: - - o desired_name INTERNAL NAME, -NULL requests locally-determined - default - - o lifetime_req INTEGER,-in seconds; 0 requests default - - o desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests - system-selected default - - o cred_usage INTEGER-0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle OCTET STRING, - - o actual_mechs SET OF OBJECT IDENTIFIER, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - - -Linn [Page 17] - -RFC 1508 Generic Security Interface September 1993 - - - Return major_status codes: - - o GSS_COMPLETE indicates that requested credentials were - successfully established, for the duration indicated in - lifetime_rec, suitable for the usage requested in cred_usage, for - the set of mech_types indicated in actual_mechs, and that those - credentials can be referenced for subsequent use with the handle - returned in output_cred_handle. - - o GSS_BAD_MECH indicates that a mech_type unsupported by the GSS-API - implementation type was requested, causing the credential - establishment operation to fail. 
-
- o GSS_BAD_NAMETYPE indicates that the provided desired_name is
- uninterpretable or of a type unsupported by the supporting GSS-API
- implementation, so no credentials could be established for the
- accompanying desired_name.
-
- o GSS_BAD_NAME indicates that the provided desired_name is
- inconsistent in terms of internally-incorporated type specifier
- information, so no credentials could be established for the
- accompanying desired_name.
-
- o GSS_FAILURE indicates that credential establishment failed for
- reasons unspecified at the GSS-API level, including lack of
- authorization to establish and use credentials associated with the
- identity named in the input desired_name argument.
-
- GSS_Acquire_cred() is used to acquire credentials so that a
- principal can (as a function of the input cred_usage parameter)
- initiate and/or accept security contexts under the identity
- represented by the desired_name input argument. On successful
- completion, the returned output_cred_handle result provides a handle
- for subsequent references to the acquired credentials. Typically,
- single-user client processes using only default credentials for
- context establishment purposes will have no need to invoke this call.
-
- A caller may provide the value NULL for desired_name, signifying a
- request for credentials corresponding to a default principal
- identity. The procedures used by GSS-API implementations to select
- the appropriate principal identity in response to this form of
- request are local matters. It is possible that multiple pre-
- established credentials may exist for the same principal identity
- (for example, as a result of multiple user login sessions) when
- GSS_Acquire_cred() is called; the means used in such cases to select
- a specific credential are local matters. The input lifetime_req
- argument to GSS_Acquire_cred() may provide useful information for
- local GSS-API implementations to employ in making this disambiguation
-
-
-
-Linn [Page 18]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- in a manner which will best satisfy a caller's intent.
-
- The lifetime_rec result indicates the length of time for which the
- acquired credentials will be valid, as an offset from the present. A
- mechanism may return a reserved value indicating INDEFINITE if no
- constraints on credential lifetime are imposed. A caller of
- GSS_Acquire_cred() can request a length of time for which acquired
- credentials are to be valid (lifetime_req argument), beginning at the
- present, or can request credentials with a default validity interval.
- (Requests for postdated credentials are not supported within the
- GSS-API.) Certain mechanisms and implementations may bind in
- credential validity period specifiers at a point preliminary to
- invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
- user login procedures). As a result, callers requesting non-default
- values for lifetime_req must recognize that such requests cannot
- always be honored and must be prepared to accommodate the use of
- returned credentials with different lifetimes as indicated in
- lifetime_rec.
-
- The caller of GSS_Acquire_cred() can explicitly specify a set of
- mech_types which are to be accommodated in the returned credentials
- (desired_mechs argument), or can request credentials for a system-
- defined default set of mech_types. Selection of the system-specified
- default set is recommended in the interests of application
- portability. The actual_mechs return value may be interrogated by the
- caller to determine the set of mechanisms with which the returned
- credentials may be used.
-
-2.1.2. GSS_Release_cred call
-
- Input:
-
- o cred_handle OCTET STRING-NULL specifies default credentials
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the credentials referenced by the
- input cred_handle were released for purposes of subsequent access
- by the caller. The effect on other processes which may be
- authorized shared access to such credentials is a local matter.
-
-
-
-
-
-Linn [Page 19]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o GSS_NO_CRED indicates that no release operation was performed,
- either because the input cred_handle was invalid or because the
- caller lacks authorization to access the referenced credentials.
-
- o GSS_FAILURE indicates that the release operation failed for
- reasons unspecified at the GSS-API level.
-
- Provides a means for a caller to explicitly request that credentials
- be released when their use is no longer required. Note that system-
- specific credential management functions are also likely to exist,
- for example to assure that credentials shared among processes are
- properly deleted when all affected processes terminate, even if no
- explicit release requests are issued by those processes. Given the
- fact that multiple callers are not precluded from gaining authorized
- access to the same credentials, invocation of GSS_Release_cred()
- cannot be assumed to delete a particular set of credentials on a
- system-wide basis.
-
-2.1.3.
GSS_Inquire_cred call - - Input: - - o cred_handle OCTET STRING -NULL specifies default credentials - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, and that the output - cred_name, lifetime_rec, and cred_usage values represent, - respectively, the credentials' associated principal name, - remaining lifetime, suitable usage modes, and supported - mechanism types. - - - -Linn [Page 20] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks - authorization to access the referenced credentials. - - o GSS_FAILURE indicates that the release operation failed for - reasons unspecified at the GSS-API level. - - The GSS_Inquire_cred() call is defined primarily for the use of - those callers which make use of default credentials rather than - acquiring credentials explicitly with GSS_Acquire_cred(). It enables - callers to determine a credential structure's associated principal - name, remaining validity period, usability for security context - initiation and/or acceptance, and supported mechanisms. - -2.2. Context-level calls - - This group of calls is devoted to the establishment and management of - security contexts between peers. A context's initiator calls - GSS_Init_sec_context(), resulting in generation of a token which the - caller passes to the target. At the target, that token is passed to - GSS_Accept_sec_context(). 
Depending on the underlying mech_type and - specified options, additional token exchanges may be performed in the - course of context establishment; such exchanges are accommodated by - GSS_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and - GSS_Accept_sec_context(). Either party to an established context may - invoke GSS_Delete_sec_context() to flush context information when a - context is no longer required. GSS_Process_context_token() is used - to process received tokens carrying context-level control - information. GSS_Context_time() allows a caller to determine the - length of time for which an established context will remain valid. - -2.2.1. GSS_Init_sec_context call - - Inputs: - - o claimant_cred_handle OCTET STRING, -NULL specifies "use - default" - - o input_context_handle INTEGER, -0 specifies "none assigned - yet" - - o targ_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use - default" - - o deleg_req_flag BOOLEAN, - - - -Linn [Page 21] - -RFC 1508 Generic Security Interface September 1993 - - - o mutual_req_flag BOOLEAN, - - o replay_det_req_flag BOOLEAN, - - o sequence_req_flag BOOLEAN, - - o lifetime_req INTEGER,-0 specifies default lifetime - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING-NULL or token received from target - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_context_handle INTEGER, - - o mech_type OBJECT IDENTIFIER, -actual mechanism always - indicated, never NULL - - o output_token OCTET STRING, -NULL or token to pass to context - target - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - This call may block pending network interactions for those mech_types - in which an authentication server or other network entity must be - consulted on behalf 
of a context initiator in order to generate an - output_token suitable for presentation to a specified target. - - Return major_status codes: - - - - -Linn [Page 22] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_COMPLETE indicates that context-level information was - successfully initialized, and that the returned output_token will - provide sufficient information for the target to perform per- - message processing on the newly-established context. - - o GSS_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the target, and that a reply - must be received and passed as the input_token argument to a - continuation call to GSS_Init_sec_context(), before per-message - processing can be performed in conjunction with this context. - - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the input_token failed, preventing further processing from being - performed based on that token. - - o GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks - performed on the credential structure referenced by - claimant_cred_handle failed, preventing further processing from - being performed using that credential structure. - - o GSS_BAD_SIG indicates that the received input_token contains an - incorrect signature, so context setup cannot be accomplished. - - o GSS_NO_CRED indicates that no context was established, either - because the input cred_handle was invalid, because the referenced - credentials are valid for context acceptor use only, or because - the caller lacks authorization to access the referenced - credentials. - - o GSS_CREDENTIALS_EXPIRED indicates that the credentials provided - through the input claimant_cred_handle argument are no longer - valid, so context establishment cannot be completed. 
- - o GSS_BAD_BINDINGS indicates that a mismatch between the caller- - provided chan_bindings and those extracted from the input_token - was detected, signifying a security-relevant event and preventing - context establishment. (This result will be returned by - GSS_Init_sec_context only for contexts where mutual_state is - TRUE.) - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided; this major status will be - returned only for successor calls following GSS_CONTINUE_NEEDED - status returns. - - o GSS_BAD_NAMETYPE indicates that the provided targ_name is of a - type uninterpretable or unsupported by the supporting GSS-API - implementation, so context establishment cannot be completed. - - - -Linn [Page 23] - -RFC 1508 Generic Security Interface September 1993 - - - o GSS_BAD_NAME indicates that the provided targ_name is inconsistent - in terms of internally-incorporated type specifier information, so - context establishment cannot be accomplished. - - o GSS_FAILURE indicates that context setup could not be accomplished - for reasons unspecified at the GSS-API level, and that no - interface-defined recovery action is available. - - This routine is used by a context initiator, and ordinarily emits one - (or, for the case of a multi-step exchange, more than one) - output_token suitable for use by the target within the selected - mech_type's protocol. Using information in the credentials structure - referenced by claimant_cred_handle, GSS_Init_sec_context() - initializes the data structures required to establish a security - context with target targ_name. 
The claimant_cred_handle must - correspond to the same valid credentials structure on the initial - call to GSS_Init_sec_context() and on any successor calls resulting - from GSS_CONTINUE_NEEDED status returns; different protocol sequences - modeled by the GSS_CONTINUE_NEEDED mechanism will require access to - credentials at different points in the context establishment - sequence. - - The input_context_handle argument is 0, specifying "not yet - assigned", on the first GSS_Init_sec_context() call relating to a - given context. That call returns an output_context_handle for future - references to this context. When continuation attempts to - GSS_Init_sec_context() are needed to perform context establishment, - the previously-returned non-zero handle value is entered into the - input_context_handle argument and will be echoed in the returned - output_context_handle argument. On such continuation attempts (and - only on continuation attempts) the input_token value is used, to - provide the token returned from the context's target. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. - - The input_token argument contains a message received from the target, - and is significant only on a call to GSS_Init_sec_context() which - follows a previous return indicating GSS_CONTINUE_NEEDED - major_status. - - It is the caller's responsibility to establish a communications path - to the target, and to transmit any returned output_token (independent - of the accompanying returned major_status value) to the target over - that path. 
The output_token can, however, be transmitted along with - - - -Linn [Page 24] - -RFC 1508 Generic Security Interface September 1993 - - - the first application-provided input message to be processed by - GSS_Sign() or GSS_Seal() in conjunction with a successfully- - established context. - - The initiator may request various context-level functions through - input flags: the deleg_req_flag requests delegation of access rights, - the mutual_req_flag requests mutual authentication, the - replay_det_req_flag requests that replay detection features be - applied to messages transferred on the established context, and the - sequence_req_flag requests that sequencing be enforced. (See Section - 1.2.3 for more information on replay detection and sequencing - features.) - - Not all of the optionally-requestable features will be available in - all underlying mech_types; the corresponding return state values - (deleg_state, mutual_state, replay_det_state, sequence_state) - indicate, as a function of mech_type processing capabilities and - initiator-provided input flags, the set of features which will be - active on the context. These state indicators' values are undefined - unless the routine's major_status indicates COMPLETE. Failure to - provide the precise set of features requested by the caller does not - cause context establishment to fail; it is the caller's prerogative - to delete the context if the feature set provided is unsuitable for - the caller's use. The returned mech_type value indicates the - specific mechanism employed on the context, and will never indicate - the value for "default". - - The conf_avail return value indicates whether the context supports - per-message confidentiality services, and so informs the caller - whether or not a request for encryption through the conf_req_flag - input to GSS_Seal() can be honored. 
In similar fashion, the
- integ_avail return value indicates whether per-message integrity
- services are available (through either GSS_Sign() or GSS_Seal()) on
- the established context.
-
- The lifetime_req input specifies a desired upper bound for the
- lifetime of the context to be established, with a value of 0 used to
- request a default lifetime. The lifetime_rec return value indicates
- the length of time for which the context will be valid, expressed as
- an offset from the present; depending on mechanism capabilities,
- credential lifetimes, and local policy, it may not correspond to the
- value requested in lifetime_req. If no constraints on context
- lifetime are imposed, this may be indicated by returning a reserved
- value representing INDEFINITE lifetime_req. The values of conf_avail,
- integ_avail, and lifetime_rec are undefined unless the routine's
- major_status indicates COMPLETE.
-
- If the mutual_state is TRUE, this fact will be reflected within the
-
-
-
-Linn [Page 25]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- output_token. A call to GSS_Accept_sec_context() at the target in
- conjunction with such a context will return a token, to be processed
- by a continuation call to GSS_Init_sec_context(), in order to achieve
- mutual authentication.
-
-2.2.2.
GSS_Accept_sec_context call - - Inputs: - - o acceptor_cred_handle OCTET STRING,-NULL specifies "use - default" - - o input_context_handle INTEGER, -0 specifies "not yet assigned" - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o src_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, - - o output_context_handle INTEGER, - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER, - in seconds, or reserved value for - INDEFINITE - - o delegated_cred_handle OCTET STRING, - - o output_token OCTET STRING -NULL or token to pass to context - - - -Linn [Page 26] - -RFC 1508 Generic Security Interface September 1993 - - - initiator - - This call may block pending network interactions for those mech_types - in which a directory service or other network entity must be - consulted on behalf of a context acceptor in order to validate a - received input_token. - - Return major_status codes: - - o GSS_COMPLETE indicates that context-level data structures were - successfully initialized, and that per-message processing can now - be performed in conjunction with this context. - - o GSS_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the initiator, and that a - response must be received and passed as the input_token argument - to a continuation call to GSS_Accept_sec_context(), before per- - message processing can be performed in conjunction with this - context. - - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the input_token failed, preventing further processing from being - performed based on that token. 
-
- o GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks
- performed on the credential structure referenced by
- acceptor_cred_handle failed, preventing further processing from
- being performed using that credential structure.
-
- o GSS_BAD_SIG indicates that the received input_token contains an
- incorrect signature, so context setup cannot be accomplished.
-
- o GSS_DUPLICATE_TOKEN indicates that the signature on the received
- input_token was correct, but that the input_token was recognized
- as a duplicate of an input_token already processed. No new context
- is established.
-
- o GSS_OLD_TOKEN indicates that the signature on the received
- input_token was correct, but that the input_token is too old to be
- checked for duplication against previously-processed input_tokens.
- No new context is established.
-
- o GSS_NO_CRED indicates that no context was established, either
- because the input cred_handle was invalid, because the referenced
- credentials are valid for context initiator use only, or because
- the caller lacks authorization to access the referenced
- credentials.
-
-
-
-
-Linn [Page 27]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o GSS_CREDENTIALS_EXPIRED indicates that the credentials provided
- through the input acceptor_cred_handle argument are no longer
- valid, so context establishment cannot be completed.
-
- o GSS_BAD_BINDINGS indicates that a mismatch between the caller-
- provided chan_bindings and those extracted from the input_token
- was detected, signifying a security-relevant event and preventing
- context establishment.
-
- o GSS_NO_CONTEXT indicates that no valid context was recognized for
- the input context_handle provided; this major status will be
- returned only for successor calls following GSS_CONTINUE_NEEDED
- status returns.
-
- o GSS_FAILURE indicates that context setup could not be accomplished
- for reasons unspecified at the GSS-API level, and that no
- interface-defined recovery action is available.
-
- The GSS_Accept_sec_context() routine is used by a context target.
- Using information in the credentials structure referenced by the
- input acceptor_cred_handle, it verifies the incoming input_token and
- (following the successful completion of a context establishment
- sequence) returns the authenticated src_name and the mech_type used.
- The acceptor_cred_handle must correspond to the same valid
- credentials structure on the initial call to GSS_Accept_sec_context()
- and on any successor calls resulting from GSS_CONTINUE_NEEDED status
- returns; different protocol sequences modeled by the
- GSS_CONTINUE_NEEDED mechanism will require access to credentials at
- different points in the context establishment sequence.
-
- The input_context_handle argument is 0, specifying "not yet
- assigned", on the first GSS_Accept_sec_context() call relating to a
- given context. That call returns an output_context_handle for future
- references to this context; when continuation attempts to
- GSS_Accept_sec_context() are needed to perform context
- establishment, that handle value will be entered into the
- input_context_handle argument.
-
- The chan_bindings argument is used by the caller to provide
- information binding the security context to security-related
- characteristics (e.g., addresses, cryptographic keys) of the
- underlying communications channel. See Section 1.1.6 of this document
- for more discussion of this argument's usage.
-
- The returned state results (deleg_state, mutual_state,
- replay_det_state, and sequence_state) reflect the same context state
- values as returned to GSS_Init_sec_context()'s caller at the
- initiator system.
-
-
-
-Linn [Page 28]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- The conf_avail return value indicates whether the context supports
- per-message confidentiality services, and so informs the caller
- whether or not a request for encryption through the conf_req_flag
- input to GSS_Seal() can be honored. In similar fashion, the
- integ_avail return value indicates whether per-message integrity
- services are available (through either GSS_Sign() or GSS_Seal()) on
- the established context.
-
- The lifetime_rec return value indicates the length of time for which
- the context will be valid, expressed as an offset from the present.
- The values of deleg_state, mutual_state, replay_det_state,
- sequence_state, conf_avail, integ_avail, and lifetime_rec are
- undefined unless the accompanying major_status indicates COMPLETE.
-
- The delegated_cred_handle result is significant only when deleg_state
- is TRUE, and provides a means for the target to reference the
- delegated credentials. The output_token result, when non-NULL,
- provides a context-level token to be returned to the context
- initiator to continue a multi-step context establishment sequence. As
- noted with GSS_Init_sec_context(), any returned token should be
- transferred to the context's peer (in this case, the context
- initiator), independent of the value of the accompanying returned
- major_status.
-
- Note: A target must be able to distinguish a context-level
- input_token, which is passed to GSS_Accept_sec_context(), from the
- per-message data elements passed to GSS_Verify() or GSS_Unseal().
- These data elements may arrive in a single application message, and
- GSS_Accept_sec_context() must be performed before per-message
- processing can be performed successfully.
-
-2.2.3.
GSS_Delete_sec_context call
-
- Input:
-
- o context_handle INTEGER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_context_token OCTET STRING
-
- Return major_status codes:
-
-
-
-
-
-Linn [Page 29]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o GSS_COMPLETE indicates that the context was recognized, that
- relevant context-specific information was flushed, and that the
- returned output_context_token is ready for transfer to the
- context's peer.
-
- o GSS_NO_CONTEXT indicates that no valid context was recognized for
- the input context_handle provide, so no deletion was performed.
-
- o GSS_FAILURE indicates that the context is recognized, but that the
- GSS_Delete_sec_context() operation could not be performed for
- reasons unspecified at the GSS-API level.
-
- This call may block pending network interactions for mech_types in
- which active notification must be made to a central server when a
- security context is to be deleted.
-
- This call can be made by either peer in a security context, to flush
- context-specific information and to return an output_context_token
- which can be passed to the context's peer informing it that the
- peer's corresponding context information can also be flushed. (Once a
- context is established, the peers involved are expected to retain
- cached credential and context-related information until the
- information's expiration time is reached or until a
- GSS_Delete_sec_context() call is made.) Attempts to perform per-
- message processing on a deleted context will result in error returns.
-
-2.2.4. GSS_Process_context_token call
-
- Inputs:
-
- o context_handle INTEGER,
-
- o input_context_token OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the input_context_token was
- successfully processed in conjunction with the context referenced
- by context_handle.
- - o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on - the received context_token failed, preventing further processing - - - -Linn [Page 30] - -RFC 1508 Generic Security Interface September 1993 - - - from being performed with that token. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. - - o GSS_FAILURE indicates that the context is recognized, but that the - GSS_Process_context_token() operation could not be performed for - reasons unspecified at the GSS-API level. - - This call is used to process context_tokens received from a peer once - a context has been established, with corresponding impact on - context-level state information. One use for this facility is - processing of the context_tokens generated by - GSS_Delete_sec_context(); GSS_Process_context_token() will not block - pending network interactions for that purpose. Another use is to - process tokens indicating remote-peer context establishment failures - after the point where the local GSS-API implementation has already - indicated GSS_COMPLETE status. - -2.2.5. GSS_Context_time call - - Input: - - o context_handle INTEGER, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - Return major_status codes: - - o GSS_COMPLETE indicates that the referenced context is valid, and - will remain valid for the amount of time indicated in - lifetime_rec. - - o GSS_CONTEXT_EXPIRED indicates that data items related to the - referenced context have expired. - - o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized, - but that its associated credentials have expired. - - o GSS_NO_CONTEXT indicates that no valid context was recognized for - the input context_handle provided. 
-
-
-
-Linn [Page 31]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o GSS_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level.
-
- This call is used to determine the amount of time for which a
- currently established context will remain valid.
-
-2.3. Per-message calls
-
- This group of calls is used to perform per-message protection
- processing on an established security context. None of these calls
- block pending network interactions. These calls may be invoked by a
- context's initiator or by the context's target. The four members of
- this group should be considered as two pairs; the output from
- GSS_Sign() is properly input to GSS_Verify(), and the output from
- GSS_Seal() is properly input to GSS_Unseal().
-
- GSS_Sign() and GSS_Verify() support data origin authentication and
- data integrity services. When GSS_Sign() is invoked on an input
- message, it yields a per-message token containing data items which
- allow underlying mechanisms to provide the specified security
- services. The original message, along with the generated per-message
- token, is passed to the remote peer; these two data elements are
- processed by GSS_Verify(), which validates the message in
- conjunction with the separate token.
-
- GSS_Seal() and GSS_Unseal() support caller-requested confidentiality
- in addition to the data origin authentication and data integrity
- services offered by GSS_Sign() and GSS_Verify(). GSS_Seal() outputs
- a single data element, encapsulating optionally enciphered user data
- as well as associated token data items. The data element output from
- GSS_Seal() is passed to the remote peer and processed by
- GSS_Unseal() at that system. GSS_Unseal() combines decipherment (as
- required) with validation of data items related to authentication and
- integrity.
-
-2.3.1.
GSS_Sign call
-
- Inputs:
-
- o context_handle INTEGER,
-
- o qop_req INTEGER,-0 specifies default QOP
-
- o message OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
-
-
-Linn [Page 32]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o minor_status INTEGER,
-
- o per_msg_token OCTET STRING
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that a signature, suitable for an
- established security context, was successfully applied and that
- the message and corresponding per_msg_token are ready for
- transmission.
-
- o GSS_CONTEXT_EXPIRED indicates that context-related data items have
- expired, so that the requested operation cannot be performed.
-
- o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
- but that its associated credentials have expired, so that the
- requested operation cannot be performed.
-
- o GSS_NO_CONTEXT indicates that no valid context was recognized for
- the input context_handle provided.
-
- o GSS_FAILURE indicates that the context is recognized, but that the
- requested operation could not be performed for reasons unspecified
- at the GSS-API level.
-
- Using the security context referenced by context_handle, apply a
- signature to the input message (along with timestamps and/or other
- data included in support of mech_type-specific mechanisms) and return
- the result in per_msg_token. The qop_req parameter allows quality-
- of-protection control. The caller passes the message and the
- per_msg_token to the target.
-
- The GSS_Sign() function completes before the message and
- per_msg_token is sent to the peer; successful application of
- GSS_Sign() does not guarantee that a corresponding GSS_Verify() has
- been (or can necessarily be) performed successfully when the message
- arrives at the destination.
-
-2.3.2.
GSS_Verify call
-
- Inputs:
-
- o context_handle INTEGER,
-
- o message OCTET STRING,
-
- o per_msg_token OCTET STRING
-
-
-
-
-Linn [Page 33]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- Outputs:
-
- o qop_state INTEGER,
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the message was successfully verified.
-
- o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
- the received per_msg_token failed, preventing further processing
- from being performed with that token.
-
- o GSS_BAD_SIG indicates that the received per_msg_token contains an
- incorrect signature for the message.
-
- o GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values
- appear in conjunction with the optional per-message replay
- detection features described in Section 1.2.3; their semantics are
- described in that section.
-
- o GSS_CONTEXT_EXPIRED indicates that context-related data items have
- expired, so that the requested operation cannot be performed.
-
- o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
- but that its associated credentials have expired, so that the
- requested operation cannot be performed.
-
- o GSS_NO_CONTEXT indicates that no valid context was recognized for
- the input context_handle provided.
-
- o GSS_FAILURE indicates that the context is recognized, but that the
- GSS_Verify() operation could not be performed for reasons
- unspecified at the GSS-API level.
-
- Using the security context referenced by context_handle, verify that
- the input per_msg_token contains an appropriate signature for the
- input message, and apply any active replay detection or sequencing
- features. Return an indication of the quality-of-protection applied
- to the processed message in the qop_state result.
-
-
-
-
-
-
-
-
-Linn [Page 34]
-
-RFC 1508 Generic Security Interface September 1993
-
-
-2.3.3.
GSS_Seal call
-
- Inputs:
-
- o context_handle INTEGER,
-
- o conf_req_flag BOOLEAN,
-
- o qop_req INTEGER,-0 specifies default QOP
-
- o input_message OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o conf_state BOOLEAN,
-
- o output_message OCTET STRING
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the input_message was successfully
- processed and that the output_message is ready for transmission.
-
- o GSS_CONTEXT_EXPIRED indicates that context-related data items have
- expired, so that the requested operation cannot be performed.
-
- o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
- but that its associated credentials have expired, so that the
- requested operation cannot be performed.
-
- o GSS_NO_CONTEXT indicates that no valid context was recognized for
- the input context_handle provided.
-
- o GSS_FAILURE indicates that the context is recognized, but that the
- GSS_Seal() operation could not be performed for reasons
- unspecified at the GSS-API level.
-
- Performs the data origin authentication and data integrity functions
- of GSS_Sign(). If the input conf_req_flag is TRUE, requests that
- confidentiality be applied to the input_message. Confidentiality may
- not be supported in all mech_types or by all implementations; the
- returned conf_state flag indicates whether confidentiality was
- provided for the input_message. The qop_req parameter allows
- quality-of-protection control.
-
-
-
-Linn [Page 35]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- In all cases, the GSS_Seal() call yields a single output_message
- data element containing (optionally enciphered) user data as well as
- control information.
-
-2.3.4.
GSS_Unseal call
-
- Inputs:
-
- o context_handle INTEGER,
-
- o input_message OCTET STRING
-
- Outputs:
-
- o conf_state BOOLEAN,
-
- o qop_state INTEGER,
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_message OCTET STRING
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the input_message was successfully
- processed and that the resulting output_message is available.
-
- o GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
- the per_msg_token extracted from the input_message failed,
- preventing further processing from being performed.
-
- o GSS_BAD_SIG indicates that an incorrect signature was detected for
- the message.
-
- o GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values
- appear in conjunction with the optional per-message replay
- detection features described in Section 1.2.3; their semantics are
- described in that section.
-
- o GSS_CONTEXT_EXPIRED indicates that context-related data items have
- expired, so that the requested operation cannot be performed.
-
- o GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
- but that its associated credentials have expired, so that the
- requested operation cannot be performed.
-
-
-
-
-Linn [Page 36]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o GSS_NO_CONTEXT indicates that no valid context was recognized for
- the input context_handle provided.
-
- o GSS_FAILURE indicates that the context is recognized, but that the
- GSS_Unseal() operation could not be performed for reasons
- unspecified at the GSS-API level.
-
- Processes a data element generated (and optionally enciphered) by
- GSS_Seal(), provided as input_message. The returned conf_state value
- indicates whether confidentiality was applied to the input_message.
- If conf_state is TRUE, GSS_Unseal() deciphers the input_message.
- Returns an indication of the quality-of-protection applied to the
- processed message in the qop_state result.
GSS_Seal() performs the
- data integrity and data origin authentication checking functions of
- GSS_Verify() on the plaintext data. Plaintext data is returned in
- output_message.
-
-2.4. Support calls
-
- This group of calls provides support functions useful to GSS-API
- callers, independent of the state of established contexts. Their
- characterization with regard to blocking or non-blocking status in
- terms of network interactions is unspecified.
-
-2.4.1. GSS_Display_status call
-
- Inputs:
-
- o status_value INTEGER,-GSS-API major_status or minor_status
- return value
-
- o status_type INTEGER,-1 if major_status, 2 if minor_status
-
- o mech_type OBJECT IDENTIFIER-mech_type to be used for minor_
- status translation
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o status_string_set SET OF OCTET STRING
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that a valid printable status
- representation (possibly representing more than one status event
-
-
-
-Linn [Page 37]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- encoded within the status_value) is available in the returned
- status_string_set.
-
- o GSS_BAD_MECH indicates that translation in accordance with an
- unsupported mech_type was requested, so translation could not be
- performed.
-
- o GSS_BAD_STATUS indicates that the input status_value was invalid,
- or that the input status_type carried a value other than 1 or 2,
- so translation could not be performed.
-
- o GSS_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Provides a means for callers to translate GSS-API-returned major and
- minor status codes into printable string representations.
-
-2.4.2.
GSS_Indicate_mechs call
-
- Input:
-
- o (none)
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o mech_set SET OF OBJECT IDENTIFIER
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that a set of available mechanisms has
- been returned in mech_set.
-
- o GSS_FAILURE indicates that the requested operation could not
- be performed for reasons unspecified at the GSS-API level.
-
- Allows callers to determine the set of mechanism types available on
- the local system. This call is intended for support of specialized
- callers who need to request non-default mech_type sets from
- GSS_Acquire_cred(), and should not be needed by other callers.
-
-2.4.3. GSS_Compare_name call
-
- Inputs:
-
-
-
-
-Linn [Page 38]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o name1 INTERNAL NAME,
-
- o name2 INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o name_equal BOOLEAN
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that name1 and name2 were comparable, and
- that the name_equal result indicates whether name1 and name2 were
- equal or unequal.
-
- o GSS_BAD_NAMETYPE indicates that one or both of name1 and name2
- contained internal type specifiers uninterpretable by the
- supporting GSS-API implementation, or that the two names' types
- are different and incomparable, so the equality comparison could
- not be completed.
-
- o GSS_BAD_NAME indicates that one or both of the input names was
- ill-formed in terms of its internal type specifier, so the
- equality comparison could not be completed.
-
- o GSS_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to compare two internal name representations for
- equality.
-
-2.4.4.
GSS_Display_name call
-
- Inputs:
-
- o name INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o name_string OCTET STRING,
-
-
-
-
-Linn [Page 39]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o name_type OBJECT IDENTIFIER
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that a valid printable name representation
- is available in the returned name_string.
-
- o GSS_BAD_NAMETYPE indicates that the provided name was of a type
- uninterpretable by the supporting GSS-API implementation, so no
- printable representation could be generated.
-
- o GSS_BAD_NAME indicates that the contents of the provided name were
- inconsistent with the internally-indicated name type, so no
- printable representation could be generated.
-
- o GSS_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to translate an internal name representation into a
- printable form with associated namespace type descriptor. The syntax
- of the printable form is a local matter.
-
-2.4.5. GSS_Import_name call
-
- Inputs:
-
- o input_name_string OCTET STRING,
-
- o input_name_type OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_name INTERNAL NAME
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that a valid name representation is output
- in output_name and described by the type value in
- output_name_type.
-
- o GSS_BAD_NAMETYPE indicates that the input_name_type is unsupported
- by the GSS-API implementation, so the import operation could not
- be completed.
-
-
-
-
-Linn [Page 40]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o GSS_BAD_NAME indicates that the provided input_name_string is
- ill-formed in terms of the input_name_type, so the import
- operation could not be completed.
-
- o GSS_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to provide a printable name representation, designate
- the type of namespace in conjunction with which it should be parsed,
- and convert that printable representation to an internal form
- suitable for input to other GSS-API routines. The syntax of the
- input_name is a local matter.
-
-2.4.6. GSS_Release_name call
-
- Inputs:
-
- o name INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the storage associated with the input
- name was successfully released.
-
- o GSS_BAD_NAME indicates that the input name argument did not
- contain a valid name.
-
- o GSS_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to release the storage associated with an internal
- name representation.
-
-2.4.7. GSS_Release_buffer call
-
- Inputs:
-
- o buffer OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
-
-
-Linn [Page 41]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the storage associated with the input
- buffer was successfully released.
-
- o GSS_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to release the storage associated with an OCTET STRING
- buffer allocated by another GSS-API call.
-
-2.4.8. GSS_Release_oid_set call
-
- Inputs:
-
- o buffer SET OF OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_COMPLETE indicates that the storage associated with the input
- object identifier set was successfully released.
-
- o GSS_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to release the storage associated with an object
- identifier set object allocated by another GSS-API call.
-
-3. Mechanism-Specific Example Scenarios
-
- This section provides illustrative overviews of the use of various
- candidate mechanism types to support the GSS-API. These discussions
- are intended primarily for readers familiar with specific security
- technologies, demonstrating how GSS-API functions can be used and
- implemented by candidate underlying mechanisms. They should not be
- regarded as constrictive to implementations or as defining the only
- means through which GSS-API functions can be realized with a
- particular underlying technology, and do not demonstrate all GSS-API
- features with each technology.
-
-
-
-
-Linn [Page 42]
-
-RFC 1508 Generic Security Interface September 1993
-
-
-3.1. Kerberos V5, single-TGT
-
- OS-specific login functions yield a TGT to the local realm Kerberos
- server; TGT is placed in a credentials structure for the client.
- Client calls GSS_Acquire_cred() to acquire a cred_handle in order to
- reference the credentials for use in establishing security contexts.
-
- Client calls GSS_Init_sec_context(). If the requested service is
- located in a different realm, GSS_Init_sec_context() gets the
- necessary TGT/key pairs needed to traverse the path from local to
- target realm; these data are placed in the owner's TGT cache. After
- any needed remote realm resolution, GSS_Init_sec_context() yields a
- service ticket to the requested service with a corresponding session
- key; these data are stored in conjunction with the context. GSS-API
- code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
- response(s) (in the successful case) or KRB_ERROR.
-
- Assuming success, GSS_Init_sec_context() builds a Kerberos-formatted
- KRB_AP_REQ message, and returns it in output_token.
The client sends
- the output_token to the service.
-
- The service passes the received token as the input_token argument to
- GSS_Accept_sec_context(), which verifies the authenticator, provides
- the service with the client's authenticated name, and returns an
- output_context_handle.
-
- Both parties now hold the session key associated with the service
- ticket, and can use this key in subsequent GSS_Sign(), GSS_Verify(),
- GSS_Seal(), and GSS_Unseal() operations.
-
-3.2. Kerberos V5, double-TGT
-
- TGT acquisition as above.
-
- Note: To avoid unnecessary frequent invocations of error paths when
- implementing the GSS-API atop Kerberos V5, it seems appropriate to
- represent "single-TGT K-V5" and "double-TGT K-V5" with separate
- mech_types, and this discussion makes that assumption.
-
- Based on the (specified or defaulted) mech_type,
- GSS_Init_sec_context() determines that the double-TGT protocol
- should be employed for the specified target. GSS_Init_sec_context()
- returns GSS_CONTINUE_NEEDED major_status, and its returned
- output_token contains a request to the service for the service's TGT.
- (If a service TGT with suitably long remaining lifetime already
- exists in a cache, it may be usable, obviating the need for this
- step.) The client passes the output_token to the service. Note: this
- scenario illustrates a different use for the GSS_CONTINUE_NEEDED
-
-
-
-Linn [Page 43]
-
-RFC 1508 Generic Security Interface September 1993
-
-
- status return facility than for support of mutual authentication;
- note that both uses can coexist as successive operations within a
- single context establishment operation.
-
- The service passes the received token as the input_token argument to
- GSS_Accept_sec_context(), which recognizes it as a request for TGT.
- (Note that current Kerberos V5 defines no intra-protocol mechanism to
- represent such a request.)
GSS_Accept_sec_context() returns - GSS_CONTINUE_NEEDED major_status and provides the service's TGT in - its output_token. The service sends the output_token to the client. - - The client passes the received token as the input_token argument to a - continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches - the received service TGT and uses it as part of a service ticket - request to the Kerberos authentication server, storing the returned - service ticket and session key in conjunction with the context. - GSS_Init_sec_context() builds a Kerberos-formatted authenticator, - and returns it in output_token along with GSS_COMPLETE return - major_status. The client sends the output_token to the service. - - Service passes the received token as the input_token argument to a - continuation call to GSS_Accept_sec_context(). - GSS_Accept_sec_context() verifies the authenticator, provides the - service with the client's authenticated name, and returns - major_status GSS_COMPLETE. - - GSS_Sign(), GSS_Verify(), GSS_Seal(), and GSS_Unseal() as above. - -3.3. X.509 Authentication Framework - - This example illustrates use of the GSS-API in conjunction with - public-key mechanisms, consistent with the X.509 Directory - Authentication Framework. - - The GSS_Acquire_cred() call establishes a credentials structure, - making the client's private key accessible for use on behalf of the - client. - - The client calls GSS_Init_sec_context(), which interrogates the - Directory to acquire (and validate) a chain of public-key - certificates, thereby collecting the public key of the service. The - certificate validation operation determines that suitable signatures - were applied by trusted authorities and that those certificates have - not expired. GSS_Init_sec_context() generates a secret key for use - in per-message protection operations on the context, and enciphers - that secret key under the service's public key. 
- - The enciphered secret key, along with an authenticator quantity - - - -Linn [Page 44] - -RFC 1508 Generic Security Interface September 1993 - - - signed with the client's private key, is included in the output_token - from GSS_Init_sec_context(). The output_token also carries a - certification path, consisting of a certificate chain leading from - the service to the client; a variant approach would defer this path - resolution to be performed by the service instead of being asserted - by the client. The client application sends the output_token to the - service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the - certification path, and as a result determines a certified binding - between the client's distinguished name and the client's public key. - Given that public key, GSS_Accept_sec_context() can process the - input_token's authenticator quantity and verify that the client's - private key was used to sign the input_token. At this point, the - client is authenticated to the service. The service uses its private - key to decipher the enciphered secret key provided to it for per- - message protection operations on the context. - - The client calls GSS_Sign() or GSS_Seal() on a data message, which - causes per-message authentication, integrity, and (optional) - confidentiality facilities to be applied to that message. The service - uses the context's shared secret key to perform corresponding - GSS_Verify() and GSS_Unseal() calls. - -4. 
Related Activities - - In order to implement the GSS-API atop existing, emerging, and future - security mechanisms: - - object identifiers must be assigned to candidate GSS-API - mechanisms and the name types which they support - - concrete data element formats must be defined for candidate - mechanisms - - Calling applications must implement formatting conventions which will - enable them to distinguish GSS-API tokens from other data carried in - their application protocols. - - Concrete language bindings are required for the programming - environments in which the GSS-API is to be employed; such bindings - for the C language are available in an associated RFC. - - - - - - - - -Linn [Page 45] - -RFC 1508 Generic Security Interface September 1993 - - -5. Acknowledgments - - This proposal is the result of a collaborative effort. - Acknowledgments are due to the many members of the IETF Security Area - Advisory Group (SAAG) and the Common Authentication Technology (CAT) - Working Group for their contributions at meetings and by electronic - mail. Acknowledgments are also due to Kannan Alagappan, Doug Barlow, - Bill Brown, Cliff Kahn, Charlie Kaufman, Butler Lampson, Richard - Pitkin, Joe Tardo, and John Wray of Digital Equipment Corporation, - and John Carr, John Kohl, Jon Rochlis, Jeff Schiller, and Ted T'so of - MIT and Project Athena. Joe Pato and Bill Sommerfeld of HP/Apollo, - Walt Tuvell of OSF, and Bill Griffith and Mike Merritt of AT&T, - provided inputs which helped to focus and clarify directions. - Precursor work by Richard Pitkin, presented to meetings of the - Trusted Systems Interoperability Group (TSIG), helped to demonstrate - the value of a generic, mechanism-independent security service API. - -6. Security Considerations - - Security issues are discussed throughout this memo. - -7. Author's Address - - John Linn - Geer Zolot Associates - One Main St. 
- Cambridge, MA 02142 USA - - Phone: +1 617.374.3700 - Email: Linn@gza.com - - - - - - - - - - - - - - - - - - - - - -Linn [Page 46] - -RFC 1508 Generic Security Interface September 1993 - - -APPENDIX A - -PACS AND AUTHORIZATION SERVICES - - Consideration has been given to modifying the GSS-API service - interface to recognize and manipulate Privilege Attribute - Certificates (PACs) as in ECMA 138, carrying authorization data as a - side effect of establishing a security context, but no such - modifications have been incorporated at this time. This appendix - provides rationale for this decision and discusses compatibility - alternatives between PACs and the GSS-API which do not require that - PACs be made visible to GSS-API callers. - - Existing candidate mechanism types such as Kerberos and X.509 do not - incorporate PAC manipulation features, and exclusion of such - mechanisms from the set of candidates equipped to fully support the - GSS-API seems inappropriate. Inclusion (and GSS-API visibility) of a - feature supported by only a limited number of mechanisms could - encourage the development of ostensibly portable applications which - would in fact have only limited portability. - - The status quo, in which PACs are not visible across the GSS-API - interface, does not preclude implementations in which PACs are - carried transparently, within the tokens defined and used for certain - mech_types, and stored within peers' credentials and context-level - data structures. While invisible to API callers, such PACs could be - used by operating system or other local functions as inputs in the - course of mediating access requests made by callers. This course of - action allows dynamic selection of PAC contents, if such selection is - administratively-directed rather than caller-directed. - - In a distributed computing environment, authentication must span - different systems; the need for such authentication provides - motivation for GSS-API definition and usage. 
Heterogeneous systems in - a network can intercommunicate, with globally authenticated names - comprising the common bond between locally defined access control - policies. Access control policies to which authentication provides - inputs are often local, or specific to particular operating systems - or environments. If the GSS-API made particular authorization models - visible across its service interface, its scope of application would - become less general. The current GSS-API paradigm is consistent with - the precedent set by Kerberos, neither defining the interpretation of - authorization-related data nor enforcing access controls based on - such data. - - The GSS-API is a general interface, whose callers may reside inside - or outside any defined TCB or NTCB boundaries. Given this - characteristic, it appears more realistic to provide facilities which - - - -Linn [Page 47] - -RFC 1508 Generic Security Interface September 1993 - - - provide "value-added" security services to its callers than to offer - facilities which enforce restrictions on those callers. Authorization - decisions must often be mediated below the GSS-API level in a local - manner against (or in spite of) applications, and cannot be - selectively invoked or omitted at those applications' discretion. - Given that the GSS-API's placement prevents it from providing a - comprehensive solution to the authorization issue, the value of a - partial contribution specific to particular authorization models is - debatable. - -APPENDIX B - -MECHANISM-INDEPENDENT TOKEN FORMAT - - This appendix specifies a mechanism-independent level of - encapsulating representation for the initial token of a GSS-API - context establishment sequence, incorporating an identifier of the - mechanism type to be used on that context. 
Use of this format (with - ASN.1-encoded data elements represented in BER, constrained in the - interests of parsing simplicity to the Distinguished Encoding Rule - (DER) BER subset defined in X.509, clause 8.7) is recommended to the - designers of GSS-API implementations based on various mechanisms, so - that tokens can be interpreted unambiguously at GSS-API peers. There - is no requirement that the mechanism-specific innerContextToken, - innerMsgToken, and sealedUserData data elements be encoded in ASN.1 - BER. - - -- optional top-level token definitions to - -- frame different mechanisms - - GSS-API DEFINITIONS ::= - - BEGIN - - MechType ::= OBJECT IDENTIFIER - -- data structure definitions - - -- callers must be able to distinguish among - -- InitialContextToken, SubsequentContextToken, - -- PerMsgToken, and SealedMessage data elements - -- based on the usage in which they occur - - InitialContextToken ::= - -- option indication (delegation, etc.) indicated within - -- mechanism-specific token - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken ANY DEFINED BY thisMech - - - -Linn [Page 48] - -RFC 1508 Generic Security Interface September 1993 - - - -- contents mechanism-specific - } - - SubsequentContextToken ::= innerContextToken ANY - -- interpretation based on predecessor InitialContextToken - - PerMsgToken ::= - -- as emitted by GSS_Sign and processed by GSS_Verify - innerMsgToken ANY - - SealedMessage ::= - -- as emitted by GSS_Seal and processed by GSS_Unseal - -- includes internal, mechanism-defined indicator - -- of whether or not encrypted - sealedUserData ANY - - END - -APPENDIX C - -MECHANISM DESIGN CONSTRAINTS - - The following constraints on GSS-API mechanism designs are adopted in - response to observed caller protocol requirements, and adherence - thereto is anticipated in subsequent descriptions of GSS-API - mechanisms to be documented in standards-track Internet - specifications. 
-
- Use of the approach defined in Appendix B of this specification,
- applying a mechanism type tag to the InitialContextToken, is
- required.
-
- It is strongly recommended that mechanisms offering per-message
- protection services also offer at least one of the replay detection
- and sequencing services, as mechanisms offering neither of the latter
- will fail to satisfy recognized requirements of certain candidate
- caller protocols.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Linn [Page 49]
-
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1509.txt b/crypto/heimdal/doc/standardisation/rfc1509.txt
deleted file mode 100644
index f36cd80e6dcd..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc1509.txt
+++ /dev/null
@@ -1,2691 +0,0 @@ - - - - - - -Network Working Group J. Wray -Request for Comments: 1509 Digital Equipment Corporation - September 1993 - - - Generic Security Service API : C-bindings - -Status of this Memo - - This RFC specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" for the standardization state and status - of this protocol. Distribution of this memo is unlimited. - -Abstract - - This document specifies C language bindings for the Generic Security - Service Application Program Interface (GSS-API), which is described - at a language-independent conceptual level in other documents. - - The Generic Security Service Application Programming Interface (GSS- - API) provides security services to its callers, and is intended for - implementation atop alternative underlying cryptographic mechanisms. - Typically, GSS-API callers will be application protocols into which - security enhancements are integrated through invocation of services - provided by the GSS-API. The GSS-API allows a caller application to - authenticate a principal identity associated with a peer application, - to delegate rights to a peer, and to apply security services such as - confidentiality and integrity on a per-message basis. - -1. INTRODUCTION - - The Generic Security Service Application Programming Interface [1] - provides security services to calling applications. It allows a - communicating application to authenticate the user associated with - another application, to delegate rights to another application, and - to apply security services such as confidentiality and integrity on a - per-message basis. - - There are four stages to using the GSSAPI: - - (a) The application acquires a set of credentials with which it may - prove its identity to other processes. 
The application's - credentials vouch for its global identity, which may or may not - be related to the local username under which it is running. - - - - - -Wray [Page 1] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - (b) A pair of communicating applications establish a joint security - context using their credentials. The security context is a - pair of GSSAPI data structures that contain shared state - information, which is required in order that per-message - security services may be provided. As part of the - establishment of a security context, the context initiator is - authenticated to the responder, and may require that the - responder is authenticated in turn. The initiator may - optionally give the responder the right to initiate further - security contexts. This transfer of rights is termed - delegation, and is achieved by creating a set of credentials, - similar to those used by the originating application, but which - may be used by the responder. To establish and maintain the - shared information that makes up the security context, certain - GSSAPI calls will return a token data structure, which is a - cryptographically protected opaque data type. The caller of - such a GSSAPI routine is responsible for transferring the token - to the peer application, which should then pass it to a - corresponding GSSAPI routine which will decode it and extract - the information. - - (c) Per-message services are invoked to apply either: - - (i) integrity and data origin authentication, or - - (ii) confidentiality, integrity and data origin authentication - to application data, which are treated by GSSAPI as - arbitrary octet-strings. The application transmitting a - message that it wishes to protect will call the appropriate - GSSAPI routine (sign or seal) to apply protection, specifying - the appropriate security context, and send the result to the - receiving application. 
The receiver will pass the received - data to the corresponding decoding routine (verify or unseal) - to remove the protection and validate the data. - - (d) At the completion of a communications session (which may extend - across several connections), the peer applications call GSSAPI - routines to delete the security context. Multiple contexts may - also be used (either successively or simultaneously) within a - single communications association. - -2. GSSAPI Routines - - This section lists the functions performed by each of the GSSAPI - routines and discusses their major parameters, describing how they - are to be passed to the routines. The routines are listed in figure - 4-1. - - - - -Wray [Page 2] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Figure 4-1 GSSAPI Routines - - - Routine Function - - gss_acquire_cred Assume a global identity - - gss_release_cred Discard credentials - - gss_init_sec_context Initiate a security context - with a peer application - - gss_accept_sec_context Accept a security context - initiated by a peer - application - - gss_process_context_token Process a token on a security - context from a peer - application - - gss_delete_sec_context Discard a security context - - gss_context_time Determine for how long a - context will remain valid - - gss_sign Sign a message; integrity - service - - gss_verify Check signature on a message - - gss_seal Sign (optionally encrypt) a - message; confidentiality - service - - gss_unseal Verify (optionally decrypt) - message - - gss_display_status Convert an API status code - to text - - gss_indicate_mechs Determine underlying - authentication mechanism - - gss_compare_name Compare two internal-form - names - - gss_display_name Convert opaque name to text - - - - -Wray [Page 3] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - gss_import_name Convert a textual name to - internal-form - - gss_release_name Discard an internal-form - name - - gss_release_buffer Discard a 
buffer - - gss_release_oid_set Discard a set of object - identifiers - - gss_inquire_cred Determine information about - a credential - - Individual GSSAPI implementations may augment these routines by - providing additional mechanism-specific routines if required - functionality is not available from the generic forms. Applications - are encouraged to use the generic routines wherever possible on - portability grounds. - -2.1. Data Types and Calling Conventions - - The following conventions are used by the GSSAPI: - -2.1.1. Structured data types - - Wherever these GSSAPI C-bindings describe structured data, only - fields that must be provided by all GSSAPI implementation are - documented. Individual implementations may provide additional - fields, either for internal use within GSSAPI routines, or for use by - non-portable applications. - -2.1.2. Integer types - - GSSAPI defines the following integer data type: - - OM_uint32 32-bit unsigned integer - - Where guaranteed minimum bit-count is important, this portable data - type is used by the GSSAPI routine definitions. Individual GSSAPI - implementations will include appropriate typedef definitions to map - this type onto a built-in data type. - -2.1.3. String and similar data - - Many of the GSSAPI routines take arguments and return values that - describe contiguous multiple-byte data. All such data is passed - between the GSSAPI and the caller using the gss_buffer_t data type. - - - -Wray [Page 4] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - This data type is a pointer to a buffer descriptor, which consists of - a length field that contains the total number of bytes in the datum, - and a value field which contains a pointer to the actual datum: - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - Storage for data passed to the application by a GSSAPI routine using - the gss_buffer_t conventions is allocated by the GSSAPI routine. 
The - application may free this storage by invoking the gss_release_buffer - routine. Allocation of the gss_buffer_desc object is always the - responsibility of the application; Unused gss_buffer_desc objects - may be initialized to the value GSS_C_EMPTY_BUFFER. - -2.1.3.1. Opaque data types - - Certain multiple-word data items are considered opaque data types at - the GSSAPI, because their internal structure has no significance - either to the GSSAPI or to the caller. Examples of such opaque data - types are the input_token parameter to gss_init_sec_context (which is - opaque to the caller), and the input_message parameter to gss_seal - (which is opaque to the GSSAPI). Opaque data is passed between the - GSSAPI and the application using the gss_buffer_t datatype. - -2.1.3.2. Character strings - - Certain multiple-word data items may be regarded as simple ISO - Latin-1 character strings. An example of this is the - input_name_buffer parameter to gss_import_name. Some GSSAPI routines - also return character strings. Character strings are passed between - the application and the GSSAPI using the gss_buffer_t datatype, - defined earlier. - -2.1.4. Object Identifiers - - Certain GSSAPI procedures take parameters of the type gss_OID, or - Object identifier. This is a type containing ISO-defined tree- - structured values, and is used by the GSSAPI caller to select an - underlying security mechanism. A value of type gss_OID has the - following structure: - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - - - -Wray [Page 5] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - The elements field of this structure points to the first byte of an - octet string containing the ASN.1 BER encoding of the value of the - gss_OID. The length field contains the number of bytes in this - value. 
For example, the gss_OID value corresponding to {iso(1) - identified- oganization(3) icd-ecma(12) member-company(2) dec(1011) - cryptoAlgorithms(7) SPX(5)} meaning SPX (Digital's X.509 - authentication mechanism) has a length field of 7 and an elements - field pointing to seven octets containing the following octal values: - 53,14,2,207,163,7,5. GSSAPI implementations should provide constant - gss_OID values to allow callers to request any supported mechanism, - although applications are encouraged on portability grounds to accept - the default mechanism. gss_OID values should also be provided to - allow applications to specify particular name types (see section - 2.1.10). Applications should treat gss_OID_desc values returned by - GSSAPI routines as read-only. In particular, the application should - not attempt to deallocate them. The gss_OID_desc datatype is - equivalent to the X/Open OM_object_identifier datatype [2]. - -2.1.5. Object Identifier Sets - - Certain GSSAPI procedures take parameters of the type gss_OID_set. - This type represents one or more object identifiers (section 2.1.4). - A gss_OID_set object has the following structure: - - typedef struct gss_OID_set_desc_struct { - int count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - The count field contains the number of OIDs within the set. The - elements field is a pointer to an array of gss_OID_desc objects, each - of which describes a single OID. gss_OID_set values are used to name - the available mechanisms supported by the GSSAPI, to request the use - of specific mechanisms, and to indicate which mechanisms a given - credential supports. Storage associated with gss_OID_set values - returned to the application by the GSSAPI may be deallocated by the - gss_release_oid_set routine. - -2.1.6. Credentials - - A credential handle is a caller-opaque atomic datum that identifies a - GSSAPI credential data structure. 
It is represented by the caller- - opaque type gss_cred_id_t, which may be implemented as either an - arithmetic or a pointer type. Credentials describe a principal, and - they give their holder the ability to act as that principal. The - GSSAPI does not make the actual credentials available to - applications; instead the credential handle is used to identify a - particular credential, held internally by GSSAPI or underlying - - - -Wray [Page 6] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - mechanism. Thus the credential handle contains no security-relavent - information, and requires no special protection by the application. - Depending on the implementation, a given credential handle may refer - to different credentials when presented to the GSSAPI by different - callers. Individual GSSAPI implementations should define both the - scope of a credential handle and the scope of a credential itself - (which must be at least as wide as that of a handle). Possibilities - for credential handle scope include the process that acquired the - handle, the acquiring process and its children, or all processes - sharing some local identification information (e.g., UID). If no - handles exist by which a given credential may be reached, the GSSAPI - may delete the credential. - - Certain routines allow credential handle parameters to be omitted to - indicate the use of a default credential. The mechanism by which a - default credential is established and its scope should be defined by - the individual GSSAPI implementation. - -2.1.7. Contexts - - The gss_ctx_id_t data type contains a caller-opaque atomic value that - identifies one end of a GSSAPI security context. It may be - implemented as either an arithmetic or a pointer type. Depending on - the implementation, a given gss_ctx_id_t value may refer to different - GSSAPI security contexts when presented to the GSSAPI by different - callers. 
The security context holds state information about each end - of a peer communication, including cryptographic state information. - Individual GSSAPI implementations should define the scope of a - context. Since no way is provided by which a new gss_ctx_id_t value - may be obtained for an existing context, the scope of a context - should be the same as the scope of a gss_ctx_id_t. - -2.1.8. Authentication tokens - - A token is a caller-opaque type that GSSAPI uses to maintain - synchronization between the context data structures at each end of a - GSSAPI security context. The token is a cryptographically protected - bit-string, generated by the underlying mechanism at one end of a - GSSAPI security context for use by the peer mechanism at the other - end. Encapsulation (if required) and transfer of the token are the - responsibility of the peer applications. A token is passed between - the GSSAPI and the application using the gss_buffer_t conventions. - -2.1.9. Status values - - One or more status codes are returned by each GSSAPI routine. Two - distinct sorts of status codes are returned. These are termed GSS - status codes and Mechanism status codes. - - - -Wray [Page 7] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -2.1.9.1. GSS status codes - - GSSAPI routines return GSS status codes as their OM_uint32 function - value. These codes indicate errors that are independent of the - underlying mechanism used to provide the security service. The - errors that can be indicated via a GSS status code are either generic - API routine errors (errors that are defined in the GSSAPI - specification) or calling errors (errors that are specific to these - bindings). - - A GSS status code can indicate a single fatal generic API error from - the routine and a single calling error. In addition, supplementary - status information may be indicated via the setting of bits in the - supplementary info field of a GSS status code. 
- - These errors are encoded into the 32-bit GSS status code as follows: - - MSB LSB - |------------------------------------------------------------| - | Calling Error | Routine Error | Supplementary Info | - |------------------------------------------------------------| - Bit 31 24 23 16 15 0 - - Hence if a GSSAPI routine returns a GSS status code whose upper 16 - bits contain a non-zero value, the call failed. If the calling error - field is non-zero, the invoking application's call of the routine was - erroneous. Calling errors are defined in table 5-1. If the routine - error field is non-zero, the routine failed for one of the routine- - specific reasons listed below in table 5-2. Whether or not the upper - 16 bits indicate a failure or a success, the routine may indicate - additional information by setting bits in the supplementary info - field of the status code. The meaning of individual bits is listed - below in table 5-3. - - Table 5-1 Calling Errors - - Name Value in Meaning - Field - GSS_S_CALL_INACCESSIBLE_READ 1 A required input - parameter could - not be read. - GSS_S_CALL_INACCESSIBLE_WRITE 2 A required output - parameter could - not be written. 
- GSS_S_CALL_BAD_STRUCTURE 3 A parameter was - malformed - - - - - -Wray [Page 8] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Table 5-2 Routine Errors - - Name Value in Meaning - Field - - GSS_S_BAD_MECH 1 An unsupported mechanism was - requested - GSS_S_BAD_NAME 2 An invalid name was supplied - GSS_S_BAD_NAMETYPE 3 A supplied name was of an - unsupported type - GSS_S_BAD_BINDINGS 4 Incorrect channel bindings - were supplied - GSS_S_BAD_STATUS 5 An invalid status code was - supplied - - GSS_S_BAD_SIG 6 A token had an invalid - signature - GSS_S_NO_CRED 7 No credentials were supplied - GSS_S_NO_CONTEXT 8 No context has been - established - GSS_S_DEFECTIVE_TOKEN 9 A token was invalid - GSS_S_DEFECTIVE_CREDENTIAL 10 A credential was invalid - GSS_S_CREDENTIALS_EXPIRED 11 The referenced credentials - have expired - GSS_S_CONTEXT_EXPIRED 12 The context has expired - GSS_S_FAILURE 13 Miscellaneous failure - (see text) - - Table 5-3 Supplementary Status Bits - - Name Bit Number Meaning - GSS_S_CONTINUE_NEEDED 0 (LSB) The routine must be called - again to complete its - function. - See routine documentation for - detailed description. - GSS_S_DUPLICATE_TOKEN 1 The token was a duplicate of - an earlier token - GSS_S_OLD_TOKEN 2 The token's validity period - has expired - GSS_S_UNSEQ_TOKEN 3 A later token has already been - processed - - The routine documentation also uses the name GSS_S_COMPLETE, which is - a zero value, to indicate an absence of any API errors or - supplementary information bits. - - - - - -Wray [Page 9] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - All GSS_S_xxx symbols equate to complete OM_uint32 status codes, - rather than to bitfield values. For example, the actual value of the - symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is 3 - << 16. 
- - The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and - GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS - status code and removes all but the relevant field. For example, the - value obtained by applying GSS_ROUTINE_ERROR to a status code removes - the calling errors and supplementary info fields, leaving only the - routine errors field. The values delivered by these macros may be - directly compared with a GSS_S_xxx symbol of the appropriate type. - The macro GSS_ERROR() is also provided, which when applied to a GSS - status code returns a non-zero value if the status code indicated a - calling or routine error, and a zero value otherwise. - - A GSSAPI implementation may choose to signal calling errors in a - platform-specific manner instead of, or in addition to the routine - value; routine errors and supplementary info should be returned via - routine status values only. - -2.1.9.2. Mechanism-specific status codes - - GSSAPI routines return a minor_status parameter, which is used to - indicate specialized errors from the underlying security mechanism. - This parameter may contain a single mechanism-specific error, - indicated by a OM_uint32 value. - - The minor_status parameter will always be set by a GSSAPI routine, - even if it returns a calling error or one of the generic API errors - indicated above as fatal, although other output parameters may remain - unset in such cases. However, output parameters that are expected to - return pointers to storage allocated by a routine must always set set - by the routine, even in the event of an error, although in such cases - the GSSAPI routine may elect to set the returned parameter value to - NULL to indicate that no storage was actually allocated. Any length - field associated with such pointers (as in a gss_buffer_desc - structure) should also be set to zero in such cases. 
- - The GSS status code GSS_S_FAILURE is used to indicate that the - underlying mechanism detected an error for which no specific GSS - status code is defined. The mechanism status code will provide more - details about the error. - -2.1.10. Names - - A name is used to identify a person or entity. GSSAPI authenticates - the relationship between a name and the entity claiming the name. - - - -Wray [Page 10] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Two distinct representations are defined for names: - - (a) A printable form, for presentation to a user - - (b) An internal form, for presentation at the API - - The syntax of a printable name is defined by the GSSAPI - implementation, and may be dependent on local system configuration, - or on individual user preference. The internal form provides a - canonical representation of the name that is independent of - configuration. - - A given GSSAPI implementation may support names drawn from multiple - namespaces. In such an implementation, the internal form of the name - must include fields that identify the namespace from which the name - is drawn. The namespace from which a printable name is drawn is - specified by an accompanying object identifier. - - Routines (gss_import_name and gss_display_name) are provided to - convert names between their printable representations and the - gss_name_t type. gss_import_name may support multiple syntaxes for - each supported namespace, allowing users the freedom to choose a - preferred name representation. gss_display_name should use an - implementation-chosen preferred syntax for each supported name-type. - - Comparison of internal-form names is accomplished via the - gss_compare_names routine. This removes the need for the application - program to understand the syntaxes of the various printable names - that a given GSSAPI implementation may support. - - Storage is allocated by routines that return gss_name_t values. 
A - procedure, gss_release_name, is provided to free storage associated - with a name. - -2.1.11. Channel Bindings - - GSSAPI supports the use of user-specified tags to identify a given - context to the peer application. These tags are used to identify the - particular communications channel that carries the context. Channel - bindings are communicated to the GSSAPI using the following - structure: - - - - - - - - - - -Wray [Page 11] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - The initiator_addrtype and acceptor_addrtype fields denote the type - of addresses contained in the initiator_address and acceptor_address - buffers. The address type should be one of the following: - - GSS_C_AF_UNSPEC Unspecified address type - GSS_C_AF_LOCAL Host-local address type - GSS_C_AF_INET DARPA Internet address type - GSS_C_AF_IMPLINK ARPAnet IMP address type (eg IP) - GSS_C_AF_PUP pup protocols (eg BSP) address type - GSS_C_AF_CHAOS MIT CHAOS protocol address type - GSS_C_AF_NS XEROX NS address type - GSS_C_AF_NBS nbs address type - GSS_C_AF_ECMA ECMA address type - GSS_C_AF_DATAKIT datakit protocols address type - GSS_C_AF_CCITT CCITT protocols (eg X.25) - GSS_C_AF_SNA IBM SNA address type - GSS_C_AF_DECnet DECnet address type - GSS_C_AF_DLI Direct data link interface address type - GSS_C_AF_LAT LAT address type - GSS_C_AF_HYLINK NSC Hyperchannel address type - GSS_C_AF_APPLETALK AppleTalk address type - GSS_C_AF_BSC BISYNC 2780/3780 address type - GSS_C_AF_DSS Distributed system services address type - GSS_C_AF_OSI OSI TP4 address type - GSS_C_AF_X25 X25 - GSS_C_AF_NULLADDR No address specified - - Note that these name address families rather than specific addressing - formats. 
For address families that contain several alternative - address forms, the initiator_address and acceptor_address fields must - contain sufficient information to determine which address form is - used. When not otherwise specified, addresses should be specified in - network byte-order. - - Conceptually, the GSSAPI concatenates the initiator_addrtype, - initiator_address, acceptor_addrtype, acceptor_address and - application_data to form an octet string. The mechanism signs this - octet string, and binds the signature to the context establishment - token emitted by gss_init_sec_context. The same bindings are - presented by the context acceptor to gss_accept_sec_context, and a - - - -Wray [Page 12] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - signature is calculated in the same way. The calculated signature is - compared with that found in the token, and if the signatures differ, - gss_accept_sec_context will return a GSS_S_BAD_BINDINGS error, and - the context will not be established. Some mechanisms may include the - actual channel binding data in the token (rather than just a - signature); applications should therefore not use confidential data - as channel-binding components. Individual mechanisms may impose - additional constraints on addresses and address types that may appear - in channel bindings. For example, a mechanism may verify that the - initiator_address field of the channel bindings presented to - gss_init_sec_context contains the correct network address of the host - system. - -2.1.12. Optional parameters - - Various parameters are described as optional. This means that they - follow a convention whereby a default value may be requested. The - following conventions are used for omitted parameters. These - conventions apply only to those parameters that are explicitly - documented as optional. - -2.1.12.1. gss_buffer_t types - - Specify GSS_C_NO_BUFFER as a value. 
For an input parameter this - signifies that default behavior is requested, while for an output - parameter it indicates that the information that would be returned - via the parameter is not required by the application. - -2.1.12.2. Integer types (input) - - Individual parameter documentation lists values to be used to - indicate default actions. - -2.1.12.3. Integer types (output) - - Specify NULL as the value for the pointer. - -2.1.12.4. Pointer types - - Specify NULL as the value. - -2.1.12.5. Object IDs - - Specify GSS_C_NULL_OID as the value. - -2.1.12.6. Object ID Sets - - Specify GSS_C_NULL_OID_SET as the value. - - - -Wray [Page 13] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -2.1.12.7. Credentials - - Specify GSS_C_NO_CREDENTIAL to use the default credential handle. - -2.1.12.8. Channel Bindings - - Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings - are not to be used. - -3. GSSAPI routine descriptions - -2.1. gss_acquire_cred - - OM_uint32 gss_acquire_cred ( - OM_uint32 * minor_status, - gss_name_t desired_name, - OM_uint32 time_req, - gss_OID_set desired_mechs, - int cred_usage, - gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_int32 * time_rec) - Purpose: - - Allows an application to acquire a handle for a pre-existing - credential by name. GSSAPI implementations must impose a local - access-control policy on callers of this routine to prevent - unauthorized callers from acquiring credentials to which they are not - entitled. This routine is not intended to provide a "login to the - network" function, as such a function would result in the creation of - new credentials rather than merely acquiring a handle to existing - credentials. Such functions, if required, should be defined in - implementation-specific extensions to the API. 
- - If credential acquisition is time-consuming for a mechanism, the - mechanism may chooses to delay the actual acquisition until the - credential is required (e.g., by gss_init_sec_context or - gss_accept_sec_context). Such mechanism-specific implementation - decisions should be invisible to the calling application; thus a call - of gss_inquire_cred immediately following the call of - gss_acquire_cred must return valid credential data, and may therefore - incur the overhead of a deferred credential acquisition. - - Parameters: - - desired_name gss_name_t, read - Name of principal whose credential - should be acquired - - - -Wray [Page 14] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - time_req integer, read - number of seconds that credentials - should remain valid - - desired_mechs Set of Object IDs, read - set of underlying security mechanisms that - may be used. GSS_C_NULL_OID_SET may be used - to obtain an implementation-specific default. - - cred_usage integer, read - GSS_C_BOTH - Credentials may be used - either to initiate or accept - security contexts. - GSS_C_INITIATE - Credentials will only be - used to initiate security - contexts. - GSS_C_ACCEPT - Credentials will only be used to - accept security contexts. - - output_cred_handle gss_cred_id_t, modify - The returned credential handle. - - actual_mechs Set of Object IDs, modify, optional - The set of mechanisms for which the - credential is valid. Specify NULL - if not required. - - time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid. If the - implementation does not support expiration of - credentials, the value GSS_C_INDEFINITE will - be returned. Specify NULL if not required - - minor_status Integer, modify - Mechanism specific status code. 
- Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Unavailable mechanism requested - - GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is - not supported - - GSS_S_BAD_NAME Value supplied for desired_name parameter is - - - -Wray [Page 15] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - ill-formed. - - GSS_S_FAILURE Unspecified failure. The minor_status parameter - contains more detailed information - -3.2. gss_release_cred - - OM_uint32 gss_release_cred ( - OM_uint32 * minor_status, - gss_cred_id_t * cred_handle) - - Purpose: - - Informs GSSAPI that the specified credential handle is no longer - required by the process. When all processes have released a - credential, it will be deleted. - - Parameters: - - cred_handle gss_cred_id_t, modify, optional - buffer containing opaque credential - handle. If GSS_C_NO_CREDENTIAL is supplied, - the default credential will be released - - minor_status integer, modify - Mechanism specific status code. - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED Credentials could not be accessed. - - - - - - - - - - - - - - - - - -Wray [Page 16] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -3.3. gss_init_sec_context - - OM_uint32 gss_init_sec_context ( - OM_uint32 * minor_status, - gss_cred_id_t claimant_cred_handle, - gss_ctx_id_t * context_handle, - gss_name_t target_name, - gss_OID mech_type, - int req_flags, - int time_req, - gss_channel_bindings_t - input_chan_bindings, - gss_buffer_t input_token - gss_OID * actual_mech_type, - gss_buffer_t output_token, - int * ret_flags, - OM_uint32 * time_rec ) - - Purpose: - - Initiates the establishment of a security context between the - application and a remote peer. Initially, the input_token parameter - should be specified as GSS_C_NO_BUFFER. 
The routine may return a - output_token which should be transferred to the peer application, - where the peer application will present it to gss_accept_sec_context. - If no token need be sent, gss_init_sec_context will indicate this by - setting the length field of the output_token argument to zero. To - complete the context establishment, one or more reply tokens may be - required from the peer application; if so, gss_init_sec_context will - return a status indicating GSS_S_CONTINUE_NEEDED in which case it - should be called again when the reply token is received from the peer - application, passing the token to gss_init_sec_context via the - input_token parameters. - - The values returned via the ret_flags and time_rec parameters are not - defined unless the routine returns GSS_S_COMPLETE. - - Parameters: - - claimant_cred_handle gss_cred_id_t, read, optional - handle for credentials claimed. Supply - GSS_C_NO_CREDENTIAL to use default - credentials. - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned by first call in continuation calls. - - - -Wray [Page 17] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - target_name gss_name_t, read - Name of target - - mech_type OID, read, optional - Object ID of desired mechanism. Supply - GSS_C_NULL_OID to obtain an implementation - specific default - - req_flags bit-mask, read - Contains four independent flags, each of - which requests that the context support a - specific service option. Symbolic - names are provided for each flag, and the - symbolic names corresponding to the required - flags should be logically-ORed - together to form the bit-mask value. 
The - flags are: - - GSS_C_DELEG_FLAG - True - Delegate credentials to remote peer - False - Don't delegate - GSS_C_MUTUAL_FLAG - True - Request that remote peer - authenticate itself - False - Authenticate self to remote peer - only - GSS_C_REPLAY_FLAG - True - Enable replay detection for signed - or sealed messages - False - Don't attempt to detect - replayed messages - GSS_C_SEQUENCE_FLAG - True - Enable detection of out-of-sequence - signed or sealed messages - False - Don't attempt to detect - out-of-sequence messages - - time_req integer, read - Desired number of seconds for which context - should remain valid. Supply 0 to request a - default validity period. - - input_chan_bindings channel bindings, read - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. - - - - -Wray [Page 18] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - input_token buffer, opaque, read, optional (see text) - Token received from peer application. - Supply GSS_C_NO_BUFFER on initial call. - - actual_mech_type OID, modify - actual mechanism used. - - output_token buffer, opaque, modify - token to be sent to peer application. If - the length field of the returned buffer is - zero, no token need be sent to the peer - application. - - ret_flags bit-mask, modify - Contains six independent flags, each of which - indicates that the context supports a specific - service option. Symbolic names are provided - for each flag, and the symbolic names - corresponding to the required flags should be - logically-ANDed with the ret_flags value to test - whether a given option is supported by the - context. 
The flags are: - - GSS_C_DELEG_FLAG - True - Credentials were delegated to - the remote peer - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer has been asked to - authenticated itself - False - Remote peer has not been asked to - authenticate itself - GSS_C_REPLAY_FLAG - True - replay of signed or sealed messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence signed or sealed - messages will be detected - False - out-of-sequence messages will not - be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling seal routine - False - No confidentiality service (via - seal) available. seal will provide - message encapsulation, data-origin - - - -Wray [Page 19] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - authentication and integrity - services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_sign or gss_seal - routines. - False - Per-message integrity service - unavailable. - - time_rec integer, modify, optional - number of seconds for which the context - will remain valid. If the implementation does - not support credential expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - minor_status integer, modify - Mechanism specific status code. - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete thecontext, and - that gss_init_sec_context must be called again with - that token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on - the input_token failed - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. 
- - GSS_S_NO_CRED The supplied credentials were not valid for context - initiation, or the credential handle did not - reference any credentials. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired - - GSS_S_BAD_BINDINGS The input_token contains different channel - bindings to those specified via the - input_chan_bindings parameter - - GSS_S_BAD_SIG The input_token contains an invalid signature, or a - signature that could not be verified - - - -Wray [Page 20] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_OLD_TOKEN The input_token was too old. This is a fatal error - during context establishment - - GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of - a token already processed. This is a fatal error - during context establishment. - - GSS_S_NO_CONTEXT Indicates that the supplied context handle did not - refer to a valid context - - GSS_S_BAD_NAMETYPE The provided target_name parameter contained an - invalid or unsupported type of name - - GSS_S_BAD_NAME The provided target_name parameter was ill-formed. - - GSS_S_FAILURE Failure. See minor_status for more information - -3.4. gss_accept_sec_context - - OM_uint32 gss_accept_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_cred_id_t verifier_cred_handle, - gss_buffer_t input_token_buffer - gss_channel_bindings_t - input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - int * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle) - - Purpose: - - Allows a remotely initiated security context between the application - and a remote peer to be established. The routine may return a - output_token which should be transferred to the peer application, - where the peer application will present it to gss_init_sec_context. - If no token need be sent, gss_accept_sec_context will indicate this - by setting the length field of the output_token argument to zero. 
To - complete the context establishment, one or more reply tokens may be - required from the peer application; if so, gss_accept_sec_context - will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it - should be called again when the reply token is received from the peer - application, passing the token to gss_accept_sec_context via the - input_token parameters. - - - - -Wray [Page 21] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - The values returned via the src_name, ret_flags, time_rec, and - delegated_cred_handle parameters are not defined unless the routine - returns GSS_S_COMPLETE. - - Parameters: - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned in subsequent calls. - - verifier_cred_handle gss_cred_id_t, read, optional - Credential handle claimed by context - acceptor. - Specify GSS_C_NO_CREDENTIAL to use default - credentials. If GSS_C_NO_CREDENTIAL is - specified, but the caller has no default - credentials established, an - implementation-defined default credential - may be used. - - input_token_buffer buffer, opaque, read - token obtained from remote application - - input_chan_bindings channel bindings, read - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. - - src_name gss_name_t, modify, optional - Authenticated name of context initiator. - After use, this name should be deallocated by - passing it to gss_release_name. If not required, - specify NULL. - - mech_type Object ID, modify - Security mechanism used. The returned - OID value will be a pointer into static - storage, and should be treated as read-only - by the caller. - - output_token buffer, opaque, modify - Token to be passed to peer application. If the - length field of the returned token buffer is 0, - then no token need be passed to the peer - application. 
- - - - -Wray [Page 22] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - ret_flags bit-mask, modify - Contains six independent flags, each of - which indicates that the context supports a - specific service option. Symbolic names are - provided for each flag, and the symbolic names - corresponding to the required flags - should be logically-ANDed with the ret_flags - value to test whether a given option is - supported by the context. The flags are: - GSS_C_DELEG_FLAG - True - Delegated credentials are available - via the delegated_cred_handle - parameter - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer asked for mutual - authentication - False - Remote peer did not ask for mutual - authentication - GSS_C_REPLAY_FLAG - True - replay of signed or sealed messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence signed or sealed - messages will be detected - False - out-of-sequence messages will not - be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling seal routine - False - No confidentiality service (via - seal) available. seal will - provide message encapsulation, - data-origin authentication and - integrity services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked - by calling either gss_sign or - gss_seal routines. - False - Per-message integrity service - unavailable. - - time_rec integer, modify, optional - number of seconds for which the context - will remain valid. Specify NULL if not required. - - - - -Wray [Page 23] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - delegated_cred_handle - gss_cred_id_t, modify - credential handle for credentials received from - context initiator. Only valid if deleg_flag in - ret_flags is true. - - minor_status integer, modify - Mechanism specific status code. 
- - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete the context, - and that gss_accept_sec_context must be called - again with that token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks - performed on the input_token failed. - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. - - GSS_S_NO_CRED The supplied credentials were not valid for - context acceptance, or the credential handle - did not reference any credentials. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have - expired. - - GSS_S_BAD_BINDINGS The input_token contains different channel - bindings to those specified via the - input_chan_bindings parameter. - - GSS_S_NO_CONTEXT Indicates that the supplied context handle did - not refer to a valid context. - - GSS_S_BAD_SIG The input_token contains an invalid signature. - - GSS_S_OLD_TOKEN The input_token was too old. This is a fatal - error during context establishment. - - GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a - duplicate of a token already processed. This - is a fatal error during context establishment. - - - -Wray [Page 24] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.5. gss_process_context_token - - OM_uint32 gss_process_context_token ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t token_buffer) - - Purpose: - - Provides a way to pass a token to the security service. Usually, - tokens are associated either with context establishment (when they - would be passed to gss_init_sec_context or gss_accept_sec_context) or - with per-message security service (when they would be passed to - gss_verify or gss_unseal). 
Occasionally, tokens may be received at - other times, and gss_process_context_token allows such tokens to be - passed to the underlying security service for processing. At - present, such additional tokens may only be generated by - gss_delete_sec_context. GSSAPI implementation may use this service - to implement deletion of the security context. - - Parameters: - - context_handle gss_ctx_id_t, read - context handle of context on which token is to - be processed - - token_buffer buffer, opaque, read - pointer to first byte of token to process - - minor_status integer, modify - Implementation specific status code. - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks - performed on the token failed - - GSS_S_FAILURE Failure. See minor_status for more information - - GSS_S_NO_CONTEXT The context_handle did not refer to a valid - context - - - - -Wray [Page 25] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -3.6. gss_delete_sec_context - - OM_uint32 gss_delete_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t output_token) - - Purpose: - - Delete a security context. gss_delete_sec_context will delete the - local data structures associated with the specified security context, - and generate an output_token, which when passed to the peer - gss_process_context_token will instruct it to do likewise. No - further security services may be obtained using the context specified - by context_handle. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, modify - context handle identifying context to delete. 
- - output_token buffer, opaque, modify - token to be sent to remote application to - instruct it to also delete the context - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_FAILURE Failure, see minor_status for more information - - GSS_S_NO_CONTEXT No valid context was supplied - -3.7. gss_context_time - - OM_uint32 gss_context_time ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - OM_uint32 * time_rec) - Purpose: - - Determines the number of seconds for which the specified context will - remain valid. - - - -Wray [Page 26] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Parameters: - - minor_status integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context to be interrogated. - - time_rec integer, modify - Number of seconds that the context will remain - valid. If the context has already expired, - zero will be returned. - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - -3.8. gss_sign - - OM_uint32 gss_sign ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int qop_req, - gss_buffer_t message_buffer, - gss_buffer_t msg_token) - Purpose: - - Generates a cryptographic signature for the supplied message, and - places the signature in a token for transfer to the peer application. - The qop_req parameter allows a choice between several cryptographic - algorithms, if supported by the chosen mechanism. - - Parameters: - - minor_status integer, modify - Implementation specific status code. 
- - context_handle gss_ctx_id_t, read - identifies the context on which the message - - - -Wray [Page 27] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - will be sent - - qop_req integer, read, optional - Specifies requested quality of protection. - Callers are encouraged, on portability grounds, - to accept the default quality of protection - offered by the chosen mechanism, which may be - requested by specifying GSS_C_QOP_DEFAULT for - this parameter. If an unsupported protection - strength is requested, gss_sign will return a - major_status of GSS_S_FAILURE. - - message_buffer buffer, opaque, read - message to be signed - - msg_token buffer, opaque, modify - buffer to receive token - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.9. gss_verify - - OM_uint32 gss_verify ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int * qop_state) - Purpose: - - Verifies that a cryptographic signature, contained in the token - parameter, fits the supplied message. The qop_state parameter allows - a message recipient to determine the strength of protection that was - applied to the message. - - - -Wray [Page 28] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - context_handle gss_ctx_id_t, read - identifies the context on which the message - arrived - - message_buffer buffer, opaque, read - message to be verified - - token_buffer buffer, opaque, read - token associated with message - - qop_state integer, modify - quality of protection gained from signature - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The signature was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct - signature for the message, but it had already - been processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct - signature for the message, but it is too old - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct - signature for the message, but has been - verified out of sequence; an earlier token has - been signed or sealed by the remote - application, but not yet been processed - locally. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - - - - -Wray [Page 29] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.10. gss_seal - - OM_uint32 gss_seal ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - int qop_req - gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer) - - Purpose: - - Cryptographically signs and optionally encrypts the specified - input_message. The output_message contains both the signature and - the message. The qop_req parameter allows a choice between several - cryptographic algorithms, if supported by the chosen mechanism. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - context_handle gss_ctx_id_t, read - identifies the context on which the message - will be sent - - conf_req_flag boolean, read - True - Both confidentiality and integrity - services are requested - False - Only integrity service is requested - - qop_req integer, read, optional - Specifies required quality of protection. A - mechanism-specific default may be requested by - setting qop_req to GSS_C_QOP_DEFAULT. If an - unsupported protection strength is requested, - gss_seal will return a major_status of - GSS_S_FAILURE. - - input_message_buffer buffer, opaque, read - message to be sealed - - - - -Wray [Page 30] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - conf_state boolean, modify - True - Confidentiality, data origin - authentication and integrity services - have been applied - False - Integrity and data origin services only - has been applied. - - output_message_buffer buffer, opaque, modify - buffer to receive sealed message - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.11. gss_unseal - - OM_uint32 gss_unseal ( - OM_uint32 * minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - int * qop_state) - - Purpose: - - Converts a previously sealed message back to a usable form, verifying - the embedded signature. The conf_state parameter indicates whether - the message was encrypted; the qop_state parameter indicates the - strength of protection that was used to provide the confidentiality - and integrity services. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - - -Wray [Page 31] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - context_handle gss_ctx_id_t, read - identifies the context on which the message - arrived - - input_message_buffer buffer, opaque, read - sealed message - - output_message_buffer buffer, opaque, modify - buffer to receive unsealed message - - conf_state boolean, modify - True - Confidentiality and integrity protection - were used - False - Inteegrity service only was used - - qop_state integer, modify - quality of protection gained from signature - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The signature was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a - correct signature for the message, but it had - already been processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct - signature for the message, but it is too old - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct - signature for the message, but has been - verified out of sequence; an earlier token has - been signed or sealed by the remote - application, but not yet been processed - locally. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_CREDENTIALS_EXPIRED The context is recognized, but - associated credentials have expired - - - - - -Wray [Page 32] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_FAILURE Failure. See minor_status for more information. - -3.12. gss_display_status - - OM_uint32 gss_display_status ( - OM_uint32 * minor_status, - int status_value, - int status_type, - gss_OID mech_type, - int * message_context, - gss_buffer_t status_string) - - Purpose: - - Allows an application to obtain a textual representation of a GSSAPI - status code, for display to the user or for logging purposes. 
Since - some status values may indicate multiple errors, applications may - need to call gss_display_status multiple times, each call generating - a single text string. The message_context parameter is used to - indicate which error message should be extracted from a given - status_value; message_context should be initialized to 0, and - gss_display_status will return a non-zero value if there are further - messages to extract. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - status_value integer, read - Status value to be converted - - status_type integer, read - GSS_C_GSS_CODE - status_value is a GSS status - code - GSS_C_MECH_CODE - status_value is a mechanism - status code - - mech_type Object ID, read, optional - Underlying mechanism (used to interpret a - minor status value) Supply GSS_C_NULL_OID to - obtain the system default. - - message_context integer, read/modify - Should be initialized to zero by caller - - - -Wray [Page 33] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - on first call. If further messages are - contained in the status_value parameter, - message_context will be non-zero on return, - and this value should be passed back to - subsequent calls, along with the same - status_value, status_type and mech_type - parameters. - - status_string buffer, character string, modify - textual interpretation of the status_value - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Indicates that translation in accordance with - an unsupported mechanism type was requested - - GSS_S_BAD_STATUS The status value was not recognized, or the - status type was neither GSS_C_GSS_CODE nor - GSS_C_MECH_CODE. - - -3.13. gss_indicate_mechs - - OM_uint32 gss_indicate_mechs ( - OM_uint32 * minor_status, - gss_OID_set * mech_set) - - Purpose: - - Allows an application to determine which underlying security - mechanisms are available. 
- - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - mech_set set of Object IDs, modify - set of implementation-supported mechanisms. - The returned gss_OID_set value will be a - pointer into static storage, and should be - treated as read-only by the caller. - - - - - -Wray [Page 34] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - -3.14. gss_compare_name - - OM_uint32 gss_compare_name ( - OM_uint32 * minor_status, - gss_name_t name1, - gss_name_t name2, - int * name_equal) - - Purpose: - - Allows an application to compare two internal-form names to determine - whether they refer to the same entity. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. - - name1 gss_name_t, read - internal-form name - - name2 gss_name_t, read - internal-form name - - name_equal boolean, modify - True - names refer to same entity - False - names refer to different entities - (strictly, the names are not known to - refer to the same identity). - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The type contained within either name1 or - name2 was unrecognized, or the names were of - incomparable types. - - GSS_S_BAD_NAME One or both of name1 or name2 was ill-formed - - - - - -Wray [Page 35] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - -3.15. gss_display_name - - OM_uint32 gss_display_name ( - OM_uint32 * minor_status, - gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID * output_name_type) - - Purpose: - - Allows an application to obtain a textual representation of an opaque - internal-form name for display purposes. The syntax of a printable - name is defined by the GSSAPI implementation. - - Parameters: - - minor_status integer, modify - Mechanism specific status code. 
- - input_name gss_name_t, read - name to be displayed - - output_name_buffer buffer, character-string, modify - buffer to receive textual name string - - output_name_type Object ID, modify - The type of the returned name. The returned - gss_OID will be a pointer into static storage, - and should be treated as read-only by the caller - - Function value: - - GSS status code: - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The type of input_name was not recognized - - GSS_S_BAD_NAME input_name was ill-formed - -3.16. gss_import_name - - OM_uint32 gss_import_name ( - OM_uint32 * minor_status, - gss_buffer_t input_name_buffer, - gss_OID input_name_type, - gss_name_t * output_name) - - - - -Wray [Page 36] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Purpose: - - Convert a printable name to internal form. - - Parameters: - - minor_status integer, modify - Mechanism specific status code - - input_name_buffer buffer, character-string, read - buffer containing printable name to convert - - input_name_type Object ID, read, optional - Object Id specifying type of printable - name. Applications may specify either - GSS_C_NULL_OID to use a local system-specific - printable syntax, or an OID registered by the - GSSAPI implementation to name a particular - namespace. - - output_name gss_name_t, modify - returned name in internal form - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The input_name_type was unrecognized - - GSS_S_BAD_NAME The input_name parameter could not be - interpreted as a name of the specified type - -3.17. gss_release_name - - OM_uint32 gss_release_name ( - OM_uint32 * minor_status, - gss_name_t * name) - - Purpose: - - Free GSSAPI-allocated storage associated with an internal form name. 
- - Parameters: - - minor_status integer, modify - Mechanism specific status code - - - -Wray [Page 37] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - name gss_name_t, modify - The name to be deleted - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The name parameter did not contain a valid name - -3.18. gss_release_buffer - - OM_uint32 gss_release_buffer ( - OM_uint32 * minor_status, - gss_buffer_t buffer) - - Purpose: - - Free storage associated with a buffer format name. The storage must - have been allocated by a GSSAPI routine. In addition to freeing the - associated storage, the routine will zero the length field in the - buffer parameter. - - Parameters: - - minor_status integer, modify - Mechanism specific status code - - buffer buffer, modify - The storage associated with the buffer will be - deleted. The gss_buffer_desc object will not - be freed, but its length field will be zeroed. - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - -3.19. gss_release_oid_set - - OM_uint32 gss_release_oid_set ( - OM_uint32 * minor_status, - gss_OID_set * set) - - Purpose: - - - - -Wray [Page 38] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - Free storage associated with a gss_OID_set object. The storage must - have been allocated by a GSSAPI routine. - - Parameters: - - minor_status integer, modify - Mechanism specific status code - - set Set of Object IDs, modify - The storage associated with the gss_OID_set - will be deleted. - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - -3.20. gss_inquire_cred - - OM_uint32 gss_inquire_cred ( - OM_uint32 * minor_status, - gss_cred_id_t cred_handle, - gss_name_t * name, - OM_uint32 * lifetime, - int * cred_usage, - gss_OID_set * mechanisms ) - - Purpose: - - Obtains information about a credential. The caller must already have - obtained a handle that refers to the credential. 
- - Parameters: - - minor_status integer, modify - Mechanism specific status code - - cred_handle gss_cred_id_t, read - A handle that refers to the target credential. - Specify GSS_C_NO_CREDENTIAL to inquire about - the default credential. - - name gss_name_t, modify - The name whose identity the credential asserts. - Specify NULL if not required. - - lifetime Integer, modify - - - -Wray [Page 39] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - The number of seconds for which the credential - will remain valid. If the credential has - expired, this parameter will be set to zero. - If the implementation does not support - credential expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - cred_usage Integer, modify - How the credential may be used. One of the - following: - GSS_C_INITIATE - GSS_C_ACCEPT - GSS_C_BOTH - Specify NULL if not required. - - mechanisms gss_OID_set, modify - Set of mechanisms supported by the credential. - Specify NULL if not required. - - Function value: - - GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be - accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were - invalid. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. - If the lifetime parameter was not passed as - NULL, it will be set to 0. - - - #ifndef GSSAPI_H_ - #define GSSAPI_H_ - - /* - * First, define the platform-dependent types. - */ - typedef OM_uint32; - typedef gss_ctx_id_t; - typedef gss_cred_id_t; - typedef gss_name_t; - - - - -Wray [Page 40] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - /* - * Note that a platform supporting the xom.h X/Open header file - * may make use of that header for the definitions of OM_uint32 - * and the structure to which gss_OID_desc equates. 
- */ - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - typedef struct gss_OID_set_desc_struct { - int count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - - /* - * Six independent flags each of which indicates that a context - * supports a specific service option. - */ - #define GSS_C_DELEG_FLAG 1 - #define GSS_C_MUTUAL_FLAG 2 - #define GSS_C_REPLAY_FLAG 4 - #define GSS_C_SEQUENCE_FLAG 8 - #define GSS_C_CONF_FLAG 16 - #define GSS_C_INTEG_FLAG 32 - - - /* - * Credential usage options - */ - #define GSS_C_BOTH 0 - #define GSS_C_INITIATE 1 - #define GSS_C_ACCEPT 2 - - - -Wray [Page 41] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - /* - * Status code types for gss_display_status - */ - #define GSS_C_GSS_CODE 1 - #define GSS_C_MECH_CODE 2 - - /* - * The constant definitions for channel-bindings address families - */ - #define GSS_C_AF_UNSPEC 0; - #define GSS_C_AF_LOCAL 1; - #define GSS_C_AF_INET 2; - #define GSS_C_AF_IMPLINK 3; - #define GSS_C_AF_PUP 4; - #define GSS_C_AF_CHAOS 5; - #define GSS_C_AF_NS 6; - #define GSS_C_AF_NBS 7; - #define GSS_C_AF_ECMA 8; - #define GSS_C_AF_DATAKIT 9; - #define GSS_C_AF_CCITT 10; - #define GSS_C_AF_SNA 11; - #define GSS_C_AF_DECnet 12; - #define GSS_C_AF_DLI 13; - #define GSS_C_AF_LAT 14; - #define GSS_C_AF_HYLINK 15; - #define GSS_C_AF_APPLETALK 16; - #define GSS_C_AF_BSC 17; - #define GSS_C_AF_DSS 18; - #define GSS_C_AF_OSI 19; - #define GSS_C_AF_X25 21; - - #define GSS_C_AF_NULLADDR 255; - - #define GSS_C_NO_BUFFER ((gss_buffer_t) 0) - #define GSS_C_NULL_OID ((gss_OID) 0) - #define 
GSS_C_NULL_OID_SET ((gss_OID_set) 0) - #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) - #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) - #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) - #define GSS_C_EMPTY_BUFFER {0, NULL} - - /* - * Define the default Quality of Protection for per-message - * services. Note that an implementation that offers multiple - * levels of QOP may either reserve a value (for example zero, - * as assumed here) to mean "default protection", or alternatively - * may simply equate GSS_C_QOP_DEFAULT to a specific explicit QOP - * value. - - - -Wray [Page 42] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - */ - #define GSS_C_QOP_DEFAULT 0 - - /* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ - #define GSS_C_INDEFINITE 0xfffffffful - - - /* Major status codes */ - - #define GSS_S_COMPLETE 0 - - /* - * Some "helper" definitions to make the status code macros obvious. - */ - #define GSS_C_CALLING_ERROR_OFFSET 24 - #define GSS_C_ROUTINE_ERROR_OFFSET 16 - #define GSS_C_SUPPLEMENTARY_OFFSET 0 - #define GSS_C_CALLING_ERROR_MASK 0377ul - #define GSS_C_ROUTINE_ERROR_MASK 0377ul - #define GSS_C_SUPPLEMENTARY_MASK 0177777ul - - /* - * The macros that test status codes for error conditions - */ - #define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) - #define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) - #define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) - #define GSS_ERROR(x) \ - ((GSS_CALLING_ERROR(x) != 0) || (GSS_ROUTINE_ERROR(x) != 0)) - - - /* - * Now the actual status code definitions - */ - - /* - * Calling errors: - */ - #define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) - - - -Wray [Page 43] - -RFC 1509 GSSAPI - 
Overview and C bindings September 1993 - - - #define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - - /* - * Routine errors: - */ - #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) - - /* - * Supplementary info bits: - */ - #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) - #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) - #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) - #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) - - - /* - * Finally, function prototypes for the GSSAPI routines. 
- */ - - OM_uint32 gss_acquire_cred - (OM_uint32*, /* minor_status */ - gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - gss_OID_set, /* desired_mechs */ - int, /* cred_usage */ - gss_cred_id_t*, /* output_cred_handle */ - gss_OID_set*, /* actual_mechs */ - OM_uint32* /* time_rec */ - ); - - OM_uint32 gss_release_cred, - (OM_uint32*, /* minor_status */ - gss_cred_id_t* /* cred_handle */ - ); - - - -Wray [Page 44] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - OM_uint32 gss_init_sec_context - (OM_uint32*, /* minor_status */ - gss_cred_id_t, /* claimant_cred_handle */ - gss_ctx_id_t*, /* context_handle */ - gss_name_t, /* target_name */ - gss_OID, /* mech_type */ - int, /* req_flags */ - OM_uint32, /* time_req */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_buffer_t, /* input_token */ - gss_OID*, /* actual_mech_type */ - gss_buffer_t, /* output_token */ - int*, /* ret_flags */ - OM_uint32* /* time_rec */ - ); - - OM_uint32 gss_accept_sec_context - (OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_cred_id_t, /* verifier_cred_handle */ - gss_buffer_t, /* input_token_buffer */ - gss_channel_bindings_t, - /* input_chan_bindings */ - gss_name_t*, /* src_name */ - gss_OID*, /* mech_type */ - gss_buffer_t, /* output_token */ - int*, /* ret_flags */ - OM_uint32*, /* time_rec */ - gss_cred_id_t* /* delegated_cred_handle */ - ); - - OM_uint32 gss_process_context_token - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t /* token_buffer */ - ); - - OM_uint32 gss_delete_sec_context - (OM_uint32*, /* minor_status */ - gss_ctx_id_t*, /* context_handle */ - gss_buffer_t /* output_token */ - ); - - - - - - - - -Wray [Page 45] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - OM_uint32 gss_context_time - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - OM_uint32* /* time_rec */ - ); - - OM_uint32 gss_sign - (OM_uint32*, /* minor_status */ - 
gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - - OM_uitn32 gss_verify - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int* /* qop_state */ - ); - - OM_uint32 gss_seal - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int*, /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - OM_uint32 gss_unseal - (OM_uint32*, /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int*, /* conf_state */ - int* /* qop_state */ - ); - - - - - - - - - - - -Wray [Page 46] - -RFC 1509 GSSAPI - Overview and C bindings September 1993 - - - OM_uint32 gss_display_status - (OM_uint32*, /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type */ - gss_OID, /* mech_type */ - int*, /* message_context */ - gss_buffer_t /* status_string */ - ); - - OM_uint32 gss_indicate_mechs - (OM_uint32*, /* minor_status */ - gss_OID_set* /* mech_set */ - ); - - OM_uint32 gss_compare_name - (OM_uint32*, /* minor_status */ - gss_name_t, /* name1 */ - gss_name_t, /* name2 */ - int* /* name_equal */ - ); - - OM_uint32 gss_display_name, - (OM_uint32*, /* minor_status */ - gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID* /* output_name_type */ - ); - - OM_uint32 gss_import_name - (OM_uint32*, /* minor_status */ - gss_buffer_t, /* input_name_buffer */ - gss_OID, /* input_name_type */ - gss_name_t* /* output_name */ - ); - - OM_uint32 gss_release_name - (OM_uint32*, /* minor_status */ - gss_name_t* /* input_name */ - ); - - OM_uint32 gss_release_buffer - (OM_uint32*, /* minor_status */ - gss_buffer_t /* buffer */ - ); - - OM_uint32 gss_release_oid_set - (OM_uint32*, /* 
minor_status */
- gss_OID_set* /* set */
-
-
-
-Wray [Page 47]
-
-RFC 1509 GSSAPI - Overview and C bindings September 1993
-
-
- );
-
- OM_uint32 gss_inquire_cred
- (OM_uint32 *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t *, /* name */
- OM_uint32 *, /* lifetime */
- int *, /* cred_usage */
- gss_OID_set * /* mechanisms */
- );
-
-
-
- #endif /* GSSAPI_H_ */
-
-References
-
- [1] Linn, J., "Generic Security Service Application Program
- Interface", RFC 1508, Geer Zolot Associate, September 1993.
-
- [2] "OSI Object Management API Specification, Version 2.0 t", X.400
- API Association & X/Open Company Limited, August 24, 1990.
- Specification of datatypes and routines for manipulating
- information objects.
-
-Security Considerations
-
- Security issues are discussed throughout this memo.
-
-Author's Address
-
- John Wray
- Digital Equipment Corporation
- 550 King Street, LKG2-2/AA6
- Littleton, MA 01460
- USA
-
- Phone: +1-508-486-5210
- EMail: Wray@tuxedo.enet.dec.com
-
-
-
-
-
-
-
-
-
-
-
-
-Wray [Page 48]
-
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1510.txt b/crypto/heimdal/doc/standardisation/rfc1510.txt
deleted file mode 100644
index bc810cc506fa..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc1510.txt
+++ /dev/null
@@ -1,6275 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Kohl
-Request for Comments: 1510 Digital Equipment Corporation
- C. Neuman
- ISI
- September 1993
-
-
- The Kerberos Network Authentication Service (V5)
-
-Status of this Memo
-
- This RFC specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" for the standardization state and status
- of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- This document gives an overview and specification of Version 5 of the
- protocol for the Kerberos network authentication system. Version 4,
- described elsewhere [1,2], is presently in production use at MIT's
- Project Athena, and at other Internet sites.
-
-Overview
-
- Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos,
- Moira, and Zephyr are trademarks of the Massachusetts Institute of
- Technology (MIT). No commercial use of these trademarks may be made
- without prior written permission of MIT.
-
- This RFC describes the concepts and model upon which the Kerberos
- network authentication system is based. It also specifies Version 5
- of the Kerberos protocol.
-
- The motivations, goals, assumptions, and rationale behind most design
- decisions are treated cursorily; for Version 4 they are fully
- described in the Kerberos portion of the Athena Technical Plan [1].
- The protocols are under review, and are not being submitted for
- consideration as an Internet standard at this time. Comments are
- encouraged. Requests for addition to an electronic mailing list for
- discussion of Kerberos, kerberos@MIT.EDU, may be addressed to
- kerberos-request@MIT.EDU. This mailing list is gatewayed onto the
- Usenet as the group comp.protocols.kerberos. Requests for further
- information, including documents and code availability, may be sent
- to info-kerberos@MIT.EDU.
- - - - - -Kohl & Neuman [Page 1] - -RFC 1510 Kerberos September 1993 - - -Background - - The Kerberos model is based in part on Needham and Schroeder's - trusted third-party authentication protocol [3] and on modifications - suggested by Denning and Sacco [4]. The original design and - implementation of Kerberos Versions 1 through 4 was the work of two - former Project Athena staff members, Steve Miller of Digital - Equipment Corporation and Clifford Neuman (now at the Information - Sciences Institute of the University of Southern California), along - with Jerome Saltzer, Technical Director of Project Athena, and - Jeffrey Schiller, MIT Campus Network Manager. Many other members of - Project Athena have also contributed to the work on Kerberos. - Version 4 is publicly available, and has seen wide use across the - Internet. - - Version 5 (described in this document) has evolved from Version 4 - based on new requirements and desires for features not available in - Version 4. Details on the differences between Kerberos Versions 4 - and 5 can be found in [5]. - -Table of Contents - - 1. Introduction ....................................... 5 - 1.1. Cross-Realm Operation ............................ 7 - 1.2. Environmental assumptions ........................ 8 - 1.3. Glossary of terms ................................ 9 - 2. Ticket flag uses and requests ...................... 12 - 2.1. Initial and pre-authenticated tickets ............ 12 - 2.2. Invalid tickets .................................. 12 - 2.3. Renewable tickets ................................ 12 - 2.4. Postdated tickets ................................ 13 - 2.5. Proxiable and proxy tickets ...................... 14 - 2.6. Forwardable tickets .............................. 15 - 2.7. Other KDC options ................................ 15 - 3. Message Exchanges .................................. 16 - 3.1. The Authentication Service Exchange .............. 16 - 3.1.1. 
Generation of KRB_AS_REQ message ............... 17 - 3.1.2. Receipt of KRB_AS_REQ message .................. 17 - 3.1.3. Generation of KRB_AS_REP message ............... 17 - 3.1.4. Generation of KRB_ERROR message ................ 19 - 3.1.5. Receipt of KRB_AS_REP message .................. 19 - 3.1.6. Receipt of KRB_ERROR message ................... 20 - 3.2. The Client/Server Authentication Exchange ........ 20 - 3.2.1. The KRB_AP_REQ message ......................... 20 - 3.2.2. Generation of a KRB_AP_REQ message ............. 20 - 3.2.3. Receipt of KRB_AP_REQ message .................. 21 - 3.2.4. Generation of a KRB_AP_REP message ............. 23 - 3.2.5. Receipt of KRB_AP_REP message .................. 23 - - - -Kohl & Neuman [Page 2] - -RFC 1510 Kerberos September 1993 - - - 3.2.6. Using the encryption key ....................... 24 - 3.3. The Ticket-Granting Service (TGS) Exchange ....... 24 - 3.3.1. Generation of KRB_TGS_REQ message .............. 25 - 3.3.2. Receipt of KRB_TGS_REQ message ................. 26 - 3.3.3. Generation of KRB_TGS_REP message .............. 27 - 3.3.3.1. Encoding the transited field ................. 29 - 3.3.4. Receipt of KRB_TGS_REP message ................. 31 - 3.4. The KRB_SAFE Exchange ............................ 31 - 3.4.1. Generation of a KRB_SAFE message ............... 31 - 3.4.2. Receipt of KRB_SAFE message .................... 32 - 3.5. The KRB_PRIV Exchange ............................ 33 - 3.5.1. Generation of a KRB_PRIV message ............... 33 - 3.5.2. Receipt of KRB_PRIV message .................... 33 - 3.6. The KRB_CRED Exchange ............................ 34 - 3.6.1. Generation of a KRB_CRED message ............... 34 - 3.6.2. Receipt of KRB_CRED message .................... 34 - 4. The Kerberos Database .............................. 35 - 4.1. Database contents ................................ 35 - 4.2. Additional fields ................................ 36 - 4.3. 
Frequently Changing Fields ....................... 37 - 4.4. Site Constants ................................... 37 - 5. Message Specifications ............................. 38 - 5.1. ASN.1 Distinguished Encoding Representation ...... 38 - 5.2. ASN.1 Base Definitions ........................... 38 - 5.3. Tickets and Authenticators ....................... 42 - 5.3.1. Tickets ........................................ 42 - 5.3.2. Authenticators ................................. 47 - 5.4. Specifications for the AS and TGS exchanges ...... 49 - 5.4.1. KRB_KDC_REQ definition ......................... 49 - 5.4.2. KRB_KDC_REP definition ......................... 56 - 5.5. Client/Server (CS) message specifications ........ 58 - 5.5.1. KRB_AP_REQ definition .......................... 58 - 5.5.2. KRB_AP_REP definition .......................... 60 - 5.5.3. Error message reply ............................ 61 - 5.6. KRB_SAFE message specification ................... 61 - 5.6.1. KRB_SAFE definition ............................ 61 - 5.7. KRB_PRIV message specification ................... 62 - 5.7.1. KRB_PRIV definition ............................ 62 - 5.8. KRB_CRED message specification ................... 63 - 5.8.1. KRB_CRED definition ............................ 63 - 5.9. Error message specification ...................... 65 - 5.9.1. KRB_ERROR definition ........................... 66 - 6. Encryption and Checksum Specifications ............. 67 - 6.1. Encryption Specifications ........................ 68 - 6.2. Encryption Keys .................................. 71 - 6.3. Encryption Systems ............................... 71 - 6.3.1. The NULL Encryption System (null) .............. 71 - 6.3.2. DES in CBC mode with a CRC-32 checksum (descbc-crc)71 - - - -Kohl & Neuman [Page 3] - -RFC 1510 Kerberos September 1993 - - - 6.3.3. DES in CBC mode with an MD4 checksum (descbc-md4) 72 - 6.3.4. DES in CBC mode with an MD5 checksum (descbc-md5) 72 - 6.4. 
Checksums ........................................ 74 - 6.4.1. The CRC-32 Checksum (crc32) .................... 74 - 6.4.2. The RSA MD4 Checksum (rsa-md4) ................. 75 - 6.4.3. RSA MD4 Cryptographic Checksum Using DES - (rsa-md4-des) ......................................... 75 - 6.4.4. The RSA MD5 Checksum (rsa-md5) ................. 76 - 6.4.5. RSA MD5 Cryptographic Checksum Using DES - (rsa-md5-des) ......................................... 76 - 6.4.6. DES cipher-block chained checksum (des-mac) - 6.4.7. RSA MD4 Cryptographic Checksum Using DES - alternative (rsa-md4-des-k) ........................... 77 - 6.4.8. DES cipher-block chained checksum alternative - (des-mac-k) ........................................... 77 - 7. Naming Constraints ................................. 78 - 7.1. Realm Names ...................................... 77 - 7.2. Principal Names .................................. 79 - 7.2.1. Name of server principals ...................... 80 - 8. Constants and other defined values ................. 80 - 8.1. Host address types ............................... 80 - 8.2. KDC messages ..................................... 81 - 8.2.1. IP transport ................................... 81 - 8.2.2. OSI transport .................................. 82 - 8.2.3. Name of the TGS ................................ 82 - 8.3. Protocol constants and associated values ......... 82 - 9. Interoperability requirements ...................... 86 - 9.1. Specification 1 .................................. 86 - 9.2. Recommended KDC values ........................... 88 - 10. Acknowledgments ................................... 88 - 11. References ........................................ 89 - 12. Security Considerations ........................... 90 - 13. Authors' Addresses ................................ 90 - A. Pseudo-code for protocol processing ................ 91 - A.1. KRB_AS_REQ generation ............................ 91 - A.2. 
KRB_AS_REQ verification and KRB_AS_REP generation 92 - A.3. KRB_AS_REP verification .......................... 95 - A.4. KRB_AS_REP and KRB_TGS_REP common checks ......... 96 - A.5. KRB_TGS_REQ generation ........................... 97 - A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation 98 - A.7. KRB_TGS_REP verification ......................... 104 - A.8. Authenticator generation ......................... 104 - A.9. KRB_AP_REQ generation ............................ 105 - A.10. KRB_AP_REQ verification ......................... 105 - A.11. KRB_AP_REP generation ........................... 106 - A.12. KRB_AP_REP verification ......................... 107 - A.13. KRB_SAFE generation ............................. 107 - A.14. KRB_SAFE verification ........................... 108 - - - -Kohl & Neuman [Page 4] - -RFC 1510 Kerberos September 1993 - - - A.15. KRB_SAFE and KRB_PRIV common checks ............. 108 - A.16. KRB_PRIV generation ............................. 109 - A.17. KRB_PRIV verification ........................... 110 - A.18. KRB_CRED generation ............................. 110 - A.19. KRB_CRED verification ........................... 111 - A.20. KRB_ERROR generation ............................ 112 - -1. Introduction - - Kerberos provides a means of verifying the identities of principals, - (e.g., a workstation user or a network server) on an open - (unprotected) network. This is accomplished without relying on - authentication by the host operating system, without basing trust on - host addresses, without requiring physical security of all the hosts - on the network, and under the assumption that packets traveling along - the network can be read, modified, and inserted at will. (Note, - however, that many applications use Kerberos' functions only upon the - initiation of a stream-based network connection, and assume the - absence of any "hijackers" who might subvert such a connection. Such - use implicitly trusts the host addresses involved.) 
Kerberos - performs authentication under these conditions as a trusted third- - party authentication service by using conventional cryptography, - i.e., shared secret key. (shared secret key - Secret and private are - often used interchangeably in the literature. In our usage, it takes - two (or more) to share a secret, thus a shared DES key is a secret - key. Something is only private when no one but its owner knows it. - Thus, in public key cryptosystems, one has a public and a private - key.) - - The authentication process proceeds as follows: A client sends a - request to the authentication server (AS) requesting "credentials" - for a given server. The AS responds with these credentials, - encrypted in the client's key. The credentials consist of 1) a - "ticket" for the server and 2) a temporary encryption key (often - called a "session key"). The client transmits the ticket (which - contains the client's identity and a copy of the session key, all - encrypted in the server's key) to the server. The session key (now - shared by the client and server) is used to authenticate the client, - and may optionally be used to authenticate the server. It may also - be used to encrypt further communication between the two parties or - to exchange a separate sub-session key to be used to encrypt further - communication. - - The implementation consists of one or more authentication servers - running on physically secure hosts. The authentication servers - maintain a database of principals (i.e., users and servers) and their - secret keys. Code libraries provide encryption and implement the - Kerberos protocol. In order to add authentication to its - - - -Kohl & Neuman [Page 5] - -RFC 1510 Kerberos September 1993 - - - transactions, a typical network application adds one or two calls to - the Kerberos library, which results in the transmission of the - necessary messages to achieve authentication. - - The Kerberos protocol consists of several sub-protocols (or - exchanges). 
There are two methods by which a client can ask a - Kerberos server for credentials. In the first approach, the client - sends a cleartext request for a ticket for the desired server to the - AS. The reply is sent encrypted in the client's secret key. Usually - this request is for a ticket-granting ticket (TGT) which can later be - used with the ticket-granting server (TGS). In the second method, - the client sends a request to the TGS. The client sends the TGT to - the TGS in the same manner as if it were contacting any other - application server which requires Kerberos credentials. The reply is - encrypted in the session key from the TGT. - - Once obtained, credentials may be used to verify the identity of the - principals in a transaction, to ensure the integrity of messages - exchanged between them, or to preserve privacy of the messages. The - application is free to choose whatever protection may be necessary. - - To verify the identities of the principals in a transaction, the - client transmits the ticket to the server. Since the ticket is sent - "in the clear" (parts of it are encrypted, but this encryption - doesn't thwart replay) and might be intercepted and reused by an - attacker, additional information is sent to prove that the message - was originated by the principal to whom the ticket was issued. This - information (called the authenticator) is encrypted in the session - key, and includes a timestamp. The timestamp proves that the message - was recently generated and is not a replay. Encrypting the - authenticator in the session key proves that it was generated by a - party possessing the session key. Since no one except the requesting - principal and the server know the session key (it is never sent over - the network in the clear) this guarantees the identity of the client. - - The integrity of the messages exchanged between principals can also - be guaranteed using the session key (passed in the ticket and - contained in the credentials). 
This approach provides detection of - both replay attacks and message stream modification attacks. It is - accomplished by generating and transmitting a collision-proof - checksum (elsewhere called a hash or digest function) of the client's - message, keyed with the session key. Privacy and integrity of the - messages exchanged between principals can be secured by encrypting - the data to be passed using the session key passed in the ticket, and - contained in the credentials. - - The authentication exchanges mentioned above require read-only access - to the Kerberos database. Sometimes, however, the entries in the - - - -Kohl & Neuman [Page 6] - -RFC 1510 Kerberos September 1993 - - - database must be modified, such as when adding new principals or - changing a principal's key. This is done using a protocol between a - client and a third Kerberos server, the Kerberos Administration - Server (KADM). The administration protocol is not described in this - document. There is also a protocol for maintaining multiple copies of - the Kerberos database, but this can be considered an implementation - detail and may vary to support different database technologies. - -1.1. Cross-Realm Operation - - The Kerberos protocol is designed to operate across organizational - boundaries. A client in one organization can be authenticated to a - server in another. Each organization wishing to run a Kerberos - server establishes its own "realm". The name of the realm in which a - client is registered is part of the client's name, and can be used by - the end-service to decide whether to honor a request. - - By establishing "inter-realm" keys, the administrators of two realms - can allow a client authenticated in the local realm to use its - authentication remotely (Of course, with appropriate permission the - client could arrange registration of a separately-named principal in - a remote realm, and engage in normal exchanges with that realm's - services. 
However, for even small numbers of clients this becomes - cumbersome, and more automatic methods as described here are - necessary). The exchange of inter-realm keys (a separate key may be - used for each direction) registers the ticket-granting service of - each realm as a principal in the other realm. A client is then able - to obtain a ticket-granting ticket for the remote realm's ticket- - granting service from its local realm. When that ticket-granting - ticket is used, the remote ticket-granting service uses the inter- - realm key (which usually differs from its own normal TGS key) to - decrypt the ticket-granting ticket, and is thus certain that it was - issued by the client's own TGS. Tickets issued by the remote ticket- - granting service will indicate to the end-service that the client was - authenticated from another realm. - - A realm is said to communicate with another realm if the two realms - share an inter-realm key, or if the local realm shares an inter-realm - key with an intermediate realm that communicates with the remote - realm. An authentication path is the sequence of intermediate realms - that are transited in communicating from one realm to another. - - Realms are typically organized hierarchically. Each realm shares a - key with its parent and a different key with each child. If an - inter-realm key is not directly shared by two realms, the - hierarchical organization allows an authentication path to be easily - constructed. If a hierarchical organization is not used, it may be - necessary to consult some database in order to construct an - - - -Kohl & Neuman [Page 7] - -RFC 1510 Kerberos September 1993 - - - authentication path between realms. - - Although realms are typically hierarchical, intermediate realms may - be bypassed to achieve cross-realm authentication through alternate - authentication paths (these might be established to make - communication between two realms more efficient). 
It is important - for the end-service to know which realms were transited when deciding - how much faith to place in the authentication process. To facilitate - this decision, a field in each ticket contains the names of the - realms that were involved in authenticating the client. - -1.2. Environmental assumptions - - Kerberos imposes a few assumptions on the environment in which it can - properly function: - - + "Denial of service" attacks are not solved with Kerberos. There - are places in these protocols where an intruder intruder can - prevent an application from participating in the proper - authentication steps. Detection and solution of such attacks - (some of which can appear to be not-uncommon "normal" failure - modes for the system) is usually best left to the human - administrators and users. - - + Principals must keep their secret keys secret. If an intruder - somehow steals a principal's key, it will be able to masquerade - as that principal or impersonate any server to the legitimate - principal. - - + "Password guessing" attacks are not solved by Kerberos. If a - user chooses a poor password, it is possible for an attacker to - successfully mount an offline dictionary attack by repeatedly - attempting to decrypt, with successive entries from a - dictionary, messages obtained which are encrypted under a key - derived from the user's password. - - + Each host on the network must have a clock which is "loosely - synchronized" to the time of the other hosts; this - synchronization is used to reduce the bookkeeping needs of - application servers when they do replay detection. The degree - of "looseness" can be configured on a per-server basis. If the - clocks are synchronized over the network, the clock - synchronization protocol must itself be secured from network - attackers. - - + Principal identifiers are not recycled on a short-term basis. 
A - typical mode of access control will use access control lists - (ACLs) to grant permissions to particular principals. If a - - - -Kohl & Neuman [Page 8] - -RFC 1510 Kerberos September 1993 - - - stale ACL entry remains for a deleted principal and the - principal identifier is reused, the new principal will inherit - rights specified in the stale ACL entry. By not re-using - principal identifiers, the danger of inadvertent access is - removed. - -1.3. Glossary of terms - - Below is a list of terms used throughout this document. - - - Authentication Verifying the claimed identity of a - principal. - - - Authentication header A record containing a Ticket and an - Authenticator to be presented to a - server as part of the authentication - process. - - - Authentication path A sequence of intermediate realms transited - in the authentication process when - communicating from one realm to another. - - Authenticator A record containing information that can - be shown to have been recently generated - using the session key known only by the - client and server. - - - Authorization The process of determining whether a - client may use a service, which objects - the client is allowed to access, and the - type of access allowed for each. - - - Capability A token that grants the bearer permission - to access an object or service. In - Kerberos, this might be a ticket whose - use is restricted by the contents of the - authorization data field, but which - lists no network addresses, together - with the session key necessary to use - the ticket. - - - - - - -Kohl & Neuman [Page 9] - -RFC 1510 Kerberos September 1993 - - - Ciphertext The output of an encryption function. - Encryption transforms plaintext into - ciphertext. - - - Client A process that makes use of a network - service on behalf of a user. Note that - in some cases a Server may itself be a - client of some other server (e.g., a - print server may be a client of a file - server). 
- - - Credentials A ticket plus the secret session key - necessary to successfully use that - ticket in an authentication exchange. - - - KDC Key Distribution Center, a network service - that supplies tickets and temporary - session keys; or an instance of that - service or the host on which it runs. - The KDC services both initial ticket and - ticket-granting ticket requests. The - initial ticket portion is sometimes - referred to as the Authentication Server - (or service). The ticket-granting - ticket portion is sometimes referred to - as the ticket-granting server (or service). - - Kerberos Aside from the 3-headed dog guarding - Hades, the name given to Project - Athena's authentication service, the - protocol used by that service, or the - code used to implement the authentication - service. - - - Plaintext The input to an encryption function or - the output of a decryption function. - Decryption transforms ciphertext into - plaintext. - - - Principal A uniquely named client or server - instance that participates in a network - communication. - - - - -Kohl & Neuman [Page 10] - -RFC 1510 Kerberos September 1993 - - - Principal identifier The name used to uniquely identify each - different principal. - - - Seal To encipher a record containing several - fields in such a way that the fields - cannot be individually replaced without - either knowledge of the encryption key - or leaving evidence of tampering. - - - Secret key An encryption key shared by a principal - and the KDC, distributed outside the - bounds of the system, with a long lifetime. - In the case of a human user's - principal, the secret key is derived - from a password. - - - Server A particular Principal which provides a - resource to network clients. - - - Service A resource provided to network clients; - often provided by more than one server - (for example, remote file service). 
- - - Session key A temporary encryption key used between - two principals, with a lifetime limited - to the duration of a single login "session". - - - Sub-session key A temporary encryption key used between - two principals, selected and exchanged - by the principals using the session key, - and with a lifetime limited to the duration - of a single association. - - - Ticket A record that helps a client authenticate - itself to a server; it contains the - client's identity, a session key, a - timestamp, and other information, all - sealed using the server's secret key. - It only serves to authenticate a client - when presented along with a fresh - Authenticator. - - - -Kohl & Neuman [Page 11] - -RFC 1510 Kerberos September 1993 - - -2. Ticket flag uses and requests - - Each Kerberos ticket contains a set of flags which are used to - indicate various attributes of that ticket. Most flags may be - requested by a client when the ticket is obtained; some are - automatically turned on and off by a Kerberos server as required. - The following sections explain what the various flags mean, and gives - examples of reasons to use such a flag. - -2.1. Initial and pre-authenticated tickets - - The INITIAL flag indicates that a ticket was issued using the AS - protocol and not issued based on a ticket-granting ticket. - Application servers that want to require the knowledge of a client's - secret key (e.g., a passwordchanging program) can insist that this - flag be set in any tickets they accept, and thus be assured that the - client's key was recently presented to the application client. 
- - The PRE-AUTHENT and HW-AUTHENT flags provide addition information - about the initial authentication, regardless of whether the current - ticket was issued directly (in which case INITIAL will also be set) - or issued on the basis of a ticket-granting ticket (in which case the - INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags are - carried forward from the ticket-granting ticket). - -2.2. Invalid tickets - - The INVALID flag indicates that a ticket is invalid. Application - servers must reject tickets which have this flag set. A postdated - ticket will usually be issued in this form. Invalid tickets must be - validated by the KDC before use, by presenting them to the KDC in a - TGS request with the VALIDATE option specified. The KDC will only - validate tickets after their starttime has passed. The validation is - required so that postdated tickets which have been stolen before - their starttime can be rendered permanently invalid (through a hot- - list mechanism). - -2.3. Renewable tickets - - Applications may desire to hold tickets which can be valid for long - periods of time. However, this can expose their credentials to - potential theft for equally long periods, and those stolen - credentials would be valid until the expiration time of the - ticket(s). Simply using shortlived tickets and obtaining new ones - periodically would require the client to have long-term access to its - secret key, an even greater risk. Renewable tickets can be used to - mitigate the consequences of theft. Renewable tickets have two - "expiration times": the first is when the current instance of the - - - -Kohl & Neuman [Page 12] - -RFC 1510 Kerberos September 1993 - - - ticket expires, and the second is the latest permissible value for an - individual expiration time. An application client must periodically - (i.e., before it expires) present a renewable ticket to the KDC, with - the RENEW option set in the KDC request. 
The KDC will issue a new - ticket with a new session key and a later expiration time. All other - fields of the ticket are left unmodified by the renewal process. - When the latest permissible expiration time arrives, the ticket - expires permanently. At each renewal, the KDC may consult a hot-list - to determine if the ticket had been reported stolen since its last - renewal; it will refuse to renew such stolen tickets, and thus the - usable lifetime of stolen tickets is reduced. - - The RENEWABLE flag in a ticket is normally only interpreted by the - ticket-granting service (discussed below in section 3.3). It can - usually be ignored by application servers. However, some - particularly careful application servers may wish to disallow - renewable tickets. - - If a renewable ticket is not renewed by its expiration time, the KDC - will not renew the ticket. The RENEWABLE flag is reset by default, - but a client may request it be set by setting the RENEWABLE option - in the KRB_AS_REQ message. If it is set, then the renew-till field - in the ticket contains the time after which the ticket may not be - renewed. - -2.4. Postdated tickets - - Applications may occasionally need to obtain tickets for use much - later, e.g., a batch submission system would need tickets to be valid - at the time the batch job is serviced. However, it is dangerous to - hold valid tickets in a batch queue, since they will be on-line - longer and more prone to theft. Postdated tickets provide a way to - obtain these tickets from the KDC at job submission time, but to - leave them "dormant" until they are activated and validated by a - further request of the KDC. If a ticket theft were reported in the - interim, the KDC would refuse to validate the ticket, and the thief - would be foiled. - - The MAY-POSTDATE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. 
- This flag must be set in a ticket-granting ticket in order to issue a - postdated ticket based on the presented ticket. It is reset by - default; it may be requested by a client by setting the ALLOW- - POSTDATE option in the KRB_AS_REQ message. This flag does not allow - a client to obtain a postdated ticket-granting ticket; postdated - ticket-granting tickets can only by obtained by requesting the - postdating in the KRB_AS_REQ message. The life (endtime-starttime) - of a postdated ticket will be the remaining life of the ticket- - - - -Kohl & Neuman [Page 13] - -RFC 1510 Kerberos September 1993 - - - granting ticket at the time of the request, unless the RENEWABLE - option is also set, in which case it can be the full life (endtime- - starttime) of the ticket-granting ticket. The KDC may limit how far - in the future a ticket may be postdated. - - The POSTDATED flag indicates that a ticket has been postdated. The - application server can check the authtime field in the ticket to see - when the original authentication occurred. Some services may choose - to reject postdated tickets, or they may only accept them within a - certain period after the original authentication. When the KDC issues - a POSTDATED ticket, it will also be marked as INVALID, so that the - application client must present the ticket to the KDC to be validated - before use. - -2.5. Proxiable and proxy tickets - - At times it may be necessary for a principal to allow a service to - perform an operation on its behalf. The service must be able to take - on the identity of the client, but only for a particular purpose. A - principal can allow a service to take on the principal's identity for - a particular purpose by granting it a proxy. - - The PROXIABLE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. 
- When set, this flag tells the ticket-granting server that it is OK to - issue a new ticket (but not a ticket-granting ticket) with a - different network address based on this ticket. This flag is set by - default. - - This flag allows a client to pass a proxy to a server to perform a - remote request on its behalf, e.g., a print service client can give - the print server a proxy to access the client's files on a particular - file server in order to satisfy a print request. - - In order to complicate the use of stolen credentials, Kerberos - tickets are usually valid from only those network addresses - specifically included in the ticket (It is permissible to request or - issue tickets with no network addresses specified, but we do not - recommend it). For this reason, a client wishing to grant a proxy - must request a new ticket valid for the network address of the - service to be granted the proxy. - - The PROXY flag is set in a ticket by the TGS when it issues a - proxy ticket. Application servers may check this flag and require - additional authentication from the agent presenting the proxy in - order to provide an audit trail. - - - - - -Kohl & Neuman [Page 14] - -RFC 1510 Kerberos September 1993 - - -2.6. Forwardable tickets - - Authentication forwarding is an instance of the proxy case where the - service is granted complete use of the client's identity. An example - where it might be used is when a user logs in to a remote system and - wants authentication to work from that system as if the login were - local. - - The FORWARDABLE flag in a ticket is normally only interpreted by the - ticket-granting service. It can be ignored by application servers. - The FORWARDABLE flag has an interpretation similar to that of the - PROXIABLE flag, except ticket-granting tickets may also be issued - with different network addresses. 
This flag is reset by default, but - users may request that it be set by setting the FORWARDABLE option in - the AS request when they request their initial ticket-granting - ticket. - - This flag allows for authentication forwarding without requiring the - user to enter a password again. If the flag is not set, then - authentication forwarding is not permitted, but the same end result - can still be achieved if the user engages in the AS exchange with the - requested network addresses and supplies a password. - - The FORWARDED flag is set by the TGS when a client presents a ticket - with the FORWARDABLE flag set and requests it be set by specifying - the FORWARDED KDC option and supplying a set of addresses for the new - ticket. It is also set in all tickets issued based on tickets with - the FORWARDED flag set. Application servers may wish to process - FORWARDED tickets differently than non-FORWARDED tickets. - -2.7. Other KDC options - - There are two additional options which may be set in a client's - request of the KDC. The RENEWABLE-OK option indicates that the - client will accept a renewable ticket if a ticket with the requested - life cannot otherwise be provided. If a ticket with the requested - life cannot be provided, then the KDC may issue a renewable ticket - with a renew-till equal to the the requested endtime. The value of - the renew-till field may still be adjusted by site-determined limits - or limits imposed by the individual principal or server. - - The ENC-TKT-IN-SKEY option is honored only by the ticket-granting - service. It indicates that the to-be-issued ticket for the end - server is to be encrypted in the session key from the additional - ticket-granting ticket provided with the request. See section 3.3.3 - for specific details. - - - - - -Kohl & Neuman [Page 15] - -RFC 1510 Kerberos September 1993 - - -3. 
Message Exchanges - - The following sections describe the interactions between network - clients and servers and the messages involved in those exchanges. - -3.1. The Authentication Service Exchange - - Summary - - Message direction Message type Section - 1. Client to Kerberos KRB_AS_REQ 5.4.1 - 2. Kerberos to client KRB_AS_REP or 5.4.2 - KRB_ERROR 5.9.1 - - The Authentication Service (AS) Exchange between the client and the - Kerberos Authentication Server is usually initiated by a client when - it wishes to obtain authentication credentials for a given server but - currently holds no credentials. The client's secret key is used for - encryption and decryption. This exchange is typically used at the - initiation of a login session, to obtain credentials for a Ticket- - Granting Server, which will subsequently be used to obtain - credentials for other servers (see section 3.3) without requiring - further use of the client's secret key. This exchange is also used - to request credentials for services which must not be mediated - through the Ticket-Granting Service, but rather require a principal's - secret key, such as the password-changing service. (The password- - changing request must not be honored unless the requester can provide - the old password (the user's current secret key). Otherwise, it - would be possible for someone to walk up to an unattended session and - change another user's password.) This exchange does not by itself - provide any assurance of the the identity of the user. (To - authenticate a user logging on to a local system, the credentials - obtained in the AS exchange may first be used in a TGS exchange to - obtain credentials for a local server. Those credentials must then - be verified by the local server through successful completion of the - Client/Server exchange.) - - The exchange consists of two messages: KRB_AS_REQ from the client to - Kerberos, and KRB_AS_REP or KRB_ERROR in reply. 
The formats for these - messages are described in sections 5.4.1, 5.4.2, and 5.9.1. - - In the request, the client sends (in cleartext) its own identity and - the identity of the server for which it is requesting credentials. - The response, KRB_AS_REP, contains a ticket for the client to present - to the server, and a session key that will be shared by the client - and the server. The session key and additional information are - encrypted in the client's secret key. The KRB_AS_REP message - contains information which can be used to detect replays, and to - - - -Kohl & Neuman [Page 16] - -RFC 1510 Kerberos September 1993 - - - associate it with the message to which it replies. Various errors - can occur; these are indicated by an error response (KRB_ERROR) - instead of the KRB_AS_REP response. The error message is not - encrypted. The KRB_ERROR message also contains information which can - be used to associate it with the message to which it replies. The - lack of encryption in the KRB_ERROR message precludes the ability to - detect replays or fabrications of such messages. - - In the normal case the authentication server does not know whether - the client is actually the principal named in the request. It simply - sends a reply without knowing or caring whether they are the same. - This is acceptable because nobody but the principal whose identity - was given in the request will be able to use the reply. Its critical - information is encrypted in that principal's key. The initial - request supports an optional field that can be used to pass - additional information that might be needed for the initial exchange. - This field may be used for preauthentication if desired, but the - mechanism is not currently specified. - -3.1.1. Generation of KRB_AS_REQ message - - The client may specify a number of options in the initial request. 
- Among these options are whether preauthentication is to be performed; - whether the requested ticket is to be renewable, proxiable, or - forwardable; whether it should be postdated or allow postdating of - derivative tickets; and whether a renewable ticket will be accepted - in lieu of a non-renewable ticket if the requested ticket expiration - date cannot be satisfied by a nonrenewable ticket (due to - configuration constraints; see section 4). See section A.1 for - pseudocode. - - The client prepares the KRB_AS_REQ message and sends it to the KDC. - -3.1.2. Receipt of KRB_AS_REQ message - - If all goes well, processing the KRB_AS_REQ message will result in - the creation of a ticket for the client to present to the server. - The format for the ticket is described in section 5.3.1. The - contents of the ticket are determined as follows. - -3.1.3. Generation of KRB_AS_REP message - - The authentication server looks up the client and server principals - named in the KRB_AS_REQ in its database, extracting their respective - keys. If required, the server pre-authenticates the request, and if - the pre-authentication check fails, an error message with the code - KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate - the requested encryption type, an error message with code - - - -Kohl & Neuman [Page 17] - -RFC 1510 Kerberos September 1993 - - - KDC_ERR_ETYPE_NOSUPP is returned. Otherwise it generates a "random" - session key ("Random" means that, among other things, it should be - impossible to guess the next session key based on knowledge of past - session keys. This can only be achieved in a pseudo-random number - generator if it is based on cryptographic principles. It would be - more desirable to use a truly random number generator, such as one - based on measurements of random physical phenomena.). 
-
- If the requested start time is absent or indicates a time in the
- past, then the start time of the ticket is set to the authentication
- server's current time. If it indicates a time in the future, but the
- POSTDATED option has not been specified, then the error
- KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the requested start
- time is checked against the policy of the local realm (the
- administrator might decide to prohibit certain types or ranges of
- postdated tickets), and if acceptable, the ticket's start time is set
- as requested and the INVALID flag is set in the new ticket. The
- postdated ticket must be validated before use by presenting it to the
- KDC after the start time has been reached.
-
- The expiration time of the ticket will be set to the minimum of the
- following:
-
- +The expiration time (endtime) requested in the KRB_AS_REQ
- message.
-
- +The ticket's start time plus the maximum allowable lifetime
- associated with the client principal (the authentication
- server's database includes a maximum ticket lifetime field
- in each principal's record; see section 4).
-
- +The ticket's start time plus the maximum allowable lifetime
- associated with the server principal.
-
- +The ticket's start time plus the maximum lifetime set by
- the policy of the local realm.
-
- If the requested expiration time minus the start time (as determined
- above) is less than a site-determined minimum lifetime, an error
- message with code KDC_ERR_NEVER_VALID is returned. If the requested
- expiration time for the ticket exceeds what was determined as above,
- and if the "RENEWABLE-OK" option was requested, then the "RENEWABLE"
- flag is set in the new ticket, and the renew-till value is set as if
- the "RENEWABLE" option were requested (the field and option names are
- described fully in section 5.4.1).
If the RENEWABLE option has been
- requested or if the RENEWABLE-OK option has been set and a renewable
- ticket is to be issued, then the renew-till field is set to the
- minimum of:
-
-
-
-Kohl & Neuman [Page 18]
-
-RFC 1510 Kerberos September 1993
-
-
- +Its requested value.
-
- +The start time of the ticket plus the minimum of the two
- maximum renewable lifetimes associated with the principals'
- database entries.
-
- +The start time of the ticket plus the maximum renewable
- lifetime set by the policy of the local realm.
-
- The flags field of the new ticket will have the following options set
- if they have been requested and if the policy of the local realm
- allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
- If the new ticket is postdated (the start time is in the future), its
- INVALID flag will also be set.
-
- If all of the above succeed, the server formats a KRB_AS_REP message
- (see section 5.4.2), copying the addresses in the request into the
- caddr of the response, placing any required pre-authentication data
- into the padata of the response, and encrypts the ciphertext part in
- the client's key using the requested encryption method, and sends it
- to the client. See section A.2 for pseudocode.
-
-3.1.4. Generation of KRB_ERROR message
-
- Several errors can occur, and the Authentication Server responds by
- returning an error message, KRB_ERROR, to the client, with the
- error-code and e-text fields set to appropriate values. The error
- message contents and details are described in Section 5.9.1.
-
-3.1.5. Receipt of KRB_AS_REP message
-
- If the reply message type is KRB_AS_REP, then the client verifies
- that the cname and crealm fields in the cleartext portion of the
- reply match what it requested. If any padata fields are present,
- they may be used to derive the proper secret key to decrypt the
- message.
The client decrypts the encrypted part of the response
- using its secret key, verifies that the nonce in the encrypted part
- matches the nonce it supplied in its request (to detect replays). It
- also verifies that the sname and srealm in the response match those
- in the request, and that the host address field is also correct. It
- then stores the ticket, session key, start and expiration times, and
- other information for later use. The key-expiration field from the
- encrypted part of the response may be checked to notify the user of
- impending key expiration (the client program could then suggest
- remedial action, such as a password change). See section A.3 for
- pseudocode.
-
- Proper decryption of the KRB_AS_REP message is not sufficient to
-
-
-
-Kohl & Neuman [Page 19]
-
-RFC 1510 Kerberos September 1993
-
-
- verify the identity of the user; the user and an attacker could
- cooperate to generate a KRB_AS_REP format message which decrypts
- properly but is not from the proper KDC. If the host wishes to
- verify the identity of the user, it must require the user to present
- application credentials which can be verified using a securely-stored
- secret key. If those credentials can be verified, then the identity
- of the user can be assured.
-
-3.1.6. Receipt of KRB_ERROR message
-
- If the reply message type is KRB_ERROR, then the client interprets it
- as an error and performs whatever application-specific tasks are
- necessary to recover.
-
-3.2. The Client/Server Authentication Exchange
-
- Summary
-
- Message direction Message type Section
- Client to Application server KRB_AP_REQ 5.5.1
- [optional] Application server to client KRB_AP_REP or 5.5.2
- KRB_ERROR 5.9.1
-
- The client/server authentication (CS) exchange is used by network
- applications to authenticate the client to the server and vice versa.
- The client must have already acquired credentials for the server
- using the AS or TGS exchange.
-
-3.2.1.
The KRB_AP_REQ message
-
- The KRB_AP_REQ contains authentication information which should be
- part of the first message in an authenticated transaction. It
- contains a ticket, an authenticator, and some additional bookkeeping
- information (see section 5.5.1 for the exact format). The ticket by
- itself is insufficient to authenticate a client, since tickets are
- passed across the network in cleartext(Tickets contain both an
- encrypted and unencrypted portion, so cleartext here refers to the
- entire unit, which can be copied from one message and replayed in
- another without any cryptographic skill.), so the authenticator is
- used to prevent invalid replay of tickets by proving to the server
- that the client knows the session key of the ticket and thus is
- entitled to use it. The KRB_AP_REQ message is referred to elsewhere
- as the "authentication header."
-
-3.2.2. Generation of a KRB_AP_REQ message
-
- When a client wishes to initiate authentication to a server, it
- obtains (either through a credentials cache, the AS exchange, or the
-
-
-
-Kohl & Neuman [Page 20]
-
-RFC 1510 Kerberos September 1993
-
-
- TGS exchange) a ticket and session key for the desired service. The
- client may re-use any tickets it holds until they expire. The client
- then constructs a new Authenticator from the the system time, its
- name, and optionally an application specific checksum, an initial
- sequence number to be used in KRB_SAFE or KRB_PRIV messages, and/or a
- session subkey to be used in negotiations for a session key unique to
- this particular session. Authenticators may not be re-used and will
- be rejected if replayed to a server (Note that this can make
- applications based on unreliable transports difficult to code
- correctly, if the transport might deliver duplicated messages. In
- such cases, a new authenticator must be generated for each retry.).
- If a sequence number is to be included, it should be randomly chosen
- so that even after many messages have been exchanged it is not likely
- to collide with other sequence numbers in use.
-
- The client may indicate a requirement of mutual authentication or the
- use of a session-key based ticket by setting the appropriate flag(s)
- in the ap-options field of the message.
-
- The Authenticator is encrypted in the session key and combined with
- the ticket to form the KRB_AP_REQ message which is then sent to the
- end server along with any additional application-specific
- information. See section A.9 for pseudocode.
-
-3.2.3. Receipt of KRB_AP_REQ message
-
- Authentication is based on the server's current time of day (clocks
- must be loosely synchronized), the authenticator, and the ticket.
- Several errors are possible. If an error occurs, the server is
- expected to reply to the client with a KRB_ERROR message. This
- message may be encapsulated in the application protocol if its "raw"
- form is not acceptable to the protocol. The format of error messages
- is described in section 5.9.1.
-
- The algorithm for verifying authentication information is as follows.
- If the message type is not KRB_AP_REQ, the server returns the
- KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket
- in the KRB_AP_REQ is not one the server can use (e.g., it indicates
- an old key, and the server no longer possesses a copy of the old
- key), the KRB_AP_ERR_BADKEYVER error is returned. If the USE-
- SESSION-KEY flag is set in the ap-options field, it indicates to the
- server that the ticket is encrypted in the session key from the
- server's ticket-granting ticket rather than its secret key (This is
- used for user-to-user authentication as described in [6]).
Since it
- is possible for the server to be registered in multiple realms, with
- different keys in each, the srealm field in the unencrypted portion
- of the ticket in the KRB_AP_REQ is used to specify which secret key
- the server should use to decrypt that ticket. The KRB_AP_ERR_NOKEY
-
-
-
-Kohl & Neuman [Page 21]
-
-RFC 1510 Kerberos September 1993
-
-
- error code is returned if the server doesn't have the proper key to
- decipher the ticket.
-
- The ticket is decrypted using the version of the server's key
- specified by the ticket. If the decryption routines detect a
- modification of the ticket (each encryption system must provide
- safeguards to detect modified ciphertext; see section 6), the
- KRB_AP_ERR_BAD_INTEGRITY error is returned (chances are good that
- different keys were used to encrypt and decrypt).
-
- The authenticator is decrypted using the session key extracted from
- the decrypted ticket. If decryption shows it to have been modified,
- the KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm
- of the client from the ticket are compared against the same fields in
- the authenticator. If they don't match, the KRB_AP_ERR_BADMATCH
- error is returned (they might not match, for example, if the wrong
- session key was used to encrypt the authenticator). The addresses in
- the ticket (if any) are then searched for an address matching the
- operating-system reported address of the client. If no match is
- found or the server insists on ticket addresses but none are present
- in the ticket, the KRB_AP_ERR_BADADDR error is returned.
-
- If the local (server) time and the client time in the authenticator
- differ by more than the allowable clock skew (e.g., 5 minutes), the
- KRB_AP_ERR_SKEW error is returned.
If the server name, along with
- the client name, time and microsecond fields from the Authenticator
- match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
- returned (Note that the rejection here is restricted to
- authenticators from the same principal to the same server. Other
- client principals communicating with the same server principal should
- not be have their authenticators rejected if the time and microsecond
- fields happen to match some other client's authenticator.). The
- server must remember any authenticator presented within the allowable
- clock skew, so that a replay attempt is guaranteed to fail. If a
- server loses track of any authenticator presented within the
- allowable clock skew, it must reject all requests until the clock
- skew interval has passed. This assures that any lost or re-played
- authenticators will fall outside the allowable clock skew and can no
- longer be successfully replayed (If this is not done, an attacker
- could conceivably record the ticket and authenticator sent over the
- network to a server, then disable the client's host, pose as the
- disabled host, and replay the ticket and authenticator to subvert the
- authentication.). If a sequence number is provided in the
- authenticator, the server saves it for later use in processing
- KRB_SAFE and/or KRB_PRIV messages. If a subkey is present, the
- server either saves it for later use or uses it to help generate its
- own choice for a subkey to be returned in a KRB_AP_REP message.
-
-
-
-
-Kohl & Neuman [Page 22]
-
-RFC 1510 Kerberos September 1993
-
-
- The server computes the age of the ticket: local (server) time minus
- the start time inside the Ticket. If the start time is later than
- the current time by more than the allowable clock skew or if the
- INVALID flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is
- returned.
Otherwise, if the current time is later than end time by
- more than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED error
- is returned.
-
- If all these checks succeed without an error, the server is assured
- that the client possesses the credentials of the principal named in
- the ticket and thus, the client has been authenticated to the server.
- See section A.10 for pseudocode.
-
-3.2.4. Generation of a KRB_AP_REP message
-
- Typically, a client's request will include both the authentication
- information and its initial request in the same message, and the
- server need not explicitly reply to the KRB_AP_REQ. However, if
- mutual authentication (not only authenticating the client to the
- server, but also the server to the client) is being performed, the
- KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options
- field, and a KRB_AP_REP message is required in response. As with the
- error message, this message may be encapsulated in the application
- protocol if its "raw" form is not acceptable to the application's
- protocol. The timestamp and microsecond field used in the reply must
- be the client's timestamp and microsecond field (as provided in the
- authenticator). [Note: In the Kerberos version 4 protocol, the
- timestamp in the reply was the client's timestamp plus one. This is
- not necessary in version 5 because version 5 messages are formatted
- in such a way that it is not possible to create the reply by
- judicious message surgery (even in encrypted form) without knowledge
- of the appropriate encryption keys.] If a sequence number is to be
- included, it should be randomly chosen as described above for the
- authenticator. A subkey may be included if the server desires to
- negotiate a different subkey. The KRB_AP_REP message is encrypted in
- the session key extracted from the ticket. See section A.11 for
- pseudocode.
-
-3.2.5.
Receipt of KRB_AP_REP message
-
- If a KRB_AP_REP message is returned, the client uses the session key
- from the credentials obtained for the server (Note that for
- encrypting the KRB_AP_REP message, the sub-session key is not used,
- even if present in the Authenticator.) to decrypt the message, and
- verifies that the timestamp and microsecond fields match those in the
- Authenticator it sent to the server. If they match, then the client
- is assured that the server is genuine. The sequence number and subkey
- (if present) are retained for later use. See section A.12 for
-
-
-
-Kohl & Neuman [Page 23]
-
-RFC 1510 Kerberos September 1993
-
-
- pseudocode.
-
-3.2.6. Using the encryption key
-
- After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
- server share an encryption key which can be used by the application.
- The "true session key" to be used for KRB_PRIV, KRB_SAFE, or other
- application-specific uses may be chosen by the application based on
- the subkeys in the KRB_AP_REP message and the authenticator
- (Implementations of the protocol may wish to provide routines to
- choose subkeys based on session keys and random numbers and to
- orchestrate a negotiated key to be returned in the KRB_AP_REP
- message.). In some cases, the use of this session key will be
- implicit in the protocol; in others the method of use must be chosen
- from a several alternatives. We leave the protocol negotiations of
- how to use the key (e.g., selecting an encryption or checksum type)
- to the application programmer; the Kerberos protocol does not
- constrain the implementation options.
-
- With both the one-way and mutual authentication exchanges, the peers
- should take care not to send sensitive information to each other
- without proper assurances. In particular, applications that require
- privacy or integrity should use the KRB_AP_REP or KRB_ERROR responses
- from the server to client to assure both client and server of their
- peer's identity.
If an application protocol requires privacy of its
- messages, it can use the KRB_PRIV message (section 3.5). The KRB_SAFE
- message (section 3.4) can be used to assure integrity.
-
-3.3. The Ticket-Granting Service (TGS) Exchange
-
- Summary
-
- Message direction Message type Section
- 1. Client to Kerberos KRB_TGS_REQ 5.4.1
- 2. Kerberos to client KRB_TGS_REP or 5.4.2
- KRB_ERROR 5.9.1
-
- The TGS exchange between a client and the Kerberos Ticket-Granting
- Server is initiated by a client when it wishes to obtain
- authentication credentials for a given server (which might be
- registered in a remote realm), when it wishes to renew or validate an
- existing ticket, or when it wishes to obtain a proxy ticket. In the
- first case, the client must already have acquired a ticket for the
- Ticket-Granting Service using the AS exchange (the ticket-granting
- ticket is usually obtained when a client initially authenticates to
- the system, such as when a user logs in). The message format for the
- TGS exchange is almost identical to that for the AS exchange. The
- primary difference is that encryption and decryption in the TGS
-
-
-
-Kohl & Neuman [Page 24]
-
-RFC 1510 Kerberos September 1993
-
-
- exchange does not take place under the client's key. Instead, the
- session key from the ticket-granting ticket or renewable ticket, or
- sub-session key from an Authenticator is used. As is the case for
- all application servers, expired tickets are not accepted by the TGS,
- so once a renewable or ticket-granting ticket expires, the client
- must use a separate exchange to obtain valid tickets.
-
- The TGS exchange consists of two messages: A request (KRB_TGS_REQ)
- from the client to the Kerberos Ticket-Granting Server, and a reply
- (KRB_TGS_REP or KRB_ERROR). The KRB_TGS_REQ message includes
- information authenticating the client plus a request for credentials.
- The authentication information consists of the authentication header
- (KRB_AP_REQ) which includes the client's previously obtained ticket-
- granting, renewable, or invalid ticket. In the ticket-granting
- ticket and proxy cases, the request may include one or more of: a
- list of network addresses, a collection of typed authorization data
- to be sealed in the ticket for authorization use by the application
- server, or additional tickets (the use of which are described later).
- The TGS reply (KRB_TGS_REP) contains the requested credentials,
- encrypted in the session key from the ticket-granting ticket or
- renewable ticket, or if present, in the subsession key from the
- Authenticator (part of the authentication header). The KRB_ERROR
- message contains an error code and text explaining what went wrong.
- The KRB_ERROR message is not encrypted. The KRB_TGS_REP message
- contains information which can be used to detect replays, and to
- associate it with the message to which it replies. The KRB_ERROR
- message also contains information which can be used to associate it
- with the message to which it replies, but the lack of encryption in
- the KRB_ERROR message precludes the ability to detect replays or
- fabrications of such messages.
-
-3.3.1. Generation of KRB_TGS_REQ message
-
- Before sending a request to the ticket-granting service, the client
- must determine in which realm the application server is registered
- [Note: This can be accomplished in several ways. It might be known
- beforehand (since the realm is part of the principal identifier), or
- it might be stored in a nameserver. Presently, however, this
- information is obtained from a configuration file. If the realm to
- be used is obtained from a nameserver, there is a danger of being
- spoofed if the nameservice providing the realm name is not
- authenticated.
This might result in the use of a realm which has
- been compromised, and would result in an attacker's ability to
- compromise the authentication of the application server to the
- client.]. If the client does not already possess a ticket-granting
- ticket for the appropriate realm, then one must be obtained. This is
- first attempted by requesting a ticket-granting ticket for the
- destination realm from the local Kerberos server (using the
-
-
-
-Kohl & Neuman [Page 25]
-
-RFC 1510 Kerberos September 1993
-
-
- KRB_TGS_REQ message recursively). The Kerberos server may return a
- TGT for the desired realm in which case one can proceed.
- Alternatively, the Kerberos server may return a TGT for a realm which
- is "closer" to the desired realm (further along the standard
- hierarchical path), in which case this step must be repeated with a
- Kerberos server in the realm specified in the returned TGT. If
- neither are returned, then the request must be retried with a
- Kerberos server for a realm higher in the hierarchy. This request
- will itself require a ticket-granting ticket for the higher realm
- which must be obtained by recursively applying these directions.
-
- Once the client obtains a ticket-granting ticket for the appropriate
- realm, it determines which Kerberos servers serve that realm, and
- contacts one. The list might be obtained through a configuration file
- or network service; as long as the secret keys exchanged by realms
- are kept secret, only denial of service results from a false Kerberos
- server.
-
- As in the AS exchange, the client may specify a number of options in
- the KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ
- message, providing an authentication header as an element of the
- padata field, and including the same fields as used in the KRB_AS_REQ
- message along with several optional fields: the enc-authorization-
- data field for application server use and additional tickets required
- by some options.
-
- In preparing the authentication header, the client can select a sub-
- session key under which the response from the Kerberos server will be
- encrypted (If the client selects a sub-session key, care must be
- taken to ensure the randomness of the selected subsession key. One
- approach would be to generate a random number and XOR it with the
- session key from the ticket-granting ticket.). If the sub-session key
- is not specified, the session key from the ticket-granting ticket
- will be used. If the enc-authorization-data is present, it must be
- encrypted in the sub-session key, if present, from the authenticator
- portion of the authentication header, or if not present in the
- session key from the ticket-granting ticket.
-
- Once prepared, the message is sent to a Kerberos server for the
- destination realm. See section A.5 for pseudocode.
-
-3.3.2. Receipt of KRB_TGS_REQ message
-
- The KRB_TGS_REQ message is processed in a manner similar to the
- KRB_AS_REQ message, but there are many additional checks to be
- performed. First, the Kerberos server must determine which server
- the accompanying ticket is for and it must select the appropriate key
- to decrypt it. For a normal KRB_TGS_REQ message, it will be for the
-
-
-
-Kohl & Neuman [Page 26]
-
-RFC 1510 Kerberos September 1993
-
-
- ticket granting service, and the TGS's key will be used. If the TGT
- was issued by another realm, then the appropriate inter-realm key
- must be used. If the accompanying ticket is not a ticket granting
- ticket for the current realm, but is for an application server in the
- current realm, the RENEW, VALIDATE, or PROXY options are specified in
- the request, and the server for which a ticket is requested is the
- server named in the accompanying ticket, then the KDC will decrypt
- the ticket in the authentication header using the key of the server
- for which it was issued.
If no ticket can be found in the padata
- field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
-
- Once the accompanying ticket has been decrypted, the user-supplied
- checksum in the Authenticator must be verified against the contents
- of the request, and the message rejected if the checksums do not
- match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
- is not keyed or not collision-proof (with an error code of
- KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported, the
- KDC_ERR_SUMTYPE_NOSUPP error is returned. If the authorization-data
- are present, they are decrypted using the sub-session key from the
- Authenticator.
-
- If any of the decryptions indicate failed integrity checks, the
- KRB_AP_ERR_BAD_INTEGRITY error is returned.
-
-3.3.3. Generation of KRB_TGS_REP message
-
- The KRB_TGS_REP message shares its format with the KRB_AS_REP
- (KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The
- detailed specification is in section 5.4.2.
-
- The response will include a ticket for the requested server. The
- Kerberos database is queried to retrieve the record for the requested
- server (including the key with which the ticket will be encrypted).
- If the request is for a ticket granting ticket for a remote realm,
- and if no key is shared with the requested realm, then the Kerberos
- server will select the realm "closest" to the requested realm with
- which it does share a key, and use that realm instead. This is the
- only case where the response from the KDC will be for a different
- server than that requested by the client.
-
- By default, the address field, the client's name and realm, the list
- of transited realms, the time of initial authentication, the
- expiration time, and the authorization data of the newly-issued
- ticket will be copied from the ticket-granting ticket (TGT) or
- renewable ticket.
If the transited field needs to be updated, but
- the transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error
- is returned.
-
-
-
-
-Kohl & Neuman [Page 27]
-
-RFC 1510 Kerberos September 1993
-
-
- If the request specifies an endtime, then the endtime of the new
- ticket is set to the minimum of (a) that request, (b) the endtime
- from the TGT, and (c) the starttime of the TGT plus the minimum of
- the maximum life for the application server and the maximum life for
- the local realm (the maximum life for the requesting principal was
- already applied when the TGT was issued). If the new ticket is to be
- a renewal, then the endtime above is replaced by the minimum of (a)
- the value of the renew_till field of the ticket and (b) the starttime
- for the new ticket plus the life (endtimestarttime) of the old
- ticket.
-
- If the FORWARDED option has been requested, then the resulting ticket
- will contain the addresses specified by the client. This option will
- only be honored if the FORWARDABLE flag is set in the TGT. The PROXY
- option is similar; the resulting ticket will contain the addresses
- specified by the client. It will be honored only if the PROXIABLE
- flag in the TGT is set. The PROXY option will not be honored on
- requests for additional ticket-granting tickets.
-
- If the requested start time is absent or indicates a time in the
- past, then the start time of the ticket is set to the authentication
- server's current time. If it indicates a time in the future, but the
- POSTDATED option has not been specified or the MAY-POSTDATE flag is
- not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
- returned. Otherwise, if the ticket-granting ticket has the
- MAYPOSTDATE flag set, then the resulting ticket will be postdated and
- the requested starttime is checked against the policy of the local
- realm. If acceptable, the ticket's start time is set as requested,
- and the INVALID flag is set.
The postdated ticket must be validated
- before use by presenting it to the KDC after the starttime has been
- reached. However, in no case may the starttime, endtime, or renew-
- till time of a newly-issued postdated ticket extend beyond the
- renew-till time of the ticket-granting ticket.
-
- If the ENC-TKT-IN-SKEY option has been specified and an additional
- ticket has been included in the request, the KDC will decrypt the
- additional ticket using the key for the server to which the
- additional ticket was issued and verify that it is a ticket-granting
- ticket. If the name of the requested server is missing from the
- request, the name of the client in the additional ticket will be
- used. Otherwise the name of the requested server will be compared to
- the name of the client in the additional ticket and if different, the
- request will be rejected. If the request succeeds, the session key
- from the additional ticket will be used to encrypt the new ticket
- that is issued instead of using the key of the server for which the
- new ticket will be used (This allows easy implementation of user-to-
- user authentication [6], which uses ticket-granting ticket session
- keys in lieu of secret server keys in situations where such secret
-
-
-
-Kohl & Neuman [Page 28]
-
-RFC 1510 Kerberos September 1993
-
-
- keys could be easily compromised.).
-
- If the name of the server in the ticket that is presented to the KDC
- as part of the authentication header is not that of the ticket-
- granting server itself, and the server is registered in the realm of
- the KDC, If the RENEW option is requested, then the KDC will verify
- that the RENEWABLE flag is set in the ticket and that the renew_till
- time is still in the future. If the VALIDATE option is rqeuested,
- the KDC will check that the starttime has passed and the INVALID flag
- is set. If the PROXY option is requested, then the KDC will check
- that the PROXIABLE flag is set in the ticket.
If the tests succeed,
- the KDC will issue the appropriate new ticket.
-
- Whenever a request is made to the ticket-granting server, the
- presented ticket(s) is(are) checked against a hot-list of tickets
- which have been canceled. This hot-list might be implemented by
- storing a range of issue dates for "suspect tickets"; if a presented
- ticket had an authtime in that range, it would be rejected. In this
- way, a stolen ticket-granting ticket or renewable ticket cannot be
- used to gain additional tickets (renewals or otherwise) once the
- theft has been reported. Any normal ticket obtained before it was
- reported stolen will still be valid (because they require no
- interaction with the KDC), but only until their normal expiration
- time.
-
- The ciphertext part of the response in the KRB_TGS_REP message is
- encrypted in the sub-session key from the Authenticator, if present,
- or the session key key from the ticket-granting ticket. It is not
- encrypted using the client's secret key. Furthermore, the client's
- key's expiration date and the key version number fields are left out
- since these values are stored along with the client's database
- record, and that record is not needed to satisfy a request based on a
- ticket-granting ticket. See section A.6 for pseudocode.
-
-3.3.3.1. Encoding the transited field
-
- If the identity of the server in the TGT that is presented to the KDC
- as part of the authentication header is that of the ticket-granting
- service, but the TGT was issued from another realm, the KDC will look
- up the inter-realm key shared with that realm and use that key to
- decrypt the ticket. If the ticket is valid, then the KDC will honor
- the request, subject to the constraints outlined above in the section
- describing the AS exchange. The realm part of the client's identity
- will be taken from the ticket-granting ticket.
The name of the realm - that issued the ticket-granting ticket will be added to the transited - field of the ticket to be issued. This is accomplished by reading - the transited field from the ticket-granting ticket (which is treated - as an unordered set of realm names), adding the new realm to the set, - - - -Kohl & Neuman [Page 29] - -RFC 1510 Kerberos September 1993 - - - then constructing and writing out its encoded (shorthand) form (this - may involve a rearrangement of the existing encoding). - - Note that the ticket-granting service does not add the name of its - own realm. Instead, its responsibility is to add the name of the - previous realm. This prevents a malicious Kerberos server from - intentionally leaving out its own name (it could, however, omit other - realms' names). - - The names of neither the local realm nor the principal's realm are to - be included in the transited field. They appear elsewhere in the - ticket and both are known to have taken part in authenticating the - principal. Since the endpoints are not included, both local and - single-hop inter-realm authentication result in a transited field - that is empty. - - Because the name of each realm transited is added to this field, - it might potentially be very long. To decrease the length of this - field, its contents are encoded. The initially supported encoding is - optimized for the normal case of inter-realm communication: a - hierarchical arrangement of realms using either domain or X.500 style - realm names. This encoding (called DOMAIN-X500-COMPRESS) is now - described. - - Realm names in the transited field are separated by a ",". The ",", - "\", trailing "."s, and leading spaces (" ") are special characters, - and if they are part of a realm name, they must be quoted in the - transited field by preceding them with a "\". - - A realm name ending with a "." is interpreted as being prepended to - the previous realm. 
For example, we can encode traversal of EDU, - MIT.EDU, ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as: - - "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.". - - Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were endpoints, - that they would not be included in this field, and we would have: - - "EDU,MIT.,WASHINGTON.EDU" - - A realm name beginning with a "/" is interpreted as being appended to - the previous realm (For the purpose of appending, the realm preceding - the first listed realm is considered to be the null realm ("")). If - it is to stand by itself, then it should be preceded by a space (" - "). For example, we can encode traversal of /COM/HP/APOLLO, /COM/HP, - /COM, and /COM/DEC as: - - "/COM,/HP,/APOLLO, /COM/DEC". - - - -Kohl & Neuman [Page 30] - -RFC 1510 Kerberos September 1993 - - - Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, - they they would not be included in this field, and we would have: - - "/COM,/HP" - - A null subfield preceding or following a "," indicates that all - realms between the previous realm and the next realm have been - traversed (For the purpose of interpreting null subfields, the - client's realm is considered to precede those in the transited field, - and the server's realm is considered to follow them.). Thus, "," - means that all realms along the path between the client and the - server have been traversed. ",EDU, /COM," means that that all realms - from the client's realm up to EDU (in a domain style hierarchy) have - been traversed, and that everything from /COM down to the server's - realm in an X.500 style has also been traversed. This could occur if - the EDU realm in one hierarchy shares an inter-realm key directly - with the /COM realm in another hierarchy. - -3.3.4. Receipt of KRB_TGS_REP message - - When the KRB_TGS_REP is received by the client, it is processed in - the same manner as the KRB_AS_REP processing described above. 
The - primary difference is that the ciphertext part of the response must - be decrypted using the session key from the ticket-granting ticket - rather than the client's secret key. See section A.7 for pseudocode. - -3.4. The KRB_SAFE Exchange - - The KRB_SAFE message may be used by clients requiring the ability to - detect modifications of messages they exchange. It achieves this by - including a keyed collisionproof checksum of the user data and some - control information. The checksum is keyed with an encryption key - (usually the last key negotiated via subkeys, or the session key if - no negotiation has occured). - -3.4.1. Generation of a KRB_SAFE message - - When an application wishes to send a KRB_SAFE message, it collects - its data and the appropriate control information and computes a - checksum over them. The checksum algorithm should be some sort of - keyed one-way hash function (such as the RSA-MD5-DES checksum - algorithm specified in section 6.4.5, or the DES MAC), generated - using the sub-session key if present, or the session key. Different - algorithms may be selected by changing the checksum type in the - message. Unkeyed or non-collision-proof checksums are not suitable - for this use. - - The control information for the KRB_SAFE message includes both a - - - -Kohl & Neuman [Page 31] - -RFC 1510 Kerberos September 1993 - - - timestamp and a sequence number. The designer of an application - using the KRB_SAFE message must choose at least one of the two - mechanisms. This choice should be based on the needs of the - application protocol. - - Sequence numbers are useful when all messages sent will be received - by one's peer. Connection state is presently required to maintain - the session key, so maintaining the next sequence number should not - present an additional problem. - - If the application protocol is expected to tolerate lost messages - without them being resent, the use of the timestamp is the - appropriate replay detection mechanism. 
Using timestamps is also the - appropriate mechanism for multi-cast protocols where all of one's - peers share a common sub-session key, but some messages will be sent - to a subset of one's peers. - - After computing the checksum, the client then transmits the - information and checksum to the recipient in the message format - specified in section 5.6.1. - -3.4.2. Receipt of KRB_SAFE message - - When an application receives a KRB_SAFE message, it verifies it as - follows. If any error occurs, an error code is reported for use by - the application. - - The message is first checked by verifying that the protocol version - and type fields match the current version and KRB_SAFE, respectively. - A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE - error. The application verifies that the checksum used is a - collisionproof keyed checksum, and if it is not, a - KRB_AP_ERR_INAPP_CKSUM error is generated. The recipient verifies - that the operating system's report of the sender's address matches - the sender's address in the message, and (if a recipient address is - specified or the recipient requires an address) that one of the - recipient's addresses appears as the recipient's address in the - message. A failed match for either case generates a - KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the - sequence number fields are checked. If timestamp and usec are - expected and not present, or they are present but not current, the - KRB_AP_ERR_SKEW error is generated. If the server name, along with - the client name, time and microsecond fields from the Authenticator - match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is - generated. If an incorrect sequence number is included, or a - sequence number is expected but not present, the KRB_AP_ERR_BADORDER - error is generated. If neither a timestamp and usec or a sequence - number is present, a KRB_AP_ERR_MODIFIED error is generated. 
- - - -Kohl & Neuman [Page 32] - -RFC 1510 Kerberos September 1993 - - - Finally, the checksum is computed over the data and control - information, and if it doesn't match the received checksum, a - KRB_AP_ERR_MODIFIED error is generated. - - If all the checks succeed, the application is assured that the - message was generated by its peer and was not modified in transit. - -3.5. The KRB_PRIV Exchange - - The KRB_PRIV message may be used by clients requiring confidentiality - and the ability to detect modifications of exchanged messages. It - achieves this by encrypting the messages and adding control - information. - -3.5.1. Generation of a KRB_PRIV message - - When an application wishes to send a KRB_PRIV message, it collects - its data and the appropriate control information (specified in - section 5.7.1) and encrypts them under an encryption key (usually the - last key negotiated via subkeys, or the session key if no negotiation - has occured). As part of the control information, the client must - choose to use either a timestamp or a sequence number (or both); see - the discussion in section 3.4.1 for guidelines on which to use. - After the user data and control information are encrypted, the client - transmits the ciphertext and some "envelope" information to the - recipient. - -3.5.2. Receipt of KRB_PRIV message - - When an application receives a KRB_PRIV message, it verifies it as - follows. If any error occurs, an error code is reported for use by - the application. - - The message is first checked by verifying that the protocol version - and type fields match the current version and KRB_PRIV, respectively. - A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE - error. The application then decrypts the ciphertext and processes - the resultant plaintext. If decryption shows the data to have been - modified, a KRB_AP_ERR_BAD_INTEGRITY error is generated. 
The - recipient verifies that the operating system's report of the sender's - address matches the sender's address in the message, and (if a - recipient address is specified or the recipient requires an address) - that one of the recipient's addresses appears as the recipient's - address in the message. A failed match for either case generates a - KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the - sequence number fields are checked. If timestamp and usec are - expected and not present, or they are present but not current, the - KRB_AP_ERR_SKEW error is generated. If the server name, along with - - - -Kohl & Neuman [Page 33] - -RFC 1510 Kerberos September 1993 - - - the client name, time and microsecond fields from the Authenticator - match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is - generated. If an incorrect sequence number is included, or a - sequence number is expected but not present, the KRB_AP_ERR_BADORDER - error is generated. If neither a timestamp and usec or a sequence - number is present, a KRB_AP_ERR_MODIFIED error is generated. - - If all the checks succeed, the application can assume the message was - generated by its peer, and was securely transmitted (without - intruders able to see the unencrypted contents). - -3.6. The KRB_CRED Exchange - - The KRB_CRED message may be used by clients requiring the ability to - send Kerberos credentials from one host to another. It achieves this - by sending the tickets together with encrypted data containing the - session keys and other information associated with the tickets. - -3.6.1. Generation of a KRB_CRED message - - When an application wishes to send a KRB_CRED message it first (using - the KRB_TGS exchange) obtains credentials to be sent to the remote - host. 
It then constructs a KRB_CRED message using the ticket or - tickets so obtained, placing the session key needed to use each - ticket in the key field of the corresponding KrbCredInfo sequence of - the encrypted part of the the KRB_CRED message. - - Other information associated with each ticket and obtained during the - KRB_TGS exchange is also placed in the corresponding KrbCredInfo - sequence in the encrypted part of the KRB_CRED message. The current - time and, if specifically required by the application the nonce, s- - address, and raddress fields, are placed in the encrypted part of the - KRB_CRED message which is then encrypted under an encryption key - previosuly exchanged in the KRB_AP exchange (usually the last key - negotiated via subkeys, or the session key if no negotiation has - occured). - -3.6.2. Receipt of KRB_CRED message - - When an application receives a KRB_CRED message, it verifies it. If - any error occurs, an error code is reported for use by the - application. The message is verified by checking that the protocol - version and type fields match the current version and KRB_CRED, - respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or - KRB_AP_ERR_MSG_TYPE error. The application then decrypts the - ciphertext and processes the resultant plaintext. If decryption shows - the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is - generated. - - - -Kohl & Neuman [Page 34] - -RFC 1510 Kerberos September 1993 - - - If present or required, the recipient verifies that the operating - system's report of the sender's address matches the sender's address - in the message, and that one of the recipient's addresses appears as - the recipient's address in the message. A failed match for either - case generates a KRB_AP_ERR_BADADDR error. The timestamp and usec - fields (and the nonce field if required) are checked next. 
If the - timestamp and usec are not present, or they are present but not - current, the KRB_AP_ERR_SKEW error is generated. - - If all the checks succeed, the application stores each of the new - tickets in its ticket cache together with the session key and other - information in the corresponding KrbCredInfo sequence from the - encrypted part of the KRB_CRED message. - -4. The Kerberos Database - - The Kerberos server must have access to a database containing the - principal identifiers and secret keys of principals to be - authenticated (The implementation of the Kerberos server need not - combine the database and the server on the same machine; it is - feasible to store the principal database in, say, a network name - service, as long as the entries stored therein are protected from - disclosure to and modification by unauthorized parties. However, we - recommend against such strategies, as they can make system management - and threat analysis quite complex.). - -4.1. Database contents - - A database entry should contain at least the following fields: - - Field Value - - name Principal's identifier - key Principal's secret key - p_kvno Principal's key version - max_life Maximum lifetime for Tickets - max_renewable_life Maximum total lifetime for renewable - Tickets - - The name field is an encoding of the principal's identifier. The key - field contains an encryption key. This key is the principal's secret - key. (The key can be encrypted before storage under a Kerberos - "master key" to protect it in case the database is compromised but - the master key is not. In that case, an extra field must be added to - indicate the master key version used, see below.) The p_kvno field is - the key version number of the principal's secret key. The max_life - field contains the maximum allowable lifetime (endtime - starttime) - for any Ticket issued for this principal. 
The max_renewable_life - - - -Kohl & Neuman [Page 35] - -RFC 1510 Kerberos September 1993 - - - field contains the maximum allowable total lifetime for any renewable - Ticket issued for this principal. (See section 3.1 for a description - of how these lifetimes are used in determining the lifetime of a - given Ticket.) - - A server may provide KDC service to several realms, as long as the - database representation provides a mechanism to distinguish between - principal records with identifiers which differ only in the realm - name. - - When an application server's key changes, if the change is routine - (i.e., not the result of disclosure of the old key), the old key - should be retained by the server until all tickets that had been - issued using that key have expired. Because of this, it is possible - for several keys to be active for a single principal. Ciphertext - encrypted in a principal's key is always tagged with the version of - the key that was used for encryption, to help the recipient find the - proper key for decryption. - - When more than one key is active for a particular principal, the - principal will have more than one record in the Kerberos database. - The keys and key version numbers will differ between the records (the - rest of the fields may or may not be the same). Whenever Kerberos - issues a ticket, or responds to a request for initial authentication, - the most recent key (known by the Kerberos server) will be used for - encryption. This is the key with the highest key version number. - -4.2. Additional fields - - Project Athena's KDC implementation uses additional fields in its - database: - - Field Value - - K_kvno Kerberos' key version - expiration Expiration date for entry - attributes Bit field of attributes - mod_date Timestamp of last modification - mod_name Modifying principal's identifier - - The K_kvno field indicates the key version of the Kerberos master key - under which the principal's secret key is encrypted. 
- - After an entry's expiration date has passed, the KDC will return an - error to any client attempting to gain tickets as or for the - principal. (A database may want to maintain two expiration dates: - one for the principal, and one for the principal's current key. This - allows password aging to work independently of the principal's - - - -Kohl & Neuman [Page 36] - -RFC 1510 Kerberos September 1993 - - - expiration date. However, due to the limited space in the responses, - the KDC must combine the key expiration and principal expiration date - into a single value called "key_exp", which is used as a hint to the - user to take administrative action.) - - The attributes field is a bitfield used to govern the operations - involving the principal. This field might be useful in conjunction - with user registration procedures, for site-specific policy - implementations (Project Athena currently uses it for their user - registration process controlled by the system-wide database service, - Moira [7]), or to identify the "string to key" conversion algorithm - used for a principal's key. (See the discussion of the padata field - in section 5.4.2 for details on why this can be useful.) Other bits - are used to indicate that certain ticket options should not be - allowed in tickets encrypted under a principal's key (one bit each): - Disallow issuing postdated tickets, disallow issuing forwardable - tickets, disallow issuing tickets based on TGT authentication, - disallow issuing renewable tickets, disallow issuing proxiable - tickets, and disallow issuing tickets for which the principal is the - server. - - The mod_date field contains the time of last modification of the - entry, and the mod_name field contains the name of the principal - which last modified the entry. - -4.3. Frequently Changing Fields - - Some KDC implementations may wish to maintain the last time that a - request was made by a particular principal. 
Information that might - be maintained includes the time of the last request, the time of the - last request for a ticket-granting ticket, the time of the last use - of a ticket-granting ticket, or other times. This information can - then be returned to the user in the last-req field (see section 5.2). - - Other frequently changing information that can be maintained is the - latest expiration time for any tickets that have been issued using - each key. This field would be used to indicate how long old keys - must remain valid to allow the continued use of outstanding tickets. - -4.4. Site Constants - - The KDC implementation should have the following configurable - constants or options, to allow an administrator to make and enforce - policy decisions: - - + The minimum supported lifetime (used to determine whether the - KDC_ERR_NEVER_VALID error should be returned). This constant - should reflect reasonable expectations of round-trip time to the - - - -Kohl & Neuman [Page 37] - -RFC 1510 Kerberos September 1993 - - - KDC, encryption/decryption time, and processing time by the client - and target server, and it should allow for a minimum "useful" - lifetime. - - + The maximum allowable total (renewable) lifetime of a ticket - (renew_till - starttime). - - + The maximum allowable lifetime of a ticket (endtime - starttime). - - + Whether to allow the issue of tickets with empty address fields - (including the ability to specify that such tickets may only be - issued if the request specifies some authorization_data). - - + Whether proxiable, forwardable, renewable or post-datable tickets - are to be issued. - -5. Message Specifications - - The following sections describe the exact contents and encoding of - protocol messages and objects. The ASN.1 base definitions are - presented in the first subsection. The remaining subsections specify - the protocol objects (tickets and authenticators) and messages. 
- Specification of encryption and checksum techniques, and the fields - related to them, appear in section 6. - -5.1. ASN.1 Distinguished Encoding Representation - - All uses of ASN.1 in Kerberos shall use the Distinguished Encoding - Representation of the data elements as described in the X.509 - specification, section 8.7 [8]. - -5.2. ASN.1 Base Definitions - - The following ASN.1 base definitions are used in the rest of this - section. Note that since the underscore character (_) is not - permitted in ASN.1 names, the hyphen (-) is used in its place for the - purposes of ASN.1 names. - - Realm ::= GeneralString - PrincipalName ::= SEQUENCE { - name-type[0] INTEGER, - name-string[1] SEQUENCE OF GeneralString - } - - Kerberos realms are encoded as GeneralStrings. Realms shall not - contain a character with the code 0 (the ASCII NUL). Most realms - will usually consist of several components separated by periods (.), - in the style of Internet Domain Names, or separated by slashes (/) in - - - -Kohl & Neuman [Page 38] - -RFC 1510 Kerberos September 1993 - - - the style of X.500 names. Acceptable forms for realm names are - specified in section 7. A PrincipalName is a typed sequence of - components consisting of the following sub-fields: - - name-type This field specifies the type of name that follows. - Pre-defined values for this field are - specified in section 7.2. The name-type should be - treated as a hint. Ignoring the name type, no two - names can be the same (i.e., at least one of the - components, or the realm, must be different). - This constraint may be eliminated in the future. - - name-string This field encodes a sequence of components that - form a name, each component encoded as a General - String. Taken together, a PrincipalName and a Realm - form a principal identifier. Most PrincipalNames - will have only a few components (typically one or two). 
- - KerberosTime ::= GeneralizedTime - -- Specifying UTC time zone (Z) - - The timestamps used in Kerberos are encoded as GeneralizedTimes. An - encoding shall specify the UTC time zone (Z) and shall not include - any fractional portions of the seconds. It further shall not include - any separators. Example: The only valid format for UTC time 6 - minutes, 27 seconds after 9 pm on 6 November 1985 is 19851106210627Z. - - HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING - } - - HostAddresses ::= SEQUENCE OF SEQUENCE { - addr-type[0] INTEGER, - address[1] OCTET STRING - } - - - The host adddress encodings consists of two fields: - - addr-type This field specifies the type of address that - follows. Pre-defined values for this field are - specified in section 8.1. - - - address This field encodes a single address of type addr-type. - - The two forms differ slightly. HostAddress contains exactly one - - - -Kohl & Neuman [Page 39] - -RFC 1510 Kerberos September 1993 - - - address; HostAddresses contains a sequence of possibly many - addresses. - - AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, - ad-data[1] OCTET STRING - } - - - ad-data This field contains authorization data to be - interpreted according to the value of the - corresponding ad-type field. - - ad-type This field specifies the format for the ad-data - subfield. All negative values are reserved for - local use. Non-negative values are reserved for - registered use. 
- - APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) - } - - - TicketFlags ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - may-postdate(5), - postdated(6), - invalid(7), - renewable(8), - initial(9), - pre-authent(10), - hw-authent(11) - } - - KDCOptions ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - - - -Kohl & Neuman [Page 40] - -RFC 1510 Kerberos September 1993 - - - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) - } - - - LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, - lr-value[1] KerberosTime - } - - lr-type This field indicates how the following lr-value - field is to be interpreted. Negative values indicate - that the information pertains only to the - responding server. Non-negative values pertain to - all servers for the realm. - - If the lr-type field is zero (0), then no information - is conveyed by the lr-value subfield. If the - absolute value of the lr-type field is one (1), - then the lr-value subfield is the time of last - initial request for a TGT. If it is two (2), then - the lr-value subfield is the time of last initial - request. If it is three (3), then the lr-value - subfield is the time of issue for the newest - ticket-granting ticket used. If it is four (4), - then the lr-value subfield is the time of the last - renewal. If it is five (5), then the lr-value - subfield is the time of last request (of any - type). - - lr-value This field contains the time of the last request. - The time must be interpreted according to the contents - of the accompanying lr-type subfield. - - See section 6 for the definitions of Checksum, ChecksumType, - EncryptedData, EncryptionKey, EncryptionType, and KeyType. 
- - - - - - - - -Kohl & Neuman [Page 41] - -RFC 1510 Kerberos September 1993 - - -5.3. Tickets and Authenticators - - This section describes the format and encryption parameters for - tickets and authenticators. When a ticket or authenticator is - included in a protocol message it is treated as an opaque object. - -5.3.1. Tickets - - A ticket is a record that helps a client authenticate to a service. - A Ticket contains the following information: - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] INTEGER, - realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData -} --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] INTEGER, -- must be registered - contents[1] OCTET STRING -} - - The encoding of EncTicketPart is encrypted in the key shared by - Kerberos and the end server (the server's secret key). See section 6 - for the format of the ciphertext. - - tkt-vno This field specifies the version number for the ticket - format. This document describes version number 5. - - realm This field specifies the realm that issued a ticket. It - also serves to identify the realm part of the server's - principal identifier. Since a Kerberos server can only - issue tickets for servers within its realm, the two will - - - -Kohl & Neuman [Page 42] - -RFC 1510 Kerberos September 1993 - - - always be identical. - - sname This field specifies the name part of the server's - identity. - - enc-part This field holds the encrypted encoding of the - EncTicketPart sequence. 
- - flags This field indicates which of various options were used or - requested when the ticket was issued. It is a bit-field, - where the selected options are indicated by the bit being - set (1), and the unselected options and reserved fields - being reset (0). Bit 0 is the most significant bit. The - encoding of the bits is specified in section 5.2. The - flags are described in more detail above in section 2. The - meanings of the flags are: - - Bit(s) Name Description - - 0 RESERVED Reserved for future expansion of this - field. - - 1 FORWARDABLE The FORWARDABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. When set, - this flag tells the ticket-granting - server that it is OK to issue a new - ticket- granting ticket with a - different network address based on - the presented ticket. - - 2 FORWARDED When set, this flag indicates that - the ticket has either been forwarded - or was issued based on authentication - involving a forwarded ticket-granting - ticket. - - 3 PROXIABLE The PROXIABLE flag is normally only - interpreted by the TGS, and can be - ignored by end servers. The PROXIABLE - flag has an interpretation identical - to that of the FORWARDABLE flag, - except that the PROXIABLE flag tells - the ticket-granting server that only - non- ticket-granting tickets may be - issued with different network - addresses. - - - - -Kohl & Neuman [Page 43] - -RFC 1510 Kerberos September 1993 - - - 4 PROXY When set, this flag indicates that a - ticket is a proxy. - - 5 MAY-POSTDATE The MAY-POSTDATE flag is normally - only interpreted by the TGS, and can - be ignored by end servers. This flag - tells the ticket-granting server that - a post- dated ticket may be issued - based on this ticket-granting ticket. - - 6 POSTDATED This flag indicates that this ticket - has been postdated. The end-service - can check the authtime field to see - when the original authentication - occurred. 
- - 7 INVALID This flag indicates that a ticket is - invalid, and it must be validated by - the KDC before use. Application - servers must reject tickets which - have this flag set. - - 8 RENEWABLE The RENEWABLE flag is normally only - interpreted by the TGS, and can - usually be ignored by end servers - (some particularly careful servers - may wish to disallow renewable - tickets). A renewable ticket can be - used to obtain a replacement ticket - that expires at a later date. - - 9 INITIAL This flag indicates that this ticket - was issued using the AS protocol, and - not issued based on a ticket-granting - ticket. - - 10 PRE-AUTHENT This flag indicates that during - initial authentication, the client - was authenticated by the KDC before a - ticket was issued. The strength of - the preauthentication method is not - indicated, but is acceptable to the - KDC. - - 11 HW-AUTHENT This flag indicates that the protocol - employed for initial authentication - required the use of hardware expected - to be possessed solely by the named - - - -Kohl & Neuman [Page 44] - -RFC 1510 Kerberos September 1993 - - - client. The hardware authentication - method is selected by the KDC and the - strength of the method is not - indicated. - - 12-31 RESERVED Reserved for future use. - - key This field exists in the ticket and the KDC response and is - used to pass the session key from Kerberos to the - application server and the client. The field's encoding is - described in section 6.2. - - crealm This field contains the name of the realm in which the - client is registered and in which initial authentication - took place. - - cname This field contains the name part of the client's principal - identifier. - - transited This field lists the names of the Kerberos realms that took - part in authenticating the user to whom this ticket was - issued. It does not specify the order in which the realms - were transited. 
See section 3.3.3.1 for details on how - this field encodes the traversed realms. - - authtime This field indicates the time of initial authentication for - the named principal. It is the time of issue for the - original ticket on which this ticket is based. It is - included in the ticket to provide additional information to - the end service, and to provide the necessary information - for implementation of a `hot list' service at the KDC. An - end service that is particularly paranoid could refuse to - accept tickets for which the initial authentication - occurred "too far" in the past. - - This field is also returned as part of the response from - the KDC. When returned as part of the response to initial - authentication (KRB_AS_REP), this is the current time on - the Kerberos server (It is NOT recommended that this time - value be used to adjust the workstation's clock since the - workstation cannot reliably determine that such a - KRB_AS_REP actually came from the proper KDC in a timely - manner.). - - starttime This field in the ticket specifies the time after which the - ticket is valid. Together with endtime, this field - specifies the life of the ticket. If it is absent from - the ticket, its value should be treated as that of the - - - -Kohl & Neuman [Page 45] - -RFC 1510 Kerberos September 1993 - - - authtime field. - - endtime This field contains the time after which the ticket will - not be honored (its expiration time). Note that individual - services may place their own limits on the life of a ticket - and may reject tickets which have not yet expired. As - such, this is really an upper bound on the expiration time - for the ticket. - - renew-till This field is only present in tickets that have the - RENEWABLE flag set in the flags field. It indicates the - maximum endtime that may be included in a renewal. It can - be thought of as the absolute expiration time for the - ticket, including all renewals. 
- - caddr This field in a ticket contains zero (if omitted) or more - (if present) host addresses. These are the addresses from - which the ticket can be used. If there are no addresses, - the ticket can be used from any location. The decision - by the KDC to issue or by the end server to accept zero- - address tickets is a policy decision and is left to the - Kerberos and end-service administrators; they may refuse to - issue or accept such tickets. The suggested and default - policy, however, is that such tickets will only be issued - or accepted when additional information that can be used to - restrict the use of the ticket is included in the - authorization_data field. Such a ticket is a capability. - - Network addresses are included in the ticket to make it - harder for an attacker to use stolen credentials. Because - the session key is not sent over the network in cleartext, - credentials can't be stolen simply by listening to the - network; an attacker has to gain access to the session key - (perhaps through operating system security breaches or a - careless user's unattended session) to make use of stolen - tickets. - - It is important to note that the network address from which - a connection is received cannot be reliably determined. - Even if it could be, an attacker who has compromised the - client's workstation could use the credentials from there. - Including the network addresses only makes it more - difficult, not impossible, for an attacker to walk off with - stolen credentials and then use them from a "safe" - location. - - - - - - -Kohl & Neuman [Page 46] - -RFC 1510 Kerberos September 1993 - - - authorization-data The authorization-data field is used to pass - authorization data from the principal on whose behalf a - ticket was issued to the application service. If no - authorization data is included, this field will be left - out. The data in this field are specific to the end - service. 
It is expected that the field will contain the - names of service specific objects, and the rights to those - objects. The format for this field is described in section - 5.2. Although Kerberos is not concerned with the format of - the contents of the subfields, it does carry type - information (ad-type). - - By using the authorization_data field, a principal is able - to issue a proxy that is valid for a specific purpose. For - example, a client wishing to print a file can obtain a file - server proxy to be passed to the print server. By - specifying the name of the file in the authorization_data - field, the file server knows that the print server can only - use the client's rights when accessing the particular file - to be printed. - - It is interesting to note that if one specifies the - authorization-data field of a proxy and leaves the host - addresses blank, the resulting ticket and session key can - be treated as a capability. See [9] for some suggested - uses of this field. - - The authorization-data field is optional and does not have - to be included in a ticket. - -5.3.2. Authenticators - - An authenticator is a record sent with a ticket to a server to - certify the client's knowledge of the encryption key in the ticket, - to help the server detect replays, and to help choose a "true session - key" to use with the particular session. The encoding is encrypted - in the ticket's session key shared by the client and the server: - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - - - -Kohl & Neuman [Page 47] - -RFC 1510 Kerberos September 1993 - - - authorization-data[8] AuthorizationData OPTIONAL - } - - authenticator-vno This field specifies the version number for the - format of the authenticator. 
This document specifies - version 5. - - crealm and cname These fields are the same as those described for the - ticket in section 5.3.1. - - cksum This field contains a checksum of the the application data - that accompanies the KRB_AP_REQ. - - cusec This field contains the microsecond part of the client's - timestamp. Its value (before encryption) ranges from 0 to - 999999. It often appears along with ctime. The two fields - are used together to specify a reasonably accurate - timestamp. - - ctime This field contains the current time on the client's host. - - subkey This field contains the client's choice for an encryption - key which is to be used to protect this specific - application session. Unless an application specifies - otherwise, if this field is left out the session key from - the ticket will be used. - - seq-number This optional field includes the initial sequence number - to be used by the KRB_PRIV or KRB_SAFE messages when - sequence numbers are used to detect replays (It may also be - used by application specific messages). When included in - the authenticator this field specifies the initial sequence - number for messages from the client to the server. When - included in the AP-REP message, the initial sequence number - is that for messages from the server to the client. When - used in KRB_PRIV or KRB_SAFE messages, it is incremented by - one after each message is sent. - - For sequence numbers to adequately support the detection of - replays they should be non-repeating, even across - connection boundaries. The initial sequence number should - be random and uniformly distributed across the full space - of possible sequence numbers, so that it cannot be guessed - by an attacker and so that it and the successive sequence - numbers do not repeat other sequences. - - - - - - -Kohl & Neuman [Page 48] - -RFC 1510 Kerberos September 1993 - - - authorization-data This field is the same as described for the ticket - in section 5.3.1. 
It is optional and will only appear when - additional restrictions are to be placed on the use of a - ticket, beyond those carried in the ticket itself. - -5.4. Specifications for the AS and TGS exchanges - - This section specifies the format of the messages used in exchange - between the client and the Kerberos server. The format of possible - error messages appears in section 5.9.1. - -5.4.1. KRB_KDC_REQ definition - - The KRB_KDC_REQ message has no type of its own. Instead, its type is - one of KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is - for an initial ticket or an additional ticket. In either case, the - message is sent from the client to the Authentication Server to - request credentials for a service. - -The message fields are: - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - pvno[1] INTEGER, - msg-type[2] INTEGER, - padata[3] SEQUENCE OF PA-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -PA-DATA ::= SEQUENCE { - padata-type[1] INTEGER, - padata-value[2] OCTET STRING, - -- might be encoded AP-REQ -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, - -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime, - rtime[6] KerberosTime OPTIONAL, - nonce[7] INTEGER, - - - -Kohl & Neuman [Page 49] - -RFC 1510 Kerberos September 1993 - - - etype[8] SEQUENCE OF INTEGER, -- EncryptionType, - -- in preference order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - - The fields in this message are: - - pvno This field is included in each message, and specifies the - protocol version number. This document specifies protocol - version 5. 
- - msg-type This field indicates the type of a protocol message. It - will almost always be the same as the application - identifier associated with a message. It is included to - make the identifier more readily accessible to the - application. For the KDC-REQ message, this type will be - KRB_AS_REQ or KRB_TGS_REQ. - - padata The padata (pre-authentication data) field contains a of - authentication information which may be needed before - credentials can be issued or decrypted. In the case of - requests for additional tickets (KRB_TGS_REQ), this field - will include an element with padata-type of PA-TGS-REQ and - data of an authentication header (ticket-granting ticket - and authenticator). The checksum in the authenticator - (which must be collisionproof) is to be computed over the - KDC-REQ-BODY encoding. In most requests for initial - authentication (KRB_AS_REQ) and most replies (KDC-REP), the - padata field will be left out. - - This field may also contain information needed by certain - extensions to the Kerberos protocol. For example, it might - be used to initially verify the identity of a client before - any response is returned. This is accomplished with a - padata field with padata-type equal to PA-ENC-TIMESTAMP and - padata-value defined as follows: - - padata-type ::= PA-ENC-TIMESTAMP - padata-value ::= EncryptedData -- PA-ENC-TS-ENC - - PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] INTEGER OPTIONAL - } - - - - -Kohl & Neuman [Page 50] - -RFC 1510 Kerberos September 1993 - - - with patimestamp containing the client's time and pausec - containing the microseconds which may be omitted if a - client will not generate more than one request per second. - The ciphertext (padata-value) consists of the PA-ENC-TS-ENC - sequence, encrypted using the client's secret key. 
-
- The padata field can also contain information needed to
- help the KDC or the client select the key needed for
- generating or decrypting the response. This form of the
- padata is useful for supporting the use of certain
- "smartcards" with Kerberos. The details of such extensions
- are beyond the scope of this specification. See [10] for
- additional uses of this field.
-
- padata-type The padata-type element of the padata field indicates the
- way that the padata-value element is to be interpreted.
- Negative values of padata-type are reserved for
- unregistered use; non-negative values are used for a
- registered interpretation of the element type.
-
- req-body This field is a placeholder delimiting the extent of the
- remaining fields. If a checksum is to be calculated over
- the request, it is calculated over an encoding of the KDC-
- REQ-BODY sequence which is enclosed within the req-body
- field.
-
- kdc-options This field appears in the KRB_AS_REQ and KRB_TGS_REQ
- requests to the KDC and indicates the flags that the client
- wants set on the tickets as well as other information that
- is to modify the behavior of the KDC. Where appropriate,
- the name of an option may be the same as the flag that is
- set by that option. Although in most case, the bit in the
- options field will be the same as that in the flags field,
- this is not guaranteed, so it is not acceptable to simply
- copy the options field to the flags field. There are
- various checks that must be made before honoring an option
- anyway.
-
- The kdc_options field is a bit-field, where the selected
- options are indicated by the bit being set (1), and the
- unselected options and reserved fields being reset (0).
- The encoding of the bits is specified in section 5.2. The
- options are described in more detail above in section 2.
- The meanings of the options are: - - - - - - - -Kohl & Neuman [Page 51] - -RFC 1510 Kerberos September 1993 - - - Bit(s) Name Description - - 0 RESERVED Reserved for future expansion of this - field. - - 1 FORWARDABLE The FORWARDABLE option indicates that - the ticket to be issued is to have its - forwardable flag set. It may only be - set on the initial request, or in a - subsequent request if the ticket- - granting ticket on which it is based - is also forwardable. - - 2 FORWARDED The FORWARDED option is only specified - in a request to the ticket-granting - server and will only be honored if the - ticket-granting ticket in the request - has its FORWARDABLE bit set. This - option indicates that this is a - request for forwarding. The - address(es) of the host from which the - resulting ticket is to be valid are - included in the addresses field of the - request. - - - 3 PROXIABLE The PROXIABLE option indicates that - the ticket to be issued is to have its - proxiable flag set. It may only be set - on the initial request, or in a - subsequent request if the ticket- - granting ticket on which it is based - is also proxiable. - - 4 PROXY The PROXY option indicates that this - is a request for a proxy. This option - will only be honored if the ticket- - granting ticket in the request has its - PROXIABLE bit set. The address(es) of - the host from which the resulting - ticket is to be valid are included in - the addresses field of the request. - - 5 ALLOW-POSTDATE The ALLOW-POSTDATE option indicates - that the ticket to be issued is to - have its MAY-POSTDATE flag set. It - may only be set on the initial - request, or in a subsequent request if - - - -Kohl & Neuman [Page 52] - -RFC 1510 Kerberos September 1993 - - - the ticket-granting ticket on which it - is based also has its MAY-POSTDATE - flag set. - - 6 POSTDATED The POSTDATED option indicates that - this is a request for a postdated - ticket. 
This option will only be - honored if the ticket-granting ticket - on which it is based has its MAY- - POSTDATE flag set. The resulting - ticket will also have its INVALID flag - set, and that flag may be reset by a - subsequent request to the KDC after - the starttime in the ticket has been - reached. - - 7 UNUSED This option is presently unused. - - 8 RENEWABLE The RENEWABLE option indicates that - the ticket to be issued is to have its - RENEWABLE flag set. It may only be - set on the initial request, or when - the ticket-granting ticket on which - the request is based is also - renewable. If this option is - requested, then the rtime field in the - request contains the desired absolute - expiration time for the ticket. - - 9-26 RESERVED Reserved for future use. - - 27 RENEWABLE-OK The RENEWABLE-OK option indicates that - a renewable ticket will be acceptable - if a ticket with the requested life - cannot otherwise be provided. If a - ticket with the requested life cannot - be provided, then a renewable ticket - may be issued with a renew-till equal - to the the requested endtime. The - value of the renew-till field may - still be limited by local limits, or - limits selected by the individual - principal or server. - - 28 ENC-TKT-IN-SKEY This option is used only by the - ticket-granting service. The ENC- - TKT-IN-SKEY option indicates that the - ticket for the end server is to be - - - -Kohl & Neuman [Page 53] - -RFC 1510 Kerberos September 1993 - - - encrypted in the session key from the - additional ticket-granting ticket - provided. - - 29 RESERVED Reserved for future use. - - 30 RENEW This option is used only by the - ticket-granting service. The RENEW - option indicates that the present - request is for a renewal. The ticket - provided is encrypted in the secret - key for the server on which it is - valid. This option will only be - honored if the ticket to be renewed - has its RENEWABLE flag set and if the - time in its renew till field has not - passed. 
The ticket to be renewed is - passed in the padata field as part of - the authentication header. - - 31 VALIDATE This option is used only by the - ticket-granting service. The VALIDATE - option indicates that the request is - to validate a postdated ticket. It - will only be honored if the ticket - presented is postdated, presently has - its INVALID flag set, and would be - otherwise usable at this time. A - ticket cannot be validated before its - starttime. The ticket presented for - validation is encrypted in the key of - the server for which it is valid and - is passed in the padata field as part - of the authentication header. - - cname and sname These fields are the same as those described for the - ticket in section 5.3.1. sname may only be absent when the - ENC-TKT-IN-SKEY option is specified. If absent, the name - of the server is taken from the name of the client in the - ticket passed as additional-tickets. - - enc-authorization-data The enc-authorization-data, if present (and it - can only be present in the TGS_REQ form), is an encoding of - the desired authorization-data encrypted under the sub- - session key if present in the Authenticator, or - alternatively from the session key in the ticket-granting - ticket, both from the padata field in the KRB_AP_REQ. - - - - -Kohl & Neuman [Page 54] - -RFC 1510 Kerberos September 1993 - - - realm This field specifies the realm part of the server's - principal identifier. In the AS exchange, this is also the - realm part of the client's principal identifier. - - from This field is included in the KRB_AS_REQ and KRB_TGS_REQ - ticket requests when the requested ticket is to be - postdated. It specifies the desired start time for the - requested ticket. - - till This field contains the expiration date requested by the - client in a ticket request. - - rtime This field is the requested renew-till time sent from a - client to the KDC in a ticket request. It is optional. 
-
- nonce This field is part of the KDC request and response. It it
- intended to hold a random number generated by the client.
- If the same number is included in the encrypted response
- from the KDC, it provides evidence that the response is
- fresh and has not been replayed by an attacker. Nonces
- must never be re-used. Ideally, it should be gen erated
- randomly, but if the correct time is known, it may suffice
- (Note, however, that if the time is used as the nonce, one
- must make sure that the workstation time is monotonically
- increasing. If the time is ever reset backwards, there is
- a small, but finite, probability that a nonce will be
- reused.).
-
- etype This field specifies the desired encryption algorithm to be
- used in the response.
-
- addresses This field is included in the initial request for tickets,
- and optionally included in requests for additional tickets
- from the ticket-granting server. It specifies the
- addresses from which the requested ticket is to be valid.
- Normally it includes the addresses for the client's host.
- If a proxy is requested, this field will contain other
- addresses. The contents of this field are usually copied
- by the KDC into the caddr field of the resulting ticket.
-
- additional-tickets Additional tickets may be optionally included in a
- request to the ticket-granting server. If the ENC-TKT-IN-
- SKEY option has been specified, then the session key from
- the additional ticket will be used in place of the server's
- key to encrypt the new ticket. If more than one option
- which requires additional tickets has been specified, then
- the additional tickets are used in the order specified by
- the ordering of the options bits (see kdc-options, above).
-
-
-
-Kohl & Neuman [Page 55]
-
-RFC 1510 Kerberos September 1993
-
-
- The application code will be either ten (10) or twelve (12) depending
- on whether the request is for an initial ticket (AS-REQ) or for an
- additional ticket (TGS-REQ).
-
- The optional fields (addresses, authorization-data and additional-
- tickets) are only included if necessary to perform the operation
- specified in the kdc-options field.
-
- It should be noted that in KRB_TGS_REQ, the protocol version number
- appears twice and two different message types appear: the KRB_TGS_REQ
- message contains these fields as does the authentication header
- (KRB_AP_REQ) that is passed in the padata field.
-
-5.4.2. KRB_KDC_REP definition
-
- The KRB_KDC_REP message format is used for the reply from the KDC for
- either an initial (AS) request or a subsequent (TGS) request. There
- is no message type for KRB_KDC_REP. Instead, the type will be either
- KRB_AS_REP or KRB_TGS_REP. The key used to encrypt the ciphertext
- part of the reply depends on the message type. For KRB_AS_REP, the
- ciphertext is encrypted in the client's secret key, and the client's
- key version number is included in the key version number for the
- encrypted data. For KRB_TGS_REP, the ciphertext is encrypted in the
- sub-session key from the Authenticator, or if absent, the session key
- from the ticket-granting ticket used in the request. In that case,
- no version number will be present in the EncryptedData sequence.
-
- The KRB_KDC_REP message contains the following fields:
-
- AS-REP ::= [APPLICATION 11] KDC-REP
- TGS-REP ::= [APPLICATION 13] KDC-REP
-
- KDC-REP ::= SEQUENCE {
- pvno[0] INTEGER,
- msg-type[1] INTEGER,
- padata[2] SEQUENCE OF PA-DATA OPTIONAL,
- crealm[3] Realm,
- cname[4] PrincipalName,
- ticket[5] Ticket,
- enc-part[6] EncryptedData
- }
-
- EncASRepPart ::= [APPLICATION 25[25]] EncKDCRepPart
- EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
-
- EncKDCRepPart ::= SEQUENCE {
- key[0] EncryptionKey,
- last-req[1] LastReq,
-
-
-
-Kohl & Neuman [Page 56]
-
-RFC 1510 Kerberos September 1993
-
-
- nonce[2] INTEGER,
- key-expiration[3] KerberosTime OPTIONAL,
- flags[4] TicketFlags,
- authtime[5] KerberosTime,
- starttime[6] KerberosTime OPTIONAL,
- endtime[7] KerberosTime,
- renew-till[8] KerberosTime OPTIONAL,
- srealm[9] Realm,
- sname[10] PrincipalName,
- caddr[11] HostAddresses OPTIONAL
- }
-
- NOTE: In EncASRepPart, the application code in the encrypted
- part of a message provides an additional check that
- the message was decrypted properly.
-
- pvno and msg-type These fields are described above in section 5.4.1.
- msg-type is either KRB_AS_REP or KRB_TGS_REP.
-
- padata This field is described in detail in section 5.4.1. One
- possible use for this field is to encode an alternate
- "mix-in" string to be used with a string-to-key algorithm
- (such as is described in section 6.3.2). This ability is
- useful to ease transitions if a realm name needs to change
- (e.g., when a company is acquired); in such a case all
- existing password-derived entries in the KDC database would
- be flagged as needing a special mix-in string until the
- next password change.
-
- crealm, cname, srealm and sname These fields are the same as those
- described for the ticket in section 5.3.1.
-
- ticket The newly-issued ticket, from section 5.3.1.
-
- enc-part This field is a place holder for the ciphertext and related
- information that forms the encrypted part of a message.
- The description of the encrypted part of the message - follows each appearance of this field. The encrypted part - is encoded as described in section 6.1. - - key This field is the same as described for the ticket in - section 5.3.1. - - last-req This field is returned by the KDC and specifies the time(s) - of the last request by a principal. Depending on what - information is available, this might be the last time that - a request for a ticket-granting ticket was made, or the - last time that a request based on a ticket-granting ticket - - - -Kohl & Neuman [Page 57] - -RFC 1510 Kerberos September 1993 - - - was successful. It also might cover all servers for a - realm, or just the particular server. Some implementations - may display this information to the user to aid in - discovering unauthorized use of one's identity. It is - similar in spirit to the last login time displayed when - logging into timesharing systems. - - nonce This field is described above in section 5.4.1. - - key-expiration The key-expiration field is part of the response from - the KDC and specifies the time that the client's secret key - is due to expire. The expiration might be the result of - password aging or an account expiration. This field will - usually be left out of the TGS reply since the response to - the TGS request is encrypted in a session key and no client - information need be retrieved from the KDC database. It is - up to the application client (usually the login program) to - take appropriate action (such as notifying the user) if the - expira tion time is imminent. - - flags, authtime, starttime, endtime, renew-till and caddr These - fields are duplicates of those found in the encrypted - portion of the attached ticket (see section 5.3.1), - provided so the client may verify they match the intended - request and to assist in proper ticket caching. 
If the - message is of type KRB_TGS_REP, the caddr field will only - be filled in if the request was for a proxy or forwarded - ticket, or if the user is substituting a subset of the - addresses from the ticket granting ticket. If the client- - requested addresses are not present or not used, then the - addresses contained in the ticket will be the same as those - included in the ticket-granting ticket. - -5.5. Client/Server (CS) message specifications - - This section specifies the format of the messages used for the - authentication of the client to the application server. - -5.5.1. KRB_AP_REQ definition - - The KRB_AP_REQ message contains the Kerberos protocol version number, - the message type KRB_AP_REQ, an options field to indicate any options - in use, and the ticket and authenticator themselves. The KRB_AP_REQ - message is often referred to as the "authentication header". - - AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - - - -Kohl & Neuman [Page 58] - -RFC 1510 Kerberos September 1993 - - - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData - } - - APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) - } - - pvno and msg-type These fields are described above in section 5.4.1. - msg-type is KRB_AP_REQ. - - ap-options This field appears in the application request (KRB_AP_REQ) - and affects the way the request is processed. It is a - bit-field, where the selected options are indicated by the - bit being set (1), and the unselected options and reserved - fields being reset (0). The encoding of the bits is - specified in section 5.2. The meanings of the options are: - - Bit(s) Name Description - - 0 RESERVED Reserved for future expansion of - this field. - - 1 USE-SESSION-KEYThe USE-SESSION-KEY option indicates - that the ticket the client is - presenting to a server is encrypted in - the session key from the server's - ticket-granting ticket. 
When this - option is not specified, the ticket is - encrypted in the server's secret key. - - 2 MUTUAL-REQUIREDThe MUTUAL-REQUIRED option tells the - server that the client requires mutual - authentication, and that it must - respond with a KRB_AP_REP message. - - 3-31 RESERVED Reserved for future use. - - ticket This field is a ticket authenticating the client to the - server. - - authenticator This contains the authenticator, which includes the - client's choice of a subkey. Its encoding is described in - section 5.3.2. - - - - -Kohl & Neuman [Page 59] - -RFC 1510 Kerberos September 1993 - - -5.5.2. KRB_AP_REP definition - - The KRB_AP_REP message contains the Kerberos protocol version number, - the message type, and an encrypted timestamp. The message is sent in - in response to an application request (KRB_AP_REQ) where the mutual - authentication option has been selected in the ap-options field. - - AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[2] EncryptedData - } - - EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] INTEGER, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] INTEGER OPTIONAL - } - - NOTE: in EncAPRepPart, the application code in the encrypted part of - a message provides an additional check that the message was decrypted - properly. - - The encoded EncAPRepPart is encrypted in the shared session key of - the ticket. The optional subkey field can be used in an - application-arranged negotiation to choose a per association session - key. - - pvno and msg-type These fields are described above in section 5.4.1. - msg-type is KRB_AP_REP. - - enc-part This field is described above in section 5.4.2. - - ctime This field contains the current time on the client's host. - - cusec This field contains the microsecond part of the client's - timestamp. - - subkey This field contains an encryption key which is to be used - to protect this specific application session. 
See section - 3.2.6 for specifics on how this field is used to negotiate - a key. Unless an application specifies otherwise, if this - field is left out, the sub-session key from the - authenticator, or if also left out, the session key from - the ticket will be used. - - - - - -Kohl & Neuman [Page 60] - -RFC 1510 Kerberos September 1993 - - -5.5.3. Error message reply - - If an error occurs while processing the application request, the - KRB_ERROR message will be sent in response. See section 5.9.1 for - the format of the error message. The cname and crealm fields may be - left out if the server cannot determine their appropriate values from - the corresponding KRB_AP_REQ message. If the authenticator was - decipherable, the ctime and cusec fields will contain the values from - it. - -5.6. KRB_SAFE message specification - - This section specifies the format of a message that can be used by - either side (client or server) of an application to send a tamper- - proof message to its peer. It presumes that a session key has - previously been exchanged (for example, by using the - KRB_AP_REQ/KRB_AP_REP messages). - -5.6.1. KRB_SAFE definition - - The KRB_SAFE message contains user data along with a collision-proof - checksum keyed with the session key. The message fields are: - - KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum - } - - KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress, - r-address[5] HostAddress OPTIONAL - } - - pvno and msg-type These fields are described above in section 5.4.1. - msg-type is KRB_SAFE. - - safe-body This field is a placeholder for the body of the KRB-SAFE - message. It is to be encoded separately and then have the - checksum computed over it, for use in the cksum field. 
- - cksum This field contains the checksum of the application data. - Checksum details are described in section 6.4. The - - - -Kohl & Neuman [Page 61] - -RFC 1510 Kerberos September 1993 - - - checksum is computed over the encoding of the KRB-SAFE-BODY - sequence. - - user-data This field is part of the KRB_SAFE and KRB_PRIV messages - and contain the application specific data that is being - passed from the sender to the recipient. - - timestamp This field is part of the KRB_SAFE and KRB_PRIV messages. - Its contents are the current time as known by the sender of - the message. By checking the timestamp, the recipient of - the message is able to make sure that it was recently - generated, and is not a replay. - - usec This field is part of the KRB_SAFE and KRB_PRIV headers. - It contains the microsecond part of the timestamp. - - seq-number This field is described above in section 5.3.2. - - s-address This field specifies the address in use by the sender of - the message. - - r-address This field specifies the address in use by the recipient of - the message. It may be omitted for some uses (such as - broadcast protocols), but the recipient may arbitrarily - reject such messages. This field along with s-address can - be used to help detect messages which have been incorrectly - or maliciously delivered to the wrong recipient. - -5.7. KRB_PRIV message specification - - This section specifies the format of a message that can be used by - either side (client or server) of an application to securely and - privately send a message to its peer. It presumes that a session key - has previously been exchanged (for example, by using the - KRB_AP_REQ/KRB_AP_REP messages). - -5.7.1. KRB_PRIV definition - - The KRB_PRIV message contains user data encrypted in the Session Key. 
- The message fields are: - - KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - enc-part[3] EncryptedData - } - - - - - -Kohl & Neuman [Page 62] - -RFC 1510 Kerberos September 1993 - - - EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] INTEGER OPTIONAL, - seq-number[3] INTEGER OPTIONAL, - s-address[4] HostAddress, -- sender's addr - r-address[5] HostAddress OPTIONAL - -- recip's addr - } - - NOTE: In EncKrbPrivPart, the application code in the encrypted part - of a message provides an additional check that the message was - decrypted properly. - - pvno and msg-type These fields are described above in section 5.4.1. - msg-type is KRB_PRIV. - - enc-part This field holds an encoding of the EncKrbPrivPart sequence - encrypted under the session key (If supported by the - encryption method in use, an initialization vector may be - passed to the encryption procedure, in order to achieve - proper cipher chaining. The initialization vector might - come from the last block of the ciphertext from the - previous KRB_PRIV message, but it is the application's - choice whether or not to use such an initialization vector. - If left out, the default initialization vector for the - encryption algorithm will be used.). This encrypted - encoding is used for the enc-part field of the KRB-PRIV - message. See section 6 for the format of the ciphertext. - - user-data, timestamp, usec, s-address and r-address These fields are - described above in section 5.6.1. - - seq-number This field is described above in section 5.3.2. - -5.8. KRB_CRED message specification - - This section specifies the format of a message that can be used to - send Kerberos credentials from one principal to another. It is - presented here to encourage a common mechanism to be used by - applications when forwarding tickets or providing proxies to - subordinate servers. 
It presumes that a session key has already been - exchanged perhaps by using the KRB_AP_REQ/KRB_AP_REP messages. - -5.8.1. KRB_CRED definition - - The KRB_CRED message contains a sequence of tickets to be sent and - information needed to use the tickets, including the session key from - - - -Kohl & Neuman [Page 63] - -RFC 1510 Kerberos September 1993 - - - each. The information needed to use the tickets is encryped under an - encryption key previously exchanged. The message fields are: - - KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData - } - - EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] INTEGER OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] INTEGER OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL - } - - KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL - } - - - pvno and msg-type These fields are described above in section 5.4.1. - msg-type is KRB_CRED. - - tickets - These are the tickets obtained from the KDC specifically - for use by the intended recipient. Successive tickets are - paired with the corresponding KrbCredInfo sequence from the - enc-part of the KRB-CRED message. - - enc-part This field holds an encoding of the EncKrbCredPart sequence - encrypted under the session key shared between the sender - and the intended recipient. This encrypted encoding is - used for the enc-part field of the KRB-CRED message. See - section 6 for the format of the ciphertext. 
- - - -Kohl & Neuman [Page 64] - -RFC 1510 Kerberos September 1993 - - - nonce If practical, an application may require the inclusion of a - nonce generated by the recipient of the message. If the - same value is included as the nonce in the message, it - provides evidence that the message is fresh and has not - been replayed by an attacker. A nonce must never be re- - used; it should be generated randomly by the recipient of - the message and provided to the sender of the mes sage in - an application specific manner. - - timestamp and usec These fields specify the time that the KRB-CRED - message was generated. The time is used to provide - assurance that the message is fresh. - - s-address and r-address These fields are described above in section - 5.6.1. They are used optionally to provide additional - assurance of the integrity of the KRB-CRED message. - - key This field exists in the corresponding ticket passed by the - KRB-CRED message and is used to pass the session key from - the sender to the intended recipient. The field's encoding - is described in section 6.2. - - The following fields are optional. If present, they can be - associated with the credentials in the remote ticket file. If left - out, then it is assumed that the recipient of the credentials already - knows their value. - - prealm and pname The name and realm of the delegated principal - identity. - - flags, authtime, starttime, endtime, renew-till, srealm, sname, - and caddr These fields contain the values of the - corresponding fields from the ticket found in the ticket - field. Descriptions of the fields are identical to the - descriptions in the KDC-REP message. - -5.9. Error message specification - - This section specifies the format for the KRB_ERROR message. The - fields included in the message are intended to return as much - information as possible about an error. It is not expected that all - the information required by the fields will be available for all - types of errors. 
If the appropriate information is not available - when the message is composed, the corresponding field will be left - out of the message. - - Note that since the KRB_ERROR message is not protected by any - encryption, it is quite possible for an intruder to synthesize or - - - -Kohl & Neuman [Page 65] - -RFC 1510 Kerberos September 1993 - - - modify such a message. In particular, this means that the client - should not use any fields in this message for security-critical - purposes, such as setting a system clock or generating a fresh - authenticator. The message can be useful, however, for advising a - user on the reason for some failure. - -5.9.1. KRB_ERROR definition - - The KRB_ERROR message consists of the following fields: - - KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL - } - - pvno and msg-type These fields are described above in section 5.4.1. - msg-type is KRB_ERROR. - - ctime This field is described above in section 5.4.1. - - cusec This field is described above in section 5.5.2. - - stime This field contains the current time on the server. It is - of type KerberosTime. - - susec This field contains the microsecond part of the server's - timestamp. Its value ranges from 0 to 999. It appears - along with stime. The two fields are used in conjunction to - specify a reasonably accurate timestamp. - - error-code This field contains the error code returned by Kerberos or - the server when a request fails. To interpret the value of - this field see the list of error codes in section 8. 
- Implementations are encouraged to provide for national - language support in the display of error messages. - - crealm, cname, srealm and sname These fields are described above in - - - -Kohl & Neuman [Page 66] - -RFC 1510 Kerberos September 1993 - - - section 5.3.1. - - e-text This field contains additional text to help explain the - error code associated with the failed request (for example, - it might include a principal name which was unknown). - - e-data This field contains additional data about the error for use - by the application to help it recover from or handle the - error. If the errorcode is KDC_ERR_PREAUTH_REQUIRED, then - the e-data field will contain an encoding of a sequence of - padata fields, each corresponding to an acceptable pre- - authentication method and optionally containing data for - the method: - - METHOD-DATA ::= SEQUENCE of PA-DATA - - If the error-code is KRB_AP_ERR_METHOD, then the e-data field will - contain an encoding of the following sequence: - - METHOD-DATA ::= SEQUENCE { - method-type[0] INTEGER, - method-data[1] OCTET STRING OPTIONAL - } - - method-type will indicate the required alternate method; method-data - will contain any required additional information. - -6. Encryption and Checksum Specifications - - The Kerberos protocols described in this document are designed to use - stream encryption ciphers, which can be simulated using commonly - available block encryption ciphers, such as the Data Encryption - Standard [11], in conjunction with block chaining and checksum - methods [12]. Encryption is used to prove the identities of the - network entities participating in message exchanges. The Key - Distribution Center for each realm is trusted by all principals - registered in that realm to store a secret key in confidence. Proof - of knowledge of this secret key is used to verify the authenticity of - a principal. 
- - The KDC uses the principal's secret key (in the AS exchange) or a - shared session key (in the TGS exchange) to encrypt responses to - ticket requests; the ability to obtain the secret key or session key - implies the knowledge of the appropriate keys and the identity of the - KDC. The ability of a principal to decrypt the KDC response and - present a Ticket and a properly formed Authenticator (generated with - the session key from the KDC response) to a service verifies the - identity of the principal; likewise the ability of the service to - - - -Kohl & Neuman [Page 67] - -RFC 1510 Kerberos September 1993 - - - extract the session key from the Ticket and prove its knowledge - thereof in a response verifies the identity of the service. - - The Kerberos protocols generally assume that the encryption used is - secure from cryptanalysis; however, in some cases, the order of - fields in the encrypted portions of messages are arranged to minimize - the effects of poorly chosen keys. It is still important to choose - good keys. If keys are derived from user-typed passwords, those - passwords need to be well chosen to make brute force attacks more - difficult. Poorly chosen keys still make easy targets for intruders. - - The following sections specify the encryption and checksum mechanisms - currently defined for Kerberos. The encodings, chaining, and padding - requirements for each are described. For encryption methods, it is - often desirable to place random information (often referred to as a - confounder) at the start of the message. The requirements for a - confounder are specified with each encryption mechanism. - - Some encryption systems use a block-chaining method to improve the - the security characteristics of the ciphertext. However, these - chaining methods often don't provide an integrity check upon - decryption. 
Such systems (such as DES in CBC mode) must be augmented - with a checksum of the plaintext which can be verified at decryption - and used to detect any tampering or damage. Such checksums should be - good at detecting burst errors in the input. If any damage is - detected, the decryption routine is expected to return an error - indicating the failure of an integrity check. Each encryption type is - expected to provide and verify an appropriate checksum. The - specification of each encryption method sets out its checksum - requirements. - - Finally, where a key is to be derived from a user's password, an - algorithm for converting the password to a key of the appropriate - type is included. It is desirable for the string to key function to - be one-way, and for the mapping to be different in different realms. - This is important because users who are registered in more than one - realm will often use the same password in each, and it is desirable - that an attacker compromising the Kerberos server in one realm not - obtain or derive the user's key in another. - - For a discussion of the integrity characteristics of the candidate - encryption and checksum methods considered for Kerberos, the the - reader is referred to [13]. - -6.1. Encryption Specifications - - The following ASN.1 definition describes all encrypted messages. The - enc-part field which appears in the unencrypted part of messages in - - - -Kohl & Neuman [Page 68] - -RFC 1510 Kerberos September 1993 - - - section 5 is a sequence consisting of an encryption type, an optional - key version number, and the ciphertext. - - EncryptedData ::= SEQUENCE { - etype[0] INTEGER, -- EncryptionType - kvno[1] INTEGER OPTIONAL, - cipher[2] OCTET STRING -- ciphertext - } - - etype This field identifies which encryption algorithm was used - to encipher the cipher. Detailed specifications for - selected encryption types appear later in this section. 
- - kvno This field contains the version number of the key under - which data is encrypted. It is only present in messages - encrypted under long lasting keys, such as principals' - secret keys. - - cipher This field contains the enciphered text, encoded as an - OCTET STRING. - - The cipher field is generated by applying the specified encryption - algorithm to data composed of the message and algorithm-specific - inputs. Encryption mechanisms defined for use with Kerberos must - take sufficient measures to guarantee the integrity of the plaintext, - and we recommend they also take measures to protect against - precomputed dictionary attacks. If the encryption algorithm is not - itself capable of doing so, the protections can often be enhanced by - adding a checksum and a confounder. - - The suggested format for the data to be encrypted includes a - confounder, a checksum, the encoded plaintext, and any necessary - padding. The msg-seq field contains the part of the protocol message - described in section 5 which is to be encrypted. The confounder, - checksum, and padding are all untagged and untyped, and their length - is exactly sufficient to hold the appropriate item. The type and - length is implicit and specified by the particular encryption type - being used (etype). 
The format for the data to be encrypted is - described in the following diagram: - - +-----------+----------+-------------+-----+ - |confounder | check | msg-seq | pad | - +-----------+----------+-------------+-----+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - - - - -Kohl & Neuman [Page 69] - -RFC 1510 Kerberos September 1993 - - -CipherText ::= ENCRYPTED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(conf_length) OPTIONAL, - check[1] UNTAGGED OCTET STRING(checksum_length) OPTIONAL, - msg-seq[2] MsgSequence, - pad UNTAGGED OCTET STRING(pad_length) OPTIONAL -} - - In the above specification, UNTAGGED OCTET STRING(length) is the - notation for an octet string with its tag and length removed. It is - not a valid ASN.1 type. The tag bits and length must be removed from - the confounder since the purpose of the confounder is so that the - message starts with random data, but the tag and its length are - fixed. For other fields, the length and tag would be redundant if - they were included because they are specified by the encryption type. - - One generates a random confounder of the appropriate length, placing - it in confounder; zeroes out check; calculates the appropriate - checksum over confounder, check, and msg-seq, placing the result in - check; adds the necessary padding; then encrypts using the specified - encryption type and the appropriate key. - - Unless otherwise specified, a definition of an encryption algorithm - that specifies a checksum, a length for the confounder field, or an - octet boundary for padding uses this ciphertext format (The ordering - of the fields in the CipherText is important. Additionally, messages - encoded in this format must include a length as part of the msg-seq - field. This allows the recipient to verify that the message has not - been truncated. 
Without a length, an attacker could use a chosen - plaintext attack to generate a message which could be truncated, - while leaving the checksum intact. Note that if the msg-seq is an - encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length is - part of that encoding.). Those fields which are not specified will be - omitted. - - In the interest of allowing all implementations using a particular - encryption type to communicate with all others using that type, the - specification of an encryption type defines any checksum that is - needed as part of the encryption process. If an alternative checksum - is to be used, a new encryption type must be defined. - - Some cryptosystems require additional information beyond the key and - the data to be encrypted. For example, DES, when used in cipher- - block-chaining mode, requires an initialization vector. If required, - the description for each encryption type must specify the source of - such additional information. - - - - - - -Kohl & Neuman [Page 70] - -RFC 1510 Kerberos September 1993 - - -6.2. Encryption Keys - - The sequence below shows the encoding of an encryption key: - - EncryptionKey ::= SEQUENCE { - keytype[0] INTEGER, - keyvalue[1] OCTET STRING - } - - keytype This field specifies the type of encryption key that - follows in the keyvalue field. It will almost always - correspond to the encryption algorithm used to generate the - EncryptedData, though more than one algorithm may use the - same type of key (the mapping is many to one). This might - happen, for example, if the encryption algorithm uses an - alternate checksum algorithm for an integrity check, or a - different chaining mechanism. - - keyvalue This field contains the key itself, encoded as an octet - string. - - All negative values for the encryption key type are reserved for - local use. All non-negative values are reserved for officially - assigned type fields and interpretations. - -6.3. Encryption Systems - -6.3.1. 
The NULL Encryption System (null) - - If no encryption is in use, the encryption system is said to be the - NULL encryption system. In the NULL encryption system there is no - checksum, confounder or padding. The ciphertext is simply the - plaintext. The NULL Key is used by the null encryption system and is - zero octets in length, with keytype zero (0). - -6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc) - - The des-cbc-crc encryption mode encrypts information under the Data - Encryption Standard [11] using the cipher block chaining mode [12]. - A CRC-32 checksum (described in ISO 3309 [14]) is applied to the - confounder and message sequence (msg-seq) and placed in the cksum - field. DES blocks are 8 bytes. As a result, the data to be - encrypted (the concatenation of confounder, checksum, and message) - must be padded to an 8 byte boundary before encryption. The details - of the encryption of this data are identical to those for the des- - cbc-md5 encryption mode. - - Note that, since the CRC-32 checksum is not collisionproof, an - - - -Kohl & Neuman [Page 71] - -RFC 1510 Kerberos September 1993 - - - attacker could use a probabilistic chosenplaintext attack to generate - a valid message even if a confounder is used [13]. The use of - collision-proof checksums is recommended for environments where such - attacks represent a significant threat. The use of the CRC-32 as the - checksum for ticket or authenticator is no longer mandated as an - interoperability requirement for Kerberos Version 5 Specification 1 - (See section 9.1 for specific details). - -6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4) - - The des-cbc-md4 encryption mode encrypts information under the Data - Encryption Standard [11] using the cipher block chaining mode [12]. - An MD4 checksum (described in [15]) is applied to the confounder and - message sequence (msg-seq) and placed in the cksum field. DES blocks - are 8 bytes. 
As a result, the data to be encrypted (the - concatenation of confounder, checksum, and message) must be padded to - an 8 byte boundary before encryption. The details of the encryption - of this data are identical to those for the descbc-md5 encryption - mode. - -6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5) - - The des-cbc-md5 encryption mode encrypts information under the Data - Encryption Standard [11] using the cipher block chaining mode [12]. - An MD5 checksum (described in [16]) is applied to the confounder and - message sequence (msg-seq) and placed in the cksum field. DES blocks - are 8 bytes. As a result, the data to be encrypted (the - concatenation of confounder, checksum, and message) must be padded to - an 8 byte boundary before encryption. - - Plaintext and DES ciphtertext are encoded as 8-octet blocks which are - concatenated to make the 64-bit inputs for the DES algorithms. The - first octet supplies the 8 most significant bits (with the octet's - MSbit used as the DES input block's MSbit, etc.), the second octet - the next 8 bits, ..., and the eighth octet supplies the 8 least - significant bits. - - Encryption under DES using cipher block chaining requires an - additional input in the form of an initialization vector. Unless - otherwise specified, zero should be used as the initialization - vector. Kerberos' use of DES requires an 8-octet confounder. - - The DES specifications identify some "weak" and "semiweak" keys; - those keys shall not be used for encrypting messages for use in - Kerberos. Additionally, because of the way that keys are derived for - the encryption of checksums, keys shall not be used that yield "weak" - or "semi-weak" keys when eXclusive-ORed with the constant - F0F0F0F0F0F0F0F0. - - - -Kohl & Neuman [Page 72] - -RFC 1510 Kerberos September 1993 - - - A DES key is 8 octets of data, with keytype one (1). This consists - of 56 bits of key, and 8 parity bits (one per octet). 
The key is - encoded as a series of 8 octets written in MSB-first order. The bits - within the key are also encoded in MSB order. For example, if the - encryption key is: - (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where - B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the - parity bits, the first octet of the key would be B1,B2,...,B7,P1 - (with B1 as the MSbit). [See the FIPS 81 introduction for - reference.] - - To generate a DES key from a text string (password), the text string - normally must have the realm and each component of the principal's - name appended(In some cases, it may be necessary to use a different - "mix-in" string for compatibility reasons; see the discussion of - padata in section 5.4.2.), then padded with ASCII nulls to an 8 byte - boundary. This string is then fan-folded and eXclusive-ORed with - itself to form an 8 byte DES key. The parity is corrected on the - key, and it is used to generate a DES CBC checksum on the initial - string (with the realm and name appended). Next, parity is corrected - on the CBC checksum. If the result matches a "weak" or "semiweak" - key as described in the DES specification, it is eXclusive-ORed with - the constant 00000000000000F0. Finally, the result is returned as - the key. Pseudocode follows: - - string_to_key(string,realm,name) { - odd = 1; - s = string + realm; - for(each component in name) { - s = s + component; - } - tempkey = NULL; - pad(s); /* with nulls to 8 byte boundary */ - for(8byteblock in s) { - if(odd == 0) { - odd = 1; - reverse(8byteblock) - } - else odd = 0; - tempkey = tempkey XOR 8byteblock; - } - fixparity(tempkey); - key = DES-CBC-check(s,tempkey); - fixparity(key); - if(is_weak_key_key(key)) - key = key XOR 0xF0; - return(key); - } - - - -Kohl & Neuman [Page 73] - -RFC 1510 Kerberos September 1993 - - -6.4. 
Checksums - - The following is the ASN.1 definition used for a checksum: - - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, - checksum[1] OCTET STRING - } - - cksumtype This field indicates the algorithm used to generate the - accompanying checksum. - - checksum This field contains the checksum itself, encoded - as an octet string. - - Detailed specification of selected checksum types appear later in - this section. Negative values for the checksum type are reserved for - local use. All non-negative values are reserved for officially - assigned type fields and interpretations. - - Checksums used by Kerberos can be classified by two properties: - whether they are collision-proof, and whether they are keyed. It is - infeasible to find two plaintexts which generate the same checksum - value for a collision-proof checksum. A key is required to perturb - or initialize the algorithm in a keyed checksum. To prevent - message-stream modification by an active attacker, unkeyed checksums - should only be used when the checksum and message will be - subsequently encrypted (e.g., the checksums defined as part of the - encryption algorithms covered earlier in this section). Collision- - proof checksums can be made tamper-proof as well if the checksum - value is encrypted before inclusion in a message. In such cases, the - composition of the checksum and the encryption algorithm must be - considered a separate checksum algorithm (e.g., RSA-MD5 encrypted - using DES is a new checksum algorithm of type RSA-MD5-DES). For most - keyed checksums, as well as for the encrypted forms of collisionproof - checksums, Kerberos prepends a confounder before the checksum is - calculated. - -6.4.1. The CRC-32 Checksum (crc32) - - The CRC-32 checksum calculates a checksum based on a cyclic - redundancy check as described in ISO 3309 [14]. The resulting - checksum is four (4) octets in length. The CRC-32 is neither keyed - nor collision-proof. The use of this checksum is not recommended. 
- An attacker using a probabilistic chosen-plaintext attack as - described in [13] might be able to generate an alternative message - that satisfies the checksum. The use of collision-proof checksums is - recommended for environments where such attacks represent a - - - -Kohl & Neuman [Page 74] - -RFC 1510 Kerberos September 1993 - - - significant threat. - -6.4.2. The RSA MD4 Checksum (rsa-md4) - - The RSA-MD4 checksum calculates a checksum using the RSA MD4 - algorithm [15]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) - checksum. RSA-MD4 is believed to be collision-proof. - -6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4des) - - The RSA-MD4-DES checksum calculates a keyed collisionproof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD4 checksum algorithm, and encrypting the confounder and the - checksum using DES in cipher-block-chaining (CBC) mode using a - variant of the key, where the variant is computed by eXclusive-ORing - the key with the constant F0F0F0F0F0F0F0F0 (A variant of the key is - used to limit the use of a key to a particular function, separating - the functions of generating a checksum from other encryption - performed using the session key. The constant F0F0F0F0F0F0F0F0 was - chosen because it maintains key parity. The properties of DES - precluded the use of the complement. The same constant is used for - similar purpose in the Message Integrity Check in the Privacy - Enhanced Mail standard.). The initialization vector should be zero. - The resulting checksum is 24 octets long (8 octets of which are - redundant). This checksum is tamper-proof and believed to be - collision-proof. - - The DES specifications identify some "weak keys"; those keys shall - not be used for generating RSA-MD4 checksums for use in Kerberos. 
- - The format for the checksum is described in the following diagram: - - +--+--+--+--+--+--+--+-- - | des-cbc(confounder - +--+--+--+--+--+--+--+-- - - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - rsa-md4(confounder+msg),key=var(key),iv=0) | - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md4-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - - - -Kohl & Neuman [Page 75] - -RFC 1510 Kerberos September 1993 - - -6.4.4. The RSA MD5 Checksum (rsa-md5) - - The RSA-MD5 checksum calculates a checksum using the RSA MD5 - algorithm [16]. The algorithm takes as input an input message of - arbitrary length and produces as output a 128-bit (16 octet) - checksum. RSA-MD5 is believed to be collision-proof. - -6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5des) - - The RSA-MD5-DES checksum calculates a keyed collisionproof checksum - by prepending an 8 octet confounder before the text, applying the RSA - MD5 checksum algorithm, and encrypting the confounder and the - checksum using DES in cipher-block-chaining (CBC) mode using a - variant of the key, where the variant is computed by eXclusive-ORing - the key with the constant F0F0F0F0F0F0F0F0. The initialization - vector should be zero. The resulting checksum is 24 octets long (8 - octets of which are redundant). This checksum is tamper-proof and - believed to be collision-proof. - - The DES specifications identify some "weak keys"; those keys shall - not be used for encrypting RSA-MD5 checksums for use in Kerberos. 
- - The format for the checksum is described in the following diagram: - - +--+--+--+--+--+--+--+-- - | des-cbc(confounder - +--+--+--+--+--+--+--+-- - - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - rsa-md5(confounder+msg),key=var(key),iv=0) | - +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(16) - } - -6.4.6. DES cipher-block chained checksum (des-mac) - - The DES-MAC checksum is computed by prepending an 8 octet confounder - to the plaintext, performing a DES CBC-mode encryption on the result - using the key and an initialization vector of zero, taking the last - block of the ciphertext, prepending the same confounder and - encrypting the pair using DES in cipher-block-chaining (CBC) mode - using a a variant of the key, where the variant is computed by - - - -Kohl & Neuman [Page 76] - -RFC 1510 Kerberos September 1993 - - - eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. The - initialization vector should be zero. The resulting checksum is 128 - bits (16 octets) long, 64 bits of which are redundant. This checksum - is tamper-proof and collision-proof. 
- - The format for the checksum is described in the following diagram: - - +--+--+--+--+--+--+--+-- - | des-cbc(confounder - +--+--+--+--+--+--+--+-- - - +-----+-----+-----+-----+-----+-----+-----+-----+ - des-mac(conf+msg,iv=0,key),key=var(key),iv=0) | - +-----+-----+-----+-----+-----+-----+-----+-----+ - - The format cannot be described in ASN.1, but for those who prefer an - ASN.1-like notation: - - des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { - confounder[0] UNTAGGED OCTET STRING(8), - check[1] UNTAGGED OCTET STRING(8) - } - - The DES specifications identify some "weak" and "semiweak" keys; - those keys shall not be used for generating DES-MAC checksums for use - in Kerberos, nor shall a key be used whose veriant is "weak" or - "semi-weak". - -6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative - (rsa-md4-des-k) - - The RSA-MD4-DES-K checksum calculates a keyed collision-proof - checksum by applying the RSA MD4 checksum algorithm and encrypting - the results using DES in cipherblock-chaining (CBC) mode using a DES - key as both key and initialization vector. The resulting checksum is - 16 octets long. This checksum is tamper-proof and believed to be - collision-proof. Note that this checksum type is the old method for - encoding the RSA-MD4-DES checksum and it is no longer recommended. - -6.4.8. DES cipher-block chained checksum alternative (desmac-k) - - The DES-MAC-K checksum is computed by performing a DES CBC-mode - encryption of the plaintext, and using the last block of the - ciphertext as the checksum value. It is keyed with an encryption key - and an initialization vector; any uses which do not specify an - additional initialization vector will use the key as both key and - initialization vector. The resulting checksum is 64 bits (8 octets) - long. This checksum is tamper-proof and collision-proof. 
Note that - - - -Kohl & Neuman [Page 77] - -RFC 1510 Kerberos September 1993 - - - this checksum type is the old method for encoding the DESMAC checksum - and it is no longer recommended. - - The DES specifications identify some "weak keys"; those keys shall - not be used for generating DES-MAC checksums for use in Kerberos. - -7. Naming Constraints - -7.1. Realm Names - - Although realm names are encoded as GeneralStrings and although a - realm can technically select any name it chooses, interoperability - across realm boundaries requires agreement on how realm names are to - be assigned, and what information they imply. - - To enforce these conventions, each realm must conform to the - conventions itself, and it must require that any realms with which - inter-realm keys are shared also conform to the conventions and - require the same from its neighbors. - - There are presently four styles of realm names: domain, X500, other, - and reserved. Examples of each style follow: - - domain: host.subdomain.domain (example) - X500: C=US/O=OSF (example) - other: NAMETYPE:rest/of.name=without-restrictions (example) - reserved: reserved, but will not conflict with above - - Domain names must look like domain names: they consist of components - separated by periods (.) and they contain neither colons (:) nor - slashes (/). - - X.500 names contain an equal (=) and cannot contain a colon (:) - before the equal. The realm names for X.500 names will be string - representations of the names with components separated by slashes. - Leading and trailing slashes will not be included. - - Names that fall into the other category must begin with a prefix that - contains no equal (=) or period (.) and the prefix must be followed - by a colon (:) and the rest of the name. All prefixes must be - assigned before they may be used. Presently none are assigned. - - The reserved category includes strings which do not fall into the - first three categories. 
All names in this category are reserved. It - is unlikely that names will be assigned to this category unless there - is a very strong argument for not using the "other" category. - - These rules guarantee that there will be no conflicts between the - - - -Kohl & Neuman [Page 78] - -RFC 1510 Kerberos September 1993 - - - various name styles. The following additional constraints apply to - the assignment of realm names in the domain and X.500 categories: the - name of a realm for the domain or X.500 formats must either be used - by the organization owning (to whom it was assigned) an Internet - domain name or X.500 name, or in the case that no such names are - registered, authority to use a realm name may be derived from the - authority of the parent realm. For example, if there is no domain - name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can - authorize the creation of a realm with that name. - - This is acceptable because the organization to which the parent is - assigned is presumably the organization authorized to assign names to - its children in the X.500 and domain name systems as well. If the - parent assigns a realm name without also registering it in the domain - name or X.500 hierarchy, it is the parent's responsibility to make - sure that there will not in the future exists a name identical to the - realm name of the child unless it is assigned to the same entity as - the realm name. - -7.2. Principal Names - - As was the case for realm names, conventions are needed to ensure - that all agree on what information is implied by a principal name. - The name-type field that is part of the principal name indicates the - kind of information implied by the name. The name-type should be - treated as a hint. Ignoring the name type, no two names can be the - same (i.e., at least one of the components, or the realm, must be - different). This constraint may be eliminated in the future. 
The - following name types are defined: - - name-type value meaning - NT-UNKNOWN 0 Name type not known - NT-PRINCIPAL 1 Just the name of the principal as in - DCE, or for users - NT-SRV-INST 2 Service and other unique instance (krbtgt) - NT-SRV-HST 3 Service with host name as instance - (telnet, rcommands) - NT-SRV-XHST 4 Service with host as remaining components - NT-UID 5 Unique ID - - When a name implies no information other than its uniqueness at a - particular time the name type PRINCIPAL should be used. The - principal name type should be used for users, and it might also be - used for a unique server. If the name is a unique machine generated - ID that is guaranteed never to be reassigned then the name type of - UID should be used (note that it is generally a bad idea to reassign - names of any type since stale entries might remain in access control - lists). - - - -Kohl & Neuman [Page 79] - -RFC 1510 Kerberos September 1993 - - - If the first component of a name identifies a service and the - remaining components identify an instance of the service in a server - specified manner, then the name type of SRV-INST should be used. An - example of this name type is the Kerberos ticket-granting ticket - which has a first component of krbtgt and a second component - identifying the realm for which the ticket is valid. - - If instance is a single component following the service name and the - instance identifies the host on which the server is running, then the - name type SRV-HST should be used. This type is typically used for - Internet services such as telnet and the Berkeley R commands. If the - separate components of the host name appear as successive components - following the name of the service, then the name type SRVXHST should - be used. This type might be used to identify servers on hosts with - X.500 names where the slash (/) might otherwise be ambiguous. - - A name type of UNKNOWN should be used when the form of the name is - not known. 
When comparing names, a name of type UNKNOWN will match - principals authenticated with names of any type. A principal - authenticated with a name of type UNKNOWN, however, will only match - other names of type UNKNOWN. - - Names of any type with an initial component of "krbtgt" are reserved - for the Kerberos ticket granting service. See section 8.2.3 for the - form of such names. - -7.2.1. Name of server principals - - The principal identifier for a server on a host will generally be - composed of two parts: (1) the realm of the KDC with which the server - is registered, and (2) a two-component name of type NT-SRV-HST if the - host name is an Internet domain name or a multi-component name of - type NT-SRV-XHST if the name of the host is of a form such as X.500 - that allows slash (/) separators. The first component of the two- or - multi-component name will identify the service and the latter - components will identify the host. Where the name of the host is not - case sensitive (for example, with Internet domain names) the name of - the host must be lower case. For services such as telnet and the - Berkeley R commands which run with system privileges, the first - component will be the string "host" instead of a service specific - identifier. - -8. Constants and other defined values - -8.1. Host address types - - All negative values for the host address type are reserved for local - use. All non-negative values are reserved for officially assigned - - - -Kohl & Neuman [Page 80] - -RFC 1510 Kerberos September 1993 - - - type fields and interpretations. - - The values of the types for the following addresses are chosen to - match the defined address family constants in the Berkeley Standard - Distributions of Unix. They can be found in with - symbolic names AF_xxx (where xxx is an abbreviation of the address - family name). - - - Internet addresses - - Internet addresses are 32-bit (4-octet) quantities, encoded in MSB - order. 
The type of internet addresses is two (2). - - CHAOSnet addresses - - CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB - order. The type of CHAOSnet addresses is five (5). - - ISO addresses - - ISO addresses are variable-length. The type of ISO addresses is - seven (7). - - Xerox Network Services (XNS) addresses - - XNS addresses are 48-bit (6-octet) quantities, encoded in MSB - order. The type of XNS addresses is six (6). - - AppleTalk Datagram Delivery Protocol (DDP) addresses - - AppleTalk DDP addresses consist of an 8-bit node number and a 16- - bit network number. The first octet of the address is the node - number; the remaining two octets encode the network number in MSB - order. The type of AppleTalk DDP addresses is sixteen (16). - - DECnet Phase IV addresses - - DECnet Phase IV addresses are 16-bit addresses, encoded in LSB - order. The type of DECnet Phase IV addresses is twelve (12). - -8.2. KDC messages - -8.2.1. IP transport - - When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request - using IP transport, the client shall send a UDP datagram containing - only an encoding of the request to port 88 (decimal) at the KDC's IP - - - -Kohl & Neuman [Page 81] - -RFC 1510 Kerberos September 1993 - - - address; the KDC will respond with a reply datagram containing only - an encoding of the reply message (either a KRB_ERROR or a - KRB_KDC_REP) to the sending port at the sender's IP address. - -8.2.2. 
OSI transport - - During authentication of an OSI client to and OSI server, the mutual - authentication of an OSI server to an OSI client, the transfer of - credentials from an OSI client to an OSI server, or during exchange - of private or integrity checked messages, Kerberos protocol messages - may be treated as opaque objects and the type of the authentication - mechanism will be: - - OBJECT IDENTIFIER ::= {iso (1), org(3), dod(5),internet(1), - security(5), kerberosv5(2)} - - Depending on the situation, the opaque object will be an - authentication header (KRB_AP_REQ), an authentication reply - (KRB_AP_REP), a safe message (KRB_SAFE), a private message - (KRB_PRIV), or a credentials message (KRB_CRED). The opaque data - contains an application code as specified in the ASN.1 description - for each message. The application code may be used by Kerberos to - determine the message type. - -8.2.3. Name of the TGS - - The principal identifier of the ticket-granting service shall be - composed of three parts: (1) the realm of the KDC issuing the TGS - ticket (2) a two-part name of type NT-SRVINST, with the first part - "krbtgt" and the second part the name of the realm which will accept - the ticket-granting ticket. For example, a ticket-granting ticket - issued by the ATHENA.MIT.EDU realm to be used to get tickets from the - ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting - ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets - from the MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" - (realm), ("krbtgt", "MIT.EDU") (name). - -8.3. Protocol constants and associated values - - The following tables list constants used in the protocol and defines - their meanings. 
- - - - - - - - - -Kohl & Neuman [Page 82] - -RFC 1510 Kerberos September 1993 - - ----------------+-----------+----------+----------------+--------------- -Encryption type|etype value|block size|minimum pad size|confounder size ----------------+-----------+----------+----------------+--------------- -NULL 0 1 0 0 -des-cbc-crc 1 8 4 8 -des-cbc-md4 2 8 0 8 -des-cbc-md5 3 8 0 8 - --------------------------------+-------------------+------------- -Checksum type |sumtype value |checksum size --------------------------------+-------------------+------------- -CRC32 1 4 -rsa-md4 2 16 -rsa-md4-des 3 24 -des-mac 4 16 -des-mac-k 5 8 -rsa-md4-des-k 6 16 -rsa-md5 7 16 -rsa-md5-des 8 24 - --------------------------------+----------------- -padata type |padata-type value --------------------------------+----------------- -PA-TGS-REQ 1 -PA-ENC-TIMESTAMP 2 -PA-PW-SALT 3 - --------------------------------+------------- -authorization data type |ad-type value --------------------------------+------------- -reserved values 0-63 -OSF-DCE 64 -SESAME 65 - --------------------------------+----------------- -alternate authentication type |method-type value --------------------------------+----------------- -reserved values 0-63 -ATT-CHALLENGE-RESPONSE 64 - --------------------------------+------------- -transited encoding type |tr-type value --------------------------------+------------- -DOMAIN-X500-COMPRESS 1 -reserved values all others - - - - - - -Kohl & Neuman [Page 83] - -RFC 1510 Kerberos September 1993 - - ---------------+-------+----------------------------------------- -Label |Value |Meaning or MIT code ---------------+-------+----------------------------------------- - -pvno 5 current Kerberos protocol version number - -message types - -KRB_AS_REQ 10 Request for initial authentication -KRB_AS_REP 11 Response to KRB_AS_REQ request -KRB_TGS_REQ 12 Request for authentication based on TGT -KRB_TGS_REP 13 Response to KRB_TGS_REQ request -KRB_AP_REQ 14 application request to server 
-KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL -KRB_SAFE 20 Safe (checksummed) application message -KRB_PRIV 21 Private (encrypted) application message -KRB_CRED 22 Private (encrypted) message to forward - credentials -KRB_ERROR 30 Error response - -name types - -KRB_NT_UNKNOWN 0 Name type not known -KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or - for users -KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt) -KRB_NT_SRV_HST 3 Service with host name as instance (telnet, - rcommands) -KRB_NT_SRV_XHST 4 Service with host as remaining components -KRB_NT_UID 5 Unique ID - -error codes - -KDC_ERR_NONE 0 No error -KDC_ERR_NAME_EXP 1 Client's entry in database has - expired -KDC_ERR_SERVICE_EXP 2 Server's entry in database has - expired -KDC_ERR_BAD_PVNO 3 Requested protocol version number - not supported -KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old - master key -KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old - master key -KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database -KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database -KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in - database - - - -Kohl & Neuman [Page 84] - -RFC 1510 Kerberos September 1993 - - -KDC_ERR_NULL_KEY 9 The client or server has a null key -KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating -KDC_ERR_NEVER_VALID 11 Requested start time is later than - end time -KDC_ERR_POLICY 12 KDC policy rejects request -KDC_ERR_BADOPTION 13 KDC cannot accommodate requested - option -KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption - type -KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type -KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type -KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type -KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked -KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been - revoked -KDC_ERR_TGT_REVOKED 20 TGT has been revoked 
-KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again - later -KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again - later -KDC_ERR_KEY_EXPIRED 23 Password has expired - change - password to reset -KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information - was invalid -KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authentication - required* -KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field - failed -KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired -KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid -KRB_AP_ERR_REPEAT 34 Request is a replay -KRB_AP_ERR_NOT_US 35 The ticket isn't for us -KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match -KRB_AP_ERR_SKEW 37 Clock skew too great -KRB_AP_ERR_BADADDR 38 Incorrect net address -KRB_AP_ERR_BADVERSION 39 Protocol version mismatch -KRB_AP_ERR_MSG_TYPE 40 Invalid msg type -KRB_AP_ERR_MODIFIED 41 Message stream modified -KRB_AP_ERR_BADORDER 42 Message out of order -KRB_AP_ERR_BADKEYVER 44 Specified version of key is not - available -KRB_AP_ERR_NOKEY 45 Service key not available -KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed -KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction -KRB_AP_ERR_METHOD 48 Alternative authentication method - required* -KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message -KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in - - - -Kohl & Neuman [Page 85] - -RFC 1510 Kerberos September 1993 - - - message -KRB_ERR_GENERIC 60 Generic error (description in e-text) -KRB_ERR_FIELD_TOOLONG 61 Field is too long for this - implementation - - *This error carries additional information in the e-data field. The - contents of the e-data field for this message is described in section - 5.9.1. - -9. Interoperability requirements - - Version 5 of the Kerberos protocol supports a myriad of options. 
- Among these are multiple encryption and checksum types, alternative - encoding schemes for the transited field, optional mechanisms for - pre-authentication, the handling of tickets with no addresses, - options for mutual authentication, user to user authentication, - support for proxies, forwarding, postdating, and renewing tickets, - the format of realm names, and the handling of authorization data. - - In order to ensure the interoperability of realms, it is necessary to - define a minimal configuration which must be supported by all - implementations. This minimal configuration is subject to change as - technology does. For example, if at some later date it is discovered - that one of the required encryption or checksum algorithms is not - secure, it will be replaced. - -9.1. Specification 1 - - This section defines the first specification of these options. - Implementations which are configured in this way can be said to - support Kerberos Version 5 Specification 1 (5.1). - - Encryption and checksum methods - - The following encryption and checksum mechanisms must be supported. - Implementations may support other mechanisms as well, but the - additional mechanisms may only be used when communicating with - principals known to also support them: Encryption: DES-CBC-MD5 - Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 - - Realm Names - - All implementations must understand hierarchical realms in both the - Internet Domain and the X.500 style. When a ticket granting ticket - for an unknown realm is requested, the KDC must be able to determine - the names of the intermediate realms between the KDCs realm and the - requested realm. - - - - -Kohl & Neuman [Page 86] - -RFC 1510 Kerberos September 1993 - - - Transited field encoding - - DOMAIN-X500-COMPRESS (described in section 3.3.3.1) must be - supported. Alternative encodings may be supported, but they may be - used only when that encoding is supported by ALL intermediate realms. 
- - Pre-authentication methods - - The TGS-REQ method must be supported. The TGS-REQ method is not used - on the initial request. The PA-ENC-TIMESTAMP method must be supported - by clients but whether it is enabled by default may be determined on - a realm by realm basis. If not used in the initial request and the - error KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENCTIMESTAMP - as an acceptable method, the client should retry the initial request - using the PA-ENC-TIMESTAMP preauthentication method. Servers need not - support the PAENC-TIMESTAMP method, but if not supported the server - should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in - a request. - - Mutual authentication - - Mutual authentication (via the KRB_AP_REP message) must be supported. - - Ticket addresses and flags - - All KDC's must pass on tickets that carry no addresses (i.e., if a - TGT contains no addresses, the KDC will return derivative tickets), - but each realm may set its own policy for issuing such tickets, and - each application server will set its own policy with respect to - accepting them. By default, servers should not accept them. - - Proxies and forwarded tickets must be supported. Individual realms - and application servers can set their own policy on when such tickets - will be accepted. - - All implementations must recognize renewable and postdated tickets, - but need not actually implement them. If these options are not - supported, the starttime and endtime in the ticket shall specify a - ticket's entire useful life. When a postdated ticket is decoded by a - server, all implementations shall make the presence of the postdated - flag visible to the calling server. - - User-to-user authentication - - Support for user to user authentication (via the ENC-TKTIN-SKEY KDC - option) must be provided by implementations, but individual realms - may decide as a matter of policy to reject such requests on a per- - principal or realm-wide basis. 
- - - -Kohl & Neuman [Page 87] - -RFC 1510 Kerberos September 1993 - - - Authorization data - - Implementations must pass all authorization data subfields from - ticket-granting tickets to any derivative tickets unless directed to - suppress a subfield as part of the definition of that registered - subfield type (it is never incorrect to pass on a subfield, and no - registered subfield types presently specify suppression at the KDC). - - Implementations must make the contents of any authorization data - subfields available to the server when a ticket is used. - Implementations are not required to allow clients to specify the - contents of the authorization data fields. - -9.2. Recommended KDC values - - Following is a list of recommended values for a KDC implementation, - based on the list of suggested configuration constants (see section - 4.4). - - minimum lifetime 5 minutes - - maximum renewable lifetime 1 week - - maximum ticket lifetime 1 day - - empty addresses only when suitable restrictions appear - in authorization data - - proxiable, etc. Allowed. - -10. Acknowledgments - - Early versions of this document, describing version 4 of the - protocol, were written by Jennifer Steiner (formerly at Project - Athena); these drafts provided an excellent starting point for this - current version 5 specification. Many people in the Internet - community have contributed ideas and suggested protocol changes for - version 5. Notable contributions came from Ted Anderson, Steve - Bellovin and Michael Merritt [17], Daniel Bernstein, Mike Burrows, - Donald Davis, Ravi Ganesan, Morrie Gasser, Virgil Gligor, Bill - Griffeth, Mark Lillibridge, Mark Lomas, Steve Lunt, Piers McMahon, - Joe Pato, William Sommerfeld, Stuart Stubblebine, Ralph Swick, Ted - T'so, and Stanley Zanarotti. Many others commented and helped shape - this specification into its current form. - - - - - - - -Kohl & Neuman [Page 88] - -RFC 1510 Kerberos September 1993 - - -11. 
References - - [1] Miller, S., Neuman, C., Schiller, J., and J. Saltzer, "Section - E.2.1: Kerberos Authentication and Authorization System", - M.I.T. Project Athena, Cambridge, Massachusetts, December 21, - 1987. - - [2] Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An - Authentication Service for Open Network Systems", pp. 191-202 in - Usenix Conference Proceedings, Dallas, Texas, February, 1988. - - [3] Needham, R., and M. Schroeder, "Using Encryption for - Authentication in Large Networks of Computers", Communications - of the ACM, Vol. 21 (12), pp. 993-999, December 1978. - - [4] Denning, D., and G. Sacco, "Time stamps in Key Distribution - Protocols", Communications of the ACM, Vol. 24 (8), pp. 533-536, - August 1981. - - [5] Kohl, J., Neuman, C., and T. Ts'o, "The Evolution of the - Kerberos Authentication Service", in an IEEE Computer Society - Text soon to be published, June 1992. - - [6] Davis, D., and R. Swick, "Workstation Services and Kerberos - Authentication at Project Athena", Technical Memorandum TM-424, - MIT Laboratory for Computer Science, February 1990. - - [7] Levine, P., Gretzinger, M, Diaz, J., Sommerfeld, W., and K. - Raeburn, "Section E.1: Service Management System, M.I.T. - Project Athena, Cambridge, Mas sachusetts (1987). - - [8] CCITT, Recommendation X.509: The Directory Authentication - Framework, December 1988. - - [9] Neuman, C., "Proxy-Based Authorization and Accounting for - Distributed Systems," in Proceedings of the 13th International - Conference on Distributed Computing Systems", Pittsburgh, PA, - May 1993. - - [10] Pato, J., "Using Pre-Authentication to Avoid Password Guessing - Attacks", Open Software Foundation DCE Request for Comments 26, - December 1992. - - [11] National Bureau of Standards, U.S. Department of Commerce, "Data - Encryption Standard", Federal Information Processing Standards - Publication 46, Washington, DC (1977). 
- - - - - -Kohl & Neuman [Page 89] - -RFC 1510 Kerberos September 1993 - - - [12] National Bureau of Standards, U.S. Department of Commerce, "DES - Modes of Operation", Federal Information Processing Standards - Publication 81, Springfield, VA, December 1980. - - [13] Stubblebine S., and V. Gligor, "On Message Integrity in - Cryptographic Protocols", in Proceedings of the IEEE Symposium - on Research in Security and Privacy, Oakland, California, May - 1992. - - [14] International Organization for Standardization, "ISO Information - Processing Systems - Data Communication High-Level Data Link - Control Procedure - Frame Structure", IS 3309, October 1984, 3rd - Edition. - - [15] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT - Laboratory for Computer Science, April 1992. - - [16] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, MIT - Laboratory for Computer Science, April 1992. - - [17] Bellovin S., and M. Merritt, "Limitations of the Kerberos - Authentication System", Computer Communications Review, Vol. - 20(5), pp. 119-132, October 1990. - -12. Security Considerations - - Security issues are discussed throughout this memo. - -13. Authors' Addresses - - John Kohl - Digital Equipment Corporation - 110 Spit Brook Road, M/S ZKO3-3/U14 - Nashua, NH 03062 - - Phone: 603-881-2481 - EMail: jtkohl@zk3.dec.com - - - B. Clifford Neuman - USC/Information Sciences Institute - 4676 Admiralty Way #1001 - Marina del Rey, CA 90292-6695 - - Phone: 310-822-1511 - EMail: bcn@isi.edu - - - - - -Kohl & Neuman [Page 90] - -RFC 1510 Kerberos September 1993 - - -A. Pseudo-code for protocol processing - - This appendix provides pseudo-code describing how the messages are to - be constructed and interpreted by clients and servers. - -A.1. 
KRB_AS_REQ generation
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_AS_REQ */
-
- if(pa_enc_timestamp_required) then
- request.padata.padata-type = PA-ENC-TIMESTAMP;
- get system_time;
- padata-body.patimestamp,pausec = system_time;
- encrypt padata-body into request.padata.padata-value
- using client.key; /* derived from password */
- endif
-
- body.kdc-options := users's preferences;
- body.cname := user's name;
- body.realm := user's realm;
- body.sname := service's name; /* usually "krbtgt",
- "localrealm" */
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
- omit body.enc-authorization-data;
- request.req-body := body;
-
- kerberos := lookup(name of local kerberos server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
-
-
-Kohl & Neuman [Page 91]
-
-RFC 1510 Kerberos September 1993
-
-
-A.2.
KRB_AS_REQ verification and KRB_AS_REP generation
- decode message into req;
-
- client := lookup(req.cname,req.realm);
- server := lookup(req.sname,req.realm);
- get system_time;
- kdc_time := system_time.seconds;
-
- if (!client) then
- /* no client in Database */
- error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
- endif
- if (!server) then
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
-
- if(client.pa_enc_timestamp_required and
- pa_enc_timestamp not present) then
- error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
- endif
-
- if(pa_enc_timestamp present) then
- decrypt req.padata-value into decrypted_enc_timestamp
- using client.key;
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- if(decrypted_enc_timestamp is not within allowable
- skew) then error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- if(decrypted_enc_timestamp and usec is replay)
- error_out(KDC_ERR_PREAUTH_FAILED);
- endif
- add decrypted_enc_timestamp and usec to replay cache;
- endif
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
- new_tkt.sname := req.sname;
- new_tkt.srealm := req.srealm;
- reset all flags in new_tkt.flags;
-
-
-
-
-Kohl & Neuman [Page 92]
-
-RFC 1510 Kerberos September 1993
-
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags.
For example, some */
- /* realms may refuse to issue renewable tickets */
-
- if (req.kdc-options.FORWARDABLE is set) then
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.PROXIABLE is set) then
- set new_tkt.flags.PROXIABLE;
- endif
- if (req.kdc-options.ALLOW-POSTDATE is set) then
- set new_tkt.flags.ALLOW-POSTDATE;
- endif
- if ((req.kdc-options.RENEW is set) or
- (req.kdc-options.VALIDATE is set) or
- (req.kdc-options.PROXY is set) or
- (req.kdc-options.FORWARDED is set) or
- (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
- error_out(KDC_ERR_BADOPTION);
- endif
-
- new_tkt.session := random_session_key();
- new_tkt.cname := req.cname;
- new_tkt.crealm := req.crealm;
- new_tkt.transited := empty_transited_field();
-
- new_tkt.authtime := kdc_time;
-
- if (req.kdc-options.POSTDATED is set) then
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- set new_tkt.flags.INVALID;
- new_tkt.starttime := req.from;
- else
- omit new_tkt.starttime; /* treated as authtime when
- omitted */
- endif
- if (req.till = 0) then
- till := infinity;
- else
- till := req.till;
- endif
-
- new_tkt.endtime := min(till,
- new_tkt.starttime+client.max_life,
- new_tkt.starttime+server.max_life,
- new_tkt.starttime+max_life_for_realm);
-
-
-
-Kohl & Neuman [Page 93]
-
-RFC 1510 Kerberos September 1993
-
-
- if ((req.kdc-options.RENEWABLE-OK is set) and
- (new_tkt.endtime < req.till)) then
- /* we set the RENEWABLE option for later processing */
- set req.kdc-options.RENEWABLE;
- req.rtime := req.till;
- endif
-
- if (req.rtime = 0) then
- rtime := infinity;
- else
- rtime := req.rtime;
- endif
-
- if (req.kdc-options.RENEWABLE is set) then
- set new_tkt.flags.RENEWABLE;
- new_tkt.renew-till := min(rtime,
- new_tkt.starttime+client.max_rlife,
- new_tkt.starttime+server.max_rlife,
- new_tkt.starttime+max_rlife_for_realm);
- else
- omit new_tkt.renew-till; /* only present if RENEWABLE */
- endif
-
- if (req.addresses) then
- new_tkt.caddr :=
req.addresses;
- else
- omit new_tkt.caddr;
- endif
-
- new_tkt.authorization_data := empty_authorization_data();
-
- encode to-be-encrypted part of ticket into OCTET STRING;
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key, server.p_kvno;
-
-
- /* Start processing the response */
-
- resp.pvno := 5;
- resp.msg-type := KRB_AS_REP;
- resp.cname := req.cname;
- resp.crealm := req.realm;
- resp.ticket := new_tkt;
-
- resp.key := new_tkt.session;
- resp.last-req := fetch_last_request_info(client);
- resp.nonce := req.nonce;
- resp.key-expiration := client.expiration;
-
-
-
-Kohl & Neuman [Page 94]
-
-RFC 1510 Kerberos September 1993
-
-
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
- resp.realm := new_tkt.realm;
- resp.sname := new_tkt.sname;
-
- resp.caddr := new_tkt.caddr;
-
- encode body of reply into OCTET STRING;
-
- resp.enc-part := encrypt OCTET STRING
- using use_etype, client.key, client.p_kvno;
- send(resp);
-
-A.3.
KRB_AS_REP verification
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP))
- then set pa_enc_timestamp_required;
- goto KRB_AS_REQ;
- endif
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key */
- /* from the response immediately */
-
- key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
- resp.padata);
- unencrypted part of resp := decode of decrypt of resp.enc-part
- using resp.enc-part.etype and key;
- zero(key);
-
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- if near(resp.princ_exp) then
-
-
-
-Kohl & Neuman [Page 95]
-
-RFC 1510 Kerberos September 1993
-
-
- print(warning message);
- endif
- save_for_later(ticket,session,client,server,times,flags);
-
-A.4. KRB_AS_REP and KRB_TGS_REP common checks
- if (decryption_error() or
- (req.cname != resp.cname) or
- (req.realm != resp.crealm) or
- (req.sname != resp.sname) or
- (req.realm != resp.realm) or
- (req.nonce != resp.nonce) or
- (req.addresses != resp.caddr)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- /* make sure no flags are set that shouldn't be, and that */
- /* all that should be are set */
- if (!check_flags_for_compatability(req.kdc-options,resp.flags))
- then destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.from = 0) and
- (resp.starttime is not within allowable skew)) then
- destroy resp.key;
- return KRB_AP_ERR_SKEW;
- endif
- if ((req.from != 0) and (req.from != resp.starttime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.till != 0) and (resp.endtime > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
-
- if ((req.kdc-options.RENEWABLE is set) and
- (req.rtime != 0) and (resp.renew-till > req.rtime)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
- endif
- if ((req.kdc-options.RENEWABLE-OK is set) and
-
(resp.flags.RENEWABLE) and
- (req.till != 0) and
- (resp.renew-till > req.till)) then
- destroy resp.key;
- return KRB_AP_ERR_MODIFIED;
-
-
-
-Kohl & Neuman [Page 96]
-
-RFC 1510 Kerberos September 1993
-
-
- endif
-
-A.5. KRB_TGS_REQ generation
- /* Note that make_application_request might have to */
- /* recursivly call this routine to get the appropriate */
- /* ticket-granting ticket */
-
- request.pvno := protocol version; /* pvno = 5 */
- request.msg-type := message type; /* type = KRB_TGS_REQ */
-
- body.kdc-options := users's preferences;
- /* If the TGT is not for the realm of the end-server */
- /* then the sname will be for a TGT for the end-realm */
- /* and the realm of the requested ticket (body.realm) */
- /* will be that of the TGS to which the TGT we are */
- /* sending applies */
- body.sname := service's name;
- body.realm := service's realm;
-
- if (body.kdc-options.POSTDATED is set) then
- body.from := requested starting time;
- else
- omit body.from;
- endif
- body.till := requested end time;
- if (body.kdc-options.RENEWABLE is set) then
- body.rtime := requested final renewal time;
- endif
- body.nonce := random_nonce();
- body.etype := requested etypes;
- if (user supplied addresses) then
- body.addresses := user's addresses;
- else
- omit body.addresses;
- endif
-
- body.enc-authorization-data := user-supplied data;
- if (body.kdc-options.ENC-TKT-IN-SKEY) then
- body.additional-tickets_ticket := second TGT;
- endif
-
- request.req-body := body;
- check := generate_checksum (req.body,checksumtype);
-
- request.padata[0].padata-type := PA-TGS-REQ;
- request.padata[0].padata-value := create a KRB_AP_REQ using
- the TGT and checksum
-
-
-
-
-Kohl & Neuman [Page 97]
-
-RFC 1510 Kerberos September 1993
-
-
- /* add in any other padata as required/supplied */
-
- kerberos := lookup(name of local kerberose server (or servers));
- send(packet,kerberos);
-
- wait(for response);
- if (timed_out) then
- retry or use alternate server;
- endif
-
-A.6.
KRB_TGS_REQ verification and KRB_TGS_REP generation
- /* note that reading the application request requires first
- determining the server for which a ticket was issued, and
- choosing the correct key for decryption. The name of the
- server appears in the plaintext part of the ticket. */
-
- if (no KRB_AP_REQ in req.padata) then
- error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
- endif
- verify KRB_AP_REQ in req.padata;
-
- /* Note that the realm in which the Kerberos server is
- operating is determined by the instance from the
- ticket-granting ticket. The realm in the ticket-granting
- ticket is the realm under which the ticket granting ticket was
- issued. It is possible for a single Kerberos server to
- support more than one realm. */
-
- auth_hdr := KRB_AP_REQ;
- tgt := auth_hdr.ticket;
-
- if (tgt.sname is not a TGT for local realm and is not
- req.sname) then error_out(KRB_AP_ERR_NOT_US);
-
- realm := realm_tgt_is_for(tgt);
-
- decode remainder of request;
-
- if (auth_hdr.authenticator.cksum is missing) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
- if (auth_hdr.authenticator.cksum type is not supported) then
- error_out(KDC_ERR_SUMTYPE_NOSUPP);
- endif
- if (auth_hdr.authenticator.cksum is not both collision-proof
- and keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
-
-
-
-Kohl & Neuman [Page 98]
-
-RFC 1510 Kerberos September 1993
-
-
- set computed_checksum := checksum(req);
- if (computed_checksum != auth_hdr.authenticatory.cksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- server := lookup(req.sname,realm);
-
- if (!server) then
- if (is_foreign_tgt_name(server)) then
- server := best_intermediate_tgs(server);
- else
- /* no server in Database */
- error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
- endif
- endif
-
- session := generate_random_session_key();
-
-
- use_etype := first supported etype in req.etypes;
-
- if (no support for req.etypes) then
- error_out(KDC_ERR_ETYPE_NOSUPP);
- endif
-
- new_tkt.vno := ticket version; /* = 5 */
-
new_tkt.sname := req.sname;
- new_tkt.srealm := realm;
- reset all flags in new_tkt.flags;
-
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. For example, some */
- /* realms may refuse to issue renewable tickets */
-
- new_tkt.caddr := tgt.caddr;
- resp.caddr := NULL; /* We only include this if they change */
- if (req.kdc-options.FORWARDABLE is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDABLE;
- endif
- if (req.kdc-options.FORWARDED is set) then
- if (tgt.flags.FORWARDABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.FORWARDED;
- new_tkt.caddr := req.addresses;
-
-
-
-Kohl & Neuman [Page 99]
-
-RFC 1510 Kerberos September 1993
-
-
- resp.caddr := req.addresses;
- endif
- if (tgt.flags.FORWARDED is set) then
- set new_tkt.flags.FORWARDED;
- endif
-
- if (req.kdc-options.PROXIABLE is set) then
- if (tgt.flags.PROXIABLE is reset)
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXIABLE;
- endif
- if (req.kdc-options.PROXY is set) then
- if (tgt.flags.PROXIABLE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.PROXY;
- new_tkt.caddr := req.addresses;
- resp.caddr := req.addresses;
- endif
-
- if (req.kdc-options.POSTDATE is set) then
- if (tgt.flags.POSTDATE is reset)
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.POSTDATE;
- endif
- if (req.kdc-options.POSTDATED is set) then
- if (tgt.flags.POSTDATE is reset) then
- error_out(KDC_ERR_BADOPTION);
- endif
- set new_tkt.flags.POSTDATED;
- set new_tkt.flags.INVALID;
- if (against_postdate_policy(req.from)) then
- error_out(KDC_ERR_POLICY);
- endif
- new_tkt.starttime := req.from;
- endif
-
-
- if (req.kdc-options.VALIDATE is set) then
- if (tgt.flags.INVALID is reset) then
- error_out(KDC_ERR_POLICY);
- endif
- if (tgt.starttime > kdc_time) then
- error_out(KRB_AP_ERR_NYV);
- endif
- if (check_hot_list(tgt)) then
-
-
- -Kohl & Neuman [Page 100] - -RFC 1510 Kerberos September 1993 - - - error_out(KRB_AP_ERR_REPEAT); - endif - tkt := tgt; - reset new_tkt.flags.INVALID; - endif - - if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW, - and those already processed) is set) then - error_out(KDC_ERR_BADOPTION); - endif - - new_tkt.authtime := tgt.authtime; - - if (req.kdc-options.RENEW is set) then - /* Note that if the endtime has already passed, the ticket */ - /* would have been rejected in the initial authentication */ - /* stage, so there is no need to check again here */ - if (tgt.flags.RENEWABLE is reset) then - error_out(KDC_ERR_BADOPTION); - endif - if (tgt.renew-till >= kdc_time) then - error_out(KRB_AP_ERR_TKT_EXPIRED); - endif - tkt := tgt; - new_tkt.starttime := kdc_time; - old_life := tgt.endttime - tgt.starttime; - new_tkt.endtime := min(tgt.renew-till, - new_tkt.starttime + old_life); - else - new_tkt.starttime := kdc_time; - if (req.till = 0) then - till := infinity; - else - till := req.till; - endif - new_tkt.endtime := min(till, - new_tkt.starttime+client.max_life, - new_tkt.starttime+server.max_life, - new_tkt.starttime+max_life_for_realm, - tgt.endtime); - - if ((req.kdc-options.RENEWABLE-OK is set) and - (new_tkt.endtime < req.till) and - (tgt.flags.RENEWABLE is set) then - /* we set the RENEWABLE option for later */ - /* processing */ - set req.kdc-options.RENEWABLE; - req.rtime := min(req.till, tgt.renew-till); - - - -Kohl & Neuman [Page 101] - -RFC 1510 Kerberos September 1993 - - - endif - endif - - if (req.rtime = 0) then - rtime := infinity; - else - rtime := req.rtime; - endif - - if ((req.kdc-options.RENEWABLE is set) and - (tgt.flags.RENEWABLE is set)) then - set new_tkt.flags.RENEWABLE; - new_tkt.renew-till := min(rtime, - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - new_tkt.starttime+max_rlife_for_realm, - tgt.renew-till); - else - new_tkt.renew-till := OMIT; - /* leave the renew-till field out */ - endif - if 
(req.enc-authorization-data is present) then
- decrypt req.enc-authorization-data
- into decrypted_authorization_data
- using auth_hdr.authenticator.subkey;
- if (decrypt_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- endif
- new_tkt.authorization_data :=
- req.auth_hdr.ticket.authorization_data +
- decrypted_authorization_data;
-
- new_tkt.key := session;
- new_tkt.crealm := tgt.crealm;
- new_tkt.cname := req.auth_hdr.ticket.cname;
-
- if (realm_tgt_is_for(tgt) := tgt.realm) then
- /* tgt issued by local realm */
- new_tkt.transited := tgt.transited;
- else
- /* was issued for this realm by some other realm */
- if (tgt.transited.tr-type not supported) then
- error_out(KDC_ERR_TRTYPE_NOSUPP);
- endif
- new_tkt.transited
- := compress_transited(tgt.transited + tgt.realm)
- endif
-
-
-
-Kohl & Neuman [Page 102]
-
-RFC 1510 Kerberos September 1993
-
-
- encode encrypted part of new_tkt into OCTET STRING;
- if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
- if (server not specified) then
- server = req.second_ticket.client;
- endif
- if ((req.second_ticket is not a TGT) or
- (req.second_ticket.client != server)) then
- error_out(KDC_ERR_POLICY);
- endif
-
- new_tkt.enc-part := encrypt OCTET STRING using
- using etype_for_key(second-ticket.key),
- second-ticket.key;
- else
- new_tkt.enc-part := encrypt OCTET STRING
- using etype_for_key(server.key), server.key,
- server.p_kvno;
- endif
-
- resp.pvno := 5;
- resp.msg-type := KRB_TGS_REP;
- resp.crealm := tgt.crealm;
- resp.cname := tgt.cname;
- resp.ticket := new_tkt;
-
- resp.key := session;
- resp.nonce := req.nonce;
- resp.last-req := fetch_last_request_info(client);
- resp.flags := new_tkt.flags;
-
- resp.authtime := new_tkt.authtime;
- resp.starttime := new_tkt.starttime;
- resp.endtime := new_tkt.endtime;
-
- omit resp.key-expiration;
-
- resp.sname := new_tkt.sname;
- resp.realm := new_tkt.realm;
-
- if (new_tkt.flags.RENEWABLE) then
- resp.renew-till := new_tkt.renew-till;
- endif
-
-
- encode
body of reply into OCTET STRING;
-
- if (req.padata.authenticator.subkey)
- resp.enc-part := encrypt OCTET STRING using use_etype,
-
-
-
-Kohl & Neuman [Page 103]
-
-RFC 1510 Kerberos September 1993
-
-
- req.padata.authenticator.subkey;
- else resp.enc-part := encrypt OCTET STRING
- using use_etype, tgt.key;
-
- send(resp);
-
-A.7. KRB_TGS_REP verification
- decode response into resp;
-
- if (resp.msg-type = KRB_ERROR) then
- process_error(resp);
- return;
- endif
-
- /* On error, discard the response, and zero the session key from
- the response immediately */
-
- if (req.padata.authenticator.subkey)
- unencrypted part of resp :=
- decode of decrypt of resp.enc-part
- using resp.enc-part.etype and subkey;
- else unencrypted part of resp :=
- decode of decrypt of resp.enc-part
- using resp.enc-part.etype and tgt's session key;
- if (common_as_rep_tgs_rep_checks fail) then
- destroy resp.key;
- return error;
- endif
-
- check authorization_data as necessary;
- save_for_later(ticket,session,client,server,times,flags);
-
-A.8. Authenticator generation
- body.authenticator-vno := authenticator vno; /* = 5 */
- body.cname, body.crealm := client name;
- if (supplying checksum) then
- body.cksum := checksum;
- endif
- get system_time;
- body.ctime, body.cusec := system_time;
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
-
-
-Kohl & Neuman [Page 104]
-
-RFC 1510 Kerberos September 1993
-
-
-A.9.
KRB_AP_REQ generation
- obtain ticket and session_key from cache;
-
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REQ */
-
- if (desired(MUTUAL_AUTHENTICATION)) then
- set packet.ap-options.MUTUAL-REQUIRED;
- else
- reset packet.ap-options.MUTUAL-REQUIRED;
- endif
- if (using session key for ticket) then
- set packet.ap-options.USE-SESSION-KEY;
- else
- reset packet.ap-options.USE-SESSION-KEY;
- endif
- packet.ticket := ticket; /* ticket */
- generate authenticator;
- encode authenticator into OCTET STRING;
- encrypt OCTET STRING into packet.authenticator
- using session_key;
-
-A.10. KRB_AP_REQ verification
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REQ) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.ticket.tkt_vno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.ap_options.USE-SESSION-KEY is set) then
- retrieve session key from ticket-granting ticket for
- packet.ticket.{sname,srealm,enc-part.etype};
- else
- retrieve service key for
- packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
- endif
- if (no_key_available) then
- if (cannot_find_specified_skvno) then
- error_out(KRB_AP_ERR_BADKEYVER);
- else
- error_out(KRB_AP_ERR_NOKEY);
- endif
-
-
-
-Kohl & Neuman [Page 105]
-
-RFC 1510 Kerberos September 1993
-
-
- endif
- decrypt packet.ticket.enc-part into decr_ticket
- using retrieved key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- decrypt packet.authenticator into decr_authenticator
- using decr_ticket.key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (decr_authenticator.{cname,crealm} !=
- decr_ticket.{cname,crealm}) then
- error_out(KRB_AP_ERR_BADMATCH);
- endif
- if (decr_ticket.caddr is present) then
- if (sender_address(packet) is
not in decr_ticket.caddr)
- then error_out(KRB_AP_ERR_BADADDR);
- endif
- elseif (application requires addresses) then
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (not in_clock_skew(decr_authenticator.ctime,
- decr_authenticator.cusec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(decr_authenticator.{ctime,cusec,cname,crealm}))
- then error_out(KRB_AP_ERR_REPEAT);
- endif
- save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
- get system_time;
- if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
- (decr_ticket.flags.INVALID is set)) then
- /* it hasn't yet become valid */
- error_out(KRB_AP_ERR_TKT_NYV);
- endif
- if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
- error_out(KRB_AP_ERR_TKT_EXPIRED);
- endif
- /* caller must check decr_ticket.flags for any pertinent */
- /* details */
- return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
-
-A.11. KRB_AP_REP generation
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_AP_REP */
- body.ctime := packet.ctime;
- body.cusec := packet.cusec;
-
-
-
-Kohl & Neuman [Page 106]
-
-RFC 1510 Kerberos September 1993
-
-
- if (selecting sub-session key) then
- select sub-session key;
- body.subkey := sub-session key;
- endif
- if (using sequence numbers) then
- select initial sequence number;
- body.seq-number := initial sequence;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part;
-
-A.12.
KRB_AP_REP verification
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_AP_REP) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- cleartext := decrypt(packet.enc-part)
- using ticket's session key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if (cleartext.ctime != authenticator.ctime) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.cusec != authenticator.cusec) then
- error_out(KRB_AP_ERR_MUT_FAIL);
- endif
- if (cleartext.subkey is present) then
- save cleartext.subkey for future use;
- endif
- if (cleartext.seq-number is present) then
- save cleartext.seq-number for future verifications;
- endif
- return(AUTHENTICATION_SUCCEEDED);
-
-A.13. KRB_SAFE generation
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_SAFE */
-
-
-
-Kohl & Neuman [Page 107]
-
-RFC 1510 Kerberos September 1993
-
-
- body.user-data := buffer; /* DATA */
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
- checksum.cksumtype := checksum type;
- compute checksum over body;
- checksum.checksum := checksum value; /* checksum.checksum */
- packet.cksum := checksum;
- packet.safe-body := body;
-
-A.14.
KRB_SAFE verification
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_SAFE) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
- if (packet.checksum.cksumtype is not both collision-proof
- and keyed) then
- error_out(KRB_AP_ERR_INAPP_CKSUM);
- endif
- if (safe_priv_common_checks_ok(packet)) then
- set computed_checksum := checksum(packet.body);
- if (computed_checksum != packet.checksum) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
- return (packet, PACKET_IS_GENUINE);
- else
- return common_checks_error;
- endif
-
-A.15. KRB_SAFE and KRB_PRIV common checks
- if (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
-
-
-
-Kohl & Neuman [Page 108]
-
-RFC 1510 Kerberos September 1993
-
-
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if (((packet.timestamp is present) and
- (not in_clock_skew(packet.timestamp,packet.usec))) or
- (packet.timestamp is not present and timestamp expected))
- then error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address))
- then error_out(KRB_AP_ERR_REPEAT);
- endif
- if (((packet.seq-number is present) and
- ((not in_sequence(packet.seq-number)))) or
- (packet.seq-number is not present and sequence expected))
- then error_out(KRB_AP_ERR_BADORDER);
- endif
- if (packet.timestamp not present and
- packet.seq-number not present) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- save_identifier(packet.{timestamp,usec,s-address},
- sender_principal(packet));
-
- return PACKET_IS_OK;
-
-A.16.
KRB_PRIV generation
- collect user data in buffer;
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_PRIV */
-
- packet.enc-part.etype := encryption type;
-
- body.user-data := buffer;
- if (using timestamp) then
- get system_time;
- body.timestamp, body.usec := system_time;
- endif
- if (using sequence numbers) then
- body.seq-number := sequence number;
- endif
- body.s-address := sender host addresses;
- if (only one recipient) then
- body.r-address := recipient host address;
- endif
-
-
-
-
-Kohl & Neuman [Page 109]
-
-RFC 1510 Kerberos September 1993
-
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher;
-
-A.17. KRB_PRIV verification
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_PRIV) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
-
- if (safe_priv_common_checks_ok(cleartext)) then
- return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
- else
- return common_checks_error;
- endif
-
-A.18.
KRB_CRED generation
- invoke KRB_TGS; /* obtain tickets to be provided to peer */
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_CRED */
-
- for (tickets[n] in tickets to be forwarded) do
- packet.tickets[n] = tickets[n].ticket;
- done
-
- packet.enc-part.etype := encryption type;
-
- for (ticket[n] in tickets to be forwarded) do
- body.ticket-info[n].key = tickets[n].session;
- body.ticket-info[n].prealm = tickets[n].crealm;
- body.ticket-info[n].pname = tickets[n].cname;
- body.ticket-info[n].flags = tickets[n].flags;
- body.ticket-info[n].authtime = tickets[n].authtime;
- body.ticket-info[n].starttime = tickets[n].starttime;
- body.ticket-info[n].endtime = tickets[n].endtime;
- body.ticket-info[n].renew-till = tickets[n].renew-till;
-
-
-
-Kohl & Neuman [Page 110]
-
-RFC 1510 Kerberos September 1993
-
-
- body.ticket-info[n].srealm = tickets[n].srealm;
- body.ticket-info[n].sname = tickets[n].sname;
- body.ticket-info[n].caddr = tickets[n].caddr;
- done
-
- get system_time;
- body.timestamp, body.usec := system_time;
-
- if (using nonce) then
- body.nonce := nonce;
- endif
-
- if (using s-address) then
- body.s-address := sender host addresses;
- endif
- if (limited recipients) then
- body.r-address := recipient host address;
- endif
-
- encode body into OCTET STRING;
-
- select encryption type;
- encrypt OCTET STRING into packet.enc-part.cipher
- using negotiated encryption key;
-
-A.19.
KRB_CRED verification
- receive packet;
- if (packet.pvno != 5) then
- either process using other protocol spec
- or error_out(KRB_AP_ERR_BADVERSION);
- endif
- if (packet.msg-type != KRB_CRED) then
- error_out(KRB_AP_ERR_MSG_TYPE);
- endif
-
- cleartext := decrypt(packet.enc-part) using negotiated key;
- if (decryption_error()) then
- error_out(KRB_AP_ERR_BAD_INTEGRITY);
- endif
- if ((packet.r-address is present or required) and
- (packet.s-address != O/S_sender(packet)) then
- /* O/S report of sender not who claims to have sent it */
- error_out(KRB_AP_ERR_BADADDR);
- endif
- if ((packet.r-address is present) and
- (packet.r-address != local_host_address)) then
- /* was not sent to proper place */
- error_out(KRB_AP_ERR_BADADDR);
-
-
-
-Kohl & Neuman [Page 111]
-
-RFC 1510 Kerberos September 1993
-
-
- endif
- if (not in_clock_skew(packet.timestamp,packet.usec)) then
- error_out(KRB_AP_ERR_SKEW);
- endif
- if (repeated(packet.timestamp,packet.usec,packet.s-address))
- then error_out(KRB_AP_ERR_REPEAT);
- endif
- if (packet.nonce is required or present) and
- (packet.nonce != expected-nonce) then
- error_out(KRB_AP_ERR_MODIFIED);
- endif
-
- for (ticket[n] in tickets that were forwarded) do
- save_for_later(ticket[n],key[n],principal[n],
- server[n],times[n],flags[n]);
- return
-
-A.20. KRB_ERROR generation
-
- /* assemble packet: */
- packet.pvno := protocol version; /* 5 */
- packet.msg-type := message type; /* KRB_ERROR */
-
- get system_time;
- packet.stime, packet.susec := system_time;
- packet.realm, packet.sname := server name;
-
- if (client time available) then
- packet.ctime, packet.cusec := client_time;
- endif
- packet.error-code := error code;
- if (client name available) then
- packet.cname, packet.crealm := client name;
- endif
- if (error text available) then
- packet.e-text := error text;
- endif
- if (error data available) then
- packet.e-data := error data;
- endif
-
-
-
-
-
-
-
-
-
-
-Kohl & Neuman [Page 112]
-
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1750.txt b/crypto/heimdal/doc/standardisation/rfc1750.txt
deleted file mode 100644
index 56d478c7eef4..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc1750.txt
+++ /dev/null
@@ -1,1683 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake, 3rd
-Request for Comments: 1750 DEC
-Category: Informational S. Crocker
- Cybercash
- J. Schiller
- MIT
- December 1994
-
-
- Randomness Recommendations for Security
-
-Status of this Memo
-
- This memo provides information for the Internet community. This memo
- does not specify an Internet standard of any kind. Distribution of
- this memo is unlimited.
-
-Abstract
-
- Security systems today are built on increasingly strong cryptographic
- algorithms that foil pattern analysis attempts. However, the security
- of these systems is dependent on generating secret quantities for
- passwords, cryptographic keys, and similar quantities. The use of
- pseudo-random processes to generate secret quantities can result in
- pseudo-security. The sophisticated attacker of these security
- systems may find it easier to reproduce the environment that produced
- the secret quantities, searching the resulting small set of
- possibilities, than to locate the quantities in the whole of the
- number space.
-
- Choosing random quantities to foil a resourceful and motivated
- adversary is surprisingly difficult. This paper points out many
- pitfalls in using traditional pseudo-random number generation
- techniques for choosing such quantities. It recommends the use of
- truly random hardware techniques and shows that the existing hardware
- on many systems can be used for this purpose. It provides
- suggestions to ameliorate the problem when a hardware solution is not
- available. And it gives examples of how large such quantities need
- to be for some particular applications.
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 1]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-Acknowledgements
-
- Comments on this document that have been incorporated were received
- from (in alphabetic order) the following:
-
- David M. Balenson (TIS)
- Don Coppersmith (IBM)
- Don T.
Davis (consultant)
- Carl Ellison (Stratus)
- Marc Horowitz (MIT)
- Christian Huitema (INRIA)
- Charlie Kaufman (IRIS)
- Steve Kent (BBN)
- Hal Murray (DEC)
- Neil Haller (Bellcore)
- Richard Pitkin (DEC)
- Tim Redmond (TIS)
- Doug Tygar (CMU)
-
-Table of Contents
-
- 1. Introduction........................................... 3
- 2. Requirements........................................... 4
- 3. Traditional Pseudo-Random Sequences.................... 5
- 4. Unpredictability....................................... 7
- 4.1 Problems with Clocks and Serial Numbers............... 7
- 4.2 Timing and Content of External Events................ 8
- 4.3 The Fallacy of Complex Manipulation.................. 8
- 4.4 The Fallacy of Selection from a Large Database....... 9
- 5. Hardware for Randomness............................... 10
- 5.1 Volume Required...................................... 10
- 5.2 Sensitivity to Skew.................................. 10
- 5.2.1 Using Stream Parity to De-Skew..................... 11
- 5.2.2 Using Transition Mappings to De-Skew............... 12
- 5.2.3 Using FFT to De-Skew............................... 13
- 5.2.4 Using Compression to De-Skew....................... 13
- 5.3 Existing Hardware Can Be Used For Randomness......... 14
- 5.3.1 Using Existing Sound/Video Input................... 14
- 5.3.2 Using Existing Disk Drives......................... 14
- 6. Recommended Non-Hardware Strategy..................... 14
- 6.1 Mixing Functions..................................... 15
- 6.1.1 A Trivial Mixing Function.......................... 15
- 6.1.2 Stronger Mixing Functions.......................... 16
- 6.1.3 Diff-Hellman as a Mixing Function.................. 17
- 6.1.4 Using a Mixing Function to Stretch Random Bits..... 17
- 6.1.5 Other Factors in Choosing a Mixing Function........ 18
- 6.2 Non-Hardware Sources of Randomness................... 19
- 6.3 Cryptographically Strong Sequences...................
19
-
-
-
-Eastlake, Crocker & Schiller [Page 2]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- 6.3.1 Traditional Strong Sequences....................... 20
- 6.3.2 The Blum Blum Shub Sequence Generator.............. 21
- 7. Key Generation Standards.............................. 22
- 7.1 US DoD Recommendations for Password Generation....... 23
- 7.2 X9.17 Key Generation................................. 23
- 8. Examples of Randomness Required....................... 24
- 8.1 Password Generation................................. 24
- 8.2 A Very High Security Cryptographic Key............... 25
- 8.2.1 Effort per Key Trial............................... 25
- 8.2.2 Meet in the Middle Attacks......................... 26
- 8.2.3 Other Considerations............................... 26
- 9. Conclusion............................................ 27
- 10. Security Considerations.............................. 27
- References............................................... 28
- Authors' Addresses....................................... 30
-
-1. Introduction
-
- Software cryptography is coming into wider use. Systems like
- Kerberos, PEM, PGP, etc. are maturing and becoming a part of the
- network landscape [PEM]. These systems provide substantial
- protection against snooping and spoofing. However, there is a
- potential flaw. At the heart of all cryptographic systems is the
- generation of secret, unguessable (i.e., random) numbers.
-
- For the present, the lack of generally available facilities for
- generating such unpredictable numbers is an open wound in the design
- of cryptographic software. For the software developer who wants to
- build a key or password generation procedure that runs on a wide
- range of hardware, the only safe strategy so far has been to force
- the local installation to supply a suitable routine to generate
- random numbers. To say the least, this is an awkward, error-prone
- and unpalatable solution.
-
- It is important to keep in mind that the requirement is for data that
- an adversary has a very low probability of guessing or determining.
- This will fail if pseudo-random data is used which only meets
- traditional statistical tests for randomness or which is based on
- limited range sources, such as clocks. Frequently such random
- quantities are determinable by an adversary searching through an
- embarrassingly small space of possibilities.
-
- This informational document suggests techniques for producing random
- quantities that will be resistant to such attack. It recommends that
- future systems include hardware random number generation or provide
- access to existing hardware that can be used for this purpose. It
- suggests methods for use if such hardware is not available. And it
- gives some estimates of the number of random bits required for sample
-
-
-
-Eastlake, Crocker & Schiller [Page 3]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- applications.
-
-2. Requirements
-
- Probably the most commonly encountered randomness requirement today
- is the user password. This is usually a simple character string.
- Obviously, if a password can be guessed, it does not provide
- security. (For re-usable passwords, it is desirable that users be
- able to remember the password. This may make it advisable to use
- pronounceable character strings or phrases composed on ordinary
- words. But this only affects the format of the password information,
- not the requirement that the password be very hard to guess.)
-
- Many other requirements come from the cryptographic arena.
- Cryptographic techniques can be used to provide a variety of services
- including confidentiality and authentication. Such services are
- based on quantities, traditionally called "keys", that are unknown to
- and unguessable by an adversary.
-
- In some cases, such as the use of symmetric encryption with the one
- time pads [CRYPTO*] or the US Data Encryption Standard [DES], the
- parties who wish to communicate confidentially and/or with
- authentication must all know the same secret key. In other cases,
- using what are called asymmetric or "public key" cryptographic
- techniques, keys come in pairs. One key of the pair is private and
- must be kept secret by one party, the other is public and can be
- published to the world. It is computationally infeasible to
- determine the private key from the public key [ASYMMETRIC, CRYPTO*].
-
- The frequency and volume of the requirement for random quantities
- differs greatly for different cryptographic systems. Using pure RSA
- [CRYPTO*], random quantities are required when the key pair is
- generated, but thereafter any number of messages can be signed
- without any further need for randomness. The public key Digital
- Signature Algorithm that has been proposed by the US National
- Institute of Standards and Technology (NIST) requires good random
- numbers for each signature. And encrypting with a one time pad, in
- principle the strongest possible encryption technique, requires a
- volume of randomness equal to all the messages to be processed.
-
- In most of these cases, an adversary can try to determine the
- "secret" key by trial and error. (This is possible as long as the
- key is enough smaller than the message that the correct key can be
- uniquely identified.) The probability of an adversary succeeding at
- this must be made acceptably low, depending on the particular
- application. The size of the space the adversary must search is
- related to the amount of key "information" present in the information
- theoretic sense [SHANNON].
This depends on the number of different - - - -Eastlake, Crocker & Schiller [Page 4] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - secret values possible and the probability of each value as follows: - - ----- - \ - Bits-of-info = \ - p * log ( p ) - / i 2 i - / - ----- - - where i varies from 1 to the number of possible secret values and p - sub i is the probability of the value numbered i. (Since p sub i is - less than one, the log will be negative so each term in the sum will - be non-negative.) - - If there are 2^n different values of equal probability, then n bits - of information are present and an adversary would, on the average, - have to try half of the values, or 2^(n-1) , before guessing the - secret quantity. If the probability of different values is unequal, - then there is less information present and fewer guesses will, on - average, be required by an adversary. In particular, any values that - the adversary can know are impossible, or are of low probability, can - be initially ignored by an adversary, who will search through the - more probable values first. - - For example, consider a cryptographic system that uses 56 bit keys. - If these 56 bit keys are derived by using a fixed pseudo-random - number generator that is seeded with an 8 bit seed, then an adversary - needs to search through only 256 keys (by running the pseudo-random - number generator with every possible seed), not the 2^56 keys that - may at first appear to be the case. Only 8 bits of "information" are - in these 56 bit keys. - -3. Traditional Pseudo-Random Sequences - - Most traditional sources of random numbers use deterministic sources - of "pseudo-random" numbers. These typically start with a "seed" - quantity and use numeric or logical operations to produce a sequence - of values. - - [KNUTH] has a classic exposition on pseudo-random numbers. 
- Applications he mentions are simulation of natural phenomena, - sampling, numerical analysis, testing computer programs, decision - making, and games. None of these have the same characteristics as - the sort of security uses we are talking about. Only in the last two - could there be an adversary trying to find the random quantity. - However, in these cases, the adversary normally has only a single - chance to use a guessed value. In guessing passwords or attempting - to break an encryption scheme, the adversary normally has many, - - - -Eastlake, Crocker & Schiller [Page 5] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - perhaps unlimited, chances at guessing the correct value and should - be assumed to be aided by a computer. - - For testing the "randomness" of numbers, Knuth suggests a variety of - measures including statistical and spectral. These tests check - things like autocorrelation between different parts of a "random" - sequence or distribution of its values. They could be met by a - constant stored random sequence, such as the "random" sequence - printed in the CRC Standard Mathematical Tables [CRC]. - - A typical pseudo-random number generation technique, known as a - linear congruence pseudo-random number generator, is modular - arithmetic where the N+1th value is calculated from the Nth value by - - V = ( V * a + b )(Mod c) - N+1 N - - The above technique has a strong relationship to linear shift - register pseudo-random number generators, which are well understood - cryptographically [SHIFT*]. In such generators bits are introduced - at one end of a shift register as the Exclusive Or (binary sum - without carry) of bits from selected fixed taps into the register. - - For example: - - +----+ +----+ +----+ +----+ - | B | <-- | B | <-- | B | <-- . . . . . . 
<-- | B | <-+ - | 0 | | 1 | | 2 | | n | | - +----+ +----+ +----+ +----+ | - | | | | - | | V +-----+ - | V +----------------> | | - V +-----------------------------> | XOR | - +---------------------------------------------------> | | - +-----+ - - - V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n) - N+1 N 0 2 - - The goodness of traditional pseudo-random number generator algorithms - is measured by statistical tests on such sequences. Carefully chosen - values of the initial V and a, b, and c or the placement of shift - register tap in the above simple processes can produce excellent - statistics. - - - - - - -Eastlake, Crocker & Schiller [Page 6] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - These sequences may be adequate in simulations (Monte Carlo - experiments) as long as the sequence is orthogonal to the structure - of the space being explored. Even there, subtle patterns may cause - problems. However, such sequences are clearly bad for use in - security applications. They are fully predictable if the initial - state is known. Depending on the form of the pseudo-random number - generator, the sequence may be determinable from observation of a - short portion of the sequence [CRYPTO*, STERN]. For example, with - the generators above, one can determine V(n+1) given knowledge of - V(n). In fact, it has been shown that with these techniques, even if - only one bit of the pseudo-random values is released, the seed can be - determined from short sequences. - - Not only have linear congruent generators been broken, but techniques - are now known for breaking all polynomial congruent generators - [KRAWCZYK]. - -4. Unpredictability - - Randomness in the traditional sense described in section 3 is NOT the - same as the unpredictability required for security use. - - For example, use of a widely available constant sequence, such as - that from the CRC tables, is very weak against an adversary. 
Once
- they learn of or guess it, they can easily break all security, future
- and past, based on the sequence [CRC]. Yet the statistical
- properties of these tables are good.
-
- The following sections describe the limitations of some randomness
- generation techniques and sources.
-
-4.1 Problems with Clocks and Serial Numbers
-
- Computer clocks, or similar operating system or hardware values,
- provide significantly fewer real bits of unpredictability than might
- appear from their specifications.
-
- Tests have been done on clocks on numerous systems and it was found
- that their behavior can vary widely and in unexpected ways. One
- version of an operating system running on one set of hardware may
- actually provide, say, microsecond resolution in a clock while a
- different configuration of the "same" system may always provide the
- same lower bits and only count in the upper bits at much lower
- resolution. This means that successive reads on the clock may
- produce identical values even if enough time has passed that the
- value "should" change based on the nominal clock resolution. There
- are also cases where frequently reading a clock can produce
- artificial sequential values because of extra code that checks for
-
-
-
-Eastlake, Crocker & Schiller [Page 7]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- the clock being unchanged between two reads and increases it by one!
- Designing portable application code to generate unpredictable numbers
- based on such system clocks is particularly challenging because the
- system designer does not always know the properties of the system
- clocks that the code will execute on.
-
- Use of a hardware serial number such as an Ethernet address may also
- provide fewer bits of uniqueness than one would guess.
Such
- quantities are usually heavily structured and subfields may have only
- a limited range of possible values or values easily guessable based
- on approximate date of manufacture or other data. For example, it is
- likely that most of the Ethernet cards installed on Digital Equipment
- Corporation (DEC) hardware within DEC were manufactured by DEC
- itself, which significantly limits the range of built in addresses.
-
- Problems such as those described above related to clocks and serial
- numbers make code to produce unpredictable quantities difficult if
- the code is to be ported across a variety of computer platforms and
- systems.
-
-4.2 Timing and Content of External Events
-
- It is possible to measure the timing and content of mouse movement,
- key strokes, and similar user events. This is a reasonable source of
- unguessable data with some qualifications. On some machines, inputs
- such as key strokes are buffered. Even though the user's inter-
- keystroke timing may have sufficient variation and unpredictability,
- there might not be an easy way to access that variation. Another
- problem is that no standard method exists to sample timing details.
- This makes it hard to build standard software intended for
- distribution to a large range of machines based on this technique.
-
- The amount of mouse movement or the keys actually hit are usually
- easier to access than timings but may yield less unpredictability as
- the user may provide highly repetitive input.
-
- Other external events, such as network packet arrival times, can also
- be used with care. In particular, the possibility of manipulation of
- such times by an adversary must be considered.
-
-4.3 The Fallacy of Complex Manipulation
-
- One strategy which may give a misleading appearance of
- unpredictability is to take a very complex algorithm (or an excellent
- traditional pseudo-random number generator with good statistical
- properties) and calculate a cryptographic key by starting with the
- current value of a computer system clock as the seed. An adversary
- who knew roughly when the generator was started would have a
-
-
-
-Eastlake, Crocker & Schiller [Page 8]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- relatively small number of seed values to test as they would know
- likely values of the system clock. Large numbers of pseudo-random
- bits could be generated but the search space an adversary would need
- to check could be quite small.
-
- Thus very strong and/or complex manipulation of data will not help if
- the adversary can learn what the manipulation is and there is not
- enough unpredictability in the starting seed value. Even if they can
- not learn what the manipulation is, they may be able to use the
- limited number of results stemming from a limited number of seed
- values to defeat security.
-
- Another serious strategy error is to assume that a very complex
- pseudo-random number generation algorithm will produce strong random
- numbers when there has been no theory behind or analysis of the
- algorithm. There is a excellent example of this fallacy right near
- the beginning of chapter 3 in [KNUTH] where the author describes a
- complex algorithm. It was intended that the machine language program
- corresponding to the algorithm would be so complicated that a person
- trying to read the code without comments wouldn't know what the
- program was doing. Unfortunately, actual use of this algorithm
- showed that it almost immediately converged to a single repeated
- value in one case and a small cycle of values in another case.
-
- Not only does complex manipulation not help you if you have a limited
- range of seeds but blindly chosen complex manipulation can destroy
- the randomness in a good seed!
-
-4.4 The Fallacy of Selection from a Large Database
-
- Another strategy that can give a misleading appearance of
- unpredictability is selection of a quantity randomly from a database
- and assume that its strength is related to the total number of bits
- in the database. For example, typical USENET servers as of this date
- process over 35 megabytes of information per day. Assume a random
- quantity was selected by fetching 32 bytes of data from a random
- starting point in this data. This does not yield 32*8 = 256 bits
- worth of unguessability. Even after allowing that much of the data
- is human language and probably has more like 2 or 3 bits of
- information per byte, it doesn't yield 32*2.5 = 80 bits of
- unguessability. For an adversary with access to the same 35
- megabytes the unguessability rests only on the starting point of the
- selection. That is, at best, about 25 bits of unguessability in this
- case.
-
- The same argument applies to selecting sequences from the data on a
- CD ROM or Audio CD recording or any other large public database. If
- the adversary has access to the same database, this "selection from a
-
-
-
-Eastlake, Crocker & Schiller [Page 9]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- large volume of data" step buys very little. However, if a selection
- can be made from data to which the adversary has no access, such as
- system buffers on an active multi-user system, it may be of some
- help.
-
-5. Hardware for Randomness
-
- Is there any hope for strong portable randomness in the future?
- There might be. All that's needed is a physical source of
- unpredictable numbers.
-
- A thermal noise or radioactive decay source and a fast, free-running
- oscillator would do the trick directly [GIFFORD].
This is a trivial
- amount of hardware, and could easily be included as a standard part
- of a computer system's architecture. Furthermore, any system with a
- spinning disk or the like has an adequate source of randomness
- [DAVIS]. All that's needed is the common perception among computer
- vendors that this small additional hardware and the software to
- access it is necessary and useful.
-
-5.1 Volume Required
-
- How much unpredictability is needed? Is it possible to quantify the
- requirement in, say, number of random bits per second?
-
- The answer is not very much is needed. For DES, the key is 56 bits
- and, as we show in an example in Section 8, even the highest security
- system is unlikely to require a keying material of over 200 bits. If
- a series of keys are needed, it can be generated from a strong random
- seed using a cryptographically strong sequence as explained in
- Section 6.3. A few hundred random bits generated once a day would be
- enough using such techniques. Even if the random bits are generated
- as slowly as one per second and it is not possible to overlap the
- generation process, it should be tolerable in high security
- applications to wait 200 seconds occasionally.
-
- These numbers are trivial to achieve. It could be done by a person
- repeatedly tossing a coin. Almost any hardware process is likely to
- be much faster.
-
-5.2 Sensitivity to Skew
-
- Is there any specific requirement on the shape of the distribution of
- the random numbers? The good news is the distribution need not be
- uniform. All that is needed is a conservative estimate of how non-
- uniform it is to bound performance. Two simple techniques to de-skew
- the bit stream are given below and stronger techniques are mentioned
- in Section 6.1.2 below.
- - - -Eastlake, Crocker & Schiller [Page 10] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -5.2.1 Using Stream Parity to De-Skew - - Consider taking a sufficiently long string of bits and map the string - to "zero" or "one". The mapping will not yield a perfectly uniform - distribution, but it can be as close as desired. One mapping that - serves the purpose is to take the parity of the string. This has the - advantages that it is robust across all degrees of skew up to the - estimated maximum skew and is absolutely trivial to implement in - hardware. - - The following analysis gives the number of bits that must be sampled: - - Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is - between 0 and 0.5 and is a measure of the "eccentricity" of the - distribution. Consider the distribution of the parity function of N - bit samples. The probabilities that the parity will be one or zero - will be the sum of the odd or even terms in the binomial expansion of - (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 - - e, the probability of a zero. - - These sums can be computed easily as - - N N - 1/2 * ( ( p + q ) + ( p - q ) ) - and - N N - 1/2 * ( ( p + q ) - ( p - q ) ). - - (Which one corresponds to the probability the parity will be 1 - depends on whether N is odd or even.) - - Since p + q = 1 and p - q = 2e, these expressions reduce to - - N - 1/2 * [1 + (2e) ] - and - N - 1/2 * [1 - (2e) ]. - - Neither of these will ever be exactly 0.5 unless e is zero, but we - can bring them arbitrarily close to 0.5. If we want the - probabilities to be within some delta d of 0.5, i.e. then - - N - ( 0.5 + ( 0.5 * (2e) ) ) < 0.5 + d. - - - - - - -Eastlake, Crocker & Schiller [Page 11] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Solving for N yields N > log(2d)/log(2e). (Note that 2e is less than - 1, so its log is negative. Division by a negative number reverses - the sense of an inequality.) 
- - The following table gives the length of the string which must be - sampled for various degrees of skew in order to come within 0.001 of - a 50/50 distribution. - - +---------+--------+-------+ - | Prob(1) | e | N | - +---------+--------+-------+ - | 0.5 | 0.00 | 1 | - | 0.6 | 0.10 | 4 | - | 0.7 | 0.20 | 7 | - | 0.8 | 0.30 | 13 | - | 0.9 | 0.40 | 28 | - | 0.95 | 0.45 | 59 | - | 0.99 | 0.49 | 308 | - +---------+--------+-------+ - - The last entry shows that even if the distribution is skewed 99% in - favor of ones, the parity of a string of 308 samples will be within - 0.001 of a 50/50 distribution. - -5.2.2 Using Transition Mappings to De-Skew - - Another technique, originally due to von Neumann [VON NEUMANN], is to - examine a bit stream as a sequence of non-overlapping pairs. You - could then discard any 00 or 11 pairs found, interpret 01 as a 0 and - 10 as a 1. Assume the probability of a 1 is 0.5+e and the - probability of a 0 is 0.5-e where e is the eccentricity of the source - and described in the previous section. Then the probability of each - pair is as follows: - - +------+-----------------------------------------+ - | pair | probability | - +------+-----------------------------------------+ - | 00 | (0.5 - e)^2 = 0.25 - e + e^2 | - | 01 | (0.5 - e)*(0.5 + e) = 0.25 - e^2 | - | 10 | (0.5 + e)*(0.5 - e) = 0.25 - e^2 | - | 11 | (0.5 + e)^2 = 0.25 + e + e^2 | - +------+-----------------------------------------+ - - This technique will completely eliminate any bias but at the expense - of taking an indeterminate number of input bits for any particular - desired number of output bits. The probability of any particular - pair being discarded is 0.5 + 2e^2 so the expected number of input - bits to produce X output bits is X/(0.25 - e^2). 
-
-
-
-Eastlake, Crocker & Schiller [Page 12]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- This technique assumes that the bits are from a stream where each bit
- has the same probability of being a 0 or 1 as any other bit in the
- stream and that bits are not correlated, i.e., that the bits are
- identical independent distributions. If alternate bits were from two
- correlated sources, for example, the above analysis breaks down.
-
- The above technique also provides another illustration of how a
- simple statistical analysis can mislead if one is not always on the
- lookout for patterns that could be exploited by an adversary. If the
- algorithm were mis-read slightly so that overlapping successive bits
- pairs were used instead of non-overlapping pairs, the statistical
- analysis given is the same; however, instead of provided an unbiased
- uncorrelated series of random 1's and 0's, it instead produces a
- totally predictable sequence of exactly alternating 1's and 0's.
-
-5.2.3 Using FFT to De-Skew
-
- When real world data consists of strongly biased or correlated bits,
- it may still contain useful amounts of randomness. This randomness
- can be extracted through use of the discrete Fourier transform or its
- optimized variant, the FFT.
-
- Using the Fourier transform of the data, strong correlations can be
- discarded. If adequate data is processed and remaining correlations
- decay, spectral lines approaching statistical independence and
- normally distributed randomness can be produced [BRILLINGER].
-
-5.2.4 Using Compression to De-Skew
-
- Reversible compression techniques also provide a crude method of de-
- skewing a skewed bit stream. This follows directly from the
- definition of reversible compression and the formula in Section 2
- above for the amount of information in a sequence.
Since the
- compression is reversible, the same amount of information must be
- present in the shorter output than was present in the longer input.
- By the Shannon information equation, this is only possible if, on
- average, the probabilities of the different shorter sequences are
- more uniformly distributed than were the probabilities of the longer
- sequences. Thus the shorter sequences are de-skewed relative to the
- input.
-
- However, many compression techniques add a somewhat predicatable
- preface to their output stream and may insert such a sequence again
- periodically in their output or otherwise introduce subtle patterns
- of their own. They should be considered only a rough technique
- compared with those described above or in Section 6.1.2. At a
- minimum, the beginning of the compressed sequence should be skipped
- and only later bits used for applications requiring random bits.
-
-
-
-Eastlake, Crocker & Schiller [Page 13]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-5.3 Existing Hardware Can Be Used For Randomness
-
- As described below, many computers come with hardware that can, with
- care, be used to generate truly random quantities.
-
-5.3.1 Using Existing Sound/Video Input
-
- Increasingly computers are being built with inputs that digitize some
- real world analog source, such as sound from a microphone or video
- input from a camera. Under appropriate circumstances, such input can
- provide reasonably high quality random bits. The "input" from a
- sound digitizer with no source plugged in or a camera with the lens
- cap on, if the system has enough gain to detect anything, is
- essentially thermal noise.
-
- For example, on a SPARCstation, one can read from the /dev/audio
- device with nothing plugged into the microphone jack. Such data is
- essentially random noise although it should not be trusted without
- some checking in case of hardware failure.
It will, in any case, - need to be de-skewed as described elsewhere. - - Combining this with compression to de-skew one can, in UNIXese, - generate a huge amount of medium quality random data by doing - - cat /dev/audio | compress - >random-bits-file - -5.3.2 Using Existing Disk Drives - - Disk drives have small random fluctuations in their rotational speed - due to chaotic air turbulence [DAVIS]. By adding low level disk seek - time instrumentation to a system, a series of measurements can be - obtained that include this randomness. Such data is usually highly - correlated so that significant processing is needed, including FFT - (see section 5.2.3). Nevertheless experimentation has shown that, - with such processing, disk drives easily produce 100 bits a minute or - more of excellent random data. - - Partly offsetting this need for processing is the fact that disk - drive failure will normally be rapidly noticed. Thus, problems with - this method of random number generation due to hardware failure are - very unlikely. - -6. Recommended Non-Hardware Strategy - - What is the best overall strategy for meeting the requirement for - unguessable random numbers in the absence of a reliable hardware - source? It is to obtain random input from a large number of - uncorrelated sources and to mix them with a strong mixing function. - - - -Eastlake, Crocker & Schiller [Page 14] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Such a function will preserve the randomness present in any of the - sources even if other quantities being combined are fixed or easily - guessable. This may be advisable even with a good hardware source as - hardware can also fail, though this should be weighed against any - increase in the chance of overall failure due to added software - complexity. 
- -6.1 Mixing Functions - - A strong mixing function is one which combines two or more inputs and - produces an output where each output bit is a different complex non- - linear function of all the input bits. On average, changing any - input bit will change about half the output bits. But because the - relationship is complex and non-linear, no particular output bit is - guaranteed to change when any particular input bit is changed. - - Consider the problem of converting a stream of bits that is skewed - towards 0 or 1 to a shorter stream which is more random, as discussed - in Section 5.2 above. This is simply another case where a strong - mixing function is desired, mixing the input bits to produce a - smaller number of output bits. The technique given in Section 5.2.1 - of using the parity of a number of bits is simply the result of - successively Exclusive Or'ing them which is examined as a trivial - mixing function immediately below. Use of stronger mixing functions - to extract more of the randomness in a stream of skewed bits is - examined in Section 6.1.2. - -6.1.1 A Trivial Mixing Function - - A trivial example for single bit inputs is the Exclusive Or function, - which is equivalent to addition without carry, as show in the table - below. This is a degenerate case in which the one output bit always - changes for a change in either input bit. But, despite its - simplicity, it will still provide a useful illustration. - - +-----------+-----------+----------+ - | input 1 | input 2 | output | - +-----------+-----------+----------+ - | 0 | 0 | 0 | - | 0 | 1 | 1 | - | 1 | 0 | 1 | - | 1 | 1 | 0 | - +-----------+-----------+----------+ - - If inputs 1 and 2 are uncorrelated and combined in this fashion then - the output will be an even better (less skewed) random bit than the - inputs. 
If we assume an "eccentricity" e as defined in Section 5.2 - above, then the output eccentricity relates to the input eccentricity - - - -Eastlake, Crocker & Schiller [Page 15] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - as follows: - - e = 2 * e * e - output input 1 input 2 - - Since e is never greater than 1/2, the eccentricity is always - improved except in the case where at least one input is a totally - skewed constant. This is illustrated in the following table where - the top and left side values are the two input eccentricities and the - entries are the output eccentricity: - - +--------+--------+--------+--------+--------+--------+--------+ - | e | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 | - +--------+--------+--------+--------+--------+--------+--------+ - | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | - | 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 | - | 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 | - | 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 | - | 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 | - | 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 | - +--------+--------+--------+--------+--------+--------+--------+ - - However, keep in mind that the above calculations assume that the - inputs are not correlated. If the inputs were, say, the parity of - the number of minutes from midnight on two clocks accurate to a few - seconds, then each might appear random if sampled at random intervals - much longer than a minute. Yet if they were both sampled and - combined with xor, the result would be zero most of the time. - -6.1.2 Stronger Mixing Functions - - The US Government Data Encryption Standard [DES] is an example of a - strong mixing function for multiple bit quantities. It takes up to - 120 bits of input (64 bits of "data" and 56 bits of "key") and - produces 64 bits of output each of which is dependent on a complex - non-linear function of all input bits. 
Other strong encryption - functions with this characteristic can also be used by considering - them to mix all of their key and data input bits. - - Another good family of mixing functions are the "message digest" or - hashing functions such as The US Government Secure Hash Standard - [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series. These functions - all take an arbitrary amount of input and produce an output mixing - all the input bits. The MD* series produce 128 bits of output and SHS - produces 160 bits. - - - - - - -Eastlake, Crocker & Schiller [Page 16] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Although the message digest functions are designed for variable - amounts of input, DES and other encryption functions can also be used - to combine any number of inputs. If 64 bits of output is adequate, - the inputs can be packed into a 64 bit data quantity and successive - 56 bit keys, padding with zeros if needed, which are then used to - successively encrypt using DES in Electronic Codebook Mode [DES - MODES]. If more than 64 bits of output are needed, use more complex - mixing. For example, if inputs are packed into three quantities, A, - B, and C, use DES to encrypt A with B as a key and then with C as a - key to produce the 1st part of the output, then encrypt B with C and - then A for more output and, if necessary, encrypt C with A and then B - for yet more output. Still more output can be produced by reversing - the order of the keys given above to stretch things. The same can be - done with the hash functions by hashing various subsets of the input - data to produce multiple outputs. But keep in mind that it is - impossible to get more bits of "randomness" out than are put in. - - An example of using a strong mixing function would be to reconsider - the case of a string of 308 bits each of which is biased 99% towards - zero. 
The parity technique given in Section 5.2.1 above reduced this - to one bit with only a 1/1000 deviance from being equally likely a - zero or one. But, applying the equation for information given in - Section 2, this 308 bit sequence has 5 bits of information in it. - Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the - result would yield 5 unbiased random bits as opposed to the single - bit given by calculating the parity of the string. - -6.1.3 Diffie-Hellman as a Mixing Function - - Diffie-Hellman exponential key exchange is a technique that yields a - shared secret between two parties that can be made computationally - infeasible for a third party to determine even if they can observe - all the messages between the two communicating parties. This shared - secret is a mixture of initial quantities generated by each of them - [D-H]. If these initial quantities are random, then the shared - secret contains the combined randomness of them both, assuming they - are uncorrelated. - -6.1.4 Using a Mixing Function to Stretch Random Bits - - While it is not necessary for a mixing function to produce the same - or fewer bits than its inputs, mixing bits cannot "stretch" the - amount of random unpredictability present in the inputs. Thus four - inputs of 32 bits each where there is 12 bits worth of - unpredicatability (such as 4,096 equally probable values) in each - input cannot produce more than 48 bits worth of unpredictable output. - The output can be expanded to hundreds or thousands of bits by, for - example, mixing with successive integers, but the clever adversary's - - - -Eastlake, Crocker & Schiller [Page 17] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - search space is still 2^48 possibilities. Furthermore, mixing to - fewer bits than are input will tend to strengthen the randomness of - the output the way using Exclusive Or to produce one bit from two did - above. 
- - The last table in Section 6.1.1 shows that mixing a random bit with a - constant bit with Exclusive Or will produce a random bit. While this - is true, it does not provide a way to "stretch" one random bit into - more than one. If, for example, a random bit is mixed with a 0 and - then with a 1, this produces a two bit sequence but it will always be - either 01 or 10. Since there are only two possible values, there is - still only the one bit of original randomness. - -6.1.5 Other Factors in Choosing a Mixing Function - - For local use, DES has the advantages that it has been widely tested - for flaws, is widely documented, and is widely implemented with - hardware and software implementations available all over the world - including source code available by anonymous FTP. The SHS and MD* - family are younger algorithms which have been less tested but there - is no particular reason to believe they are flawed. Both MD5 and SHS - were derived from the earlier MD4 algorithm. They all have source - code available by anonymous FTP [SHS, MD2, MD4, MD5]. - - DES and SHS have been vouched for the the US National Security Agency - (NSA) on the basis of criteria that primarily remain secret. While - this is the cause of much speculation and doubt, investigation of DES - over the years has indicated that NSA involvement in modifications to - its design, which originated with IBM, was primarily to strengthen - it. No concealed or special weakness has been found in DES. It is - almost certain that the NSA modification to MD4 to produce the SHS - similarly strengthened the algorithm, possibly against threats not - yet known in the public cryptographic community. - - DES, SHS, MD4, and MD5 are royalty free for all purposes. MD2 has - been freely licensed only for non-profit use in connection with - Privacy Enhanced Mail [PEM]. 
Between the MD* algorithms, some people - believe that, as with "Goldilocks and the Three Bears", MD2 is strong - but too slow, MD4 is fast but too weak, and MD5 is just right. - - Another advantage of the MD* or similar hashing algorithms over - encryption algorithms is that they are not subject to the same - regulations imposed by the US Government prohibiting the unlicensed - export or import of encryption/decryption software and hardware. The - same should be true of DES rigged to produce an irreversible hash - code but most DES packages are oriented to reversible encryption. - - - - - -Eastlake, Crocker & Schiller [Page 18] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -6.2 Non-Hardware Sources of Randomness - - The best source of input for mixing would be a hardware randomness - such as disk drive timing affected by air turbulence, audio input - with thermal noise, or radioactive decay. However, if that is not - available there are other possibilities. These include system - clocks, system or input/output buffers, user/system/hardware/network - serial numbers and/or addresses and timing, and user input. - Unfortunately, any of these sources can produce limited or - predicatable values under some circumstances. - - Some of the sources listed above would be quite strong on multi-user - systems where, in essence, each user of the system is a source of - randomness. However, on a small single user system, such as a - typical IBM PC or Apple Macintosh, it might be possible for an - adversary to assemble a similar configuration. This could give the - adversary inputs to the mixing process that were sufficiently - correlated to those used originally as to make exhaustive search - practical. - - The use of multiple random inputs with a strong mixing function is - recommended and can overcome weakness in any particular input. 
For - example, the timing and content of requested "random" user keystrokes - can yield hundreds of random bits but conservative assumptions need - to be made. For example, assuming a few bits of randomness if the - inter-keystroke interval is unique in the sequence up to that point - and a similar assumption if the key hit is unique but assuming that - no bits of randomness are present in the initial key value or if the - timing or key value duplicate previous values. The results of mixing - these timings and characters typed could be further combined with - clock values and other inputs. - - This strategy may make practical portable code to produce good random - numbers for security even if some of the inputs are very weak on some - of the target systems. However, it may still fail against a high - grade attack on small single user systems, especially if the - adversary has ever been able to observe the generation process in the - past. A hardware based random source is still preferable. - -6.3 Cryptographically Strong Sequences - - In cases where a series of random quantities must be generated, an - adversary may learn some values in the sequence. In general, they - should not be able to predict other values from the ones that they - know. - - - - - - -Eastlake, Crocker & Schiller [Page 19] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - The correct technique is to start with a strong random seed, take - cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and - do not reveal the complete state of the generator in the sequence - elements. If each value in the sequence can be calculated in a fixed - way from the previous value, then when any value is compromised, all - future values can be determined. This would be the case, for - example, if each value were a constant function of the previously - used values, even if the function were a very strong, non-invertible - message digest function. 
- - It should be noted that if your technique for generating a sequence - of key values is fast enough, it can trivially be used as the basis - for a confidentiality system. If two parties use the same sequence - generating technique and start with the same seed material, they will - generate identical sequences. These could, for example, be xor'ed at - one end with data being send, encrypting it, and xor'ed with this - data as received, decrypting it due to the reversible properties of - the xor operation. - -6.3.1 Traditional Strong Sequences - - A traditional way to achieve a strong sequence has been to have the - values be produced by hashing the quantities produced by - concatenating the seed with successive integers or the like and then - mask the values obtained so as to limit the amount of generator state - available to the adversary. - - It may also be possible to use an "encryption" algorithm with a - random key and seed value to encrypt and feedback some or all of the - output encrypted value into the value to be encrypted for the next - iteration. Appropriate feedback techniques will usually be - recommended with the encryption algorithm. An example is shown below - where shifting and masking are used to combine the cypher output - feedback. This type of feedback is recommended by the US Government - in connection with DES [DES MODES]. 
- - - - - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 20] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - +---------------+ - | V | - | | n | - +--+------------+ - | | +---------+ - | +---------> | | +-----+ - +--+ | Encrypt | <--- | Key | - | +-------- | | +-----+ - | | +---------+ - V V - +------------+--+ - | V | | - | n+1 | - +---------------+ - - Note that if a shift of one is used, this is the same as the shift - register technique described in Section 3 above but with the all - important difference that the feedback is determined by a complex - non-linear function of all bits rather than a simple linear or - polynomial combination of output from a few bit position taps. - - It has been shown by Donald W. Davies that this sort of shifted - partial output feedback significantly weakens an algorithm compared - will feeding all of the output bits back as input. In particular, - for DES, repeated encrypting a full 64 bit quantity will give an - expected repeat in about 2^63 iterations. Feeding back anything less - than 64 (and more than 0) bits will give an expected repeat in - between 2**31 and 2**32 iterations! - - To predict values of a sequence from others when the sequence was - generated by these techniques is equivalent to breaking the - cryptosystem or inverting the "non-invertible" hashing involved with - only partial information available. The less information revealed - each iteration, the harder it will be for an adversary to predict the - sequence. Thus it is best to use only one bit from each value. It - has been shown that in some cases this makes it impossible to break a - system even when the cryptographic system is invertible and can be - broken if all of each generated value was revealed. - -6.3.2 The Blum Blum Shub Sequence Generator - - Currently the generator which has the strongest public proof of - strength is called the Blum Blum Shub generator after its inventors - [BBS]. 
It is also very simple and is based on quadratic residues. - It's only disadvantage is that is is computationally intensive - compared with the traditional techniques give in 6.3.1 above. This - is not a serious draw back if it is used for moderately infrequent - purposes, such as generating session keys. - - - -Eastlake, Crocker & Schiller [Page 21] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Simply choose two large prime numbers, say p and q, which both have - the property that you get a remainder of 3 if you divide them by 4. - Let n = p * q. Then you choose a random number x relatively prime to - n. The initial seed for the generator and the method for calculating - subsequent values are then - - 2 - s = ( x )(Mod n) - 0 - - 2 - s = ( s )(Mod n) - i+1 i - - You must be careful to use only a few bits from the bottom of each s. - It is always safe to use only the lowest order bit. If you use no - more than the - - log ( log ( s ) ) - 2 2 i - - low order bits, then predicting any additional bits from a sequence - generated in this manner is provable as hard as factoring n. As long - as the initial x is secret, you can even make n public if you want. - - An intersting characteristic of this generator is that you can - directly calculate any of the s values. In particular - - i - ( ( 2 )(Mod (( p - 1 ) * ( q - 1 )) ) ) - s = ( s )(Mod n) - i 0 - - This means that in applications where many keys are generated in this - fashion, it is not necessary to save them all. Each key can be - effectively indexed and recovered from that small index and the - initial s and n. - -7. Key Generation Standards - - Several public standards are now in place for the generation of keys. - Two of these are described below. Both use DES but any equally - strong or stronger mixing function could be substituted. 
- - - - - - - - -Eastlake, Crocker & Schiller [Page 22] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -7.1 US DoD Recommendations for Password Generation - - The United States Department of Defense has specific recommendations - for password generation [DoD]. They suggest using the US Data - Encryption Standard [DES] in Output Feedback Mode [DES MODES] as - follows: - - use an initialization vector determined from - the system clock, - system ID, - user ID, and - date and time; - use a key determined from - system interrupt registers, - system status registers, and - system counters; and, - as plain text, use an external randomly generated 64 bit - quantity such as 8 characters typed in by a system - administrator. - - The password can then be calculated from the 64 bit "cipher text" - generated in 64-bit Output Feedback Mode. As many bits as are needed - can be taken from these 64 bits and expanded into a pronounceable - word, phrase, or other format if a human being needs to remember the - password. - -7.2 X9.17 Key Generation - - The American National Standards Institute has specified a method for - generating a sequence of keys as follows: - - s is the initial 64 bit seed - 0 - - g is the sequence of generated 64 bit key quantities - n - - k is a random key reserved for generating this key sequence - - t is the time at which a key is generated to as fine a resolution - as is available (up to 64 bits). - - DES ( K, Q ) is the DES encryption of quantity Q with key K - - - - - - - - -Eastlake, Crocker & Schiller [Page 23] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - g = DES ( k, DES ( k, t ) .xor. s ) - n n - - s = DES ( k, DES ( k, t ) .xor. g ) - n+1 n - - If g sub n is to be used as a DES key, then every eighth bit should - be adjusted for parity for that use but the entire 64 bit unmodified - g should be used in calculating the next s. - -8. 
Examples of Randomness Required - - Below are two examples showing rough calculations of needed - randomness for security. The first is for moderate security - passwords while the second assumes a need for a very high security - cryptographic key. - -8.1 Password Generation - - Assume that user passwords change once a year and it is desired that - the probability that an adversary could guess the password for a - particular account be less than one in a thousand. Further assume - that sending a password to the system is the only way to try a - password. Then the crucial question is how often an adversary can - try possibilities. Assume that delays have been introduced into a - system so that, at most, an adversary can make one password try every - six seconds. That's 600 per hour or about 15,000 per day or about - 5,000,000 tries in a year. Assuming any sort of monitoring, it is - unlikely someone could actually try continuously for a year. In - fact, even if log files are only checked monthly, 500,000 tries is - more plausible before the attack is noticed and steps taken to change - passwords and make it harder to try more passwords. - - To have a one in a thousand chance of guessing the password in - 500,000 tries implies a universe of at least 500,000,000 passwords or - about 2^29. Thus 29 bits of randomness are needed. This can probably - be achieved using the US DoD recommended inputs for password - generation as it has 8 inputs which probably average over 5 bits of - randomness each (see section 7.1). Using a list of 1000 words, the - password could be expressed as a three word phrase (1,000,000,000 - possibilities) or, using case insensitive letters and digits, six - would suffice ((26+10)^6 = 2,176,782,336 possibilities). - - For a higher security password, the number of bits required goes up. - To decrease the probability by 1,000 requires increasing the universe - of passwords by the same factor which adds about 10 bits. 
Thus to - have only a one in a million chance of a password being guessed under - the above scenario would require 39 bits of randomness and a password - - - -Eastlake, Crocker & Schiller [Page 24] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - that was a four word phrase from a 1000 word list or eight - letters/digits. To go to a one in 10^9 chance, 49 bits of randomness - are needed implying a five word phrase or ten letter/digit password. - - In a real system, of course, there are also other factors. For - example, the larger and harder to remember passwords are, the more - likely users are to write them down resulting in an additional risk - of compromise. - -8.2 A Very High Security Cryptographic Key - - Assume that a very high security key is needed for symmetric - encryption / decryption between two parties. Assume an adversary can - observe communications and knows the algorithm being used. Within - the field of random possibilities, the adversary can try key values - in hopes of finding the one in use. Assume further that brute force - trial of keys is the best the adversary can do. - -8.2.1 Effort per Key Trial - - How much effort will it take to try each key? For very high security - applications it is best to assume a low value of effort. Even if it - would clearly take tens of thousands of computer cycles or more to - try a single key, there may be some pattern that enables huge blocks - of key values to be tested with much less effort per key. Thus it is - probably best to assume no more than a couple hundred cycles per key. - (There is no clear lower bound on this as computers operate in - parallel on a number of bits and a poor encryption algorithm could - allow many keys or even groups of keys to be tested in parallel. - However, we need to assume some value and can hope that a reasonably - strong algorithm has been chosen for our hypothetical high security - task.) 
- - If the adversary can command a highly parallel processor or a large - network of work stations, 2*10^10 cycles per second is probably a - minimum assumption for availability today. Looking forward just a - couple years, there should be at least an order of magnitude - improvement. Thus assuming 10^9 keys could be checked per second or - 3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is - reasonable. This implies a need for a minimum of 51 bits of - randomness in keys to be sure they cannot be found in a month. Even - then it is possible that, a few years from now, a highly determined - and resourceful adversary could break the key in 2 weeks (on average - they need try only half the keys). - - - - - - - -Eastlake, Crocker & Schiller [Page 25] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -8.2.2 Meet in the Middle Attacks - - If chosen or known plain text and the resulting encrypted text are - available, a "meet in the middle" attack is possible if the structure - of the encryption algorithm allows it. (In a known plain text - attack, the adversary knows all or part of the messages being - encrypted, possibly some standard header or trailer fields. In a - chosen plain text attack, the adversary can force some chosen plain - text to be encrypted, possibly by "leaking" an exciting text that - would then be sent by the adversary over an encrypted channel.) - - An oversimplified explanation of the meet in the middle attack is as - follows: the adversary can half-encrypt the known or chosen plain - text with all possible first half-keys, sort the output, then half- - decrypt the encoded text with all the second half-keys. If a match - is found, the full key can be assembled from the halves and used to - decrypt other parts of the message or other messages. At its best, - this type of attack can halve the exponent of the work required by - the adversary while adding a large but roughly constant factor of - effort. 
To be assured of safety against this, a doubling of the - amount of randomness in the key to a minimum of 102 bits is required. - - The meet in the middle attack assumes that the cryptographic - algorithm can be decomposed in this way but we can not rule that out - without a deep knowledge of the algorithm. Even if a basic algorithm - is not subject to a meet in the middle attack, an attempt to produce - a stronger algorithm by applying the basic algorithm twice (or two - different algorithms sequentially) with different keys may gain less - added security than would be expected. Such a composite algorithm - would be subject to a meet in the middle attack. - - Enormous resources may be required to mount a meet in the middle - attack but they are probably within the range of the national - security services of a major nation. Essentially all nations spy on - other nations government traffic and several nations are believed to - spy on commercial traffic for economic advantage. - -8.2.3 Other Considerations - - Since we have not even considered the possibilities of special - purpose code breaking hardware or just how much of a safety margin we - want beyond our assumptions above, probably a good minimum for a very - high security cryptographic key is 128 bits of randomness which - implies a minimum key length of 128 bits. If the two parties agree - on a key by Diffie-Hellman exchange [D-H], then in principle only - half of this randomness would have to be supplied by each party. - However, there is probably some correlation between their random - inputs so it is probably best to assume that each party needs to - - - -Eastlake, Crocker & Schiller [Page 26] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - provide at least 96 bits worth of randomness for very high security - if Diffie-Hellman is used. 
- - This amount of randomness is beyond the limit of that in the inputs - recommended by the US DoD for password generation and could require - user typing timing, hardware random number generation, or other - sources. - - It should be noted that key length calculations such at those above - are controversial and depend on various assumptions about the - cryptographic algorithms in use. In some cases, a professional with - a deep knowledge of code breaking techniques and of the strength of - the algorithm in use could be satisfied with less than half of the - key size derived above. - -9. Conclusion - - Generation of unguessable "random" secret quantities for security use - is an essential but difficult task. - - We have shown that hardware techniques to produce such randomness - would be relatively simple. In particular, the volume and quality - would not need to be high and existing computer hardware, such as - disk drives, can be used. Computational techniques are available to - process low quality random quantities from multiple sources or a - larger quantity of such low quality input from one source and produce - a smaller quantity of higher quality, less predictable key material. - In the absence of hardware sources of randomness, a variety of user - and software sources can frequently be used instead with care; - however, most modern systems already have hardware, such as disk - drives or audio input, that could be used to produce high quality - randomness. - - Once a sufficient quantity of high quality seed key material (a few - hundred bits) is available, strong computational techniques are - available to produce cryptographically strong sequences of - unpredicatable quantities from this seed material. - -10. Security Considerations - - The entirety of this document concerns techniques and recommendations - for generating unguessable "random" quantities for use as passwords, - cryptographic keys, and similar security uses. 
- - - - - - - - -Eastlake, Crocker & Schiller [Page 27] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -References - - [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems, - edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview - Press, Inc. - - [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM - Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub. - - [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day, - 1981, David Brillinger. - - [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber - Publishing Company. - - [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication, - John Wiley & Sons, 1981, Alan G. Konheim. - - [CRYPTO2] - Cryptography: A New Dimension in Computer Data Security, - A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H. - Meyer & Stephen M. Matyas. - - [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source - Code in C, John Wiley & Sons, 1994, Bruce Schneier. - - [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk - Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture - Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and - Philip Fenstermacher. - - [DES] - Data Encryption Standard, United States of America, - Department of Commerce, National Institute of Standards and - Technology, Federal Information Processing Standard (FIPS) 46-1. - - Data Encryption Algorithm, American National Standards Institute, - ANSI X3.92-1981. - (See also FIPS 112, Password Usage, which includes FORTRAN code for - performing DES.) - - [DES MODES] - DES Modes of Operation, United States of America, - Department of Commerce, National Institute of Standards and - Technology, Federal Information Processing Standard (FIPS) 81. - - Data Encryption Algorithm - Modes of Operation, American National - Standards Institute, ANSI X3.106-1983. 
- - [D-H] - New Directions in Cryptography, IEEE Transactions on - Information Technology, November, 1976, Whitfield Diffie and Martin - E. Hellman. - - - - -Eastlake, Crocker & Schiller [Page 28] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - [DoD] - Password Management Guideline, United States of America, - Department of Defense, Computer Security Center, CSC-STD-002-85. - (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85 - as one of its appendices.) - - [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988, - David K. Gifford - - [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical - Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing - Company, Second Edition 1982, Donald E. Knuth. - - [KRAWCZYK] - How to Predict Congruential Generators, Journal of - Algorithms, V. 13, N. 4, December 1992, H. Krawczyk - - [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B. - Kaliski - [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R. - Rivest - [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R. - Rivest - - [PEM] - RFCs 1421 through 1424: - - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part - IV: Key Certification and Related Services, 02/10/1993, B. Kaliski - - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part - III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson - - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part - II: Certificate-Based Key Management, 02/10/1993, S. Kent - - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I: - Message Encryption and Authentication Procedures, 02/10/1993, J. Linn - - [SHANNON] - The Mathematical Theory of Communication, University of - Illinois Press, 1963, Claude E. Shannon. 
(originally from: Bell - System Technical Journal, July and October 1948) - - [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised - Edition 1982, Solomon W. Golomb. - - [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher - Systems, Aegean Park Press, 1984, Wayne G. Barker. - - [SHS] - Secure Hash Standard, United States of American, National - Institute of Science and Technology, Federal Information Processing - Standard (FIPS) 180, April 1993. - - [STERN] - Secret Linear Congruential Generators are not - Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern. - - - -Eastlake, Crocker & Schiller [Page 29] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - [VON NEUMANN] - Various techniques used in connection with random - digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963, - J. von Neumann. - -Authors' Addresses - - Donald E. Eastlake 3rd - Digital Equipment Corporation - 550 King Street, LKG2-1/BB3 - Littleton, MA 01460 - - Phone: +1 508 486 6577(w) +1 508 287 4877(h) - EMail: dee@lkg.dec.com - - - Stephen D. Crocker - CyberCash Inc. - 2086 Hunters Crest Way - Vienna, VA 22181 - - Phone: +1 703-620-1222(w) +1 703-391-2651 (fax) - EMail: crocker@cybercash.com - - - Jeffrey I. Schiller - Massachusetts Institute of Technology - 77 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 253 0161(w) - EMail: jis@mit.edu - - - - - - - - - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 30] - diff --git a/crypto/heimdal/doc/standardisation/rfc1831.txt b/crypto/heimdal/doc/standardisation/rfc1831.txt deleted file mode 100644 index 0556c9e83f3b..000000000000 --- a/crypto/heimdal/doc/standardisation/rfc1831.txt +++ /dev/null 
@@ -1,1011 +0,0 @@ - - - - - - -Network Working Group R. Srinivasan -Request for Comments: 1831 Sun Microsystems -Category: Standards Track August 1995 - - - RPC: Remote Procedure Call Protocol Specification Version 2 - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -ABSTRACT - - This document describes the ONC Remote Procedure Call (ONC RPC - Version 2) protocol as it is currently deployed and accepted. "ONC" - stands for "Open Network Computing". - -TABLE OF CONTENTS - - 1. INTRODUCTION 2 - 2. TERMINOLOGY 2 - 3. THE RPC MODEL 2 - 4. TRANSPORTS AND SEMANTICS 4 - 5. BINDING AND RENDEZVOUS INDEPENDENCE 5 - 6. AUTHENTICATION 5 - 7. RPC PROTOCOL REQUIREMENTS 5 - 7.1 RPC Programs and Procedures 6 - 7.2 Authentication 7 - 7.3 Program Number Assignment 8 - 7.4 Other Uses of the RPC Protocol 8 - 7.4.1 Batching 8 - 7.4.2 Broadcast Remote Procedure Calls 8 - 8. THE RPC MESSAGE PROTOCOL 9 - 9. AUTHENTICATION PROTOCOLS 12 - 9.1 Null Authentication 13 - 10. RECORD MARKING STANDARD 13 - 11. THE RPC LANGUAGE 13 - 11.1 An Example Service Described in the RPC Language 13 - 11.2 The RPC Language Specification 14 - 11.3 Syntax Notes 15 - APPENDIX A: SYSTEM AUTHENTICATION 16 - REFERENCES 17 - Security Considerations 18 - Author's Address 18 - - - -Srinivasan Standards Track [Page 1] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -1. INTRODUCTION - - This document specifies version two of the message protocol used in - ONC Remote Procedure Call (RPC). The message protocol is specified - with the eXternal Data Representation (XDR) language [9]. This - document assumes that the reader is familiar with XDR. 
It does not - attempt to justify remote procedure calls systems or describe their - use. The paper by Birrell and Nelson [1] is recommended as an - excellent background for the remote procedure call concept. - -2. TERMINOLOGY - - This document discusses clients, calls, servers, replies, services, - programs, procedures, and versions. Each remote procedure call has - two sides: an active client side that makes the call to a server, - which sends back a reply. A network service is a collection of one - or more remote programs. A remote program implements one or more - remote procedures; the procedures, their parameters, and results are - documented in the specific program's protocol specification. A - server may support more than one version of a remote program in order - to be compatible with changing protocols. - - For example, a network file service may be composed of two programs. - One program may deal with high-level applications such as file system - access control and locking. The other may deal with low-level file - input and output and have procedures like "read" and "write". A - client of the network file service would call the procedures - associated with the two programs of the service on behalf of the - client. - - The terms client and server only apply to a particular transaction; a - particular hardware entity (host) or software entity (process or - program) could operate in both roles at different times. For - example, a program that supplies remote execution service could also - be a client of a network file service. - -3. THE RPC MODEL - - The ONC RPC protocol is based on the remote procedure call model, - which is similar to the local procedure call model. In the local - case, the caller places arguments to a procedure in some well- - specified location (such as a register window). It then transfers - control to the procedure, and eventually regains control. 
At that - point, the results of the procedure are extracted from the well- - specified location, and the caller continues execution. - - - - - - -Srinivasan Standards Track [Page 2] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - The remote procedure call model is similar. One thread of control - logically winds through two processes: the caller's process, and a - server's process. The caller process first sends a call message to - the server process and waits (blocks) for a reply message. The call - message includes the procedure's parameters, and the reply message - includes the procedure's results. Once the reply message is - received, the results of the procedure are extracted, and caller's - execution is resumed. - - On the server side, a process is dormant awaiting the arrival of a - call message. When one arrives, the server process extracts the - procedure's parameters, computes the results, sends a reply message, - and then awaits the next call message. - - In this model, only one of the two processes is active at any given - time. However, this model is only given as an example. The ONC RPC - protocol makes no restrictions on the concurrency model implemented, - and others are possible. For example, an implementation may choose - to have RPC calls be asynchronous, so that the client may do useful - work while waiting for the reply from the server. Another - possibility is to have the server create a separate task to process - an incoming call, so that the original server can be free to receive - other requests. - - There are a few important ways in which remote procedure calls differ - from local procedure calls: - - 1. Error handling: failures of the remote server or network must - be handled when using remote procedure calls. - - 2. Global variables and side-effects: since the server does not - have access to the client's address space, hidden arguments cannot - be passed as global variables or returned as side effects. - - 3. 
Performance: remote procedures usually operate one or more - orders of magnitude slower than local procedure calls. - - 4. Authentication: since remote procedure calls can be transported - over unsecured networks, authentication may be necessary. - Authentication prevents one entity from masquerading as some other - entity. - - The conclusion is that even though there are tools to automatically - generate client and server libraries for a given service, protocols - must still be designed carefully. - - - - - - -Srinivasan Standards Track [Page 3] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -4. TRANSPORTS AND SEMANTICS - - The RPC protocol can be implemented on several different transport - protocols. The RPC protocol does not care how a message is passed - from one process to another, but only with specification and - interpretation of messages. However, the application may wish to - obtain information about (and perhaps control over) the transport - layer through an interface not specified in this document. For - example, the transport protocol may impose a restriction on the - maximum size of RPC messages, or it may be stream-oriented like TCP - with no size limit. The client and server must agree on their - transport protocol choices. - - It is important to point out that RPC does not try to implement any - kind of reliability and that the application may need to be aware of - the type of transport protocol underneath RPC. If it knows it is - running on top of a reliable transport such as TCP [6], then most of - the work is already done for it. On the other hand, if it is running - on top of an unreliable transport such as UDP [7], it must implement - its own time-out, retransmission, and duplicate detection policies as - the RPC protocol does not provide these services. - - Because of transport independence, the RPC protocol does not attach - specific semantics to the remote procedures or their execution - requirements. 
Semantics can be inferred from (but should be - explicitly specified by) the underlying transport protocol. For - example, consider RPC running on top of an unreliable transport such - as UDP. If an application retransmits RPC call messages after time- - outs, and does not receive a reply, it cannot infer anything about - the number of times the procedure was executed. If it does receive a - reply, then it can infer that the procedure was executed at least - once. - - A server may wish to remember previously granted requests from a - client and not regrant them in order to insure some degree of - execute-at-most-once semantics. A server can do this by taking - advantage of the transaction ID that is packaged with every RPC - message. The main use of this transaction ID is by the client RPC - entity in matching replies to calls. However, a client application - may choose to reuse its previous transaction ID when retransmitting a - call. The server may choose to remember this ID after executing a - call and not execute calls with the same ID in order to achieve some - degree of execute-at-most-once semantics. The server is not allowed - to examine this ID in any other way except as a test for equality. - - On the other hand, if using a "reliable" transport such as TCP, the - application can infer from a reply message that the procedure was - executed exactly once, but if it receives no reply message, it cannot - - - -Srinivasan Standards Track [Page 4] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - assume that the remote procedure was not executed. Note that even if - a connection-oriented protocol like TCP is used, an application still - needs time-outs and reconnection to handle server crashes. - - There are other possibilities for transports besides datagram- or - connection-oriented protocols. For example, a request-reply protocol - such as VMTP [2] is perhaps a natural transport for RPC. 
ONC RPC - uses both TCP and UDP transport protocols. Section 10 (RECORD - MARKING STANDARD) describes the mechanism employed by ONC RPC to - utilize a connection-oriented, stream-oriented transport such as TCP. - -5. BINDING AND RENDEZVOUS INDEPENDENCE - - The act of binding a particular client to a particular service and - transport parameters is NOT part of this RPC protocol specification. - This important and necessary function is left up to some higher-level - software. - - Implementors could think of the RPC protocol as the jump-subroutine - instruction ("JSR") of a network; the loader (binder) makes JSR - useful, and the loader itself uses JSR to accomplish its task. - Likewise, the binding software makes RPC useful, possibly using RPC - to accomplish this task. - -6. AUTHENTICATION - - The RPC protocol provides the fields necessary for a client to - identify itself to a service, and vice-versa, in each call and reply - message. Security and access control mechanisms can be built on top - of this message authentication. Several different authentication - protocols can be supported. A field in the RPC header indicates - which protocol is being used. More information on specific - authentication protocols is in section 9: "Authentication Protocols". - -7. RPC PROTOCOL REQUIREMENTS - - The RPC protocol must provide for the following: - - (1) Unique specification of a procedure to be called. - (2) Provisions for matching response messages to request messages. - (3) Provisions for authenticating the caller to service and - vice-versa. - - - - - - - - - -Srinivasan Standards Track [Page 5] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - Besides these requirements, features that detect the following are - worth supporting because of protocol roll-over errors, implementation - bugs, user error, and network administration: - - (1) RPC protocol mismatches. - (2) Remote program protocol version mismatches. 
- (3) Protocol errors (such as misspecification of a procedure's - parameters). - (4) Reasons why remote authentication failed. - (5) Any other reasons why the desired procedure was not called. - -7.1 RPC Programs and Procedures - - The RPC call message has three unsigned integer fields -- remote - program number, remote program version number, and remote procedure - number -- which uniquely identify the procedure to be called. - Program numbers are administered by a central authority - (rpc@sun.com). Once implementors have a program number, they can - implement their remote program; the first implementation would most - likely have the version number 1. Because most new protocols evolve, - a version field of the call message identifies which version of the - protocol the caller is using. Version numbers enable support of both - old and new protocols through the same server process. - - The procedure number identifies the procedure to be called. These - numbers are documented in the specific program's protocol - specification. For example, a file service's protocol specification - may state that its procedure number 5 is "read" and procedure number - 12 is "write". - - Just as remote program protocols may change over several versions, - the actual RPC message protocol could also change. Therefore, the - call message also has in it the RPC version number, which is always - equal to two for the version of RPC described here. - - The reply message to a request message has enough information to - distinguish the following error conditions: - - (1) The remote implementation of RPC does not support protocol - version 2. The lowest and highest supported RPC version numbers - are returned. - - (2) The remote program is not available on the remote system. - - (3) The remote program does not support the requested version - number. The lowest and highest supported remote program version - numbers are returned. 
- - - - -Srinivasan Standards Track [Page 6] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - (4) The requested procedure number does not exist. (This is - usually a client side protocol or programming error.) - - (5) The parameters to the remote procedure appear to be garbage - from the server's point of view. (Again, this is usually caused - by a disagreement about the protocol between client and service.) - -7.2 Authentication - - Provisions for authentication of caller to service and vice-versa are - provided as a part of the RPC protocol. The call message has two - authentication fields, the credential and verifier. The reply - message has one authentication field, the response verifier. The RPC - protocol specification defines all three fields to be the following - opaque type (in the eXternal Data Representation (XDR) language [9]): - - enum auth_flavor { - AUTH_NONE = 0, - AUTH_SYS = 1, - AUTH_SHORT = 2 - /* and more to be defined */ - }; - - struct opaque_auth { - auth_flavor flavor; - opaque body<400>; - }; - - In other words, any "opaque_auth" structure is an "auth_flavor" - enumeration followed by up to 400 bytes which are opaque to - (uninterpreted by) the RPC protocol implementation. - - The interpretation and semantics of the data contained within the - authentication fields is specified by individual, independent - authentication protocol specifications. (Section 9 defines the - various authentication protocols.) - - If authentication parameters were rejected, the reply message - contains information stating why they were rejected. 
- - - - - - - - - - - - -Srinivasan Standards Track [Page 7] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -7.3 Program Number Assignment - - Program numbers are given out in groups of hexadecimal 20000000 - (decimal 536870912) according to the following chart: - - 0 - 1fffffff defined by rpc@sun.com - 20000000 - 3fffffff defined by user - 40000000 - 5fffffff transient - 60000000 - 7fffffff reserved - 80000000 - 9fffffff reserved - a0000000 - bfffffff reserved - c0000000 - dfffffff reserved - e0000000 - ffffffff reserved - - The first group is a range of numbers administered by rpc@sun.com and - should be identical for all sites. The second range is for - applications peculiar to a particular site. This range is intended - primarily for debugging new programs. When a site develops an - application that might be of general interest, that application - should be given an assigned number in the first range. Application - developers may apply for blocks of RPC program numbers in the first - range by sending electronic mail to "rpc@sun.com". The third group - is for applications that generate program numbers dynamically. The - final groups are reserved for future use, and should not be used. - -7.4 Other Uses of the RPC Protocol - - The intended use of this protocol is for calling remote procedures. - Normally, each call message is matched with a reply message. - However, the protocol itself is a message-passing protocol with which - other (non-procedure call) protocols can be implemented. - -7.4.1 Batching - - Batching is useful when a client wishes to send an arbitrarily large - sequence of call messages to a server. Batching typically uses - reliable byte stream protocols (like TCP) for its transport. In the - case of batching, the client never waits for a reply from the server, - and the server does not send replies to batch calls. 
A sequence of - batch calls is usually terminated by a legitimate remote procedure - call operation in order to flush the pipeline and get positive - acknowledgement. - -7.4.2 Broadcast Remote Procedure Calls - - In broadcast protocols, the client sends a broadcast call to the - network and waits for numerous replies. This requires the use of - packet-based protocols (like UDP) as its transport protocol. Servers - - - -Srinivasan Standards Track [Page 8] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - that support broadcast protocols usually respond only when the call - is successfully processed and are silent in the face of errors, but - this varies with the application. - - The principles of broadcast RPC also apply to multicasting - an RPC - request can be sent to a multicast address. - -8. THE RPC MESSAGE PROTOCOL - - This section defines the RPC message protocol in the XDR data - description language [9]. - - enum msg_type { - CALL = 0, - REPLY = 1 - }; - - A reply to a call message can take on two forms: The message was - either accepted or rejected. - - enum reply_stat { - MSG_ACCEPTED = 0, - MSG_DENIED = 1 - }; - - Given that a call message was accepted, the following is the status - of an attempt to call a remote procedure. 
- - enum accept_stat { - SUCCESS = 0, /* RPC executed successfully */ - PROG_UNAVAIL = 1, /* remote hasn't exported program */ - PROG_MISMATCH = 2, /* remote can't support version # */ - PROC_UNAVAIL = 3, /* program can't support procedure */ - GARBAGE_ARGS = 4, /* procedure can't decode params */ - SYSTEM_ERR = 5 /* errors like memory allocation failure */ - }; - - Reasons why a call message was rejected: - - enum reject_stat { - RPC_MISMATCH = 0, /* RPC version number != 2 */ - AUTH_ERROR = 1 /* remote can't authenticate caller */ - }; - - Why authentication failed: - - enum auth_stat { - AUTH_OK = 0, /* success */ - - - -Srinivasan Standards Track [Page 9] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - /* - * failed at remote end - */ - AUTH_BADCRED = 1, /* bad credential (seal broken) */ - AUTH_REJECTEDCRED = 2, /* client must begin new session */ - AUTH_BADVERF = 3, /* bad verifier (seal broken) */ - AUTH_REJECTEDVERF = 4, /* verifier expired or replayed */ - AUTH_TOOWEAK = 5, /* rejected for security reasons */ - /* - * failed locally - */ - AUTH_INVALIDRESP = 6, /* bogus response verifier */ - AUTH_FAILED = 7 /* reason unknown */ - }; - - The RPC message: - - All messages start with a transaction identifier, xid, followed by a - two-armed discriminated union. The union's discriminant is a - msg_type which switches to one of the two types of the message. The - xid of a REPLY message always matches that of the initiating CALL - message. NB: The xid field is only used for clients matching reply - messages with call messages or for servers detecting retransmissions; - the service side cannot treat this id as any type of sequence number. - - struct rpc_msg { - unsigned int xid; - union switch (msg_type mtype) { - case CALL: - call_body cbody; - case REPLY: - reply_body rbody; - } body; - }; - - Body of an RPC call: - - In version 2 of the RPC protocol specification, rpcvers must be equal - to 2. 
The fields prog, vers, and proc specify the remote program, - its version number, and the procedure within the remote program to be - called. After these fields are two authentication parameters: cred - (authentication credential) and verf (authentication verifier). The - two authentication parameters are followed by the parameters to the - remote procedure, which are specified by the specific program - protocol. - - The purpose of the authentication verifier is to validate the - authentication credential. Note that these two items are - - - -Srinivasan Standards Track [Page 10] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - historically separate, but are always used together as one logical - entity. - - struct call_body { - unsigned int rpcvers; /* must be equal to two (2) */ - unsigned int prog; - unsigned int vers; - unsigned int proc; - opaque_auth cred; - opaque_auth verf; - /* procedure specific parameters start here */ - }; - - Body of a reply to an RPC call: - - union reply_body switch (reply_stat stat) { - case MSG_ACCEPTED: - accepted_reply areply; - case MSG_DENIED: - rejected_reply rreply; - } reply; - - Reply to an RPC call that was accepted by the server: - - There could be an error even though the call was accepted. The first - field is an authentication verifier that the server generates in - order to validate itself to the client. It is followed by a union - whose discriminant is an enum accept_stat. The SUCCESS arm of the - union is protocol specific. The PROG_UNAVAIL, PROC_UNAVAIL, - GARBAGE_ARGS, and SYSTEM_ERR arms of the union are void. The - PROG_MISMATCH arm specifies the lowest and highest version numbers of - the remote program supported by the server. 
- - struct accepted_reply { - opaque_auth verf; - union switch (accept_stat stat) { - case SUCCESS: - opaque results[0]; - /* - * procedure-specific results start here - */ - case PROG_MISMATCH: - struct { - unsigned int low; - unsigned int high; - } mismatch_info; - default: - /* - - - -Srinivasan Standards Track [Page 11] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - * Void. Cases include PROG_UNAVAIL, PROC_UNAVAIL, - * GARBAGE_ARGS, and SYSTEM_ERR. - */ - void; - } reply_data; - }; - - Reply to an RPC call that was rejected by the server: - - The call can be rejected for two reasons: either the server is not - running a compatible version of the RPC protocol (RPC_MISMATCH), or - the server rejects the identity of the caller (AUTH_ERROR). In case - of an RPC version mismatch, the server returns the lowest and highest - supported RPC version numbers. In case of invalid authentication, - failure status is returned. - - union rejected_reply switch (reject_stat stat) { - case RPC_MISMATCH: - struct { - unsigned int low; - unsigned int high; - } mismatch_info; - case AUTH_ERROR: - auth_stat stat; - }; - -9. AUTHENTICATION PROTOCOLS - - As previously stated, authentication parameters are opaque, but - open-ended to the rest of the RPC protocol. This section defines two - standard "flavors" of authentication. Implementors are free to - invent new authentication types, with the same rules of flavor number - assignment as there is for program number assignment. The "flavor" - of a credential or verifier refers to the value of the "flavor" field - in the opaque_auth structure. Flavor numbers, like RPC program - numbers, are also administered centrally, and developers may assign - new flavor numbers by applying through electronic mail to - "rpc@sun.com". Credentials and verifiers are represented as variable - length opaque data (the "body" field in the opaque_auth structure). - - In this document, two flavors of authentication are described. 
Of - these, Null authentication (described in the next subsection) is - mandatory - it must be available in all implementations. System - authentication is described in Appendix A. It is strongly - recommended that implementors include System authentication in their - implementations. Many applications use this style of authentication, - and availability of this flavor in an implementation will enhance - interoperability. - - - -Srinivasan Standards Track [Page 12] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -9.1 Null Authentication - - Often calls must be made where the client does not care about its - identity or the server does not care who the client is. In this - case, the flavor of the RPC message's credential, verifier, and reply - verifier is "AUTH_NONE". Opaque data associated with "AUTH_NONE" is - undefined. It is recommended that the length of the opaque data be - zero. - -10. RECORD MARKING STANDARD - - When RPC messages are passed on top of a byte stream transport - protocol (like TCP), it is necessary to delimit one message from - another in order to detect and possibly recover from protocol errors. - This is called record marking (RM). One RPC message fits into one RM - record. - - A record is composed of one or more record fragments. A record - fragment is a four-byte header followed by 0 to (2**31) - 1 bytes of - fragment data. The bytes encode an unsigned binary number; as with - XDR integers, the byte order is from highest to lowest. The number - encodes two values -- a boolean which indicates whether the fragment - is the last fragment of the record (bit value 1 implies the fragment - is the last fragment) and a 31-bit unsigned binary value which is the - length in bytes of the fragment's data. The boolean value is the - highest-order bit of the header; the length is the 31 low-order bits. - (Note that this record specification is NOT in XDR standard form!) - -11. 
THE RPC LANGUAGE - - Just as there was a need to describe the XDR data-types in a formal - language, there is also need to describe the procedures that operate - on these XDR data-types in a formal language as well. The RPC - Language is an extension to the XDR language, with the addition of - "program", "procedure", and "version" declarations. The following - example is used to describe the essence of the language. - -11.1 An Example Service Described in the RPC Language - - Here is an example of the specification of a simple ping program. - - program PING_PROG { - /* - * Latest and greatest version - */ - version PING_VERS_PINGBACK { - void - PINGPROC_NULL(void) = 0; - - - -Srinivasan Standards Track [Page 13] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - /* - * Ping the client, return the round-trip time - * (in microseconds). Returns -1 if the operation - * timed out. - */ - int - PINGPROC_PINGBACK(void) = 1; - } = 2; - - /* - * Original version - */ - version PING_VERS_ORIG { - void - PINGPROC_NULL(void) = 0; - } = 1; - } = 1; - - const PING_VERS = 2; /* latest version */ - - The first version described is PING_VERS_PINGBACK with two - procedures, PINGPROC_NULL and PINGPROC_PINGBACK. PINGPROC_NULL takes - no arguments and returns no results, but it is useful for computing - round-trip times from the client to the server and back again. By - convention, procedure 0 of any RPC protocol should have the same - semantics, and never require any kind of authentication. The second - procedure is used for the client to have the server do a reverse ping - operation back to the client, and it returns the amount of time (in - microseconds) that the operation used. The next version, - PING_VERS_ORIG, is the original version of the protocol and it does - not contain PINGPROC_PINGBACK procedure. It is useful for - compatibility with old client programs, and as this program matures - it may be dropped from the protocol entirely. 
- -11.2 The RPC Language Specification - - The RPC language is identical to the XDR language defined in RFC - 1014, except for the added definition of a "program-def" described - below. - - program-def: - "program" identifier "{" - version-def - version-def * - "}" "=" constant ";" - - version-def: - "version" identifier "{" - - - -Srinivasan Standards Track [Page 14] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - - procedure-def - procedure-def * - "}" "=" constant ";" - - procedure-def: - type-specifier identifier "(" type-specifier - ("," type-specifier )* ")" "=" constant ";" - -11.3 Syntax Notes - - (1) The following keywords are added and cannot be used as - identifiers: "program" and "version"; - - (2) A version name cannot occur more than once within the scope of a - program definition. Nor can a version number occur more than once - within the scope of a program definition. - - (3) A procedure name cannot occur more than once within the scope of - a version definition. Nor can a procedure number occur more than once - within the scope of version definition. - - (4) Program identifiers are in the same name space as constant and - type identifiers. - - (5) Only unsigned constants can be assigned to programs, versions and - procedures. - - - - - - - - - - - - - - - - - - - - - - - - - -Srinivasan Standards Track [Page 15] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -APPENDIX A: SYSTEM AUTHENTICATION - - The client may wish to identify itself, for example, as it is - identified on a UNIX(tm) system. The flavor of the client credential - is "AUTH_SYS". The opaque data constituting the credential encodes - the following structure: - - struct authsys_parms { - unsigned int stamp; - string machinename<255>; - unsigned int uid; - unsigned int gid; - unsigned int gids<16>; - }; - - The "stamp" is an arbitrary ID which the caller machine may generate. 
- The "machinename" is the name of the caller's machine (like - "krypton"). The "uid" is the caller's effective user ID. The "gid" - is the caller's effective group ID. The "gids" is a counted array of - groups which contain the caller as a member. The verifier - accompanying the credential should have "AUTH_NONE" flavor value - (defined above). Note this credential is only unique within a - particular domain of machine names, uids, and gids. - - The flavor value of the verifier received in the reply message from - the server may be "AUTH_NONE" or "AUTH_SHORT". In the case of - "AUTH_SHORT", the bytes of the reply verifier's string encode an - opaque structure. This new opaque structure may now be passed to the - server instead of the original "AUTH_SYS" flavor credential. The - server may keep a cache which maps shorthand opaque structures - (passed back by way of an "AUTH_SHORT" style reply verifier) to the - original credentials of the caller. The caller can save network - bandwidth and server cpu cycles by using the shorthand credential. - - The server may flush the shorthand opaque structure at any time. If - this happens, the remote procedure call message will be rejected due - to an authentication error. The reason for the failure will be - "AUTH_REJECTEDCRED". At this point, the client may wish to try the - original "AUTH_SYS" style of credential. - - It should be noted that use of this flavor of authentication does not - guarantee any security for the users or providers of a service, in - itself. The authentication provided by this scheme can be considered - legitimate only when applications using this scheme and the network - can be secured externally, and privileged transport addresses are - used for the communicating end-points (an example of this is the use - of privileged TCP/UDP ports in Unix systems - note that not all - systems enforce privileged transport address mechanisms). 
- - - -Srinivasan Standards Track [Page 16] - -RFC 1831 Remote Procedure Call Protocol Version 2 August 1995 - - -REFERENCES - - [1] Birrell, A. D. & Nelson, B. J., "Implementing Remote Procedure - Calls", XEROX CSL-83-7, October 1983. - - [2] Cheriton, D., "VMTP: Versatile Message Transaction Protocol", - Preliminary Version 0.3, Stanford University, January 1987. - - [3] Diffie & Hellman, "New Directions in Cryptography", IEEE - Transactions on Information Theory IT-22, November 1976. - - [4] Mills, D., "Network Time Protocol", RFC 1305, UDEL, - March 1992. - - [5] National Bureau of Standards, "Data Encryption Standard", - Federal Information Processing Standards Publication 46, January - 1977. - - [6] Postel, J., "Transmission Control Protocol - DARPA Internet - Program Protocol Specification", STD 7, RFC 793, USC/Information - Sciences Institute, September 1981. - - [7] Postel, J., "User Datagram Protocol", STD 6, RFC 768, - USC/Information Sciences Institute, August 1980. - - [8] Reynolds, J., and Postel, J., "Assigned Numbers", STD 2, - RFC 1700, USC/Information Sciences Institute, October 1994. - - [9] Srinivasan, R., "XDR: External Data Representation Standard", - RFC 1832, Sun Microsystems, Inc., August 1995. - - [10] Miller, S., Neuman, C., Schiller, J., and J. Saltzer, "Section - E.2.1: Kerberos Authentication and Authorization System", - M.I.T. Project Athena, Cambridge, Massachusetts, December 21, - 1987. - - [11] Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An - Authentication Service for Open Network Systems", pp. 191-202 in - Usenix Conference Proceedings, Dallas, Texas, February 1988. - - [12] Kohl, J. and C. Neuman, "The Kerberos Network Authentication - Service (V5)", RFC 1510, Digital Equipment Corporation, - USC/Information Sciences Institute, September 1993. 
-
-
-
-
-
-
-
-
-Srinivasan Standards Track [Page 17]
-
-RFC 1831 Remote Procedure Call Protocol Version 2 August 1995
-
-
-Security Considerations
-
- Security issues are not discussed in this memo.
-
-Author's Address
-
- Raj Srinivasan
- Sun Microsystems, Inc.
- ONC Technologies
- 2550 Garcia Avenue
- M/S MTV-5-40
- Mountain View, CA 94043
- USA
-
- Phone: 415-336-2478
- Fax: 415-336-6015
- EMail: raj@eng.sun.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Srinivasan Standards Track [Page 18]
-
diff --git a/crypto/heimdal/doc/standardisation/rfc1964.txt b/crypto/heimdal/doc/standardisation/rfc1964.txt
deleted file mode 100644
index f2960b961dd6..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc1964.txt
+++ /dev/null
@@ -1,1123 +0,0 @@ - - - - - - -Network Working Group J. Linn -Request for Comments: 1964 OpenVision Technologies -Category: Standards Track June 1996 - - - The Kerberos Version 5 GSS-API Mechanism - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -ABSTRACT - - This specification defines protocols, procedures, and conventions to - be employed by peers implementing the Generic Security Service - Application Program Interface (as specified in RFCs 1508 and 1509) - when using Kerberos Version 5 technology (as specified in RFC 1510). - -ACKNOWLEDGMENTS - - Much of the material in this memo is based on working documents - drafted by John Wray of Digital Equipment Corporation and on - discussions, implementation activities, and interoperability testing - involving Marc Horowitz, Ted Ts'o, and John Wray. Particular thanks - are due to each of these individuals for their contributions towards - development and availability of GSS-API support within the Kerberos - Version 5 code base. - -1. Token Formats - - This section discusses protocol-visible characteristics of the GSS- - API mechanism to be implemented atop Kerberos V5 security technology - per RFC-1508 and RFC-1510; it defines elements of protocol for - interoperability and is independent of language bindings per RFC- - 1509. - - Tokens transferred between GSS-API peers (for security context - management and per-message protection purposes) are defined. The - data elements exchanged between a GSS-API endpoint implementation and - the Kerberos KDC are not specific to GSS-API usage and are therefore - defined within RFC-1510 rather than within this specification. 
- - - - - - -Linn Standards Track [Page 1] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - To support ongoing experimentation, testing, and evolution of the - specification, the Kerberos V5 GSS-API mechanism as defined in this - and any successor memos will be identified with the following Object - Identifier, as defined in RFC-1510, until the specification is - advanced to the level of Proposed Standard RFC: - - {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)} - - Upon advancement to the level of Proposed Standard RFC, the Kerberos - V5 GSS-API mechanism will be identified by an Object Identifier - having the value: - - {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - gssapi(2) krb5(2)} - -1.1. Context Establishment Tokens - - Per RFC-1508, Appendix B, the initial context establishment token - will be enclosed within framing as follows: - - InitialContextToken ::= - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType - -- MechType is OBJECT IDENTIFIER - -- representing "Kerberos V5" - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific; - -- ASN.1 usage within innerContextToken - -- is not required - } - - The innerContextToken of the initial context token will consist of a - Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id - (TOK_ID) field, which shall contain the value 01 00. - - The above GSS-API framing shall be applied to all tokens emitted by - the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR, - context-deletion, and per-message tokens, not just to the initial - token in a context establishment sequence. While not required by - RFC-1508, this enables implementations to perform enhanced error- - checking. 
The innerContextToken field of context establishment tokens - for the Kerberos V5 GSS-API mechanism will contain a Kerberos message - (KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID - field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP - messages and 03 00 for KRB_ERROR messages. - - - - - - -Linn Standards Track [Page 2] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -1.1.1. Initial Token - - Relevant KRB_AP_REQ syntax (from RFC-1510) is as follows: - - AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno [0] INTEGER, -- indicates Version 5 - msg-type [1] INTEGER, -- indicates KRB_AP_REQ - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData - } - - APOptions ::= BIT STRING { - reserved (0), - use-session-key (1), - mutual-required (2) - } - - Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno [0] INTEGER, -- indicates Version 5 - realm [1] Realm, - sname [2] PrincipalName, - enc-part [3] EncryptedData - } - - -- Encrypted part of ticket - EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL - } - - -- Unencrypted authenticator - Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] INTEGER, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] INTEGER, - ctime[5] KerberosTime, - - - -Linn Standards Track [Page 3] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] INTEGER OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL - } - - For purposes of this specification, the authenticator shall include - the optional sequence number, and the checksum field shall be used to - 
convey channel binding, service flags, and optional delegation - information. The checksum will have a type of 0x8003 (a value being - registered within the Kerberos protocol specification), and a value - field of at least 24 bytes in length. The length of the value field - is extended beyond 24 bytes if and only if an optional facility to - carry a Kerberos-defined KRB_CRED message for delegation purposes is - supported by an implementation and active on a context. When - delegation is active, a TGT with its FORWARDABLE flag set will be - transferred within the KRB_CRED message. - - The checksum value field's format is as follows: - - Byte Name Description - 0..3 Lgth Number of bytes in Bnd field; - Currently contains hex 10 00 00 00 - (16, represented in little-endian form) - 4..19 Bnd MD5 hash of channel bindings, taken over all non-null - components of bindings, in order of declaration. - Integer fields within channel bindings are represented - in little-endian order for the purposes of the MD5 - calculation. - 20..23 Flags Bit vector of context-establishment flags, - with values consistent with RFC-1509, p. 41: - GSS_C_DELEG_FLAG: 1 - GSS_C_MUTUAL_FLAG: 2 - GSS_C_REPLAY_FLAG: 4 - GSS_C_SEQUENCE_FLAG: 8 - GSS_C_CONF_FLAG: 16 - GSS_C_INTEG_FLAG: 32 - The resulting bit vector is encoded into bytes 20..23 - in little-endian form. - 24..25 DlgOpt The Delegation Option identifier (=1) [optional] - 26..27 Dlgth The length of the Deleg field. [optional] - 28..n Deleg A KRB_CRED message (n = Dlgth + 29) [optional] - - In computing the contents of the "Bnd" field, the following detailed - points apply: - - (1) Each integer field shall be formatted into four bytes, using - little-endian byte ordering, for purposes of MD5 hash - computation. 
- - - -Linn Standards Track [Page 4] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - (2) All input length fields within gss_buffer_desc elements of a - gss_channel_bindings_struct, even those which are zero-valued, - shall be included in the hash calculation; the value elements of - gss_buffer_desc elements shall be dereferenced, and the - resulting data shall be included within the hash computation, - only for the case of gss_buffer_desc elements having non-zero - length specifiers. - - (3) If the caller passes the value GSS_C_NO_BINDINGS instead of - a valid channel bindings structure, the Bnd field shall be set - to 16 zero-valued bytes. - - In the initial Kerberos V5 GSS-API mechanism token (KRB_AP_REQ token) - from initiator to target, the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG, - GSS_C_REPLAY_FLAG, and GSS_C_SEQUENCE_FLAG values shall each be set - as the logical AND of the initiator's corresponding request flag to - GSS_Init_sec_context() and a Boolean indicator of whether that - optional service is available to GSS_Init_sec_context()'s caller. - GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG, for which no corresponding - context-level input indicator flags to GSS_Init_sec_context() exist, - shall each be set to indicate whether their respective per-message - protection services are available for use on the context being - established. - - When input source address channel binding values are provided by a - caller (i.e., unless the input argument is GSS_C_NO_BINDINGS or the - source address specifier value within the input structure is - GSS_C_NULL_ADDRTYPE), and the corresponding token received from the - context's peer bears address restrictions, it is recommended that an - implementation of the Kerberos V5 GSS-API mechanism should check that - the source address as provided by the caller matches that in the - received token, and should return the GSS_S_BAD_BINDINGS major_status - value if a mismatch is detected. 
Note: discussion is ongoing about - the strength of recommendation to be made in this area, and on the - circumstances under which such a recommendation should be applicable; - implementors are therefore advised that changes on this matter may be - included in subsequent versions of this specification. - -1.1.2. Response Tokens - - A context establishment sequence based on the Kerberos V5 mechanism - will perform one-way authentication (without confirmation or any - return token from target to initiator in response to the initiator's - KRB_AP_REQ) if the mutual_req bit is not set in the application's - call to GSS_Init_sec_context(). Applications requiring confirmation - that their authentication was successful should request mutual - authentication, resulting in a "mutual-required" indication within - KRB_AP_REQ APoptions and the setting of the mutual_req bit in the - - - -Linn Standards Track [Page 5] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - flags field of the authenticator checksum. In response to such a - request, the context target will reply to the initiator with a token - containing either a KRB_AP_REP or KRB_ERROR, completing the mutual - context establishment exchange. - - Relevant KRB_AP_REP syntax is as follows: - - AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno [0] INTEGER, -- represents Kerberos V5 - msg-type [1] INTEGER, -- represents KRB_AP_REP - enc-part [2] EncryptedData - } - - EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime [0] KerberosTime, - cusec [1] INTEGER, - subkey [2] EncryptionKey OPTIONAL, - seq-number [3] INTEGER OPTIONAL - } - - The optional seq-number element within the AP-REP's EncAPRepPart - shall be included. 
- - The syntax of KRB_ERROR is as follows: - - KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] INTEGER, - msg-type[1] INTEGER, - ctime[2] KerberosTime OPTIONAL, - cusec[3] INTEGER OPTIONAL, - stime[4] KerberosTime, - susec[5] INTEGER, - error-code[6] INTEGER, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL - } - - Values to be transferred in the error-code field of a KRB-ERROR - message are defined in [RFC-1510], not in this specification. - - - - - - - - -Linn Standards Track [Page 6] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -1.2. Per-Message and Context Deletion Tokens - - Three classes of tokens are defined in this section: "MIC" tokens, - emitted by calls to GSS_GetMIC() (formerly GSS_Sign()) and consumed - by calls to GSS_VerifyMIC() (formerly GSS_Verify()), "Wrap" tokens, - emitted by calls to GSS_Wrap() (formerly GSS_Seal()) and consumed by - calls to GSS_Unwrap() (formerly GSS_Unseal()), and context deletion - tokens, emitted by calls to GSS_Delete_sec_context() and consumed by - calls to GSS_Process_context_token(). Note: References to GSS-API - per-message routines in the remainder of this specification will be - based on those routines' newer recommended names rather than those - names' predecessors. - - Several variants of cryptographic keys are used in generation and - processing of per-message tokens: - - (1) context key: uses Kerberos session key (or subkey, if - present in authenticator emitted by context initiator) directly - - (2) confidentiality key: forms variant of context key by - exclusive-OR with the hexadecimal constant f0f0f0f0f0f0f0f0. - - (3) MD2.5 seed key: forms variant of context key by reversing - the bytes of the context key (i.e. 
if the original key is the - 8-byte sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the seed key - will be {hh, gg, ff, ee, dd, cc, bb, aa}). - -1.2.1. Per-message Tokens - MIC - -Use of the GSS_GetMIC() call yields a token, separate from the user -data being protected, which can be used to verify the integrity of -that data as received. The token has the following format: - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by GSS_GetMIC() contain - the hex value 01 01 in this field. - 2..3 SGN_ALG Integrity algorithm indicator. - 00 00 - DES MAC MD5 - 01 00 - MD2.5 - 02 00 - DES MAC - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..23 SGN_CKSUM Checksum of "to-be-signed data", - calculated according to algorithm - specified in SGN_ALG field. - - - - - -Linn Standards Track [Page 7] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - GSS-API tokens must be encapsulated within the higher-level protocol - by the application; no embedded length field is necessary. - -1.2.1.1. Checksum - - Checksum calculation procedure (common to all algorithms): Checksums - are calculated over the data field, logically prepended by the first - 8 bytes of the plaintext packet header. The resulting value binds - the data to the packet type and signature algorithm identifier - fields. - - DES MAC MD5 algorithm: The checksum is formed by computing an MD5 - [RFC-1321] hash over the plaintext data, and then computing a DES-CBC - MAC on the 16-byte MD5 result. A standard 64-bit DES-CBC MAC is - computed per [FIPS-PUB-113], employing the context key and a zero IV. - The 8-byte result is stored in the SGN_CKSUM field. - - MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a - 16-byte zero-block, using a zero IV and a key formed by reversing the - bytes of the context key (i.e. if the original key is the 8-byte - sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be - {hh, gg, ff, ee, dd, cc, bb, aa}). 
The resulting 16-byte value is - logically prepended to the to-be-signed data. A standard MD5 - checksum is calculated over the combined data, and the first 8 bytes - of the result are stored in the SGN_CKSUM field. Note 1: we refer to - this algorithm informally as "MD2.5" to connote the fact that it uses - half of the 128 bits generated by MD5; use of only a subset of the - MD5 bits is intended to protect against the prospect that data could - be postfixed to an existing message with corresponding modifications - being made to the checksum. Note 2: This algorithm is fairly novel - and has received more limited evaluation than that to which other - integrity algorithms have been subjected. An initial, limited - evaluation indicates that it may be significantly weaker than DES MAC - MD5. - - DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the - plaintext data per [FIPS-PUB-113], employing the context key and a - zero IV. Padding procedures to accomodate plaintext data lengths - which may not be integral multiples of 8 bytes are defined in [FIPS- - PUB-113]. The result is an 8-byte value, which is stored in the - SGN_CKSUM field. Support for this algorithm may not be present in - all implementations. - -1.2.1.2. Sequence Number - - Sequence number field: The 8 byte plaintext sequence number field is - formed from the sender's four-byte sequence number as follows. If - the four bytes of the sender's sequence number are named s0, s1, s2 - - - -Linn Standards Track [Page 8] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - and s3 (from least to most significant), the plaintext sequence - number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di, - di), where 'di' is the direction-indicator (Hex 0 - sender is the - context initiator, Hex FF - sender is the context acceptor). The - field is then DES-CBC encrypted using the context key and an IV - formed from the first 8 bytes of the previously calculated SGN_CKSUM - field. 
After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's - sequence number is incremented by one. - - The receiver of the token will first verify the SGN_CKSUM field. If - valid, the sequence number field may be decrypted and compared to the - expected sequence number. The repetition of the (effectively 1-bit) - direction indicator within the sequence number field provides - redundancy so that the receiver may verify that the decryption - succeeded. - - Since the checksum computation is used as an IV to the sequence - number decryption, attempts to splice a checksum and sequence number - from different messages will be detected. The direction indicator - will detect packets that have been maliciously reflected. - - The sequence number provides a basis for detection of replayed - tokens. Replay detection can be performed using state information - retained on received sequence numbers, interpreted in conjunction - with the security context on which they arrive. - - Provision of per-message replay and out-of-sequence detection - services is optional for implementations of the Kerberos V5 GSS-API - mechanism. Further, it is recommended that implementations of the - Kerberos V5 GSS-API mechanism which offer these services should honor - a caller's request that the services be disabled on a context. - Specifically, if replay_det_req_flag is input FALSE, replay_det_state - should be returned FALSE and the GSS_DUPLICATE_TOKEN and - GSS_OLD_TOKEN stati should not be indicated as a result of duplicate - detection when tokens are processed; if sequence_req_flag is input - FALSE, sequence_state should be returned FALSE and - GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN stati should - not be indicated as a result of out-of-sequence detection when tokens - are processed. - -1.2.2. 
Per-message Tokens - Wrap - - Use of the GSS_Wrap() call yields a token which encapsulates the - input user data (optionally encrypted) along with associated - integrity check quantities. The token emitted by GSS_Wrap() consists - of an integrity header whose format is identical to that emitted by - GSS_GetMIC() (except that the TOK_ID field contains the value 02 01), - followed by a body portion that contains either the plaintext data - - - -Linn Standards Track [Page 9] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - (if SEAL_ALG = ff ff) or encrypted data for any other supported value - of SEAL_ALG. Currently, only SEAL_ALG = 00 00 is supported, and - means that DES-CBC encryption is being used to protect the data. - - The GSS_Wrap() token has the following format: - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by GSS_Wrap() contain - the hex value 02 01 in this field. - 2..3 SGN_ALG Checksum algorithm indicator. - 00 00 - DES MAC MD5 - 01 00 - MD2.5 - 02 00 - DES MAC - 4..5 SEAL_ALG ff ff - none - 00 00 - DES - 6..7 Filler Contains ff ff - 8..15 SND_SEQ Encrypted sequence number field. - 16..23 SGN_CKSUM Checksum of plaintext padded data, - calculated according to algorithm - specified in SGN_ALG field. - 24..last Data encrypted or plaintext padded data - - GSS-API tokens must be encapsulated within the higher-level protocol - by the application; no embedded length field is necessary. - -1.2.2.1. Checksum - - Checksum calculation procedure (common to all algorithms): Checksums - are calculated over the plaintext padded data field, logically - prepended by the first 8 bytes of the plaintext packet header. The - resulting signature binds the data to the packet type, protocol - version, and signature algorithm identifier fields. - - DES MAC MD5 algorithm: The checksum is formed by computing an MD5 - hash over the plaintext padded data, and then computing a DES-CBC MAC - on the 16-byte MD5 result. 
A standard 64-bit DES-CBC MAC is computed - per [FIPS-PUB-113], employing the context key and a zero IV. The 8- - byte result is stored in the SGN_CKSUM field. - - MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a - 16-byte zero-block, using a zero IV and a key formed by reversing the - bytes of the context key (i.e., if the original key is the 8-byte - sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be - {hh, gg, ff, ee, dd, cc, bb, aa}). The resulting 16-byte value is - logically pre-pended to the "to-be-signed data". A standard MD5 - checksum is calculated over the combined data, and the first 8 bytes - of the result are stored in the SGN_CKSUM field. - - - -Linn Standards Track [Page 10] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the - plaintext padded data per [FIPS-PUB-113], employing the context key - and a zero IV. The plaintext padded data is already assured to be an - integral multiple of 8 bytes; no additional padding is required or - applied in order to accomplish MAC calculation. The result is an 8- - byte value, which is stored in the SGN_CKSUM field. Support for this - lgorithm may not be present in all implementations. - -1.2.2.2. Sequence Number - - Sequence number field: The 8 byte plaintext sequence number field is - formed from the sender's four-byte sequence number as follows. If - the four bytes of the sender's sequence number are named s0, s1, s2 - and s3 (from least to most significant), the plaintext sequence - number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di, - di), where 'di' is the direction-indicator (Hex 0 - sender is the - context initiator, Hex FF - sender is the context acceptor). - - The field is then DES-CBC encrypted using the context key and an IV - formed from the first 8 bytes of the SEAL_CKSUM field. 
- - After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's - sequence numbers are incremented by one. - -1.2.2.3. Padding - - Data padding: Before encryption and/or signature calculation, - plaintext data is padded to the next highest multiple of 8 bytes, by - appending between 1 and 8 bytes, the value of each such byte being - the total number of pad bytes. For example, given data of length 20 - bytes, four pad bytes will be appended, and each byte will contain - the hex value 04. An 8-byte random confounder is prepended to the - data, and signatures are calculated over the resulting padded - plaintext. - - After padding, the data is encrypted according to the algorithm - specified in the SEAL_ALG field. For SEAL_ALG=DES (the only non-null - algorithm currently supported), the data is encrypted using DES-CBC, - with an IV of zero. The key used is derived from the established - context key by XOR-ing the context key with the hexadecimal constant - f0f0f0f0f0f0f0f0. - -1.2.3. Context deletion token - - The token emitted by GSS_Delete_sec_context() is based on the packet - format for tokens emitted by GSS_GetMIC(). The context-deletion - token has the following format: - - - - -Linn Standards Track [Page 11] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - Byte no Name Description - 0..1 TOK_ID Identification field. - Tokens emitted by - GSS_Delete_sec_context() contain - the hex value 01 02 in this field. - 2..3 SGN_ALG Integrity algorithm indicator. - 00 00 - DES MAC MD5 - 01 00 - MD2.5 - 02 00 - DES MAC - 4..7 Filler Contains ff ff ff ff - 8..15 SND_SEQ Sequence number field. - 16..23 SGN_CKSUM Checksum of "to-be-signed data", - calculated according to algorithm - specified in SGN_ALG field. - - SGN_ALG and SND_SEQ will be calculated as for tokens emitted by - GSS_GetMIC(). The SGN_CKSUM will be calculated as for tokens emitted - by GSS_GetMIC(), except that the user-data component of the "to-be- - signed" data will be a zero-length string. - -2. 
Name Types and Object Identifiers - - This section discusses the name types which may be passed as input to - the Kerberos V5 GSS-API mechanism's GSS_Import_name() call, and their - associated identifier values. It defines interface elements in - support of portability, and assumes use of C language bindings per - RFC-1509. In addition to specifying OID values for name type - identifiers, symbolic names are included and recommended to GSS-API - implementors in the interests of convenience to callers. It is - understood that not all implementations of the Kerberos V5 GSS-API - mechanism need support all name types in this list, and that - additional name forms will likely be added to this list over time. - Further, the definitions of some or all name types may later migrate - to other, mechanism-independent, specifications. The occurrence of a - name type in this specification is specifically not intended to - suggest that the type may be supported only by an implementation of - the Kerberos V5 mechanism. In particular, the occurrence of the - string "_KRB5_" in the symbolic name strings constitutes a means to - unambiguously register the name strings, avoiding collision with - other documents; it is not meant to limit the name types' usage or - applicability. - - For purposes of clarification to GSS-API implementors, this section's - discussion of some name forms describes means through which those - forms can be supported with existing Kerberos technology. These - discussions are not intended to preclude alternative implementation - strategies for support of the name forms within Kerberos mechanisms - or mechanisms based on other technologies. To enhance application - - - -Linn Standards Track [Page 12] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - portability, implementors of mechanisms are encouraged to support - name forms as defined in this section, even if their mechanisms are - independent of Kerberos V5. - -2.1. 
Mandatory Name Forms - - This section discusses name forms which are to be supported by all - conformant implementations of the Kerberos V5 GSS-API mechanism. - -2.1.1. Kerberos Principal Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - krb5(2) krb5_name(1)}. The recommended symbolic name for this type - is "GSS_KRB5_NT_PRINCIPAL_NAME". - - This name type corresponds to the single-string representation of a - Kerberos name. (Within the MIT Kerberos V5 implementation, such - names are parseable with the krb5_parse_name() function.) The - elements included within this name representation are as follows, - proceeding from the beginning of the string: - - (1) One or more principal name components; if more than one - principal name component is included, the components are - separated by `/`. Arbitrary octets may be included within - principal name components, with the following constraints and - special considerations: - - (1a) Any occurrence of the characters `@` or `/` within a - name component must be immediately preceded by the `\` - quoting character, to prevent interpretation as a component - or realm separator. - - (1b) The ASCII newline, tab, backspace, and null characters - may occur directly within the component or may be - represented, respectively, by `\n`, `\t`, `\b`, or `\0`. - - (1c) If the `\` quoting character occurs outside the contexts - described in (1a) and (1b) above, the following character is - interpreted literally. As a special case, this allows the - doubled representation `\\` to represent a single occurrence - of the quoting character. - - (1d) An occurrence of the `\` quoting character as the last - character of a component is illegal. - - - - - - -Linn Standards Track [Page 13] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - (2) Optionally, a `@` character, signifying that a realm name - immediately follows. 
If no realm name element is included, the - local realm name is assumed. The `/` , `:`, and null characters - may not occur within a realm name; the `@`, newline, tab, and - backspace characters may be included using the quoting - conventions described in (1a), (1b), and (1c) above. - -2.1.2. Host-Based Service Name Form - - This name form has been incorporated at the mechanism-independent - GSS-API level as of GSS-API, Version 2. This subsection retains the - Object Identifier and symbolic name assignments previously made at - the Kerberos V5 GSS-API mechanism level, and adopts the definition as - promoted to the mechanism-independent level. - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) service_name(4)}. The previously recommended symbolic - name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The - currently preferred symbolic name for this type is - "GSS_C_NT_HOSTBASED_SERVICE". - - This name type is used to represent services associated with host - computers. This name form is constructed using two elements, - "service" and "hostname", as follows: - - service@hostname - - When a reference to a name of this type is resolved, the "hostname" - is canonicalized by attempting a DNS lookup and using the fully- - qualified domain name which is returned, or by using the "hostname" - as provided if the DNS lookup fails. The canonicalization operation - also maps the host's name into lower-case characters. - - The "hostname" element may be omitted. If no "@" separator is - included, the entire name is interpreted as the service specifier, - with the "hostname" defaulted to the canonicalized name of the local - host. - - Values for the "service" element will be registered with the IANA. - -2.1.3. 
Exported Name Object Form for Kerberos V5 Mechanism - - Support for this name form is not required for GSS-V1 - implementations, but will be required for use in conjunction with the - GSS_Export_name() call planned for GSS-API Version 2. Use of this - name form will be signified by a "GSS-API Exported Name Object" OID - value which will be defined at the mechanism-independent level for - - - -Linn Standards Track [Page 14] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - GSS-API Version 2. - - This name type represents a self-describing object, whose framing - structure will be defined at the mechanism-independent level for - GSS-API Version 2. When generated by the Kerberos V5 mechanism, the - Mechanism OID within the exportable name shall be that of the - Kerberos V5 mechanism. The name component within the exportable name - shall be a contiguous string with structure as defined for the - Kerberos Principal Name Form. - - In order to achieve a distinguished encoding for comparison purposes, - the following additional constraints are imposed on the export - operation: - - (1) all occurrences of the characters `@`, `/`, and `\` within - principal components or realm names shall be quoted with an - immediately-preceding `\`. - - (2) all occurrences of the null, backspace, tab, or newline - characters within principal components or realm names will be - represented, respectively, with `\0`, `\b`, `\t`, or `\n`. - - (3) the `\` quoting character shall not be emitted within an - exported name except to accomodate cases (1) and (2). - -2.2. Optional Name Forms - - This section discusses additional name forms which may optionally be - supported by implementations of the Kerberos V5 GSS-API mechanism. - It is recognized that some of the name forms cited here are derived - from UNIX(tm) operating system platforms; some listed forms may be - irrelevant to non-UNIX platforms, and definition of additional forms - corresponding to such platforms may also be appropriate. 
It is also - recognized that OS-specific functions outside GSS-API are likely to - exist in order to perform translations among these forms, and that - GSS-API implementations supporting these forms may themselves be - layered atop such OS-specific functions. Inclusion of this support - within GSS-API implementations is intended as a convenience to - applications. - -2.2.1. User Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) user_name(1)}. The recommended symbolic name for this - type is "GSS_KRB5_NT_USER_NAME". - - This name type is used to indicate a named user on a local system. - - - -Linn Standards Track [Page 15] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - Its interpretation is OS-specific. This name form is constructed as: - - username - - Assuming that users' principal names are the same as their local - operating system names, an implementation of GSS_Import_name() based - on Kerberos V5 technology can process names of this form by - postfixing an "@" sign and the name of the local realm. - -2.2.2. Machine UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) machine_uid_name(2)}. The recommended symbolic name for - this type is "GSS_KRB5_NT_MACHINE_UID_NAME". - - This name type is used to indicate a numeric user identifier - corresponding to a user on a local system. Its interpretation is - OS-specific. The gss_buffer_desc representing a name of this type - should contain a locally-significant uid_t, represented in host byte - order. The GSS_Import_name() operation resolves this uid into a - username, which is then treated as the User Name Form. - -2.2.3. 
String UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) string_uid_name(3)}. The recommended symbolic name for - this type is "GSS_KRB5_NT_STRING_UID_NAME". - - This name type is used to indicate a string of digits representing - the numeric user identifier of a user on a local system. Its - interpretation is OS-specific. This name type is similar to the - Machine UID Form, except that the buffer contains a string - representing the uid_t. - -3. Credentials Management - - The Kerberos V5 protocol uses different credentials (in the GSSAPI - sense) for initiating and accepting security contexts. Normal - clients receive a ticket-granting ticket (TGT) and an associated - session key at "login" time; the pair of a TGT and its corresponding - session key forms a credential which is suitable for initiating - security contexts. A ticket-granting ticket, its session key, and - any other (ticket, key) pairs obtained through use of the ticket- - granting-ticket, are typically stored in a Kerberos V5 credentials - cache, sometimes known as a ticket file. - - - - -Linn Standards Track [Page 16] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - The encryption key used by the Kerberos server to seal tickets for a - particular application service forms the credentials suitable for - accepting security contexts. These service keys are typically stored - in a Kerberos V5 key table, or srvtab file. In addition to their use - as accepting credentials, these service keys may also be used to - obtain initiating credentials for their service principal. - - The Kerberos V5 mechanism's credential handle may contain references - to either or both types of credentials. It is a local matter how the - Kerberos V5 mechanism implementation finds the appropriate Kerberos - V5 credentials cache or key table. 
- - However, when the Kerberos V5 mechanism attempts to obtain initiating - credentials for a service principal which are not available in a - credentials cache, and the key for that service principal is - available in a Kerberos V5 key table, the mechanism should use the - service key to obtain initiating credentials for that service. This - should be accomplished by requesting a ticket-granting-ticket from - the Kerberos Key Distribution Center (KDC), and decrypting the KDC's - reply using the service key. - -4. Parameter Definitions - - This section defines parameter values used by the Kerberos V5 GSS-API - mechanism. It defines interface elements in support of portability, - and assumes use of C language bindings per RFC-1509. - -4.1. Minor Status Codes - - This section recommends common symbolic names for minor_status values - to be returned by the Kerberos V5 GSS-API mechanism. Use of these - definitions will enable independent implementors to enhance - application portability across different implementations of the - mechanism defined in this specification. (In all cases, - implementations of GSS_Display_status() will enable callers to - convert minor_status indicators to text representations.) Each - implementation should make available, through include files or other - means, a facility to translate these symbolic names into the concrete - values which a particular GSS-API implementation uses to represent - the minor_status values specified in this section. - - It is recognized that this list may grow over time, and that the need - for additional minor_status codes specific to particular - implementations may arise. It is recommended, however, that - implementations should return a minor_status value as defined on a - mechanism-wide basis within this section when that code is accurately - representative of reportable status rather than using a separate, - implementation-defined code. 
- - - -Linn Standards Track [Page 17] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -4.1.1. Non-Kerberos-specific codes - - GSS_KRB5_S_G_BAD_SERVICE_NAME - /* "No @ in SERVICE-NAME name string" */ - GSS_KRB5_S_G_BAD_STRING_UID - /* "STRING-UID-NAME contains nondigits" */ - GSS_KRB5_S_G_NOUSER - /* "UID does not resolve to username" */ - GSS_KRB5_S_G_VALIDATE_FAILED - /* "Validation error" */ - GSS_KRB5_S_G_BUFFER_ALLOC - /* "Couldn't allocate gss_buffer_t data" */ - GSS_KRB5_S_G_BAD_MSG_CTX - /* "Message context invalid" */ - GSS_KRB5_S_G_WRONG_SIZE - /* "Buffer is the wrong size" */ - GSS_KRB5_S_G_BAD_USAGE - /* "Credential usage type is unknown" */ - GSS_KRB5_S_G_UNKNOWN_QOP - /* "Unknown quality of protection specified" */ - -4.1.2. Kerberos-specific-codes - - GSS_KRB5_S_KG_CCACHE_NOMATCH - /* "Principal in credential cache does not match desired name" */ - GSS_KRB5_S_KG_KEYTAB_NOMATCH - /* "No principal in keytab matches desired name" */ - GSS_KRB5_S_KG_TGT_MISSING - /* "Credential cache has no TGT" */ - GSS_KRB5_S_KG_NO_SUBKEY - /* "Authenticator has no subkey" */ - GSS_KRB5_S_KG_CONTEXT_ESTABLISHED - /* "Context is already fully established" */ - GSS_KRB5_S_KG_BAD_SIGN_TYPE - /* "Unknown signature type in token" */ - GSS_KRB5_S_KG_BAD_LENGTH - /* "Invalid field length in token" */ - GSS_KRB5_S_KG_CTX_INCOMPLETE - /* "Attempt to use incomplete security context" */ - -4.2. Quality of Protection Values - - This section defines Quality of Protection (QOP) values to be used - with the Kerberos V5 GSS-API mechanism as input to GSS_Wrap() and - GSS_GetMIC() routines in order to select among alternate integrity - and confidentiality algorithms. Additional QOP values may be added in - future versions of this specification. 
Non-overlapping bit positions - are and will be employed in order that both integrity and - - - -Linn Standards Track [Page 18] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - - confidentiality QOP may be selected within a single parameter, via - inclusive-OR of the specified integrity and confidentiality values. - -4.2.1. Integrity Algorithms - - The following Quality of Protection (QOP) values are currently - defined for the Kerberos V5 GSS-API mechanism, and are used to select - among alternate integrity checking algorithms. - - GSS_KRB5_INTEG_C_QOP_MD5 (numeric value: 1) - /* Integrity using partial MD5 ("MD2.5") of plaintext */ - - GSS_KRB5_INTEG_C_QOP_DES_MD5 (numeric value: 2) - /* Integrity using DES MAC of MD5 of plaintext */ - - GSS_KRB5_INTEG_C_QOP_DES_MAC (numeric value: 3) - /* Integrity using DES MAC of plaintext */ - -4.2.2. Confidentiality Algorithms - - Only one confidentiality QOP value is currently defined for the - Kerberos V5 GSS-API mechanism: - - GSS_KRB5_CONF_C_QOP_DES (numeric value: 0) - /* Confidentiality with DES */ - - Note: confidentiality QOP should be indicated only by GSS-API calls - capable of providing confidentiality services. If non-zero - confidentiality QOP values are defined in future to represent - different algorithms, therefore, the bit positions containing those - values should be cleared before being returned by implementations of - GSS_GetMIC() and GSS_VerifyMIC(). - -4.3. Buffer Sizes - - All implementations of this specification shall be capable of - accepting buffers of at least 16 Kbytes as input to GSS_GetMIC(), - GSS_VerifyMIC(), and GSS_Wrap(), and shall be capable of accepting - the output_token generated by GSS_Wrap() for a 16 Kbyte input buffer - as input to GSS_Unwrap(). Support for larger buffer sizes is optional - but recommended. - - - - - - - - - - -Linn Standards Track [Page 19] - -RFC 1964 Kerberos Version 5 GSS-API June 1996 - - -5. 
Security Considerations
-
- Security issues are discussed throughout this memo.
-
-6. References
-
-
- [RFC-1321]: Rivest, R., "The MD5 Message-Digest Algorithm", RFC
- 1321, April 1992.
-
- [RFC-1508]: Linn, J., "Generic Security Service Application Program
- Interface", RFC 1508, September 1993.
-
- [RFC-1509]: Wray, J., "Generic Security Service Application Program
- Interface: C-bindings", RFC 1509, September 1993.
-
- [RFC-1510]: Kohl, J., and C. Neuman, "The Kerberos Network
- Authentication Service (V5)", RFC 1510, September 1993.
-
- [FIPS-PUB-113]: National Bureau of Standards, Federal Information
- Processing Standard 113, "Computer Data Authentication", May 1985.
-
-AUTHOR'S ADDRESS
-
- John Linn
- OpenVision Technologies
- One Main St.
- Cambridge, MA 02142 USA
-
- Phone: +1 617.374.2245
- EMail: John.Linn@ov.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 20]
-
diff --git a/crypto/heimdal/doc/standardisation/rfc2078.txt b/crypto/heimdal/doc/standardisation/rfc2078.txt
deleted file mode 100644
index 1dd1e4aebd2d..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc2078.txt
+++ /dev/null
@@ -1,4763 +0,0 @@ - - - - - - -Network Working Group J. Linn -Request for Comments: 2078 OpenVision Technologies -Category: Standards Track January 1997 -Obsoletes: 1508 - - - Generic Security Service Application Program Interface, Version 2 - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Abstract - - The Generic Security Service Application Program Interface (GSS-API), - as defined in RFC-1508, provides security services to callers in a - generic fashion, supportable with a range of underlying mechanisms - and technologies and hence allowing source-level portability of - applications to different environments. This specification defines - GSS-API services and primitives at a level independent of underlying - mechanism and programming language environment, and is to be - complemented by other, related specifications: - - documents defining specific parameter bindings for particular - language environments - - documents defining token formats, protocols, and procedures to be - implemented in order to realize GSS-API services atop particular - security mechanisms - - This memo revises RFC-1508, making specific, incremental changes in - response to implementation experience and liaison requests. It is - intended, therefore, that this memo or a successor version thereto - will become the basis for subsequent progression of the GSS-API - specification on the standards track. - -Table of Contents - - 1: GSS-API Characteristics and Concepts.......................... 3 - 1.1: GSS-API Constructs.......................................... 6 - 1.1.1: Credentials.............................................. 
6 - 1.1.1.1: Credential Constructs and Concepts...................... 6 - 1.1.1.2: Credential Management................................... 7 - 1.1.1.3: Default Credential Resolution........................... 8 - - - -Linn Standards Track [Page 1] - -RFC 2078 GSS-API January 1997 - - - 1.1.2: Tokens.................................................... 9 - 1.1.3: Security Contexts........................................ 10 - 1.1.4: Mechanism Types.......................................... 11 - 1.1.5: Naming................................................... 12 - 1.1.6: Channel Bindings......................................... 14 - 1.2: GSS-API Features and Issues................................ 15 - 1.2.1: Status Reporting......................................... 15 - 1.2.2: Per-Message Security Service Availability................. 17 - 1.2.3: Per-Message Replay Detection and Sequencing............... 18 - 1.2.4: Quality of Protection.................................... 20 - 1.2.5: Anonymity Support......................................... 21 - 1.2.6: Initialization............................................ 22 - 1.2.7: Per-Message Protection During Context Establishment....... 22 - 1.2.8: Implementation Robustness................................. 23 - 2: Interface Descriptions....................................... 23 - 2.1: Credential management calls................................ 25 - 2.1.1: GSS_Acquire_cred call.................................... 26 - 2.1.2: GSS_Release_cred call.................................... 28 - 2.1.3: GSS_Inquire_cred call.................................... 29 - 2.1.4: GSS_Add_cred call........................................ 31 - 2.1.5: GSS_Inquire_cred_by_mech call............................ 33 - 2.2: Context-level calls........................................ 34 - 2.2.1: GSS_Init_sec_context call................................ 34 - 2.2.2: GSS_Accept_sec_context call.............................. 
40 - 2.2.3: GSS_Delete_sec_context call.............................. 44 - 2.2.4: GSS_Process_context_token call........................... 46 - 2.2.5: GSS_Context_time call.................................... 47 - 2.2.6: GSS_Inquire_context call................................. 47 - 2.2.7: GSS_Wrap_size_limit call................................. 49 - 2.2.8: GSS_Export_sec_context call.............................. 50 - 2.2.9: GSS_Import_sec_context call.............................. 52 - 2.3: Per-message calls.......................................... 53 - 2.3.1: GSS_GetMIC call.......................................... 54 - 2.3.2: GSS_VerifyMIC call....................................... 55 - 2.3.3: GSS_Wrap call............................................ 56 - 2.3.4: GSS_Unwrap call.......................................... 58 - 2.4: Support calls.............................................. 59 - 2.4.1: GSS_Display_status call.................................. 60 - 2.4.2: GSS_Indicate_mechs call.................................. 60 - 2.4.3: GSS_Compare_name call.................................... 61 - 2.4.4: GSS_Display_name call.................................... 62 - 2.4.5: GSS_Import_name call..................................... 63 - 2.4.6: GSS_Release_name call.................................... 64 - 2.4.7: GSS_Release_buffer call.................................. 65 - 2.4.8: GSS_Release_OID_set call................................. 65 - 2.4.9: GSS_Create_empty_OID_set call............................ 66 - 2.4.10: GSS_Add_OID_set_member call.............................. 67 - 2.4.11: GSS_Test_OID_set_member call............................. 67 - - - -Linn Standards Track [Page 2] - -RFC 2078 GSS-API January 1997 - - - 2.4.12: GSS_Release_OID call..................................... 68 - 2.4.13: GSS_OID_to_str call...................................... 68 - 2.4.14: GSS_Str_to_OID call...................................... 
69 - 2.4.15: GSS_Inquire_names_for_mech call.......................... 69 - 2.4.16: GSS_Inquire_mechs_for_name call.......................... 70 - 2.4.17: GSS_Canonicalize_name call............................... 71 - 2.4.18: GSS_Export_name call..................................... 72 - 2.4.19: GSS_Duplicate_name call.................................. 73 - 3: Data Structure Definitions for GSS-V2 Usage................... 73 - 3.1: Mechanism-Independent Token Format.......................... 74 - 3.2: Mechanism-Independent Exported Name Object Format........... 77 - 4: Name Type Definitions......................................... 77 - 4.1: Host-Based Service Name Form................................ 77 - 4.2: User Name Form.............................................. 78 - 4.3: Machine UID Form............................................ 78 - 4.4: String UID Form............................................. 79 - 5: Mechanism-Specific Example Scenarios......................... 79 - 5.1: Kerberos V5, single-TGT..................................... 79 - 5.2: Kerberos V5, double-TGT..................................... 80 - 5.3: X.509 Authentication Framework............................. 81 - 6: Security Considerations...................................... 82 - 7: Related Activities........................................... 82 - Appendix A: Mechanism Design Constraints......................... 83 - Appendix B: Compatibility with GSS-V1............................ 83 - -1: GSS-API Characteristics and Concepts - - GSS-API operates in the following paradigm. A typical GSS-API caller - is itself a communications protocol, calling on GSS-API in order to - protect its communications with authentication, integrity, and/or - confidentiality security services. 
A GSS-API caller accepts tokens - provided to it by its local GSS-API implementation and transfers the - tokens to a peer on a remote system; that peer passes the received - tokens to its local GSS-API implementation for processing. The - security services available through GSS-API in this fashion are - implementable (and have been implemented) over a range of underlying - mechanisms based on secret-key and public-key cryptographic - technologies. - - The GSS-API separates the operations of initializing a security - context between peers, achieving peer entity authentication (This - security service definition, and other definitions used in this - document, corresponds to that provided in International Standard ISO - 7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context() and - GSS_Accept_sec_context() calls), from the operations of providing - per-message data origin authentication and data integrity protection - (GSS_GetMIC() and GSS_VerifyMIC() calls) for messages subsequently - transferred in conjunction with that context. When establishing a - - - -Linn Standards Track [Page 3] - -RFC 2078 GSS-API January 1997 - - - security context, the GSS-API enables a context initiator to - optionally permit its credentials to be delegated, meaning that the - context acceptor may initiate further security contexts on behalf of - the initiating caller. Per-message GSS_Wrap() and GSS_Unwrap() calls - provide the data origin authentication and data integrity services - which GSS_GetMIC() and GSS_VerifyMIC() offer, and also support - selection of confidentiality services as a caller option. Additional - calls provide supportive functions to the GSS-API's users. - - The following paragraphs provide an example illustrating the - dataflows involved in use of the GSS-API by a client and server in a - mechanism-independent fashion, establishing a security context and - transferring a protected message. 
The example assumes that credential - acquisition has already been completed. The example assumes that the - underlying authentication technology is capable of authenticating a - client to a server using elements carried within a single token, and - of authenticating the server to the client (mutual authentication) - with a single returned token; this assumption holds for presently- - documented CAT mechanisms but is not necessarily true for other - cryptographic technologies and associated protocols. - - The client calls GSS_Init_sec_context() to establish a security - context to the server identified by targ_name, and elects to set the - mutual_req_flag so that mutual authentication is performed in the - course of context establishment. GSS_Init_sec_context() returns an - output_token to be passed to the server, and indicates - GSS_S_CONTINUE_NEEDED status pending completion of the mutual - authentication sequence. Had mutual_req_flag not been set, the - initial call to GSS_Init_sec_context() would have returned - GSS_S_COMPLETE status. The client sends the output_token to the - server. - - The server passes the received token as the input_token parameter to - GSS_Accept_sec_context(). GSS_Accept_sec_context indicates - GSS_S_COMPLETE status, provides the client's authenticated identity - in the src_name result, and provides an output_token to be passed to - the client. The server sends the output_token to the client. - - The client passes the received token as the input_token parameter to - a successor call to GSS_Init_sec_context(), which processes data - included in the token in order to achieve mutual authentication from - the client's viewpoint. This call to GSS_Init_sec_context() returns - GSS_S_COMPLETE status, indicating successful mutual authentication - and the completion of context establishment for this example. - - The client generates a data message and passes it to GSS_Wrap(). 
- GSS_Wrap() performs data origin authentication, data integrity, and - (optionally) confidentiality processing on the message and - - - -Linn Standards Track [Page 4] - -RFC 2078 GSS-API January 1997 - - - encapsulates the result into output_message, indicating - GSS_S_COMPLETE status. The client sends the output_message to the - server. - - The server passes the received message to GSS_Unwrap(). GSS_Unwrap() - inverts the encapsulation performed by GSS_Wrap(), deciphers the - message if the optional confidentiality feature was applied, and - validates the data origin authentication and data integrity checking - quantities. GSS_Unwrap() indicates successful validation by - returning GSS_S_COMPLETE status along with the resultant - output_message. - - For purposes of this example, we assume that the server knows by - out-of-band means that this context will have no further use after - one protected message is transferred from client to server. Given - this premise, the server now calls GSS_Delete_sec_context() to flush - context-level information. Optionally, the server-side application - may provide a token buffer to GSS_Delete_sec_context(), to receive a - context_token to be transferred to the client in order to request - that client-side context-level information be deleted. - - If a context_token is transferred, the client passes the - context_token to GSS_Process_context_token(), which returns - GSS_S_COMPLETE status after deleting context-level information at the - client system. - - The GSS-API design assumes and addresses several basic goals, - including: - - Mechanism independence: The GSS-API defines an interface to - cryptographically implemented strong authentication and other - security services at a generic level which is independent of - particular underlying mechanisms. For example, GSS-API-provided - services can be implemented by secret-key technologies (e.g., - Kerberos) or public-key approaches (e.g., X.509). 
- - Protocol environment independence: The GSS-API is independent of - the communications protocol suites with which it is employed, - permitting use in a broad range of protocol environments. In - appropriate environments, an intermediate implementation "veneer" - which is oriented to a particular communication protocol (e.g., - Remote Procedure Call (RPC)) may be interposed between - applications which call that protocol and the GSS-API, thereby - invoking GSS-API facilities in conjunction with that protocol's - communications invocations. - - Protocol association independence: The GSS-API's security context - construct is independent of communications protocol association - - - -Linn Standards Track [Page 5] - -RFC 2078 GSS-API January 1997 - - - constructs. This characteristic allows a single GSS-API - implementation to be utilized by a variety of invoking protocol - modules on behalf of those modules' calling applications. GSS-API - services can also be invoked directly by applications, wholly - independent of protocol associations. - - Suitability to a range of implementation placements: GSS-API - clients are not constrained to reside within any Trusted Computing - Base (TCB) perimeter defined on a system where the GSS-API is - implemented; security services are specified in a manner suitable - to both intra-TCB and extra-TCB callers. - -1.1: GSS-API Constructs - - This section describes the basic elements comprising the GSS-API. - -1.1.1: Credentials - -1.1.1.1: Credential Constructs and Concepts - - Credentials provide the prerequisites which permit GSS-API peers to - establish security contexts with each other. A caller may designate - that the credential elements which are to be applied for context - initiation or acceptance be selected by default. 
Alternately, those - GSS-API callers which need to make explicit selection of particular - credentials structures may make references to those credentials - through GSS-API-provided credential handles ("cred_handles"). In all - cases, callers' credential references are indirect, mediated by GSS- - API implementations and not requiring callers to access the selected - credential elements. - - A single credential structure may be used to initiate outbound - contexts and to accept inbound contexts. Callers needing to operate - in only one of these modes may designate this fact when credentials - are acquired for use, allowing underlying mechanisms to optimize - their processing and storage requirements. The credential elements - defined by a particular mechanism may contain multiple cryptographic - keys, e.g., to enable authentication and message encryption to be - performed with different algorithms. - - A GSS-API credential structure may contain multiple credential - elements, each containing mechanism-specific information for a - particular underlying mechanism (mech_type), but the set of elements - within a given credential structure represent a common entity. A - credential structure's contents will vary depending on the set of - mech_types supported by a particular GSS-API implementation. Each - credential element identifies the data needed by its mechanism in - order to establish contexts on behalf of a particular principal, and - - - -Linn Standards Track [Page 6] - -RFC 2078 GSS-API January 1997 - - - may contain separate credential references for use in context - initiation and context acceptance. Multiple credential elements - within a given credential having overlapping combinations of - mechanism, usage mode, and validity period are not permitted. - - Commonly, a single mech_type will be used for all security contexts - established by a particular initiator to a particular target. 
A major - motivation for supporting credential sets representing multiple - mech_types is to allow initiators on systems which are equipped to - handle multiple types to initiate contexts to targets on other - systems which can accommodate only a subset of the set supported at - the initiator's system. - -1.1.1.2: Credential Management - - It is the responsibility of underlying system-specific mechanisms and - OS functions below the GSS-API to ensure that the ability to acquire - and use credentials associated with a given identity is constrained - to appropriate processes within a system. This responsibility should - be taken seriously by implementors, as the ability for an entity to - utilize a principal's credentials is equivalent to the entity's - ability to successfully assert that principal's identity. - - Once a set of GSS-API credentials is established, the transferability - of that credentials set to other processes or analogous constructs - within a system is a local matter, not defined by the GSS-API. An - example local policy would be one in which any credentials received - as a result of login to a given user account, or of delegation of - rights to that account, are accessible by, or transferable to, - processes running under that account. - - The credential establishment process (particularly when performed on - behalf of users rather than server processes) is likely to require - access to passwords or other quantities which should be protected - locally and exposed for the shortest time possible. As a result, it - will often be appropriate for preliminary credential establishment to - be performed through local means at user login time, with the - result(s) cached for subsequent reference. 
These preliminary - credentials would be set aside (in a system-specific fashion) for - subsequent use, either: - - to be accessed by an invocation of the GSS-API GSS_Acquire_cred() - call, returning an explicit handle to reference that credential - - to comprise default credential elements to be installed, and to be - used when default credential behavior is requested on behalf of a - process - - - - -Linn Standards Track [Page 7] - -RFC 2078 GSS-API January 1997 - - -1.1.1.3: Default Credential Resolution - - The gss_init_sec_context and gss_accept_sec_context routines allow - the value GSS_C_NO_CREDENTIAL to be specified as their credential - handle parameter. This special credential-handle indicates a desire - by the application to act as a default principal. While individual - GSS-API implementations are free to determine such default behavior - as appropriate to the mechanism, the following default behavior by - these routines is recommended for portability: - - GSS_Init_sec_context: - - (i) If there is only a single principal capable of initiating - security contexts that the application is authorized to act on - behalf of, then that principal shall be used, otherwise - - (ii) If the platform maintains a concept of a default network- - identity, and if the application is authorized to act on behalf of - that identity for the purpose of initiating security contexts, - then the principal corresponding to that identity shall be used, - otherwise - - (iii) If the platform maintains a concept of a default local - identity, and provides a means to map local identities into - network-identities, and if the application is authorized to act on - behalf of the network-identity image of the default local identity - for the purpose of initiating security contexts, then the - principal corresponding to that identity shall be used, otherwise - - (iv) A user-configurable default identity should be used. 
- - GSS_Accept_sec_context: - - (i) If there is only a single authorized principal identity - capable of accepting security contexts, then that principal shall - be used, otherwise - - (ii) If the mechanism can determine the identity of the target - principal by examining the context-establishment token, and if the - accepting application is authorized to act as that principal for - the purpose of accepting security contexts, then that principal - identity shall be used, otherwise - - (iii) If the mechanism supports context acceptance by any - principal, and mutual authentication was not requested, any - principal that the application is authorized to accept security - contexts under may be used, otherwise - - - - -Linn Standards Track [Page 8] - -RFC 2078 GSS-API January 1997 - - - (iv) A user-configurable default identity shall be used. - - The purpose of the above rules is to allow security contexts to be - established by both initiator and acceptor using the default behavior - wherever possible. Applications requesting default behavior are - likely to be more portable across mechanisms and platforms than ones - that use GSS_Acquire_cred to request a specific identity. - -1.1.2: Tokens - - Tokens are data elements transferred between GSS-API callers, and are - divided into two classes. Context-level tokens are exchanged in order - to establish and manage a security context between peers. Per-message - tokens relate to an established context and are exchanged to provide - protective security services (i.e., data origin authentication, - integrity, and optional confidentiality) for corresponding data - messages. - - The first context-level token obtained from GSS_Init_sec_context() is - required to indicate at its very beginning a globally-interpretable - mechanism identifier, i.e., an Object Identifier (OID) of the - security mechanism. 
The remaining part of this token as well as the - whole content of all other tokens are specific to the particular - underlying mechanism used to support the GSS-API. Section 3 of this - document provides, for designers of GSS-API support mechanisms, the - description of the header of the first context-level token which is - then followed by mechanism-specific information. - - Tokens' contents are opaque from the viewpoint of GSS-API callers. - They are generated within the GSS-API implementation at an end - system, provided to a GSS-API caller to be transferred to the peer - GSS-API caller at a remote end system, and processed by the GSS-API - implementation at that remote end system. Tokens may be output by - GSS-API calls (and should be transferred to GSS-API peers) whether or - not the calls' status indicators indicate successful completion. - Token transfer may take place in an in-band manner, integrated into - the same protocol stream used by the GSS-API callers for other data - transfers, or in an out-of-band manner across a logically separate - channel. - - Different GSS-API tokens are used for different purposes (e.g., - context initiation, context acceptance, protected message data on an - established context), and it is the responsibility of a GSS-API - caller receiving tokens to distinguish their types, associate them - with corresponding security contexts, and pass them to appropriate - GSS-API processing routines. Depending on the caller protocol - environment, this distinction may be accomplished in several ways. 
- - - - -Linn Standards Track [Page 9] - -RFC 2078 GSS-API January 1997 - - - The following examples illustrate means through which tokens' types - may be distinguished: - - - implicit tagging based on state information (e.g., all tokens on - a new association are considered to be context establishment - tokens until context establishment is completed, at which point - all tokens are considered to be wrapped data objects for that - context), - - - explicit tagging at the caller protocol level, - - - a hybrid of these approaches. - - Commonly, the encapsulated data within a token includes internal - mechanism-specific tagging information, enabling mechanism-level - processing modules to distinguish tokens used within the mechanism - for different purposes. Such internal mechanism-level tagging is - recommended to mechanism designers, and enables mechanisms to - determine whether a caller has passed a particular token for - processing by an inappropriate GSS-API routine. - - Development of GSS-API support primitives based on a particular - underlying cryptographic technique and protocol (i.e., conformant to - a specific GSS-API mechanism definition) does not necessarily imply - that GSS-API callers using that GSS-API mechanism will be able to - interoperate with peers invoking the same technique and protocol - outside the GSS-API paradigm, or with peers implementing a different - GSS-API mechanism based on the same underlying technology. The - format of GSS-API tokens defined in conjunction with a particular - mechanism, and the techniques used to integrate those tokens into - callers' protocols, may not be interoperable with the tokens used by - non-GSS-API callers of the same underlying technique. - -1.1.3: Security Contexts - - Security contexts are established between peers, using credentials - established locally in conjunction with each peer or received by - peers via delegation. 
Multiple contexts may exist simultaneously - between a pair of peers, using the same or different sets of - credentials. Coexistence of multiple contexts using different - credentials allows graceful rollover when credentials expire. - Distinction among multiple contexts based on the same credentials - serves applications by distinguishing different message streams in a - security sense. - - The GSS-API is independent of underlying protocols and addressing - structure, and depends on its callers to transport GSS-API-provided - data elements. As a result of these factors, it is a caller - - - -Linn Standards Track [Page 10] - -RFC 2078 GSS-API January 1997 - - - responsibility to parse communicated messages, separating GSS-API- - related data elements from caller-provided data. The GSS-API is - independent of connection vs. connectionless orientation of the - underlying communications service. - - No correlation between security context and communications protocol - association is dictated. (The optional channel binding facility, - discussed in Section 1.1.6 of this document, represents an - intentional exception to this rule, supporting additional protection - features within GSS-API supporting mechanisms.) This separation - allows the GSS-API to be used in a wide range of communications - environments, and also simplifies the calling sequences of the - individual calls. In many cases (depending on underlying security - protocol, associated mechanism, and availability of cached - information), the state information required for context setup can be - sent concurrently with initial signed user data, without interposing - additional message exchanges. - -1.1.4: Mechanism Types - - In order to successfully establish a security context with a target - peer, it is necessary to identify an appropriate underlying mechanism - type (mech_type) which both initiator and target peers support. 
The - definition of a mechanism embodies not only the use of a particular - cryptographic technology (or a hybrid or choice among alternative - cryptographic technologies), but also definition of the syntax and - semantics of data element exchanges which that mechanism will employ - in order to support security services. - - It is recommended that callers initiating contexts specify the - "default" mech_type value, allowing system-specific functions within - or invoked by the GSS-API implementation to select the appropriate - mech_type, but callers may direct that a particular mech_type be - employed when necessary. - - The means for identifying a shared mech_type to establish a security - context with a peer will vary in different environments and - circumstances; examples include (but are not limited to): - - use of a fixed mech_type, defined by configuration, within an - environment - - syntactic convention on a target-specific basis, through - examination of a target's name - - lookup of a target's name in a naming service or other database in - order to identify mech_types supported by that target - - - - -Linn Standards Track [Page 11] - -RFC 2078 GSS-API January 1997 - - - explicit negotiation between GSS-API callers in advance of - security context setup - - When transferred between GSS-API peers, mech_type specifiers (per - Section 3, represented as Object Identifiers (OIDs)) serve to qualify - the interpretation of associated tokens. (The structure and encoding - of Object Identifiers is defined in ISO/IEC 8824, "Specification of - Abstract Syntax Notation One (ASN.1)" and in ISO/IEC 8825, - "Specification of Basic Encoding Rules for Abstract Syntax Notation - One (ASN.1)".) Use of hierarchically structured OIDs serves to - preclude ambiguous interpretation of mech_type specifiers. 
The OID - representing the DASS MechType, for example, is 1.3.12.2.1011.7.5, - and that of the Kerberos V5 mechanism, once advanced to the level of - Proposed Standard, will be 1.2.840.113554.1.2.2. - -1.1.5: Naming - - The GSS-API avoids prescribing naming structures, treating the names - which are transferred across the interface in order to initiate and - accept security contexts as opaque objects. This approach supports - the GSS-API's goal of implementability atop a range of underlying - security mechanisms, recognizing the fact that different mechanisms - process and authenticate names which are presented in different - forms. Generalized services offering translation functions among - arbitrary sets of naming environments are outside the scope of the - GSS-API; availability and use of local conversion functions to - translate among the naming formats supported within a given end - system is anticipated. - - Different classes of name representations are used in conjunction - with different GSS-API parameters: - - - Internal form (denoted in this document by INTERNAL NAME), - opaque to callers and defined by individual GSS-API - implementations. GSS-API implementations supporting multiple - namespace types must maintain internal tags to disambiguate the - interpretation of particular names. A Mechanism Name (MN) is a - special case of INTERNAL NAME, guaranteed to contain elements - corresponding to one and only one mechanism; calls which are - guaranteed to emit MNs or which require MNs as input are so - identified within this specification. - - - Contiguous string ("flat") form (denoted in this document by - OCTET STRING); accompanied by OID tags identifying the namespace - to which they correspond. Depending on tag value, flat names may - or may not be printable strings for direct acceptance from and - presentation to users. 
Tagging of flat names allows GSS-API - callers and underlying GSS-API mechanisms to disambiguate name - - - -Linn Standards Track [Page 12] - -RFC 2078 GSS-API January 1997 - - - types and to determine whether an associated name's type is one - which they are capable of processing, avoiding aliasing problems - which could result from misinterpreting a name of one type as a - name of another type. - - - The GSS-API Exported Name Object, a special case of flat name - designated by a reserved OID value, carries a canonicalized form - of a name suitable for binary comparisons. - - In addition to providing means for names to be tagged with types, - this specification defines primitives to support a level of naming - environment independence for certain calling applications. To provide - basic services oriented towards the requirements of callers which - need not themselves interpret the internal syntax and semantics of - names, GSS-API calls for name comparison (GSS_Compare_name()), - human-readable display (GSS_Display_name()), input conversion - (GSS_Import_name()), internal name deallocation (GSS_Release_name()), - and internal name duplication (GSS_Duplicate_name()) functions are - defined. (It is anticipated that these proposed GSS-API calls will be - implemented in many end systems based on system-specific name - manipulation primitives already extant within those end systems; - inclusion within the GSS-API is intended to offer GSS-API callers a - portable means to perform specific operations, supportive of - authorization and audit requirements, on authenticated names.) - - GSS_Import_name() implementations can, where appropriate, support - more than one printable syntax corresponding to a given namespace - (e.g., alternative printable representations for X.500 Distinguished - Names), allowing flexibility for their callers to select among - alternative representations. 
GSS_Display_name() implementations - output a printable syntax selected as appropriate to their - operational environments; this selection is a local matter. Callers - desiring portability across alternative printable syntaxes should - refrain from implementing comparisons based on printable name forms - and should instead use the GSS_Compare_name() call to determine - whether or not one internal-format name matches another. - - The GSS_Canonicalize_name() and GSS_Export_name() calls enable - callers to acquire and process Exported Name Objects, canonicalized - and translated in accordance with the procedures of a particular - GSS-API mechanism. Exported Name Objects can, in turn, be input to - GSS_Import_name(), yielding equivalent MNs. These facilities are - designed specifically to enable efficient storage and comparison of - names (e.g., for use in access control lists). - - - - - - - -Linn Standards Track [Page 13] - -RFC 2078 GSS-API January 1997 - - - The following diagram illustrates the intended dataflow among name- - related GSS-API processing routines. - - GSS-API library defaults - | - | - V text, for - text --------------> internal_name (IN) -----------> display only - import_name() / display_name() - / - / - / - accept_sec_context() / - | / - | / - | / canonicalize_name() - | / - | / - | / - | / - | / - | | - V V <--------------------- - single mechanism import_name() exported name: flat - internal_name (MN) binary "blob" usable - ----------------------> for access control - export_name() - -1.1.6: Channel Bindings - - The GSS-API accommodates the concept of caller-provided channel - binding ("chan_binding") information. Channel bindings are used to - strengthen the quality with which peer entity authentication is - provided during context establishment, by limiting the scope within - which an intercepted context establishment token can be reused by an - attacker. 
Specifically, they enable GSS-API callers to bind the - establishment of a security context to relevant characteristics - (e.g., addresses, transformed representations of encryption keys) of - the underlying communications channel, of protection mechanisms - applied to that communications channel, and to application-specific - data. - - The caller initiating a security context must determine the - appropriate channel binding values to provide as input to the - GSS_Init_sec_context() call, and consistent values must be provided - to GSS_Accept_sec_context() by the context's target, in order for - both peers' GSS-API mechanisms to validate that received tokens - possess correct channel-related characteristics. Use or non-use of - - - -Linn Standards Track [Page 14] - -RFC 2078 GSS-API January 1997 - - - the GSS-API channel binding facility is a caller option. GSS-API - mechanisms can operate in an environment where NULL channel bindings - are presented; mechanism implementors are encouraged, but not - required, to make use of caller-provided channel binding data within - their mechanisms. Callers should not assume that underlying - mechanisms provide confidentiality protection for channel binding - information. - - When non-NULL channel bindings are provided by callers, certain - mechanisms can offer enhanced security value by interpreting the - bindings' content (rather than simply representing those bindings, or - integrity check values computed on them, within tokens) and will - therefore depend on presentation of specific data in a defined - format. To this end, agreements among mechanism implementors are - defining conventional interpretations for the contents of channel - binding arguments, including address specifiers (with content - dependent on communications protocol environment) for context - initiators and acceptors. (These conventions are being incorporated - in GSS-API mechanism specifications and into the GSS-API C language - bindings specification.) 
In order for GSS-API callers to be portable - across multiple mechanisms and achieve the full security - functionality which each mechanism can provide, it is strongly - recommended that GSS-API callers provide channel bindings consistent - with these conventions and those of the networking environment in - which they operate. - -1.2: GSS-API Features and Issues - - This section describes aspects of GSS-API operations, of the security - services which the GSS-API provides, and provides commentary on - design issues. - -1.2.1: Status Reporting - - Each GSS-API call provides two status return values. Major_status - values provide a mechanism-independent indication of call status - (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED), - sufficient to drive normal control flow within the caller in a - generic fashion. Table 1 summarizes the defined major_status return - codes in tabular fashion. - - - - - - - - - - - -Linn Standards Track [Page 15] - -RFC 2078 GSS-API January 1997 - - -Table 1: GSS-API Major Status Codes - - FATAL ERROR CODES - - GSS_S_BAD_BINDINGS channel binding mismatch - GSS_S_BAD_MECH unsupported mechanism requested - GSS_S_BAD_NAME invalid name provided - GSS_S_BAD_NAMETYPE name of unsupported type provided - GSS_S_BAD_STATUS invalid input status selector - GSS_S_BAD_SIG token had invalid integrity check - GSS_S_CONTEXT_EXPIRED specified security context expired - GSS_S_CREDENTIALS_EXPIRED expired credentials detected - GSS_S_DEFECTIVE_CREDENTIAL defective credential detected - GSS_S_DEFECTIVE_TOKEN defective token detected - GSS_S_FAILURE failure, unspecified at GSS-API - level - GSS_S_NO_CONTEXT no valid security context specified - GSS_S_NO_CRED no valid credentials provided - GSS_S_BAD_QOP unsupported QOP value - GSS_S_UNAUTHORIZED operation unauthorized - GSS_S_UNAVAILABLE operation unavailable - GSS_S_DUPLICATE_ELEMENT duplicate credential element requested - GSS_S_NAME_NOT_MN name contains multi-mechanism elements - - INFORMATORY 
STATUS CODES - - GSS_S_COMPLETE normal completion - GSS_S_CONTINUE_NEEDED continuation call to routine - required - GSS_S_DUPLICATE_TOKEN duplicate per-message token - detected - GSS_S_OLD_TOKEN timed-out per-message token - detected - GSS_S_UNSEQ_TOKEN reordered (early) per-message token - detected - GSS_S_GAP_TOKEN skipped predecessor token(s) - detected - - Minor_status provides more detailed status information which may - include status codes specific to the underlying security mechanism. - Minor_status values are not specified in this document. - - GSS_S_CONTINUE_NEEDED major_status returns, and optional message - outputs, are provided in GSS_Init_sec_context() and - GSS_Accept_sec_context() calls so that different mechanisms' - employment of different numbers of messages within their - authentication sequences need not be reflected in separate code paths - within calling applications. Instead, such cases are accommodated - - - -Linn Standards Track [Page 16] - -RFC 2078 GSS-API January 1997 - - - with sequences of continuation calls to GSS_Init_sec_context() and - GSS_Accept_sec_context(). The same mechanism is used to encapsulate - mutual authentication within the GSS-API's context initiation calls. - - For mech_types which require interactions with third-party servers in - order to establish a security context, GSS-API context establishment - calls may block pending completion of such third-party interactions. - - On the other hand, no GSS-API calls pend on serialized interactions - with GSS-API peer entities. As a result, local GSS-API status - returns cannot reflect unpredictable or asynchronous exceptions - occurring at remote peers, and reflection of such status information - is a caller responsibility outside the GSS-API. 
- -1.2.2: Per-Message Security Service Availability - - When a context is established, two flags are returned to indicate the - set of per-message protection security services which will be - available on the context: - - the integ_avail flag indicates whether per-message integrity and - data origin authentication services are available - - the conf_avail flag indicates whether per-message confidentiality - services are available, and will never be returned TRUE unless the - integ_avail flag is also returned TRUE - - GSS-API callers desiring per-message security services should - check the values of these flags at context establishment time, and - must be aware that a returned FALSE value for integ_avail means - that invocation of GSS_GetMIC() or GSS_Wrap() primitives on the - associated context will apply no cryptographic protection to user - data messages. - - The GSS-API per-message integrity and data origin authentication - services provide assurance to a receiving caller that protection was - applied to a message by the caller's peer on the security context, - corresponding to the entity named at context initiation. The GSS-API - per-message confidentiality service provides assurance to a sending - caller that the message's content is protected from access by - entities other than the context's named peer. - - - - - - - - - - -Linn Standards Track [Page 17] - -RFC 2078 GSS-API January 1997 - - - The GSS-API per-message protection service primitives, as the - category name implies, are oriented to operation at the granularity - of protocol data units. They perform cryptographic operations on the - data units, transfer cryptographic control information in tokens, - and, in the case of GSS_Wrap(), encapsulate the protected data unit. - As such, these primitives are not oriented to efficient data - protection for stream-paradigm protocols (e.g., Telnet) if - cryptography must be applied on an octet-by-octet basis. 
- -1.2.3: Per-Message Replay Detection and Sequencing - - Certain underlying mech_types offer support for replay detection - and/or sequencing of messages transferred on the contexts they - support. These optionally-selectable protection features are distinct - from replay detection and sequencing features applied to the context - establishment operation itself; the presence or absence of context- - level replay or sequencing features is wholly a function of the - underlying mech_type's capabilities, and is not selected or omitted - as a caller option. - - The caller initiating a context provides flags (replay_det_req_flag - and sequence_req_flag) to specify whether the use of per-message - replay detection and sequencing features is desired on the context - being established. The GSS-API implementation at the initiator system - can determine whether these features are supported (and whether they - are optionally selectable) as a function of mech_type, without need - for bilateral negotiation with the target. When enabled, these - features provide recipients with indicators as a result of GSS-API - processing of incoming messages, identifying whether those messages - were detected as duplicates or out-of-sequence. Detection of such - events does not prevent a suspect message from being provided to a - recipient; the appropriate course of action on a suspect message is a - matter of caller policy. - - The semantics of the replay detection and sequencing services applied - to received messages, as visible across the interface which the GSS- - API provides to its clients, are as follows: - - When replay_det_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_S_COMPLETE indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - and that the message was not a replay of a previously-processed - message within that window. 
- - - - - - -Linn Standards Track [Page 18] - -RFC 2078 GSS-API January 1997 - - - 2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic - checkvalue on the received message was correct, but that the - message was recognized as a duplicate of a previously-processed - message. - - 3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that the message is too old - to be checked for duplication. - - When sequence_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_S_COMPLETE indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - that the message was not a replay of a previously-processed - message within that window, and that no predecessor sequenced - messages are missing relative to the last received message (if - any) processed on the context with a correct cryptographic - checkvalue. - - 2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value - on the received message was correct, but that the message was - recognized as a duplicate of a previously-processed message. - - 3. GSS_S_OLD_TOKEN indicates that the integrity check value on the - received message was correct, but that the token is too old to be - checked for duplication. - - 4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue - on the received message was correct, but that it is earlier in a - sequenced stream than a message already processed on the context. - [Note: Mechanisms can be architected to provide a stricter form of - sequencing service, delivering particular messages to recipients - only after all predecessor messages in an ordered stream have been - delivered. 
This type of support is incompatible with the GSS-API - paradigm in which recipients receive all messages, whether in - order or not, and provide them (one at a time, without intra-GSS- - API message buffering) to GSS-API routines for validation. GSS- - API facilities provide supportive functions, aiding clients to - achieve strict message stream integrity in an efficient manner in - conjunction with sequencing provisions in communications - protocols, but the GSS-API does not offer this level of message - stream integrity service by itself.] - - - - - - - - -Linn Standards Track [Page 19] - -RFC 2078 GSS-API January 1997 - - - 5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that one or more predecessor - sequenced messages have not been successfully processed relative - to the last received message (if any) processed on the context - with a correct cryptographic checkvalue. - - As the message stream integrity features (especially sequencing) may - interfere with certain applications' intended communications - paradigms, and since support for such features is likely to be - resource intensive, it is highly recommended that mech_types - supporting these features allow them to be activated selectively on - initiator request when a context is established. A context initiator - and target are provided with corresponding indicators - (replay_det_state and sequence_state), signifying whether these - features are active on a given context. - - An example mech_type supporting per-message replay detection could - (when replay_det_state is TRUE) implement the feature as follows: The - underlying mechanism would insert timestamps in data elements output - by GSS_GetMIC() and GSS_Wrap(), and would maintain (within a time- - limited window) a cache (qualified by originator-recipient pair) - identifying received data elements processed by GSS_VerifyMIC() and - GSS_Unwrap(). 
When this feature is active, exception status returns - (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when - GSS_VerifyMIC() or GSS_Unwrap() is presented with a message which is - either a detected duplicate of a prior message or which is too old to - validate against a cache of recently received messages. - -1.2.4: Quality of Protection - - Some mech_types provide their users with fine granularity control - over the means used to provide per-message protection, allowing - callers to trade off security processing overhead dynamically against - the protection requirements of particular messages. A per-message - quality-of-protection parameter (analogous to quality-of-service, or - QOS) selects among different QOP options supported by that mechanism. - On context establishment for a multi-QOP mech_type, context-level - data provides the prerequisite data for a range of protection - qualities. - - It is expected that the majority of callers will not wish to exert - explicit mechanism-specific QOP control and will therefore request - selection of a default QOP. Definitions of, and choices among, non- - default QOP values are mechanism-specific, and no ordered sequences - of QOP values can be assumed equivalent across different mechanisms. - Meaningful use of non-default QOP values demands that callers be - familiar with the QOP definitions of an underlying mechanism or - mechanisms, and is therefore a non-portable construct. The - - - -Linn Standards Track [Page 20] - -RFC 2078 GSS-API January 1997 - - - GSS_S_BAD_QOP major_status value is defined in order to indicate that - a provided QOP value is unsupported for a security context, most - likely because that value is unrecognized by the underlying - mechanism. - -1.2.5: Anonymity Support - - In certain situations or environments, an application may wish to - authenticate a peer and/or protect communications using GSS-API per- - message services without revealing its own identity. 
For example, - consider an application which provides read access to a research - database, and which permits queries by arbitrary requestors. A - client of such a service might wish to authenticate the service, to - establish trust in the information received from it, but might not - wish to disclose its identity to the service for privacy reasons. - - In ordinary GSS-API usage, a context initiator's identity is made - available to the context acceptor as part of the context - establishment process. To provide for anonymity support, a facility - (input anon_req_flag to GSS_Init_sec_context()) is provided through - which context initiators may request that their identity not be - provided to the context acceptor. Mechanisms are not required to - honor this request, but a caller will be informed (via returned - anon_state indicator from GSS_Init_sec_context()) whether or not the - request is honored. Note that authentication as the anonymous - principal does not necessarily imply that credentials are not - required in order to establish a context. - - The following Object Identifier value is provided as a means to - identify anonymous names, and can be compared against in order to - determine, in a mechanism-independent fashion, whether a name refers - to an anonymous principal: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 3(gss-anonymous-name)} - - The recommended symbolic name corresponding to this definition is - GSS_C_NT_ANONYMOUS. - - Four possible combinations of anon_state and mutual_state are - possible, with the following results: - - anon_state == FALSE, mutual_state == FALSE: initiator - authenticated to target. - - anon_state == FALSE, mutual_state == TRUE: initiator authenticated - to target, target authenticated to initiator. - - - - -Linn Standards Track [Page 21] - -RFC 2078 GSS-API January 1997 - - - anon_state == TRUE, mutual_state == FALSE: initiator authenticated - as anonymous principal to target. 
- - anon_state == TRUE, mutual_state == TRUE: initiator authenticated - as anonymous principal to target, target authenticated to - initiator. - -1.2.6: Initialization - - No initialization calls (i.e., calls which must be invoked prior to - invocation of other facilities in the interface) are defined in GSS- - API. As an implication of this fact, GSS-API implementations must - themselves be self-initializing. - -1.2.7: Per-Message Protection During Context Establishment - - A facility is defined in GSS-V2 to enable protection and buffering of - data messages for later transfer while a security context's - establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases - where the caller side already possesses the necessary session key to - enable this processing. Specifically, a new state Boolean, called - prot_ready_state, is added to the set of information returned by - GSS_Init_sec_context(), GSS_Accept_sec_context(), and - GSS_Inquire_context(). - - For context establishment calls, this state Boolean is valid and - interpretable when the associated major_status is either - GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE. Callers of GSS-API (both - initiators and acceptors) can assume that per-message protection (via - GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is - available and ready for use if either: prot_ready_state == TRUE, or - major_status == GSS_S_COMPLETE, though mutual authentication (if - requested) cannot be guaranteed until GSS_S_COMPLETE is returned. - - This achieves full, transparent backward compatibility for GSS-API V1 - callers, who need not even know of the existence of prot_ready_state, - and who will get the expected behavior from GSS_S_COMPLETE, but who - will not be able to use per-message protection before GSS_S_COMPLETE - is returned. 
-
- It is not a requirement that GSS-V2 mechanisms ever return TRUE
- prot_ready_state before completion of context establishment (indeed,
- some mechanisms will not evolve usable message protection keys,
- especially at the context acceptor, before context establishment is
- complete). It is expected but not required that GSS-V2 mechanisms
- will return TRUE prot_ready_state upon completion of context
- establishment if they support per-message protection at all (however
- GSS-V2 applications should not assume that TRUE prot_ready_state will
-
-
-
-Linn Standards Track [Page 22]
-
-RFC 2078 GSS-API January 1997
-
-
- always be returned together with the GSS_S_COMPLETE major_status,
- since GSS-V2 implementations may continue to support GSS-V1 mechanism
- code, which will never return TRUE prot_ready_state).
-
- When prot_ready_state is returned TRUE, mechanisms shall also set
- those context service indicator flags (deleg_state, mutual_state,
- replay_det_state, sequence_state, anon_state, trans_state,
- conf_avail, integ_avail) which represent facilities confirmed, at
- that time, to be available on the context being established. In
- situations where prot_ready_state is returned before GSS_S_COMPLETE,
- it is possible that additional facilities may be confirmed and
- subsequently indicated when GSS_S_COMPLETE is returned.
-
-1.2.8: Implementation Robustness
-
- This section recommends aspects of GSS-API implementation behavior in
- the interests of overall robustness.
-
- If a token is presented for processing on a GSS-API security context
- and that token is determined to be invalid for that context, the
- context's state should not be disrupted for purposes of processing
- subsequent valid tokens.
-
- Certain local conditions at a GSS-API implementation (e.g.,
- unavailability of memory) may preclude, temporarily or permanently,
- the successful processing of tokens on a GSS-API security context,
- typically generating GSS_S_FAILURE major_status returns along with
- locally-significant minor_status. For robust operation under such
- conditions, the following recommendations are made:
-
- Failing calls should free any memory they allocate, so that
- callers may retry without causing further loss of resources.
-
- Failure of an individual call on an established context should not
- preclude subsequent calls from succeeding on the same context.
-
- Whenever possible, it should be possible for
- GSS_Delete_sec_context() calls to be successfully processed even
- if other calls cannot succeed, thereby enabling context-related
- resources to be released.
-
-2: Interface Descriptions
-
- This section describes the GSS-API's service interface, dividing the
- set of calls offered into four groups. Credential management calls
- are related to the acquisition and release of credentials by
- principals. Context-level calls are related to the management of
- security contexts between principals. Per-message calls are related
-
-
-
-Linn Standards Track [Page 23]
-
-RFC 2078 GSS-API January 1997
-
-
- to the protection of individual messages on established security
- contexts. Support calls provide ancillary functions useful to GSS-API
- callers. Table 2 groups and summarizes the calls in tabular fashion.
- -Table 2: GSS-API Calls - - CREDENTIAL MANAGEMENT - - GSS_Acquire_cred acquire credentials for use - GSS_Release_cred release credentials after use - GSS_Inquire_cred display information about - credentials - GSS_Add_cred construct credentials incrementally - GSS_Inquire_cred_by_mech display per-mechanism credential - information - - CONTEXT-LEVEL CALLS - - GSS_Init_sec_context initiate outbound security context - GSS_Accept_sec_context accept inbound security context - GSS_Delete_sec_context flush context when no longer needed - GSS_Process_context_token process received control token on - context - GSS_Context_time indicate validity time remaining on - context - GSS_Inquire_context display information about context - GSS_Wrap_size_limit determine GSS_Wrap token size limit - GSS_Export_sec_context transfer context to other process - GSS_Import_sec_context import transferred context - - PER-MESSAGE CALLS - - GSS_GetMIC apply integrity check, receive as - token separate from message - GSS_VerifyMIC validate integrity check token - along with message - GSS_Wrap sign, optionally encrypt, - encapsulate - GSS_Unwrap decapsulate, decrypt if needed, - validate integrity check - - - - - - - - - - - -Linn Standards Track [Page 24] - -RFC 2078 GSS-API January 1997 - - - SUPPORT CALLS - - GSS_Display_status translate status codes to printable - form - GSS_Indicate_mechs indicate mech_types supported on - local system - GSS_Compare_name compare two names for equality - GSS_Display_name translate name to printable form - GSS_Import_name convert printable name to - normalized form - GSS_Release_name free storage of normalized-form - name - GSS_Release_buffer free storage of printable name - GSS_Release_OID free storage of OID object - GSS_Release_OID_set free storage of OID set object - GSS_Create_empty_OID_set create empty OID set - GSS_Add_OID_set_member add member to OID set - GSS_Test_OID_set_member test if OID is member of OID set - GSS_OID_to_str display OID as string - 
GSS_Str_to_OID construct OID from string
- GSS_Inquire_names_for_mech indicate name types supported by
- mechanism
- GSS_Inquire_mechs_for_name indicates mechanisms supporting name
- type
- GSS_Canonicalize_name translate name to per-mechanism form
- GSS_Export_name externalize per-mechanism name
- GSS_Duplicate_name duplicate name object
-
-2.1: Credential management calls
-
- These GSS-API calls provide functions related to the management of
- credentials. Their characterization with regard to whether or not
- they may block pending exchanges with other network entities (e.g.,
- directories or authentication servers) depends in part on OS-specific
- (extra-GSS-API) issues, so is not specified in this document.
-
- The GSS_Acquire_cred() call is defined within the GSS-API in support
- of application portability, with a particular orientation towards
- support of portable server applications. It is recognized that (for
- certain systems and mechanisms) credentials for interactive users may
- be managed differently from credentials for server processes; in such
- environments, it is the GSS-API implementation's responsibility to
- distinguish these cases and the procedures for making this
- distinction are a local matter. The GSS_Release_cred() call provides
- a means for callers to indicate to the GSS-API that use of a
- credentials structure is no longer required. The GSS_Inquire_cred()
- call allows callers to determine information about a credentials
- structure. The GSS_Add_cred() call enables callers to append
-
-
-
-Linn Standards Track [Page 25]
-
-RFC 2078 GSS-API January 1997
-
-
- elements to an existing credential structure, allowing iterative
- construction of a multi-mechanism credential. The
- GSS_Inquire_cred_by_mech() call enables callers to extract per-
- mechanism information describing a credentials structure.
- -2.1.1: GSS_Acquire_cred call - - Inputs: - - o desired_name INTERNAL NAME, -NULL requests locally-determined - default - - o lifetime_req INTEGER,-in seconds; 0 requests default - - o desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests - system-selected default - - o cred_usage INTEGER -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, - - o actual_mechs SET OF OBJECT IDENTIFIER, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - Return major_status codes: - - o GSS_S_COMPLETE indicates that requested credentials were - successfully established, for the duration indicated in - lifetime_rec, suitable for the usage requested in cred_usage, - for the set of mech_types indicated in actual_mechs, and that - those credentials can be referenced for subsequent use with - the handle returned in output_cred_handle. - - o GSS_S_BAD_MECH indicates that a mech_type unsupported by the - GSS-API implementation type was requested, causing the - credential establishment operation to fail. - - - - - - -Linn Standards Track [Page 26] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_BAD_NAMETYPE indicates that the provided desired_name is - uninterpretable or of a type unsupported by the applicable - underlying GSS-API mechanism(s), so no credentials could be - established for the accompanying desired_name. - - o GSS_S_BAD_NAME indicates that the provided desired_name is - inconsistent in terms of internally-incorporated type specifier - information, so no credentials could be established for the - accompanying desired_name. - - o GSS_S_FAILURE indicates that credential establishment failed - for reasons unspecified at the GSS-API level, including lack - of authorization to establish and use credentials associated - with the identity named in the input desired_name argument. 
-
- GSS_Acquire_cred() is used to acquire credentials so that a
- principal can (as a function of the input cred_usage parameter)
- initiate and/or accept security contexts under the identity
- represented by the desired_name input argument. On successful
- completion, the returned output_cred_handle result provides a handle
- for subsequent references to the acquired credentials. Typically,
- single-user client processes requesting that default credential
- behavior be applied for context establishment purposes will have no
- need to invoke this call.
-
- A caller may provide the value NULL for desired_name, signifying a
- request for credentials corresponding to a principal identity
- selected by default for the caller. The procedures used by GSS-API
- implementations to select the appropriate principal identity in
- response to such a request are local matters. It is possible that
- multiple pre-established credentials may exist for the same principal
- identity (for example, as a result of multiple user login sessions)
- when GSS_Acquire_cred() is called; the means used in such cases to
- select a specific credential are local matters. The input
- lifetime_req argument to GSS_Acquire_cred() may provide useful
- information for local GSS-API implementations to employ in making
- this disambiguation in a manner which will best satisfy a caller's
- intent.
-
- The lifetime_rec result indicates the length of time for which the
- acquired credentials will be valid, as an offset from the present. A
- mechanism may return a reserved value indicating INDEFINITE if no
- constraints on credential lifetime are imposed. A caller of
- GSS_Acquire_cred() can request a length of time for which acquired
- credentials are to be valid (lifetime_req argument), beginning at the
- present, or can request credentials with a default validity interval.
- (Requests for postdated credentials are not supported within the
- GSS-API.)
Certain mechanisms and implementations may bind in - - - -Linn Standards Track [Page 27] - -RFC 2078 GSS-API January 1997 - - - credential validity period specifiers at a point preliminary to - invocation of the GSS_Acquire_cred() call (e.g., in conjunction with - user login procedures). As a result, callers requesting non-default - values for lifetime_req must recognize that such requests cannot - always be honored and must be prepared to accommodate the use of - returned credentials with different lifetimes as indicated in - lifetime_rec. - - The caller of GSS_Acquire_cred() can explicitly specify a set of - mech_types which are to be accommodated in the returned credentials - (desired_mechs argument), or can request credentials for a system- - defined default set of mech_types. Selection of the system-specified - default set is recommended in the interests of application - portability. The actual_mechs return value may be interrogated by the - caller to determine the set of mechanisms with which the returned - credentials may be used. - -2.1.2: GSS_Release_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE - NULL specifies that - the credential elements used when default credential behavior - is requested be released. - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle were released for purposes of subsequent - access by the caller. The effect on other processes which may - be authorized shared access to such credentials is a local - matter. - - o GSS_S_NO_CRED indicates that no release operation was - performed, either because the input cred_handle was invalid or - because the caller lacks authorization to access the - referenced credentials. - - o GSS_S_FAILURE indicates that the release operation failed for - reasons unspecified at the GSS-API level. 
- - - - - -Linn Standards Track [Page 28] - -RFC 2078 GSS-API January 1997 - - - Provides a means for a caller to explicitly request that credentials - be released when their use is no longer required. Note that system- - specific credential management functions are also likely to exist, - for example to assure that credentials shared among processes are - properly deleted when all affected processes terminate, even if no - explicit release requests are issued by those processes. Given the - fact that multiple callers are not precluded from gaining authorized - access to the same credentials, invocation of GSS_Release_cred() - cannot be assumed to delete a particular set of credentials on a - system-wide basis. - -2.1.3: GSS_Inquire_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE -NULL specifies that the - credential elements used when default credential behavior is - requested are to be queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, - - o lifetime_rec INTEGER -in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, and that the output - cred_name, lifetime_rec, and cred_usage values represent, - respectively, the credentials' associated principal name, - remaining lifetime, suitable usage modes, and supported - mechanism types. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks - authorization to access the referenced credentials. - - - -Linn Standards Track [Page 29] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. 
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
- credentials have expired.
-
- o GSS_S_FAILURE indicates that the operation failed for
- reasons unspecified at the GSS-API level.
-
- The GSS_Inquire_cred() call is defined primarily for the use of those
- callers which request use of default credential behavior rather than
- acquiring credentials explicitly with GSS_Acquire_cred(). It enables
- callers to determine a credential structure's associated principal
- name, remaining validity period, usability for security context
- initiation and/or acceptance, and supported mechanisms.
-
- For a multi-mechanism credential, the returned "lifetime" specifier
- indicates the shortest lifetime of any of the mechanisms' elements in
- the credential (for either context initiation or acceptance
- purposes).
-
- GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for
- "cred_usage" if both of the following conditions hold:
-
- (1) there exists in the credential an element which allows context
- initiation using some mechanism
-
- (2) there exists in the credential an element which allows context
- acceptance using some mechanism (allowably, but not necessarily,
- one of the same mechanism(s) qualifying for (1)).
-
- If condition (1) holds but not condition (2), GSS_Inquire_cred()
- should indicate INITIATE-ONLY for "cred_usage". If condition (2)
- holds but not condition (1), GSS_Inquire_cred() should indicate
- ACCEPT-ONLY for "cred_usage".
-
- Callers requiring finer disambiguation among available combinations
- of lifetimes, usage modes, and mechanisms should call the
- GSS_Inquire_cred_by_mech() routine, passing that routine one of the
- mech OIDs returned by GSS_Inquire_cred().
- - - - - - - - - - - -Linn Standards Track [Page 30] - -RFC 2078 GSS-API January 1997 - - -2.1.4: GSS_Add_cred call - - Inputs: - - o input_cred_handle CREDENTIAL HANDLE - handle to credential - structure created with prior GSS_Acquire_cred() or - GSS_Add_cred() call, or NULL to append elements to the set - which are applied for the caller when default credential - behavior is specified. - - o desired_name INTERNAL NAME - NULL requests locally-determined - default - - o initiator_time_req INTEGER - in seconds; 0 requests default - - o acceptor_time_req INTEGER - in seconds; 0 requests default - - o desired_mech OBJECT IDENTIFIER - - o cred_usage INTEGER - 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, - NULL to request that - credential elements be added "in place" to the credential - structure identified by input_cred_handle, non-NULL pointer - to request that a new credential structure and handle be created. - - o actual_mechs SET OF OBJECT IDENTIFIER, - - o initiator_time_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - o acceptor_time_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms - supported by resulting credential. - - - - - -Linn Standards Track [Page 31] - -RFC 2078 GSS-API January 1997 - - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by - the input_cred_handle argument were valid, and that the - resulting credential from GSS_Add_cred() is valid for the - durations indicated in initiator_time_rec and acceptor_time_rec, - suitable for the usage requested in cred_usage, and for the - mechanisms indicated in actual_mechs. 
-
- o GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech
- specified a mechanism for which the referenced credential
- already contained a credential element with overlapping
- cred_usage and validity time specifiers.
-
- o GSS_S_BAD_MECH indicates that the input desired_mech specified
- a mechanism unsupported by the GSS-API implementation, causing
- the GSS_Add_cred() operation to fail.
-
- o GSS_S_BAD_NAMETYPE indicates that the provided desired_name
- is uninterpretable or of a type unsupported by the applicable
- underlying GSS-API mechanism(s), so the GSS_Add_cred() operation
- could not be performed for that name.
-
- o GSS_S_BAD_NAME indicates that the provided desired_name is
- inconsistent in terms of internally-incorporated type specifier
- information, so the GSS_Add_cred() operation could not be
- performed for that name.
-
- o GSS_S_NO_CRED indicates that the input_cred_handle referenced
- invalid or inaccessible credentials.
-
- o GSS_S_FAILURE indicates that the operation failed for
- reasons unspecified at the GSS-API level, including lack of
- authorization to establish or use credentials representing
- the requested identity.
-
- GSS_Add_cred() enables callers to construct credentials iteratively
- by adding credential elements in successive operations, corresponding
- to different mechanisms. This offers particular value in multi-
- mechanism environments, as the major_status and minor_status values
- returned on each iteration are individually visible and can therefore
- be interpreted unambiguously on a per-mechanism basis.
-
- The same input desired_name, or default reference, should be used on
- all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a
- particular credential.
- - - - - -Linn Standards Track [Page 32] - -RFC 2078 GSS-API January 1997 - - -2.1.5: GSS_Inquire_cred_by_mech call - - Inputs: - - o cred_handle CREDENTIAL HANDLE -- NULL specifies that the - credential elements used when default credential behavior is - requested are to be queried - - o mech_type OBJECT IDENTIFIER -- specific mechanism for - which credentials are being queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, -- guaranteed to be MN - - o lifetime_rec_initiate INTEGER -- in seconds, or reserved value for - INDEFINITE - - o lifetime_rec_accept INTEGER -- in seconds, or reserved value for - INDEFINITE - - o cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - 2=ACCEPT-ONLY - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, that the mechanism - indicated by the input mech_type was represented with elements - within those credentials, and that the output cred_name, - lifetime_rec_initiate, lifetime_rec_accept, and cred_usage values - represent, respectively, the credentials' associated principal - name, remaining lifetimes, and suitable usage modes. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks - authorization to access the referenced credentials. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced - credentials have expired. - - - -Linn Standards Track [Page 33] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_BAD_MECH indicates that the referenced credentials do not - contain elements for the requested mechanism. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. 
-
- The GSS_Inquire_cred_by_mech() call enables callers in multi-
- mechanism environments to acquire specific data about available
- combinations of lifetimes, usage modes, and mechanisms within a
- credential structure. The lifetime_rec_initiate result indicates the
- available lifetime for context initiation purposes; the
- lifetime_rec_accept result indicates the available lifetime for
- context acceptance purposes.
-
-2.2: Context-level calls
-
- This group of calls is devoted to the establishment and management of
- security contexts between peers. A context's initiator calls
- GSS_Init_sec_context(), resulting in generation of a token which the
- caller passes to the target. At the target, that token is passed to
- GSS_Accept_sec_context(). Depending on the underlying mech_type and
- specified options, additional token exchanges may be performed in the
- course of context establishment; such exchanges are accommodated by
- GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and
- GSS_Accept_sec_context().
-
- Either party to an established context may invoke
- GSS_Delete_sec_context() to flush context information when a context
- is no longer required. GSS_Process_context_token() is used to
- process received tokens carrying context-level control information.
- GSS_Context_time() allows a caller to determine the length of time
- for which an established context will remain valid.
- GSS_Inquire_context() returns status information describing context
- characteristics. GSS_Wrap_size_limit() allows a caller to determine
- the size of a token which will be generated by a GSS_Wrap()
- operation. GSS_Export_sec_context() and GSS_Import_sec_context()
- enable transfer of active contexts between processes on an end
- system.
- -2.2.1: GSS_Init_sec_context call - - Inputs: - - o claimant_cred_handle CREDENTIAL HANDLE, -NULL specifies "use - default" - - o input_context_handle CONTEXT HANDLE, -0 specifies "none assigned - yet" - - - -Linn Standards Track [Page 34] - -RFC 2078 GSS-API January 1997 - - - o targ_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use - default" - - o deleg_req_flag BOOLEAN, - - o mutual_req_flag BOOLEAN, - - o replay_det_req_flag BOOLEAN, - - o sequence_req_flag BOOLEAN, - - o anon_req_flag BOOLEAN, - - o lifetime_req INTEGER,-0 specifies default lifetime - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING-NULL or token received from target - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_context_handle CONTEXT HANDLE, - - o mech_type OBJECT IDENTIFIER, -actual mechanism always - indicated, never NULL - - o output_token OCTET STRING, -NULL or token to pass to context - target - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, -- see Section 1.2.7 - - - -Linn Standards Track [Page 35] - -RFC 2078 GSS-API January 1997 - - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - This call may block pending network interactions for those mech_types - in which an authentication server or other network entity must be - consulted on behalf of a context initiator in order to generate an - output_token suitable for presentation to a specified target. - - Return major_status codes: - - o GSS_S_COMPLETE indicates that context-level information was - successfully initialized, and that the returned output_token - will provide sufficient information for the target to perform - per-message processing on the newly-established context. 
-
- o GSS_S_CONTINUE_NEEDED indicates that control information in the
- returned output_token must be sent to the target, and that a
- reply must be received and passed as the input_token argument
- to a continuation call to GSS_Init_sec_context(), before
- per-message processing can be performed in conjunction with
- this context.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks
- performed on the input_token failed, preventing further
- processing from being performed based on that token.
-
- o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
- performed on the credential structure referenced by
- claimant_cred_handle failed, preventing further processing from
- being performed using that credential structure.
-
- o GSS_S_BAD_SIG indicates that the received input_token
- contains an incorrect integrity check, so context setup cannot
- be accomplished.
-
- o GSS_S_NO_CRED indicates that no context was established,
- either because the input cred_handle was invalid, because the
- referenced credentials are valid for context acceptor use
- only, or because the caller lacks authorization to access the
- referenced credentials.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials
- provided through the input claimant_cred_handle argument are no
- longer valid, so context establishment cannot be completed.
-
-
-
-Linn Standards Track [Page 36]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_BAD_BINDINGS indicates that a mismatch between the
- caller-provided chan_bindings and those extracted from the
- input_token was detected, signifying a security-relevant
- event and preventing context establishment. (This result will
- be returned by GSS_Init_sec_context only for contexts where
- mutual_state is TRUE.)
-
- o GSS_S_OLD_TOKEN indicates that the input_token is too old to
- be checked for integrity. This is a fatal error during context
- establishment.
-
- o GSS_S_DUPLICATE_TOKEN indicates that the input token has a
- correct integrity check, but is a duplicate of a token already
- processed. This is a fatal error during context establishment.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided; this major status will
- be returned only for successor calls following GSS_S_CONTINUE_
- NEEDED status returns.
-
- o GSS_S_BAD_NAMETYPE indicates that the provided targ_name is
- of a type uninterpretable or unsupported by the applicable
- underlying GSS-API mechanism(s), so context establishment
- cannot be completed.
-
- o GSS_S_BAD_NAME indicates that the provided targ_name is
- inconsistent in terms of internally-incorporated type specifier
- information, so context establishment cannot be accomplished.
-
- o GSS_S_BAD_MECH indicates receipt of a context establishment token
- or of a caller request specifying a mechanism unsupported by
- the local system or with the caller's active credentials
-
- o GSS_S_FAILURE indicates that context setup could not be
- accomplished for reasons unspecified at the GSS-API level, and
- that no interface-defined recovery action is available.
-
- This routine is used by a context initiator, and ordinarily emits one
- (or, for the case of a multi-step exchange, more than one)
- output_token suitable for use by the target within the selected
- mech_type's protocol. Using information in the credentials structure
- referenced by claimant_cred_handle, GSS_Init_sec_context()
- initializes the data structures required to establish a security
- context with target targ_name. The targ_name may be any valid
- INTERNAL NAME; it need not be an MN.
The claimant_cred_handle must
- correspond to the same valid credentials structure on the initial
- call to GSS_Init_sec_context() and on any successor calls resulting
- from GSS_S_CONTINUE_NEEDED status returns; different protocol
-
-
-
-Linn Standards Track [Page 37]
-
-RFC 2078 GSS-API January 1997
-
-
- sequences modeled by the GSS_S_CONTINUE_NEEDED facility will require
- access to credentials at different points in the context
- establishment sequence.
-
- The input_context_handle argument is 0, specifying "not yet
- assigned", on the first GSS_Init_sec_context() call relating to a
- given context. If successful (i.e., if accompanied by major_status
- GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the
- initial GSS_Init_sec_context() call returns a non-zero
- output_context_handle for use in future references to this context.
- Once a non-zero output_context_handle has been returned, GSS-API
- callers should call GSS_Delete_sec_context() to release context-
- related resources if errors occur in later phases of context
- establishment, or when an established context is no longer required.
-
- When continuation attempts to GSS_Init_sec_context() are needed to
- perform context establishment, the previously-returned non-zero
- handle value is entered into the input_context_handle argument and
- will be echoed in the returned output_context_handle argument. On
- such continuation attempts (and only on continuation attempts) the
- input_token value is used, to provide the token returned from the
- context's target.
-
- The chan_bindings argument is used by the caller to provide
- information binding the security context to security-related
- characteristics (e.g., addresses, cryptographic keys) of the
- underlying communications channel. See Section 1.1.6 of this document
- for more discussion of this argument's usage.
-
- The input_token argument contains a message received from the target,
- and is significant only on a call to GSS_Init_sec_context() which
- follows a previous return indicating GSS_S_CONTINUE_NEEDED
- major_status.
-
- It is the caller's responsibility to establish a communications path
- to the target, and to transmit any returned output_token (independent
- of the accompanying returned major_status value) to the target over
- that path. The output_token can, however, be transmitted along with
- the first application-provided input message to be processed by
- GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully-
- established context.
-
- The initiator may request various context-level functions through
- input flags: the deleg_req_flag requests delegation of access rights,
- the mutual_req_flag requests mutual authentication, the
- replay_det_req_flag requests that replay detection features be
- applied to messages transferred on the established context, and the
- sequence_req_flag requests that sequencing be enforced. (See Section
-
-
-
-Linn Standards Track [Page 38]
-
-RFC 2078 GSS-API January 1997
-
-
- 1.2.3 for more information on replay detection and sequencing
- features.) The anon_req_flag requests that the initiator's identity
- not be transferred within tokens to be sent to the acceptor.
-
- Not all of the optionally-requestable features will be available in
- all underlying mech_types. The corresponding return state values
- deleg_state, mutual_state, replay_det_state, and sequence_state
- indicate, as a function of mech_type processing capabilities and
- initiator-provided input flags, the set of features which will be
- active on the context. The returned trans_state value indicates
- whether the context is transferable to other processes through use of
- GSS_Export_sec_context().
These state indicators' values are
- undefined unless either the routine's major_status indicates
- GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with
- GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is
- possible that additional features, not confirmed or indicated along
- with TRUE prot_ready_state, will be confirmed and indicated when
- GSS_S_COMPLETE is subsequently returned.
-
- The returned anon_state and prot_ready_state values are significant
- for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status
- returns from GSS_Init_sec_context(). When anon_state is returned
- TRUE, this indicates that neither the current token nor its
- predecessors delivers or has delivered the initiator's identity.
- Callers wishing to perform context establishment only if anonymity
- support is provided should transfer a returned token from
- GSS_Init_sec_context() to the peer only if it is accompanied by a
- TRUE anon_state indicator. When prot_ready_state is returned TRUE in
- conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates
- that per-message protection operations may be applied on the context:
- see Section 1.2.7 for further discussion of this facility.
-
- Failure to provide the precise set of features requested by the
- caller does not cause context establishment to fail; it is the
- caller's prerogative to delete the context if the feature set
- provided is unsuitable for the caller's use.
-
- The returned mech_type value indicates the specific mechanism
- employed on the context, is valid only along with major_status
- GSS_S_COMPLETE, and will never indicate the value for "default".
- Note that, for the case of certain mechanisms which themselves
- perform negotiation, the returned mech_type result may indicate
- selection of a mechanism identified by an OID different than that
- passed in the input mech_type argument.
-
- The conf_avail return value indicates whether the context supports
- per-message confidentiality services, and so informs the caller
- whether or not a request for encryption through the conf_req_flag
-
-
-
-Linn Standards Track [Page 39]
-
-RFC 2078 GSS-API January 1997
-
-
- input to GSS_Wrap() can be honored. In similar fashion, the
- integ_avail return value indicates whether per-message integrity
- services are available (through either GSS_GetMIC() or GSS_Wrap()) on
- the established context. These state indicators' values are undefined
- unless either the routine's major_status indicates GSS_S_COMPLETE, or
- TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED
- major_status.
-
- The lifetime_req input specifies a desired upper bound for the
- lifetime of the context to be established, with a value of 0 used to
- request a default lifetime. The lifetime_rec return value indicates
- the length of time for which the context will be valid, expressed as
- an offset from the present; depending on mechanism capabilities,
- credential lifetimes, and local policy, it may not correspond to the
- value requested in lifetime_req. If no constraints on context
- lifetime are imposed, this may be indicated by returning a reserved
- value representing INDEFINITE lifetime_req. The value of lifetime_rec
- is undefined unless the routine's major_status indicates
- GSS_S_COMPLETE.
-
- If the mutual_state is TRUE, this fact will be reflected within the
- output_token. A call to GSS_Accept_sec_context() at the target in
- conjunction with such a context will return a token, to be processed
- by a continuation call to GSS_Init_sec_context(), in order to
- achieve mutual authentication.
- -2.2.2: GSS_Accept_sec_context call - - Inputs: - - o acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies - "use default" - - o input_context_handle CONTEXT HANDLE, -- 0 specifies - "not yet assigned" - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o src_name INTERNAL NAME, -- guaranteed to be MN - - - - -Linn Standards Track [Page 40] - -RFC 2078 GSS-API January 1997 - - - o mech_type OBJECT IDENTIFIER, - - o output_context_handle CONTEXT HANDLE, - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER, - in seconds, or reserved value for - INDEFINITE - - o delegated_cred_handle CREDENTIAL HANDLE, - - o output_token OCTET STRING -NULL or token to pass to context - initiator - - This call may block pending network interactions for those mech_types - in which a directory service or other network entity must be - consulted on behalf of a context acceptor in order to validate a - received input_token. - - Return major_status codes: - - o GSS_S_COMPLETE indicates that context-level data structures - were successfully initialized, and that per-message processing - can now be performed in conjunction with this context. - - o GSS_S_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the initiator, and that - a response must be received and passed as the input_token - argument to a continuation call to GSS_Accept_sec_context(), - before per-message processing can be performed in conjunction - with this context. 
-
-
-
-
-Linn Standards Track [Page 41]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the input_token failed, preventing further processing from
- being performed based on that token.
-
- o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
- performed on the credential structure referenced by
- acceptor_cred_handle failed, preventing further processing from
- being performed using that credential structure.
-
- o GSS_S_BAD_SIG indicates that the received input_token contains
- an incorrect integrity check, so context setup cannot be
- accomplished.
-
- o GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the
- received input_token was correct, but that the input_token
- was recognized as a duplicate of an input_token already
- processed. No new context is established.
-
- o GSS_S_OLD_TOKEN indicates that the integrity check on the received
- input_token was correct, but that the input_token is too old
- to be checked for duplication against previously-processed
- input_tokens. No new context is established.
-
- o GSS_S_NO_CRED indicates that no context was established, either
- because the input cred_handle was invalid, because the
- referenced credentials are valid for context initiator use
- only, or because the caller lacks authorization to access the
- referenced credentials.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
- through the input acceptor_cred_handle argument are no
- longer valid, so context establishment cannot be completed.
-
- o GSS_S_BAD_BINDINGS indicates that a mismatch between the
- caller-provided chan_bindings and those extracted from the
- input_token was detected, signifying a security-relevant
- event and preventing context establishment.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided; this major status will
- be returned only for successor calls following GSS_S_CONTINUE_
- NEEDED status returns.
-
- o GSS_S_BAD_MECH indicates receipt of a context establishment token
- specifying a mechanism unsupported by the local system or with
- the caller's active credentials.
-
-
-
-
-
-Linn Standards Track [Page 42]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_FAILURE indicates that context setup could not be
- accomplished for reasons unspecified at the GSS-API level, and
- that no interface-defined recovery action is available.
-
- The GSS_Accept_sec_context() routine is used by a context target.
- Using information in the credentials structure referenced by the
- input acceptor_cred_handle, it verifies the incoming input_token and
- (following the successful completion of a context establishment
- sequence) returns the authenticated src_name and the mech_type used.
- The returned src_name is guaranteed to be an MN, processed by the
- mechanism under which the context was established. The
- acceptor_cred_handle must correspond to the same valid credentials
- structure on the initial call to GSS_Accept_sec_context() and on any
- successor calls resulting from GSS_S_CONTINUE_NEEDED status returns;
- different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED
- mechanism will require access to credentials at different points in
- the context establishment sequence.
-
- The input_context_handle argument is 0, specifying "not yet
- assigned", on the first GSS_Accept_sec_context() call relating to a
- given context. If successful (i.e., if accompanied by major_status
- GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the
- initial GSS_Accept_sec_context() call returns a non-zero
- output_context_handle for use in future references to this context.
- Once a non-zero output_context_handle has been returned, GSS-API - callers should call GSS_Delete_sec_context() to release context- - related resources if errors occur in later phases of context - establishment, or when an established context is no longer required. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. - - The returned state results (deleg_state, mutual_state, - replay_det_state, sequence_state, anon_state, trans_state, and - prot_ready_state) reflect the same information as described for - GSS_Init_sec_context(), and their values are significant under the - same return state conditions. - - - - - - - - - - - -Linn Standards Track [Page 43] - -RFC 2078 GSS-API January 1997 - - - The conf_avail return value indicates whether the context supports - per-message confidentiality services, and so informs the caller - whether or not a request for encryption through the conf_req_flag - input to GSS_Wrap() can be honored. In similar fashion, the - integ_avail return value indicates whether per-message integrity - services are available (through either GSS_GetMIC() or GSS_Wrap()) - on the established context. These values are significant under the - same return state conditions as described under - GSS_Init_sec_context(). - - The lifetime_rec return value is significant only in conjunction with - GSS_S_COMPLETE major_status, and indicates the length of time for - which the context will be valid, expressed as an offset from the - present. - - The mech_type return value indicates the specific mechanism employed - on the context, is valid only along with major_status GSS_S_COMPLETE, - and will never indicate the value for "default". 
-
- The delegated_cred_handle result is significant only when deleg_state
- is TRUE, and provides a means for the target to reference the
- delegated credentials. The output_token result, when non-NULL,
- provides a context-level token to be returned to the context
- initiator to continue a multi-step context establishment sequence. As
- noted with GSS_Init_sec_context(), any returned token should be
- transferred to the context's peer (in this case, the context
- initiator), independent of the value of the accompanying returned
- major_status.
-
- Note: A target must be able to distinguish a context-level
- input_token, which is passed to GSS_Accept_sec_context(), from the
- per-message data elements passed to GSS_VerifyMIC() or GSS_Unwrap().
- These data elements may arrive in a single application message, and
- GSS_Accept_sec_context() must be performed before per-message
- processing can be performed successfully.
-
-2.2.3: GSS_Delete_sec_context call
-
- Input:
-
- o context_handle CONTEXT HANDLE
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
-
-
-
-Linn Standards Track [Page 44]
-
-RFC 2078 GSS-API January 1997
-
-
- o output_context_token OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the context was recognized, and that
- relevant context-specific information was flushed. If the caller
- provides a non-null buffer to receive an output_context_token, and
- the mechanism returns a non-NULL token into that buffer, the
- returned output_context_token is ready for transfer to the
- context's peer.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided, so no deletion was
- performed.
-
- o GSS_S_FAILURE indicates that the context is recognized, but
- that the GSS_Delete_sec_context() operation could not be
- performed for reasons unspecified at the GSS-API level.
- - This call may block pending network interactions for mech_types in - which active notification must be made to a central server when a - security context is to be deleted. - - This call can be made by either peer in a security context, to flush - context-specific information. If a non-null output_context_token - parameter is provided by the caller, an output_context_token may be - returned to the caller. If an output_context_token is provided to - the caller, it can be passed to the context's peer to inform the - peer's GSS-API implementation that the peer's corresponding context - information can also be flushed. (Once a context is established, the - peers involved are expected to retain cached credential and context- - related information until the information's expiration time is - reached or until a GSS_Delete_sec_context() call is made.) - - The facility for context_token usage to signal context deletion is - retained for compatibility with GSS-API Version 1. For current - usage, it is recommended that both peers to a context invoke - GSS_Delete_sec_context() independently, passing a null - output_context_token buffer to indicate that no context_token is - required. Implementations of GSS_Delete_sec_context() should delete - relevant locally-stored context information. - - Attempts to perform per-message processing on a deleted context will - result in error returns. - - - - - - - -Linn Standards Track [Page 45] - -RFC 2078 GSS-API January 1997 - - -2.2.4: GSS_Process_context_token call - - Inputs: - - o context_handle CONTEXT HANDLE, - - o input_context_token OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the input_context_token was - successfully processed in conjunction with the context - referenced by context_handle. 
- - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks - performed on the received context_token failed, preventing - further processing from being performed with that token. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_FAILURE indicates that the context is recognized, but - that the GSS_Process_context_token() operation could not be - performed for reasons unspecified at the GSS-API level. - - This call is used to process context_tokens received from a peer once - a context has been established, with corresponding impact on - context-level state information. One use for this facility is - processing of the context_tokens generated by - GSS_Delete_sec_context(); GSS_Process_context_token() will not block - pending network interactions for that purpose. Another use is to - process tokens indicating remote-peer context establishment failures - after the point where the local GSS-API implementation has already - indicated GSS_S_COMPLETE status. - - - - - - - - - - - -Linn Standards Track [Page 46] - -RFC 2078 GSS-API January 1997 - - -2.2.5: GSS_Context_time call - - Input: - - o context_handle CONTEXT HANDLE, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o lifetime_rec INTEGER - in seconds, or reserved value for - INDEFINITE - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context is valid, - and will remain valid for the amount of time indicated in - lifetime_rec. - - o GSS_S_CONTEXT_EXPIRED indicates that data items related to the - referenced context have expired. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the context is - recognized, but that its associated credentials have expired. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. 
- - This call is used to determine the amount of time for which a - currently established context will remain valid. - -2.2.6: GSS_Inquire_context call - - Input: - - o context_handle CONTEXT HANDLE, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - - -Linn Standards Track [Page 47] - -RFC 2078 GSS-API January 1997 - - - o src_name INTERNAL NAME, -- name of context initiator, - -- guaranteed to be MN - - o targ_name INTERNAL NAME, -- name of context target, - -- guaranteed to be MN - - - o lifetime_rec INTEGER -- in seconds, or reserved value for - INDEFINITE, - - o mech_type OBJECT IDENTIFIER, -- the mechanism supporting this - security context - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context is valid - and that src_name, targ_name, lifetime_rec, mech_type, deleg_state, - mutual_state, replay_det_state, sequence_state, anon_state, - trans_state, prot_ready_state, conf_avail, integ_avail, and - locally_initiated return values describe the corresponding - characteristics of the context. - - o GSS_S_CONTEXT_EXPIRED indicates that the provided input - context_handle is recognized, but that the referenced context - has expired. Return values other than major_status and - minor_status are undefined. - - - - - -Linn Standards Track [Page 48] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. Return values other than - major_status and minor_status are undefined. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. 
Return values other than - major_status and minor_status are undefined. - - This call is used to extract information describing characteristics - of a security context. - -2.2.7: GSS_Wrap_size_limit call - - Inputs: - - o context_handle CONTEXT HANDLE, - - o qop INTEGER, - - o output_size INTEGER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o max_input_size INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates a successful token size determination: - an input message with a length in octets equal to the - returned max_input_size value will, when passed to GSS_Wrap() - for processing on the context identified by the context_handle - parameter and with the quality of protection specifier provided - in the qop parameter, yield an output token no larger than the - value of the provided output_size parameter. - - o GSS_S_CONTEXT_EXPIRED indicates that the provided input - context_handle is recognized, but that the referenced context - has expired. Return values other than major_status and - minor_status are undefined. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. Return values other than - major_status and minor_status are undefined. - - - - -Linn Standards Track [Page 49] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_BAD_QOP indicates that the provided QOP value is not - recognized or supported for the context. - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. Return values other than - major_status and minor_status are undefined. - - This call is used to determine the largest input datum which may be - passed to GSS_Wrap() without yielding an output token larger than a - caller-specified value. 
- -2.2.8: GSS_Export_sec_context call - - Inputs: - - o context_handle CONTEXT HANDLE - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o interprocess_token OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the referenced context has been - successfully exported to a representation in the interprocess_token, - and is no longer available for use by the caller. - - o GSS_S_UNAVAILABLE indicates that the context export facility - is not available for use on the referenced context. (This status - should occur only for contexts for which the trans_state value is - FALSE.) Return values other than major_status and minor_status are - undefined. - - o GSS_S_CONTEXT_EXPIRED indicates that the provided input - context_handle is recognized, but that the referenced context has - expired. Return values other than major_status and minor_status are - undefined. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. Return values other than - major_status and minor_status are undefined. - - - - - - -Linn Standards Track [Page 50] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_FAILURE indicates that the requested operation failed for - reasons unspecified at the GSS-API level. Return values other than - major_status and minor_status are undefined. - - This call generates an interprocess token for transfer to another - process within an end system, in order to transfer control of a - security context to that process. The recipient of the interprocess - token will call GSS_Import_sec_context() to accept the transfer. The - GSS_Export_sec_context() operation is defined for use only with - security contexts which are fully and successfully established (i.e., - those for which GSS_Init_sec_context() and GSS_Accept_sec_context() - have returned GSS_S_COMPLETE major_status). 
-
- To ensure portability, a caller of GSS_Export_sec_context() must not
- assume that a context may continue to be used once it has been
- exported; following export, the context referenced by the
- context_handle cannot be assumed to remain valid. Further, portable
- callers must not assume that a given interprocess token can be
- imported by GSS_Import_sec_context() more than once, thereby creating
- multiple instantiations of a single context. GSS-API implementations
- may detect and reject attempted multiple imports, but are not
- required to do so.
-
- The internal representation contained within the interprocess token
- is an implementation-defined local matter. Interprocess tokens
- cannot be assumed to be transferable across different GSS-API
- implementations.
-
- It is recommended that GSS-API implementations adopt policies suited
- to their operational environments in order to define the set of
- processes eligible to import a context, but specific constraints in
- this area are local matters. Candidate examples include transfers
- between processes operating on behalf of the same user identity, or
- processes comprising a common job. However, it may be impossible to
- enforce such policies in some implementations.
-
- In support of the above goals, implementations may protect the
- transferred context data by using cryptography to protect data within
- the interprocess token, or by using interprocess tokens as a means to
- reference local interprocess communication facilities (protected by
- other means) rather than storing the context data directly within the
- tokens.
-
- Transfer of an open context may, for certain mechanisms and
- implementations, reveal data about the credential which was used to
- establish the context. Callers should, therefore, be cautious about
- the trustworthiness of processes to which they transfer contexts.
- Although the GSS-API implementation may provide its own set of
-
-
-
-Linn Standards Track [Page 51]
-
-RFC 2078 GSS-API January 1997
-
-
- protections over the exported context, the caller is responsible for
- protecting the interprocess token from disclosure, and for taking
- care that the context is transferred to an appropriate destination
- process.
-
-2.2.9: GSS_Import_sec_context call
-
- Inputs:
-
- o interprocess_token OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o context_handle CONTEXT HANDLE
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the context represented by the
- input interprocess_token has been successfully transferred to
- the caller, and is available for future use via the output
- context_handle.
-
- o GSS_S_CONTEXT_EXPIRED indicates that the context represented by
- the input interprocess_token has expired. Return values other
- than major_status and minor_status are undefined.
-
- o GSS_S_NO_CONTEXT indicates that the context represented by the
- input interprocess_token was invalid. Return values other than
- major_status and minor_status are undefined.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token
- was defective. Return values other than major_status and
- minor_status are undefined.
-
- o GSS_S_UNAVAILABLE indicates that the context import facility
- is not available for use on the referenced context. Return values
- other than major_status and minor_status are undefined.
-
- o GSS_S_UNAUTHORIZED indicates that the context represented by
- the input interprocess_token is unauthorized for transfer to the
- caller. Return values other than major_status and minor_status
- are undefined.
-
-
-
-
-
-Linn Standards Track [Page 52]
-
-RFC 2078 GSS-API January 1997
-
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
- - This call processes an interprocess token generated by - GSS_Export_sec_context(), making the transferred context available - for use by the caller. After a successful GSS_Import_sec_context() - operation, the imported context is available for use by the importing - process. - - For further discussion of the security and authorization issues - regarding this call, please see the discussion in Section 2.2.8. - -2.3: Per-message calls - - This group of calls is used to perform per-message protection - processing on an established security context. None of these calls - block pending network interactions. These calls may be invoked by a - context's initiator or by the context's target. The four members of - this group should be considered as two pairs; the output from - GSS_GetMIC() is properly input to GSS_VerifyMIC(), and the output - from GSS_Wrap() is properly input to GSS_Unwrap(). - - GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication - and data integrity services. When GSS_GetMIC() is invoked on an - input message, it yields a per-message token containing data items - which allow underlying mechanisms to provide the specified security - services. The original message, along with the generated per-message - token, is passed to the remote peer; these two data elements are - processed by GSS_VerifyMIC(), which validates the message in - conjunction with the separate token. - - GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality - in addition to the data origin authentication and data integrity - services offered by GSS_GetMIC() and GSS_VerifyMIC(). GSS_Wrap() - outputs a single data element, encapsulating optionally enciphered - user data as well as associated token data items. The data element - output from GSS_Wrap() is passed to the remote peer and processed by - GSS_Unwrap() at that system. GSS_Unwrap() combines decipherment (as - required) with validation of data items related to authentication and - integrity. 
- - - - - - - - - - -Linn Standards Track [Page 53] - -RFC 2078 GSS-API January 1997 - - -2.3.1: GSS_GetMIC call - - Note: This call is functionally equivalent to the GSS_Sign call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Sign are deprecated. - - Inputs: - - o context_handle CONTEXT HANDLE, - - o qop_req INTEGER,-0 specifies default QOP - - o message OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o per_msg_token OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that an integrity check, suitable for an - established security context, was successfully applied and - that the message and corresponding per_msg_token are ready - for transmission. - - o GSS_S_CONTEXT_EXPIRED indicates that context-related data - items have expired, so that the requested operation cannot be - performed. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the context is recognized, - but that its associated credentials have expired, so - that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_BAD_QOP indicates that the provided QOP value is not - recognized or supported for the context. - - o GSS_S_FAILURE indicates that the context is recognized, but - that the requested operation could not be performed for - reasons unspecified at the GSS-API level. - - - -Linn Standards Track [Page 54] - -RFC 2078 GSS-API January 1997 - - - Using the security context referenced by context_handle, apply an - integrity check to the input message (along with timestamps and/or - other data included in support of mech_type-specific mechanisms) and - return the result in per_msg_token. 
The qop_req parameter, - interpretation of which is discussed in Section 1.2.4, allows - quality-of-protection control. The caller passes the message and the - per_msg_token to the target. - - The GSS_GetMIC() function completes before the message and - per_msg_token is sent to the peer; successful application of - GSS_GetMIC() does not guarantee that a corresponding GSS_VerifyMIC() - has been (or can necessarily be) performed successfully when the - message arrives at the destination. - - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. - -2.3.2: GSS_VerifyMIC call - - Note: This call is functionally equivalent to the GSS_Verify call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Verify are deprecated. - - Inputs: - - o context_handle CONTEXT HANDLE, - - o message OCTET STRING, - - o per_msg_token OCTET STRING - - Outputs: - - o qop_state INTEGER, - - o major_status INTEGER, - - o minor_status INTEGER, - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the message was successfully - verified. - - - - - - -Linn Standards Track [Page 55] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the received per_msg_token failed, preventing - further processing from being performed with that token. - - o GSS_S_BAD_SIG indicates that the received per_msg_token contains - an incorrect integrity check for the message. - - o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, - and GSS_S_GAP_TOKEN values appear in conjunction with the - optional per-message replay detection features described - in Section 1.2.3; their semantics are described in that section. 
- - o GSS_S_CONTEXT_EXPIRED indicates that context-related data - items have expired, so that the requested operation cannot be - performed. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the context is - recognized, - but that its associated credentials have expired, so - that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_FAILURE indicates that the context is recognized, but - that the GSS_VerifyMIC() operation could not be performed for - reasons unspecified at the GSS-API level. - - Using the security context referenced by context_handle, verify that - the input per_msg_token contains an appropriate integrity check for - the input message, and apply any active replay detection or - sequencing features. Return an indication of the quality-of- - protection applied to the processed message in the qop_state result. - Since the GSS_VerifyMIC() routine never provides a confidentiality - service, its implementations should not return non-zero values in the - confidentiality fields of the output qop_state. - - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. - -2.3.3: GSS_Wrap call - - Note: This call is functionally equivalent to the GSS_Seal call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Seal are deprecated. 
- - - - -Linn Standards Track [Page 56] - -RFC 2078 GSS-API January 1997 - - - Inputs: - - o context_handle CONTEXT HANDLE, - - o conf_req_flag BOOLEAN, - - o qop_req INTEGER,-0 specifies default QOP - - o input_message OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o conf_state BOOLEAN, - - o output_message OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the input_message was successfully - processed and that the output_message is ready for - transmission. - - o GSS_S_CONTEXT_EXPIRED indicates that context-related data - items have expired, so that the requested operation cannot be - performed. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the context is - recognized, - but that its associated credentials have expired, so - that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. - - o GSS_S_BAD_QOP indicates that the provided QOP value is not - recognized or supported for the context. - - o GSS_S_FAILURE indicates that the context is recognized, but - that the GSS_Wrap() operation could not be performed for - reasons unspecified at the GSS-API level. - - Performs the data origin authentication and data integrity functions - of GSS_GetMIC(). If the input conf_req_flag is TRUE, requests that - confidentiality be applied to the input_message. Confidentiality may - - - -Linn Standards Track [Page 57] - -RFC 2078 GSS-API January 1997 - - - not be supported in all mech_types or by all implementations; the - returned conf_state flag indicates whether confidentiality was - provided for the input_message. The qop_req parameter, interpretation - of which is discussed in Section 1.2.4, allows quality-of-protection - control. - - In all cases, the GSS_Wrap() call yields a single output_message - data element containing (optionally enciphered) user data as well as - control information. 
- - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. - -2.3.4: GSS_Unwrap call - - Note: This call is functionally equivalent to the GSS_Unseal call as - defined in previous versions of this specification. In the interests - of backward compatibility, it is recommended that implementations - support this function under both names for the present; future - references to this function as GSS_Unseal are deprecated. - - Inputs: - - o context_handle CONTEXT HANDLE, - - o input_message OCTET STRING - - Outputs: - - o conf_state BOOLEAN, - - o qop_state INTEGER, - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_message OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the input_message was - successfully processed and that the resulting output_message is - available. - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the per_msg_token extracted from the input_message - failed, preventing further processing from being performed. - - - -Linn Standards Track [Page 58] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_BAD_SIG indicates that an incorrect integrity check was - detected - for the message. - - o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, - and GSS_S_GAP_TOKEN values appear in conjunction with the - optional per-message replay detection features described - in Section 1.2.3; their semantics are described in that section. - - o GSS_S_CONTEXT_EXPIRED indicates that context-related data - items have expired, so that the requested operation cannot be - performed. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the context is - recognized, - but that its associated credentials have expired, so - that the requested operation cannot be performed. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided. 
- - o GSS_S_FAILURE indicates that the context is recognized, but - that the GSS_Unwrap() operation could not be performed for - reasons unspecified at the GSS-API level. - - Processes a data element generated (and optionally enciphered) by - GSS_Wrap(), provided as input_message. The returned conf_state value - indicates whether confidentiality was applied to the input_message. - If conf_state is TRUE, GSS_Unwrap() deciphers the input_message. - Returns an indication of the quality-of-protection applied to the - processed message in the qop_state result. GSS_Wrap() performs the - data integrity and data origin authentication checking functions of - GSS_VerifyMIC() on the plaintext data. Plaintext data is returned in - output_message. - - Mechanisms which do not support per-message protection services - should return GSS_S_FAILURE if this routine is called. - -2.4: Support calls - - This group of calls provides support functions useful to GSS-API - callers, independent of the state of established contexts. Their - characterization with regard to blocking or non-blocking status in - terms of network interactions is unspecified. - - - - - - - -Linn Standards Track [Page 59] - -RFC 2078 GSS-API January 1997 - - -2.4.1: GSS_Display_status call - - Inputs: - - o status_value INTEGER,-GSS-API major_status or minor_status - return value - - o status_type INTEGER,-1 if major_status, 2 if minor_status - - o mech_type OBJECT IDENTIFIER-mech_type to be used for minor_ - status translation - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o status_string_set SET OF OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a valid printable status - representation (possibly representing more than one status event - encoded within the status_value) is available in the returned - status_string_set. 
- - o GSS_S_BAD_MECH indicates that translation in accordance with an - unsupported mech_type was requested, so translation could not - be performed. - - o GSS_S_BAD_STATUS indicates that the input status_value was - invalid, or that the input status_type carried a value other - than 1 or 2, so translation could not be performed. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Provides a means for callers to translate GSS-API-returned major and - minor status codes into printable string representations. - -2.4.2: GSS_Indicate_mechs call - - Input: - - o (none) - - - - - -Linn Standards Track [Page 60] - -RFC 2078 GSS-API January 1997 - - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o mech_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a set of available mechanisms has - been returned in mech_set. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to determine the set of mechanism types available on - the local system. This call is intended for support of specialized - callers who need to request non-default mech_type sets from - GSS_Acquire_cred(), and should not be needed by other callers. - -2.4.3: GSS_Compare_name call - - Inputs: - - o name1 INTERNAL NAME, - - o name2 INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_equal BOOLEAN - - Return major_status codes: - - o GSS_S_COMPLETE indicates that name1 and name2 were comparable, - and that the name_equal result indicates whether name1 and - name2 represent the same entity. 
- - o GSS_S_BAD_NAMETYPE indicates that one or both of name1 and - name2 contained internal type specifiers uninterpretable - by the applicable underlying GSS-API mechanism(s), or that - the two names' types are different and incomparable, so that - the comparison operation could not be completed. - - - -Linn Standards Track [Page 61] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_BAD_NAME indicates that one or both of the input names - was ill-formed in terms of its internal type specifier, so - the comparison operation could not be completed. - - o GSS_S_FAILURE indicates that the call's operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to compare two internal name representations to - determine whether they refer to the same entity. If either name - presented to GSS_Compare_name() denotes an anonymous principal, - GSS_Compare_name() shall indicate FALSE. It is not required that - either or both inputs name1 and name2 be MNs; for some - implementations and cases, GSS_S_BAD_NAMETYPE may be returned, - indicating name incomparability, for the case where neither input - name is an MN. - -2.4.4: GSS_Display_name call - - Inputs: - - o name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_string OCTET STRING, - - o name_type OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a valid printable name - representation is available in the returned name_string. - - o GSS_S_BAD_NAMETYPE indicates that the provided name was of a - type uninterpretable by the applicable underlying GSS-API - mechanism(s), so no printable representation could be generated. - - o GSS_S_BAD_NAME indicates that the contents of the provided name - were inconsistent with the internally-indicated name type, so - no printable representation could be generated. 
- - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - - - -Linn Standards Track [Page 62] - -RFC 2078 GSS-API January 1997 - - - Allows callers to translate an internal name representation into a - printable form with associated namespace type descriptor. The syntax - of the printable form is a local matter. - - If the input name represents an anonymous identity, a reserved value - (GSS_C_NT_ANONYMOUS) shall be returned for name_type. - -2.4.5: GSS_Import_name call - - Inputs: - - o input_name_string OCTET STRING, - - o input_name_type OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_name INTERNAL NAME - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a valid name representation is - output in output_name and described by the type value in - output_name_type. - - o GSS_S_BAD_NAMETYPE indicates that the input_name_type is unsupported - by the applicable underlying GSS-API mechanism(s), so the import - operation could not be completed. - - o GSS_S_BAD_NAME indicates that the provided input_name_string - is ill-formed in terms of the input_name_type, so the import - operation could not be completed. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to provide a name representation as a contiguous octet - string, designate the type of namespace in conjunction with which it - should be parsed, and convert that representation to an internal form - suitable for input to other GSS-API routines. The syntax of the - input_name_string is defined in conjunction with its associated name - type; depending on the input_name_type, the associated - input_name_string may or may not be a printable string. 
Note: The - input_name_type argument serves to describe and qualify the - - - -Linn Standards Track [Page 63] - -RFC 2078 GSS-API January 1997 - - - interpretation of the associated input_name_string; it does not - specify the data type of the returned output_name. - - If a mechanism claims support for a particular name type, its - GSS_Import_name() operation shall be able to accept all possible - values conformant to the external name syntax as defined for that - name type. These imported values may correspond to: - - (1) locally registered entities (for which credentials may be - acquired), - - (2) non-local entities (for which local credentials cannot be - acquired, but which may be referenced as targets of initiated - security contexts or initiators of accepted security contexts), or - to - - (3) neither of the above. - - Determination of whether a particular name belongs to class (1), (2), - or (3) as described above is not guaranteed to be performed by the - GSS_Import_name() function. - - The internal name generated by a GSS_Import_name() operation may be a - single-mechanism MN, and is likely to be an MN within a single- - mechanism implementation, but portable callers must not depend on - this property (and must not, therefore, assume that the output from - GSS_Import_name() can be passed directly to GSS_Export_name() without - first being processed through GSS_Canonicalize_name()). - -2.4.6: GSS_Release_name call - - Inputs: - - o name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the storage associated with the - input name was successfully released. - - o GSS_S_BAD_NAME indicates that the input name argument did not - contain a valid name. - - - -Linn Standards Track [Page 64] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. 
- - Allows callers to release the storage associated with an internal - name representation. This call's specific behavior depends on the - language and programming environment within which a GSS-API - implementation operates, and is therefore detailed within applicable - bindings specifications; in particular, this call may be superfluous - within bindings where memory management is automatic. - -2.4.7: GSS_Release_buffer call - - Inputs: - - o buffer OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the storage associated with the - input buffer was successfully released. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an OCTET STRING - buffer allocated by another GSS-API call. This call's specific - behavior depends on the language and programming environment within - which a GSS-API implementation operates, and is therefore detailed - within applicable bindings specifications; in particular, this call - may be superfluous within bindings where memory management is - automatic. - -2.4.8: GSS_Release_OID_set call - - Inputs: - - o buffer SET OF OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - - - -Linn Standards Track [Page 65] - -RFC 2078 GSS-API January 1997 - - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the storage associated with the - input object identifier set was successfully released. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an object - identifier set object allocated by another GSS-API call. 
This call's - specific behavior depends on the language and programming environment - within which a GSS-API implementation operates, and is therefore - detailed within applicable bindings specifications; in particular, - this call may be superfluous within bindings where memory management - is automatic. - -2.4.9: GSS_Create_empty_OID_set call - - Inputs: - - o (none) - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o oid_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - Creates an object identifier set containing no object identifiers, to - which members may be subsequently added using the - GSS_Add_OID_set_member() routine. These routines are intended to be - used to construct sets of mechanism object identifiers, for input to - GSS_Acquire_cred(). - - - - - - - - -Linn Standards Track [Page 66] - -RFC 2078 GSS-API January 1997 - - -2.4.10: GSS_Add_OID_set_member call - - Inputs: - - o member_oid OBJECT IDENTIFIER, - - o oid_set SET OF OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - Adds an Object Identifier to an Object Identifier set. This routine - is intended for use in conjunction with GSS_Create_empty_OID_set() - when constructing a set of mechanism OIDs for input to - GSS_Acquire_cred(). 
- -2.4.11: GSS_Test_OID_set_member call - - Inputs: - - o member OBJECT IDENTIFIER, - - o set SET OF OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o present BOOLEAN - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - - - - -Linn Standards Track [Page 67] - -RFC 2078 GSS-API January 1997 - - - Interrogates an Object Identifier set to determine whether a - specified Object Identifier is a member. This routine is intended to - be used with OID sets returned by GSS_Indicate_mechs(), - GSS_Acquire_cred(), and GSS_Inquire_cred(). - -2.4.12: GSS_Release_OID call - - Inputs: - - o oid OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - Allows the caller to release the storage associated with an OBJECT - IDENTIFIER buffer allocated by another GSS-API call. This call's - specific behavior depends on the language and programming environment - within which a GSS-API implementation operates, and is therefore - detailed within applicable bindings specifications; in particular, - this call may be superfluous within bindings where memory management - is automatic. - -2.4.13: GSS_OID_to_str call - - Inputs: - - o oid OBJECT IDENTIFIER - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o oid_str OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - - -Linn Standards Track [Page 68] - -RFC 2078 GSS-API January 1997 - - - o GSS_S_FAILURE indicates that the operation failed - - The function GSS_OID_to_str() returns a string representing the input - OID in numeric ASN.1 syntax format (curly-brace enclosed, space- - delimited, e.g., "{2 16 840 1 113687 1 2 1}"). 
The string is - releasable using GSS_Release_buffer(). If the input "oid" does not - represent a syntactically valid object identifier, GSS_S_FAILURE - status is returned and the returned oid_str result is NULL. - -2.4.14: GSS_Str_to_OID call - - Inputs: - - o oid_str OCTET STRING - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o oid OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates successful completion - - o GSS_S_FAILURE indicates that the operation failed - - The function GSS_Str_to_OID() constructs and returns an OID from its - printable form; implementations should be able to accept the numeric - ASN.1 syntax form as described for GSS_OID_to_str(), and this form - should be used for portability, but implementations of this routine - may also accept other formats (e.g., "1.2.3.3"). The OID is suitable - for release using the function GSS_Release_OID(). If the input - oid_str cannot be translated into an OID, GSS_S_FAILURE status is - returned and the "oid" result is NULL. - -2.4.15: GSS_Inquire_names_for_mech call - - Input: - - o input_mech_type OBJECT IDENTIFIER, -- mechanism type - - Outputs: - - o major_status INTEGER, - - - - -Linn Standards Track [Page 69] - -RFC 2078 GSS-API January 1997 - - - o minor_status INTEGER, - - o name_type_set SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the output name_type_set contains - a list of name types which are supported by the locally available - mechanism identified by input_mech_type. - - o GSS_S_BAD_MECH indicates that the mechanism identified by - input_mech_type was unsupported within the local implementation, - causing the query to fail. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - Allows callers to determine the set of name types which are - supportable by a specific locally-available mechanism. 
- -2.4.16: GSS_Inquire_mechs_for_name call - - Inputs: - - o input_name INTERNAL NAME, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o mech_types SET OF OBJECT IDENTIFIER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a set of object identifiers, - corresponding to the set of mechanisms suitable for processing - the input_name, is available in mech_types. - - o GSS_S_BAD_NAME indicates that the input_name could not be - processed. - - o GSS_S_BAD_NAMETYPE indicates that the type of the input_name - is unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - - -Linn Standards Track [Page 70] - -RFC 2078 GSS-API January 1997 - - - This routine returns the mechanism set with which the input_name may - be processed. After use, the mech_types object should be freed by - the caller via the GSS_Release_OID_set() call. Note: it is - anticipated that implementations of GSS_Inquire_mechs_for_name() will - commonly operate based on type information describing the - capabilities of available mechanisms; it is not guaranteed that all - identified mechanisms will necessarily be able to canonicalize (via - GSS_Canonicalize_name()) a particular name. - -2.4.17: GSS_Canonicalize_name call - - Inputs: - - o input_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER -- must be explicit mechanism, - not "default" specifier - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_name INTERNAL NAME - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a mechanism-specific reduction of - the input_name, as processed by the mechanism identified by - mech_type, is available in output_name. - - o GSS_S_BAD_MECH indicates that the identified mechanism is - unsupported. 
- - o GSS_S_BAD_NAMETYPE indicates that the input name does not - contain an element with suitable type for processing by the - identified mechanism. - - o GSS_S_BAD_NAME indicates that the input name contains an - element with suitable type for processing by the identified - mechanism, but that this element could not be processed - successfully. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - - - - -Linn Standards Track [Page 71] - -RFC 2078 GSS-API January 1997 - - - This routine reduces a GSS-API internal name, which may in general - contain elements corresponding to multiple mechanisms, to a - mechanism-specific Mechanism Name (MN) by applying the translations - corresponding to the mechanism identified by mech_type. - -2.4.18: GSS_Export_name call - - Inputs: - - o input_name INTERNAL NAME, -- required to be MN - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_name OCTET STRING - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a flat representation of the - input name is available in output_name. - - o GSS_S_NAME_NOT_MN indicates that the input name contained - elements corresponding to multiple mechanisms, so cannot - be exported into a single-mechanism flat form. - - o GSS_S_BAD_NAME indicates that the input name was an MN, - but could not be processed. - - o GSS_S_BAD_NAMETYPE indicates that the input name was an MN, - but that its type is unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - This routine creates a flat name representation, suitable for - bytewise comparison or for input to GSS_Import_name() in conjunction - with the reserved GSS-API Exported Name Object OID, from a internal- - form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name() - or GSS_Accept_sec_context(). 
- - The emitted GSS-API Exported Name Object is self-describing; no - associated parameter-level OID need be emitted by this call. This - flat representation consists of a mechanism-independent wrapper - layer, defined in Section 3.2 of this document, enclosing a - mechanism-defined name representation. - - - -Linn Standards Track [Page 72] - -RFC 2078 GSS-API January 1997 - - - In all cases, the flat name output by GSS_Export_name() to correspond - to a particular input MN must be invariant over time within a - particular installation. - - The GSS_S_NAME_NOT_MN status code is provided to enable - implementations to reject input names which are not MNs. It is not, - however, required for purposes of conformance to this specification - that all non-MN input names must necessarily be rejected. - -2.4.19: GSS_Duplicate_name call - - Inputs: - - o src_name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o dest_name INTERNAL NAME - - Return major_status codes: - - o GSS_S_COMPLETE indicates that dest_name references an internal - name object containing the same name as passed to src_name. - - o GSS_S_BAD_NAME indicates that the input name was invalid. - - o GSS_S_BAD_NAMETYPE indicates that the input name's type - is unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not - be performed for reasons unspecified at the GSS-API level. - - This routine takes input internal name src_name, and returns another - reference (dest_name) to that name which can be used even if src_name - is later freed. (Note: This may be implemented by copying or through - use of reference counts.) - -3: Data Structure Definitions for GSS-V2 Usage - - Subsections of this section define, for interoperability and - portability purposes, certain data structures for use with GSS-V2. 
- - - - - - -Linn Standards Track [Page 73] - -RFC 2078 GSS-API January 1997 - - -3.1: Mechanism-Independent Token Format - - This section specifies a mechanism-independent level of encapsulating - representation for the initial token of a GSS-API context - establishment sequence, incorporating an identifier of the mechanism - type to be used on that context and enabling tokens to be interpreted - unambiguously at GSS-API peers. Use of this format is required for - initial context establishment tokens of Internet standards-track - GSS-API mechanisms; use in non-initial tokens is optional. - - The encoding format for the token tag is derived from ASN.1 and DER - (per illustrative ASN.1 syntax included later within this - subsection), but its concrete representation is defined directly in - terms of octets rather than at the ASN.1 level in order to facilitate - interoperable implementation without use of general ASN.1 processing - code. The token tag consists of the following elements, in order: - - 1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that - constructed form, definite length encoding follows. - - 2. Token length octets, specifying length of subsequent data - (i.e., the summed lengths of elements 3-5 in this list, and of the - mechanism-defined token object following the tag). This element - comprises a variable number of octets: - - 2a. If the indicated value is less than 128, it shall be - represented in a single octet with bit 8 (high order) set to "0" - and the remaining bits representing the value. - - 2b. If the indicated value is 128 or more, it shall be represented - in two or more octets, with bit 8 of the first octet set to "1" - and the remaining bits of the first octet specifying the number of - additional octets. The subsequent octets carry the value, 8 bits - per octet, most significant digit first. 
The minimum number of - octets shall be used to encode the length (i.e., no octets - representing leading zeros shall be included within the length - encoding). - - 3. 0x06 -- Tag for OBJECT IDENTIFIER - - 4. Object identifier length -- length (number of octets) of the - encoded object identifier contained in element 5, encoded per - rules as described in 2a. and 2b. above. - - 5. Object identifier octets -- variable number of octets, encoded - per ASN.1 BER rules: - - - - - -Linn Standards Track [Page 74] - -RFC 2078 GSS-API January 1997 - - - 5a. The first octet contains the sum of two values: (1) the top- - level object identifier component, multiplied by 40 (decimal), and - (2) the second-level object identifier component. This special - case is the only point within an object identifier encoding where - a single octet represents contents of more than one component. - - 5b. Subsequent octets, if required, encode successively-lower - components in the represented object identifier. A component's - encoding may span multiple octets, encoding 7 bits per octet (most - significant bits first) and with bit 8 set to "1" on all but the - final octet in the component's encoding. The minimum number of - octets shall be used to encode each component (i.e., no octets - representing leading zeros shall be included within a component's - encoding). - - (Note: In many implementations, elements 3-5 may be stored and - referenced as a contiguous string constant.) - - The token tag is immediately followed by a mechanism-defined token - object. Note that no independent size specifier intervenes following - the object identifier value to indicate the size of the mechanism- - defined token object. While ASN.1 usage within mechanism-defined - tokens is permitted, there is no requirement that the mechanism- - specific innerContextToken, innerMsgToken, and sealedUserData data - elements must employ ASN.1 BER/DER encoding conventions. 
- - - - - - - - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 75] - -RFC 2078 GSS-API January 1997 - - - The following ASN.1 syntax is included for descriptive purposes only, - to illustrate structural relationships among token and tag objects. - For interoperability purposes, token and tag encoding shall be - performed using the concrete encoding procedures described earlier in - this subsection. - - GSS-API DEFINITIONS ::= - - BEGIN - - MechType ::= OBJECT IDENTIFIER - -- data structure definitions - - -- callers must be able to distinguish among - -- InitialContextToken, SubsequentContextToken, - -- PerMsgToken, and SealedMessage data elements - -- based on the usage in which they occur - - InitialContextToken ::= - -- option indication (delegation, etc.) indicated within - -- mechanism-specific token - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific - -- ASN.1 structure not required - } - - SubsequentContextToken ::= innerContextToken ANY - -- interpretation based on predecessor InitialContextToken - -- ASN.1 structure not required - - PerMsgToken ::= - -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC - -- ASN.1 structure not required - innerMsgToken ANY - - SealedMessage ::= - -- as emitted by GSS_Wrap and processed by GSS_Unwrap - -- includes internal, mechanism-defined indicator - -- of whether or not encrypted - -- ASN.1 structure not required - sealedUserData ANY - - END - - - - - - -Linn Standards Track [Page 76] - -RFC 2078 GSS-API January 1997 - - -3.2: Mechanism-Independent Exported Name Object Format - - This section specifies a mechanism-independent level of encapsulating - representation for names exported via the GSS_Export_name() call, - including an object identifier representing the exporting mechanism. - The format of names encapsulated via this representation shall be - defined within individual mechanism drafts. 
Name objects of this - type will be identified with the following Object Identifier: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 4(gss-api-exported-name)} - - No name type OID is included in this mechanism-independent level of - format definition, since (depending on individual mechanism - specifications) the enclosed name may be implicitly typed or may be - explicitly typed using a means other than OID encoding. - - Length Name Description - - 2 TOK_ID Token Identifier - For exported name objects, this - must be hex 04 01. - 2 MECH_OID_LEN Length of the Mechanism OID - MECH_OID_LEN MECH_OID Mechanism OID, in DER - 4 NAME_LEN Length of name - NAME_LEN NAME Exported name; format defined in - applicable mechanism draft. - -4: Name Type Definitions - - This section includes definitions for name types and associated - syntaxes which are defined in a mechanism-independent fashion at the - GSS-API level rather than being defined in individual mechanism - specifications. - -4.1: Host-Based Service Name Form - - The following Object Identifier value is provided as a means to - identify this name form: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 2(gss-host-based-services)} - - The recommended symbolic name for this type is - "GSS_C_NT_HOSTBASED_SERVICE". - - - - - - -Linn Standards Track [Page 77] - -RFC 2078 GSS-API January 1997 - - - This name type is used to represent services associated with host - computers. This name form is constructed using two elements, - "service" and "hostname", as follows: - - service@hostname - - When a reference to a name of this type is resolved, the "hostname" - is canonicalized by attempting a DNS lookup and using the fully- - qualified domain name which is returned, or by using the "hostname" - as provided if the DNS lookup fails. The canonicalization operation - also maps the host's name into lower-case characters. - - The "hostname" element may be omitted. 
If no "@" separator is - included, the entire name is interpreted as the service specifier, - with the "hostname" defaulted to the canonicalized name of the local - host. - - Values for the "service" element are registered with the IANA. - -4.2: User Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) user_name(1)}. The recommended mechanism-independent - symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same - name form and OID is defined within the Kerberos V5 GSS-API - mechanism, but the symbolic name recommended there begins with a - "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a named user on a local system. - Its interpretation is OS-specific. This name form is constructed as: - - username - -4.3: Machine UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) machine_uid_name(2)}. The recommended mechanism- - independent symbolic name for this type is - "GSS_C_NT_MACHINE_UID_NAME". (Note: the same name form and OID is - defined within the Kerberos V5 GSS-API mechanism, but the symbolic - name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a numeric user identifier - corresponding to a user on a local system. Its interpretation is - OS-specific. The gss_buffer_desc representing a name of this type - should contain a locally-significant uid_t, represented in host byte - - - -Linn Standards Track [Page 78] - -RFC 2078 GSS-API January 1997 - - - order. The GSS_Import_name() operation resolves this uid into a - username, which is then treated as the User Name Form. - -4.4: String UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) string_uid_name(3)}. 
The recommended symbolic name for - this type is "GSS_C_NT_STRING_UID_NAME". (Note: the same name form - and OID is defined within the Kerberos V5 GSS-API mechanism, but the - symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a string of digits representing - the numeric user identifier of a user on a local system. Its - interpretation is OS-specific. This name type is similar to the - Machine UID Form, except that the buffer contains a string - representing the uid_t. - -5: Mechanism-Specific Example Scenarios - - This section provides illustrative overviews of the use of various - candidate mechanism types to support the GSS-API. These discussions - are intended primarily for readers familiar with specific security - technologies, demonstrating how GSS-API functions can be used and - implemented by candidate underlying mechanisms. They should not be - regarded as constrictive to implementations or as defining the only - means through which GSS-API functions can be realized with a - particular underlying technology, and do not demonstrate all GSS-API - features with each technology. - -5.1: Kerberos V5, single-TGT - - OS-specific login functions yield a TGT to the local realm Kerberos - server; TGT is placed in a credentials structure for the client. - Client calls GSS_Acquire_cred() to acquire a cred_handle in order to - reference the credentials for use in establishing security contexts. - - Client calls GSS_Init_sec_context(). If the requested service is - located in a different realm, GSS_Init_sec_context() gets the - necessary TGT/key pairs needed to traverse the path from local to - target realm; these data are placed in the owner's TGT cache. After - any needed remote realm resolution, GSS_Init_sec_context() yields a - service ticket to the requested service with a corresponding session - key; these data are stored in conjunction with the context. 
GSS-API - code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP - response(s) (in the successful case) or KRB_ERROR. - - - - - -Linn Standards Track [Page 79] - -RFC 2078 GSS-API January 1997 - - - Assuming success, GSS_Init_sec_context() builds a Kerberos-formatted - KRB_AP_REQ message, and returns it in output_token. The client sends - the output_token to the service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which verifies the authenticator, provides - the service with the client's authenticated name, and returns an - output_context_handle. - - Both parties now hold the session key associated with the service - ticket, and can use this key in subsequent GSS_GetMIC(), - GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() operations. - -5.2: Kerberos V5, double-TGT - - TGT acquisition as above. - - Note: To avoid unnecessary frequent invocations of error paths when - implementing the GSS-API atop Kerberos V5, it seems appropriate to - represent "single-TGT K-V5" and "double-TGT K-V5" with separate - mech_types, and this discussion makes that assumption. - - Based on the (specified or defaulted) mech_type, - GSS_Init_sec_context() determines that the double-TGT protocol - should be employed for the specified target. GSS_Init_sec_context() - returns GSS_S_CONTINUE_NEEDED major_status, and its returned - output_token contains a request to the service for the service's TGT. - (If a service TGT with suitably long remaining lifetime already - exists in a cache, it may be usable, obviating the need for this - step.) The client passes the output_token to the service. Note: this - scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED - status return facility than for support of mutual authentication; - note that both uses can coexist as successive operations within a - single context establishment operation. 
- - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(), which recognizes it as a request for TGT. - (Note that current Kerberos V5 defines no intra-protocol mechanism to - represent such a request.) GSS_Accept_sec_context() returns - GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in - its output_token. The service sends the output_token to the client. - - The client passes the received token as the input_token argument to a - continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches - the received service TGT and uses it as part of a service ticket - request to the Kerberos authentication server, storing the returned - service ticket and session key in conjunction with the context. - GSS_Init_sec_context() builds a Kerberos-formatted authenticator, - - - -Linn Standards Track [Page 80] - -RFC 2078 GSS-API January 1997 - - - and returns it in output_token along with GSS_S_COMPLETE return - major_status. The client sends the output_token to the service. - - Service passes the received token as the input_token argument to a - continuation call to GSS_Accept_sec_context(). - GSS_Accept_sec_context() verifies the authenticator, provides the - service with the client's authenticated name, and returns - major_status GSS_S_COMPLETE. - - GSS_GetMIC(), GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() as - above. - -5.3: X.509 Authentication Framework - - This example illustrates use of the GSS-API in conjunction with - public-key mechanisms, consistent with the X.509 Directory - Authentication Framework. - - The GSS_Acquire_cred() call establishes a credentials structure, - making the client's private key accessible for use on behalf of the - client. - - The client calls GSS_Init_sec_context(), which interrogates the - Directory to acquire (and validate) a chain of public-key - certificates, thereby collecting the public key of the service. 
The - certificate validation operation determines that suitable integrity - checks were applied by trusted authorities and that those - certificates have not expired. GSS_Init_sec_context() generates a - secret key for use in per-message protection operations on the - context, and enciphers that secret key under the service's public - key. - - The enciphered secret key, along with an authenticator quantity - signed with the client's private key, is included in the output_token - from GSS_Init_sec_context(). The output_token also carries a - certification path, consisting of a certificate chain leading from - the service to the client; a variant approach would defer this path - resolution to be performed by the service instead of being asserted - by the client. The client application sends the output_token to the - service. - - The service passes the received token as the input_token argument to - GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the - certification path, and as a result determines a certified binding - between the client's distinguished name and the client's public key. - Given that public key, GSS_Accept_sec_context() can process the - input_token's authenticator quantity and verify that the client's - private key was used to sign the input_token. At this point, the - - - -Linn Standards Track [Page 81] - -RFC 2078 GSS-API January 1997 - - - client is authenticated to the service. The service uses its private - key to decipher the enciphered secret key provided to it for per- - message protection operations on the context. - - The client calls GSS_GetMIC() or GSS_Wrap() on a data message, which - causes per-message authentication, integrity, and (optional) - confidentiality facilities to be applied to that message. The service - uses the context's shared secret key to perform corresponding - GSS_VerifyMIC() and GSS_Unwrap() calls. - -6: Security Considerations - - Security issues are discussed throughout this memo. 
- -7: Related Activities - - In order to implement the GSS-API atop existing, emerging, and future - security mechanisms: - - object identifiers must be assigned to candidate GSS-API - mechanisms and the name types which they support - - concrete data element formats and processing procedures must be - defined for candidate mechanisms - - Calling applications must implement formatting conventions which will - enable them to distinguish GSS-API tokens from other data carried in - their application protocols. - - Concrete language bindings are required for the programming - environments in which the GSS-API is to be employed, as RFC-1509 - defines for the C programming language and GSS-V1. - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 82] - -RFC 2078 GSS-API January 1997 - - -APPENDIX A - -MECHANISM DESIGN CONSTRAINTS - - The following constraints on GSS-API mechanism designs are adopted in - response to observed caller protocol requirements, and adherence - thereto is anticipated in subsequent descriptions of GSS-API - mechanisms to be documented in standards-track Internet - specifications. - - It is strongly recommended that mechanisms offering per-message - protection services also offer at least one of the replay detection - and sequencing services, as mechanisms offering neither of the latter - will fail to satisfy recognized requirements of certain candidate - caller protocols. - -APPENDIX B - - COMPATIBILITY WITH GSS-V1 - - It is the intent of this document to define an interface and - procedures which preserve compatibility between GSS-V1 (RFC-1508) - callers and GSS- V2 providers. All calls defined in GSS-V1 are - preserved, and it has been a goal that GSS-V1 callers should be able - to operate atop GSS-V2 provider implementations. Certain detailed - changes, summarized in this section, have been made in order to - resolve omissions identified in GSS-V1. 
- - The following GSS-V1 constructs, while supported within GSS-V2, are - deprecated: - - Names for per-message processing routines: GSS_Seal() deprecated - in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of - GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap(); - GSS_Verify() deprecated in favor of GSS_VerifyMIC(). - - GSS_Delete_sec_context() facility for context_token usage, - allowing mechanisms to signal context deletion, is retained for - compatibility with GSS-V1. For current usage, it is recommended - that both peers to a context invoke GSS_Delete_sec_context() - independently, passing a null output_context_token buffer to - indicate that no context_token is required. Implementations of - GSS_Delete_sec_context() should delete relevant locally-stored - context information. - - - - - - - -Linn Standards Track [Page 83] - -RFC 2078 GSS-API January 1997 - - - This GSS-V2 specification adds the following calls which are not - present in GSS-V1: - - Credential management calls: GSS_Add_cred(), - GSS_Inquire_cred_by_mech(). - - Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(), - GSS_Export_sec_context(), GSS_Import_sec_context(). - - Per-message calls: No new calls. Existing calls have been renamed. - - Support calls: GSS_Create_empty_OID_set(), - GSS_Add_OID_set_member(), GSS_Test_OID_set_member(), - GSS_Release_OID(), GSS_OID_to_str(), GSS_Str_to_OID(), - GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(), - GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name(). - - This GSS-V2 specification introduces three new facilities applicable - to security contexts, indicated using the following context state - values which are not present in GSS-V1: - - anon_state, set TRUE to indicate that a context's initiator is - anonymous from the viewpoint of the target; Section 1.2.5 of this - specification provides a summary description of the GSS-V2 - anonymity support facility, support and use of which is optional. 
- - prot_ready_state, set TRUE to indicate that a context may be used - for per-message protection before final completion of context - establishment; Section 1.2.7 of this specification provides a - summary description of the GSS-V2 facility enabling mechanisms to - selectively permit per-message protection during context - establishment, support and use of which is optional. - - trans_state, set TRUE to indicate that a context is transferable to - another process using the GSS-V2 GSS_Export_sec_context() facility. - - These state values are represented (at the C bindings level) in - positions within a bit vector which are unused in GSS-V1, and may be - safely ignored by GSS-V1 callers. - - Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API - implementors in the following areas: implementation robustness, - credential management, behavior in multi-mechanism configurations, - naming support, and inclusion of optional sequencing services. The - token tagging facility as defined in GSS-V2, Section 3.1, is now - described directly in terms of octets to facilitate interoperable - implementation without general ASN.1 processing code; the - corresponding ASN.1 syntax, included for descriptive purposes, is - - - -Linn Standards Track [Page 84] - -RFC 2078 GSS-API January 1997 - - - unchanged from that in GSS-V1. For use in conjunction with added - naming support facilities, a new Exported Name Object construct is - added. Additional name types are introduced in Section 4. 
-
- This GSS-V2 specification adds the following major_status values
- which are not defined in GSS-V1:
-
- GSS_S_BAD_QOP unsupported QOP value
- GSS_S_UNAUTHORIZED operation unauthorized
- GSS_S_UNAVAILABLE operation unavailable
- GSS_S_DUPLICATE_ELEMENT duplicate credential element requested
- GSS_S_NAME_NOT_MN name contains multi-mechanism elements
- GSS_S_GAP_TOKEN skipped predecessor token(s)
- detected
-
- Of these added status codes, only two values are defined to be
- returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
- GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
- GSS_VerifyMIC() and GSS_Unwrap()).
-
- Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
- have been updated to allow return of additional major_status values
- from the set as defined in GSS-V1: GSS_Inquire_cred() has
- GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
- returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
- GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
- GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.
-
-Author's Address
-
- John Linn
- OpenVision Technologies
- One Main St.
- Cambridge, MA 02142 USA
-
- Phone: +1 617.374.2245
- EMail: John.Linn@ov.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 85]
-
diff --git a/crypto/heimdal/doc/standardisation/rfc2203.txt b/crypto/heimdal/doc/standardisation/rfc2203.txt
deleted file mode 100644
index 2f6a8a0d0f37..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc2203.txt
+++ /dev/null
@@ -1,1291 +0,0 @@ - - - - - - -Network Working Group M. Eisler -Request for Comments: 2203 A. Chiu -Category: Standards Track L. Ling - September 1997 - - - RPCSEC_GSS Protocol Specification - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Abstract - - This memo describes an ONC/RPC security flavor that allows RPC - protocols to access the Generic Security Services Application - Programming Interface (referred to henceforth as GSS-API). - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2. The ONC RPC Message Protocol . . . . . . . . . . . . . . . . . 2 - 3. Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 3 - 4. New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 3 - 5. Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 3 - 5.1. Version Selection . . . . . . . . . . . . . . . . . . . . . 5 - 5.2. Context Creation . . . . . . . . . . . . . . . . . . . . . . 5 - 5.2.1. Mechanism and QOP Selection . . . . . . . . . . . . . . . 5 - 5.2.2. Context Creation Requests . . . . . . . . . . . . . . . . 6 - 5.2.3. Context Creation Responses . . . . . . . . . . . . . . . . 8 - 5.2.3.1. Context Creation Response - Successful Acceptance . . . 8 - 5.2.3.1.1. Client Processing of Successful Context Creation - Responses . . . . . . . . . . . . . . . . . . . . . . 9 - 5.2.3.2. Context Creation Response - Unsuccessful Cases . . . . . 9 - 5.3. RPC Data Exchange . . . . . . . . . . . . . . . . . . . . 10 - 5.3.1. RPC Request Header . . . . . . . . . . . . . . . . . . . 10 - 5.3.2. RPC Request Data . . . . . . . . . . . . . . . . . . . . 11 - 5.3.2.1. 
RPC Request Data - No Data Integrity . . . . . . . . . 11 - 5.3.2.2. RPC Request Data - With Data Integrity . . . . . . . . 11 - 5.3.2.3. RPC Request Data - With Data Privacy . . . . . . . . . 12 - 5.3.3. Server Processing of RPC Data Requests . . . . . . . . . 12 - 5.3.3.1. Context Management . . . . . . . . . . . . . . . . . . 12 - 5.3.3.2. Server Reply - Request Accepted . . . . . . . . . . . 14 - 5.3.3.3. Server Reply - Request Denied . . . . . . . . . . . . 15 - - - -Eisler, et. al. Standards Track [Page 1] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - 5.3.3.4. Mapping of GSS-API Errors to Server Responses . . . . 16 - 5.3.3.4.1. GSS_GetMIC() Failure . . . . . . . . . . . . . . . . 16 - 5.3.3.4.2. GSS_VerifyMIC() Failure . . . . . . . . . . . . . . 16 - 5.3.3.4.3. GSS_Unwrap() Failure . . . . . . . . . . . . . . . . 16 - 5.3.3.4.4. GSS_Wrap() Failure . . . . . . . . . . . . . . . . . 16 - 5.4. Context Destruction . . . . . . . . . . . . . . . . . . . 17 - 6. Set of GSS-API Mechanisms . . . . . . . . . . . . . . . . . 17 - 7. Security Considerations . . . . . . . . . . . . . . . . . . 18 - 7.1. Privacy of Call Header . . . . . . . . . . . . . . . . . . 18 - 7.2. Sequence Number Attacks . . . . . . . . . . . . . . . . . 18 - 7.2.1. Sequence Numbers Above the Window . . . . . . . . . . . 18 - 7.2.2. Sequence Numbers Within or Below the Window . . . . . . 18 - 7.3. Message Stealing Attacks . . . . . . . . . . . . . . . . . 19 - Appendix A. GSS-API Major Status Codes . . . . . . . . . . . . . 20 - Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 22 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 - -1. Introduction - - This document describes the protocol used by the RPCSEC_GSS security - flavor. Security flavors have been called authentication flavors for - historical reasons. 
This memo recognizes that there are two other - security services besides authentication, integrity, and privacy, and - so defines a new RPCSEC_GSS security flavor. - - The protocol is described using the XDR language [Srinivasan-xdr]. - The reader is assumed to be familiar with ONC RPC and the security - flavor mechanism [Srinivasan-rpc]. The reader is also assumed to be - familiar with the GSS-API framework [Linn]. The RPCSEC_GSS security - flavor uses GSS-API interfaces to provide security services that are - independent of the underlying security mechanism. - -2. The ONC RPC Message Protocol - - This memo refers to the following XDR types of the ONC RPC protocol, - which are described in the document entitled Remote Procedure Call - Protocol Specification Version 2 [Srinivasan-rpc]: - - msg_type - reply_stat - auth_flavor - accept_stat - reject_stat - auth_stat - opaque_auth - rpc_msg - call_body - reply_body - - - -Eisler, et. al. Standards Track [Page 2] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - accepted_reply - rejected_reply - -3. Flavor Number Assignment - - The RPCSEC_GSS security flavor has been assigned the value of 6: - - enum auth_flavor { - ... - RPCSEC_GSS = 6 /* RPCSEC_GSS security flavor */ - }; - -4. New auth_stat Values - - RPCSEC_GSS requires the addition of two new values to the auth_stat - enumerated type definition: - - enum auth_stat { - ... - /* - * RPCSEC_GSS errors - */ - RPCSEC_GSS_CREDPROBLEM = 13, - RPCSEC_GSS_CTXPROBLEM = 14 - }; - - The descriptions of these two new values are defined later in this - memo. - -5. Elements of the RPCSEC_GSS Security Protocol - - An RPC session based on the RPCSEC_GSS security flavor consists of - three phases: context creation, RPC data exchange, and context - destruction. In the following discussion, protocol elements for - these three phases are described. 
- - The following description of the RPCSEC_GSS protocol uses some of the - definitions within XDR language description of the RPC protocol. - - Context creation and destruction use control messages that are not - dispatched to service procedures registered by an RPC server. The - program and version numbers used in these control messages are the - same as the RPC service's program and version numbers. The procedure - number used is NULLPROC (zero). A field in the credential - information (the gss_proc field which is defined in the - rpc_gss_cred_t structure below) specifies whether a message is to be - interpreted as a control message or a regular RPC message. If this - field is set to RPCSEC_GSS_DATA, no control action is implied; in - - - -Eisler, et. al. Standards Track [Page 3] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - this case, it is a regular data message. If this field is set to any - other value, a control action is implied. This is described in the - following sections. - - Just as with normal RPC data exchange messages, the transaction - identifier (the xid field in struct rpc_msg), should be set to unique - values on each call for context creation and context destruction. - - The following definitions are used for describing the protocol. - - /* RPCSEC_GSS control procedures */ - - - enum rpc_gss_proc_t { - RPCSEC_GSS_DATA = 0, - RPCSEC_GSS_INIT = 1, - RPCSEC_GSS_CONTINUE_INIT = 2, - RPCSEC_GSS_DESTROY = 3 - }; - - /* RPCSEC_GSS services */ - - enum rpc_gss_service_t { - /* Note: the enumerated value for 0 is reserved. 
*/ - rpc_gss_svc_none = 1, - rpc_gss_svc_integrity = 2, - rpc_gss_svc_privacy = 3 - }; - - /* Credential */ - - /* - * Note: version 0 is reserved for possible future - * definition of a version negotiation protocol - * - */ - #define RPCSEC_GSS_VERS_1 1 - - struct rpc_gss_cred_t { - union switch (unsigned int version) { /* version of - RPCSEC_GSS */ - case RPCSEC_GSS_VERS_1: - struct { - rpc_gss_proc_t gss_proc; /* control procedure */ - unsigned int seq_num; /* sequence number */ - rpc_gss_service_t service; /* service used */ - opaque handle<>; /* context handle */ - } rpc_gss_cred_vers_1_t; - - - -Eisler, et. al. Standards Track [Page 4] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - } - }; - - /* Maximum sequence number value */ - - #define MAXSEQ 0x80000000 - -5.1. Version Selection - - This document defines just one protocol version (RPCSEC_GSS_VERS_1). - The client should assume that the server supports RPCSEC_GSS_VERS_1 - and issue a Context Creation message (as described in the section - RPCSEC_GSS_VERS_1, the RPC response will have a reply_stat of - MSG_DENIED, a rejection status of AUTH_ERROR, and an auth_stat of - AUTH_REJECTED_CRED. - -5.2. Context Creation - - Before RPC data is exchanged on a session using the RPCSEC_GSS - flavor, a context must be set up between the client and the server. - Context creation may involve zero or more RPC exchanges. The number - of exchanges depends on the security mechanism. - -5.2.1. Mechanism and QOP Selection - - There is no facility in the RPCSEC_GSS protocol to negotiate GSS-API - mechanism identifiers or QOP values. At minimum, it is expected that - implementations of the RPCSEC_GSS protocol provide a means to: - - * specify mechanism identifiers, QOP values, and RPCSEC_GSS - service values on the client side, and to - - * enforce mechanism identifiers, QOP values, and RPCSEC_GSS - service values on a per-request basis on the server side. 
- - It is necessary that above capabilities exist so that applications - have the means to conform the required set of required set of - tuples (See the section entitled Set of - GSS-API Mechanisms). An application may negotiate selection within its protocol or via an out of band - protocol. Hence it may be necessary for RPCSEC_GSS implementations to - provide programming interfaces for the specification and enforcement - of . - - Additionally, implementations may depend on negotiation schemes - constructed as pseudo-mechanisms under the GSS-API. Because such - schemes are below the GSS-API layer, the RPCSEC_GSS protocol, as - specified in this document, can make use of them. - - - -Eisler, et. al. Standards Track [Page 5] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.2.2. Context Creation Requests - - The first RPC request from the client to the server initiates context - creation. Within the RPC message protocol's call_body structure, - rpcvers is set to 2. prog and vers are always those for the service - being accessed. The proc is always set to NULLPROC (zero). - - Within the RPC message protocol's cred structure, flavor is set to - RPCSEC_GSS (6). The opaque data of the cred structure (the body - field) constituting the credential encodes the rpc_gss_cred_t - structure defined previously. - - The values of the fields contained in the rpc_gss_cred_t structure - are set as follows. The version field is set to the version of the - RPCSEC_GSS protocol the client wants to use. The remainder of this - memo documents version RPCSEC_GSS_VERS_1 of RPCSEC_GSS, and so the - version field would be set to RPCSEC_GSS_VERS_1. The gss_proc field - must be set to RPCSEC_GSS_INIT for the first creation request. In - subsequent creation requests, the gss_proc field must be set to - RPCSEC_GSS_CONTINUE_INIT. In a creation request, the seq_num and - service fields are undefined and both must be ignored by the server. 
- In the first creation request, the handle field is NULL (opaque data - of zero length). In subsequent creation requests, handle must be - equal to the value returned by the server. The handle field serves - as the identifier for the context, and will not change for the - duration of the context, including responses to - RPCSEC_GSS_CONTINUE_INIT. - - The verifier field in the RPC message header is also described by the - opaque_auth structure. All creation requests have the NULL verifier - (AUTH_NONE flavor with zero length opaque data). - - Following the verifier are the call data (procedure specific - parameters). Note that the proc field of the call_body structure is - set to NULLPROC, and thus normally there would be zero octets - following the verifier. However, since there is no RPC data exchange - during a context creation, it is safe to transfer information - following the verifier. It is necessary to "overload" the call data - in this way, rather than pack the GSS-API token into the RPC header, - because RPC Version 2 restricts the amount of data that can be sent - in the header. The opaque body of the credential and verifier fields - can be each at most 400 octets long, and GSS tokens can be longer - than 800 octets. - - - - - - - - -Eisler, et. al. Standards Track [Page 6] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - The call data for a context creation request is described by the - following structure for all creation requests: - - struct rpc_gss_init_arg { - opaque gss_token<>; - }; - - Here, gss_token is the token returned by the call to GSS-API's - GSS_Init_sec_context() routine, opaquely encoded. The value of this - field will likely be different in each creation request, if there is - more than one creation request. If no token is returned by the call - to GSS_Init_sec_context(), the context must have been created - (assuming no errors), and there will not be any more creation - requests. 
- - When GSS_Init_sec_context() is called, the parameters - replay_det_req_flag and sequence_req_flag must be turned off. The - reasons for this are: - - * ONC RPC can be used over unreliable transports and provides no - layer to reliably re-assemble messages. Thus it is possible for - gaps in message sequencing to occur, as well as out of order - messages. - - * RPC servers can be multi-threaded, and thus the order in which - GSS-API messages are signed or wrapped can be different from the - order in which the messages are verified or unwrapped, even if - the requests are sent on reliable transports. - - * To maximize convenience of implementation, the order in which an - ONC RPC entity will verify the header and verify/unwrap the body - of an RPC call or reply is left unspecified. - - The RPCSEC_GSS protocol provides for protection from replay attack, - yet tolerates out-of-order delivery or processing of messages and - tolerates dropped requests. - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 7] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.2.3. Context Creation Responses - -5.2.3.1. Context Creation Response - Successful Acceptance - - The response to a successful creation request has an MSG_ACCEPTED - response with a status of SUCCESS. The results field encodes a - response with the following structure: - - struct rpc_gss_init_res { - opaque handle<>; - unsigned int gss_major; - unsigned int gss_minor; - unsigned int seq_window; - opaque gss_token<>; - }; - - Here, handle is non-NULL opaque data that serves as the context - identifier. The client must use this value in all subsequent requests - whether control messages or otherwise). The gss_major and gss_minor - fields contain the results of the call to GSS_Accept_sec_context() - executed by the server. The values for the gss_major field are - defined in Appendix A of this document. 
The values for the gss_minor - field are GSS-API mechanism specific and are defined in the - mechanism's specification. If gss_major is not one of GSS_S_COMPLETE - or GSS_S_CONTINUE_NEEDED, the context setup has failed; in this case - handle and gss_token must be set to NULL by the server. The value of - gss_minor is dependent on the value of gss_major and the security - mechanism used. The gss_token field contains any token returned by - the GSS_Accept_sec_context() call executed by the server. A token - may be returned for both successful values of gss_major. If the - value is GSS_S_COMPLETE, it indicates that the server is not - expecting any more tokens, and the RPC Data Exchange phase must begin - on the subsequent request from the client. If the value is - GSS_S_CONTINUE_NEEDED, the server is expecting another token. Hence - the client must send at least one more creation request (with - gss_proc set to RPCSEC_GSS_CONTINUE_INIT in the request's credential) - carrying the required token. - - In a successful response, the seq_window field is set to the sequence - window length supported by the server for this context. This window - specifies the maximum number of client requests that may be - outstanding for this context. The server will accept "seq_window" - requests at a time, and these may be out of order. The client may - use this number to determine the number of threads that can - simultaneously send requests on this context. - - - - - - -Eisler, et. al. Standards Track [Page 8] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - If gss_major is GSS_S_COMPLETE, the verifier's (the verf element in - the response) flavor field is set to RPCSEC_GSS, and the body field - set to the checksum of the seq_window (in network order). The QOP - used for this checksum is 0 (zero), which is the default QOP. For - all other values of gss_major, a NULL verifier (AUTH_NONE flavor with - zero-length opaque data) is used. - -5.2.3.1.1. 
Client Processing of Successful Context Creation Responses - - If the value of gss_major in the response is GSS_S_CONTINUE_NEEDED, - then the client, per the GSS-API specification, must invoke - GSS_Init_sec_context() using the token returned in gss_token in the - context creation response. The client must then generate a context - creation request, with gss_proc set to RPCSEC_GSS_CONTINUE_INIT. - - If the value of gss_major in the response is GSS_S_COMPLETE, and if - the client's previous invocation of GSS_Init_sec_context() returned a - gss_major value of GSS_S_CONTINUE_NEEDED, then the client, per the - GSS-API specification, must invoke GSS_Init_sec_context() using the - token returned in gss_token in the context creation response. If - GSS_Init_sec_context() returns GSS_S_COMPLETE, the context is - successfully set up, and the RPC data exchange phase must begin on - the subsequent request from the client. - -5.2.3.2. Context Creation Response - Unsuccessful Cases - - An MSG_ACCEPTED reply (to a creation request) with an acceptance - status of other than SUCCESS has a NULL verifier (flavor set to - AUTH_NONE, and zero length opaque data in the body field), and is - formulated as usual for different status values. - - An MSG_DENIED reply (to a creation request) is also formulated as - usual. Note that MSG_DENIED could be returned because the server's - RPC implementation does not recognize the RPCSEC_GSS security flavor. - RFC 1831 does not specify the appropriate reply status in this - instance, but common implementation practice appears to be to return - a rejection status of AUTH_ERROR with an auth_stat of - AUTH_REJECTEDCRED. Even though two new values (RPCSEC_GSS_CREDPROBLEM - and RPCSEC_GSS_CTXPROBLEM) have been defined for the auth_stat type, - neither of these two can be returned in responses to context creation - requests. The auth_stat new values can be used for responses to - normal (data) requests. This is described later. 
- - MSG_DENIED might also be returned if the RPCSEC_GSS version number in - the credential is not supported on the server. In that case, the - server returns a rejection status of AUTH_ERROR, with an auth_stat of - - AUTH_REJECTED_CRED. - - - -Eisler, et. al. Standards Track [Page 9] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.3. RPC Data Exchange - - The data exchange phase is entered after a context has been - successfully set up. The format of the data exchanged depends on the - security service used for the request. Although clients can change - the security service and QOP used on a per-request basis, this may - not be acceptable to all RPC services; some RPC services may "lock" - the data exchange phase into using the QOP and service used on the - first data exchange message. For all three modes of service (no data - integrity, data integrity, data privacy), the RPC request header has - the same format. - -5.3.1. RPC Request Header - - The credential has the opaque_auth structure described earlier. The - flavor field is set to RPCSEC_GSS. The credential body is created by - XDR encoding the rpc_gss_cred_t structure listed earlier into an - octet stream, and then opaquely encoding this octet stream as the - body field. - - Values of the fields contained in the rpc_gss_cred_t structure are - set as follows. The version field is set to same version value that - was used to create the context, which within the scope of this memo - will always be RPCSEC_GSS_VERS_1. The gss_proc field is set to - RPCSEC_GSS_DATA. The service field is set to indicate the desired - service (one of rpc_gss_svc_none, rpc_gss_svc_integrity, or - rpc_gss_svc_privacy). The handle field is set to the context handle - value received from the RPC server during context creation. The - seq_num field can start at any value below MAXSEQ, and must be - incremented (by one or more) for successive requests. 
Use of - sequence numbers is described in detail when server processing of the - request is discussed. - - The verifier has the opaque_auth structure described earlier. The - flavor field is set to RPCSEC_GSS. The body field is set as follows. - The checksum of the RPC header (up to and including the credential) - is computed using the GSS_GetMIC() call with the desired QOP. This - returns the checksum as an opaque octet stream and its length. This - is encoded into the body field. Note that the QOP is not explicitly - specified anywhere in the request. It is implicit in the checksum or - encrypted data. The same QOP value as is used for the header - checksum must also be used for the data (for checksumming or - encrypting), unless the service used for the request is - rpc_gss_svc_none. - - - - - - - -Eisler, et. al. Standards Track [Page 10] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.3.2. RPC Request Data - -5.3.2.1. RPC Request Data - No Data Integrity - - If the service specified is rpc_gss_svc_none, the data (procedure - arguments) are not integrity or privacy protected. They are sent in - exactly the same way as they would be if the AUTH_NONE flavor were - used (following the verifier). Note, however, that since the RPC - header is integrity protected, the sender will still be authenticated - in this case. - -5.3.2.2. RPC Request Data - With Data Integrity - - When data integrity is used, the request data is represented as - follows: - - struct rpc_gss_integ_data { - opaque databody_integ<>; - opaque checksum<>; - }; - - The databody_integ field is created as follows. A structure - consisting of a sequence number followed by the procedure arguments - is constructed. This is shown below as the type rpc_gss_data_t: - - struct rpc_gss_data_t { - unsigned int seq_num; - proc_req_arg_t arg; - }; - - Here, seq_num must have the same value as in the credential. 
The - type proc_req_arg_t is the procedure specific XDR type describing the - procedure arguments (and so is not specified here). The octet stream - corresponding to the XDR encoded rpc_gss_data_t structure and its - length are placed in the databody_integ field. Note that because the - XDR type of databody_integ is opaque, the XDR encoding of - databody_integ will include an initial four octet length field, - followed by the XDR encoded octet stream of rpc_gss_data_t. - - The checksum field represents the checksum of the XDR encoded octet - stream corresponding to the XDR encoded rpc_gss_data_t structure - (note, this is not the checksum of the databody_integ field). This - is obtained using the GSS_GetMIC() call, with the same QOP as was - used to compute the header checksum (in the verifier). The - - - - - - - -Eisler, et. al. Standards Track [Page 11] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - GSS_GetMIC() call returns the checksum as an opaque octet stream and - its length. The checksum field of struct rpc_gss_integ_data has an - XDR type of opaque. Thus the checksum length from GSS_GetMIC() is - encoded as a four octet length field, followed by the checksum, - padded to a multiple of four octets. - -5.3.2.3. RPC Request Data - With Data Privacy - - When data privacy is used, the request data is represented as - follows: - - struct rpc_gss_priv_data { - opaque databody_priv<> - }; - - The databody_priv field is created as follows. The rpc_gss_data_t - structure described earlier is constructed again in the same way as - for the case of data integrity. Next, the GSS_Wrap() call is invoked - to encrypt the octet stream corresponding to the rpc_gss_data_t - structure, using the same value for QOP (argument qop_req to - GSS_Wrap()) as was used for the header checksum (in the verifier) and - conf_req_flag (an argument to GSS_Wrap()) of TRUE. 
The GSS_Wrap() - call returns an opaque octet stream (representing the encrypted - rpc_gss_data_t structure) and its length, and this is encoded as the - databody_priv field. Since databody_priv has an XDR type of opaque, - the length returned by GSS_Wrap() is encoded as the four octet - length, followed by the encrypted octet stream (padded to a multiple - of four octets). - -5.3.3. Server Processing of RPC Data Requests - -5.3.3.1. Context Management - - When a request is received by the server, the following are verified - to be acceptable: - - * the version number in the credential - - * the service specified in the credential - - * the context handle specified in the credential - - * the header checksum in the verifier (via GSS_VerifyMIC()) - - * the sequence number (seq_num) specified in the credential (more - on this follows) - - - - - -Eisler, et. al. Standards Track [Page 12] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - The gss_proc field in the credential must be set to RPCSEC_GSS_DATA - for data requests (otherwise, the message will be interpreted as a - control message). - - The server maintains a window of "seq_window" sequence numbers, - starting with the last sequence number seen and extending backwards. - If a sequence number higher than the last number seen is received - (AND if GSS_VerifyMIC() on the header checksum from the verifier - returns GSS_S_COMPLETE), the window is moved forward to the new - sequence number. If the last sequence number seen is N, the server - is prepared to receive requests with sequence numbers in the range N - through (N - seq_window + 1), both inclusive. If the sequence number - received falls below this range, it is silently discarded. If the - sequence number is within this range, and the server has not seen it, - the request is accepted, and the server turns on a bit to "remember" - that this sequence number has been seen. 
If the server determines - that it has already seen a sequence number within the window, the - request is silently discarded. The server should select a seq_window - value based on the number requests it expects to process - simultaneously. For example, in a threaded implementation seq_window - might be equal to the number of server threads. There are no known - security issues with selecting a large window. The primary issue is - how much space the server is willing to allocate to keep track of - requests received within the window. - - The reason for discarding requests silently is that the server is - unable to determine if the duplicate or out of range request was due - to a sequencing problem in the client, network, or the operating - system, or due to some quirk in routing, or a replay attack by an - intruder. Discarding the request allows the client to recover after - timing out, if indeed the duplication was unintentional or well - intended. Note that a consequence of the silent discard is that - clients may increment the seq_num by more than one. The effect of - this is that the window will move forward more quickly. It is not - believed that there is any benefit to doing this. - - Note that the sequence number algorithm requires that the client - increment the sequence number even if it is retrying a request with - the same RPC transaction identifier. It is not infrequent for - clients to get into a situation where they send two or more attempts - and a slow server sends the reply for the first attempt. With - RPCSEC_GSS, each request and reply will have a unique sequence - number. If the client wishes to improve turn around time on the RPC - call, it can cache the RPCSEC_GSS sequence number of each request it - sends. Then when it receives a response with a matching RPC - transaction identifier, it can compute the checksum of each sequence - number in the cache to try to match the checksum in the reply's - verifier. - - - -Eisler, et. al. 
Standards Track [Page 13] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - The data is decoded according to the service specified in the - credential. In the case of integrity or privacy, the server ensures - that the QOP value is acceptable, and that it is the same as that - used for the header checksum in the verifier. Also, in the case of - integrity or privacy, the server will reject the message (with a - reply status of MSG_ACCEPTED, and an acceptance status of - GARBAGE_ARGS) if the sequence number embedded in the request body is - different from the sequence number in the credential. - -5.3.3.2. Server Reply - Request Accepted - - An MSG_ACCEPTED reply to a request in the data exchange phase will - have the verifier's (the verf element in the response) flavor field - set to RPCSEC_GSS, and the body field set to the checksum (the output - of GSS_GetMIC()) of the sequence number (in network order) of the - corresponding request. The QOP used is the same as the QOP used for - the corresponding request. - - If the status of the reply is not SUCCESS, the rest of the message is - formatted as usual. - - If the status of the message is SUCCESS, the format of the rest of - the message depends on the service specified in the corresponding - request message. Basically, what follows the verifier in this case - are the procedure results, formatted in different ways depending on - the requested service. - - If no data integrity was requested, the procedure results are - formatted as for the AUTH_NONE security flavor. - - If data integrity was requested, the results are encoded in exactly - the same way as the procedure arguments were in the corresponding - request. See the section 'RPC Request Data - With Data Integrity.' - The only difference is that the structure representing the - procedure's result - proc_res_arg_t - must be substituted in place of - the request argument structure proc_req_arg_t. 
The QOP used for the - checksum must be the same as that used for constructing the reply - verifier. - - If data privacy was requested, the results are encoded in exactly the - same way as the procedure arguments were in the corresponding - request. See the section 'RPC Request Data - With Data Privacy.' The - QOP used for encryption must be the same as that used for - constructing the reply verifier. - - - - - - - -Eisler, et. al. Standards Track [Page 14] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -5.3.3.3. Server Reply - Request Denied - - An MSG_DENIED reply (to a data request) is formulated as usual. Two - new values (RPCSEC_GSS_CREDPROBLEM and RPCSEC_GSS_CTXPROBLEM) have - been defined for the auth_stat type. When the reason for denial of - the request is a reject_stat of AUTH_ERROR, one of the two new - auth_stat values could be returned in addition to the existing - values. These two new values have special significance from the - existing reasons for denial of a request. - - The server maintains a list of contexts for the clients that are - currently in session with it. Normally, a context is destroyed when - the client ends the session corresponding to it. However, due to - resource constraints, the server may destroy a context prematurely - (on an LRU basis, or if the server machine is rebooted, for example). - In this case, when a client request comes in, there may not be a - context corresponding to its handle. The server rejects the request, - with the reason RPCSEC_GSS_CREDPROBLEM in this case. Upon receiving - this error, the client must refresh the context - that is, - reestablish it after destroying the old one - and try the request - again. This error is also returned if the context handle matches - that of a different context that was allocated after the client's - context was destroyed (this will be detected by a failure in - verifying the header checksum). 
- - If the GSS_VerifyMIC() call on the header checksum (contained in the - verifier) fails to return GSS_S_COMPLETE, the server rejects the - request and returns an auth_stat of RPCSEC_GSS_CREDPROBLEM. - - When the client's sequence number exceeds the maximum the server will - allow, the server will reject the request with the reason - RPCSEC_GSS_CTXPROBLEM. Also, if security credentials become stale - while in use (due to ticket expiry in the case of the Kerberos V5 - mechanism, for example), the failures which result cause the - RPCSEC_GSS_CTXPROBLEM reason to be returned. In these cases also, - the client must refresh the context, and retry the request. - - For other errors, retrying will not rectify the problem and the - client must not refresh the context until the problem causing the - client request to be denied is rectified. - - If the version field in the credential does not match the version of - RPCSEC_GSS that was used when the context was created, the - AUTH_BADCRED value is returned. - - If there is a problem with the credential, such a bad length, illegal - control procedure, or an illegal service, the appropriate auth_stat - status is AUTH_BADCRED. - - - -Eisler, et. al. Standards Track [Page 15] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - Other errors can be returned as appropriate. - -5.3.3.4. Mapping of GSS-API Errors to Server Responses - - During the data exchange phase, the server may invoke GSS_GetMIC(), - GSS_VerifyMIC(), GSS_Unwrap(), and GSS_Wrap(). If any of these - routines fail to return GSS_S_COMPLETE, then various unsuccessful - responses can be returned. The are described as follows for each of - the aforementioned four interfaces. - -5.3.3.4.1. GSS_GetMIC() Failure - - When GSS_GetMIC() is called to generate the verifier in the response, - a failure results in an RPC response with a reply status of - MSG_DENIED, reject status of AUTH_ERROR and an auth status of - RPCSEC_GSS_CTXPROBLEM. 
- - When GSS_GetMIC() is called to sign the call results (service is - rpc_gss_svc_integrity), a failure results in no RPC response being - sent. Since ONC RPC server applications will typically control when a - response is sent, the failure indication will be returned to the - server application and it can take appropriate action (such as - logging the error). - -5.3.3.4.2. GSS_VerifyMIC() Failure - - When GSS_VerifyMIC() is called to verify the verifier in request, a - failure results in an RPC response with a reply status of MSG_DENIED, - reject status of AUTH_ERROR and an auth status of - RPCSEC_GSS_CREDPROBLEM. - - When GSS_VerifyMIC() is called to verify the call arguments (service - is rpc_gss_svc_integrity), a failure results in an RPC response with - a reply status of MSG_ACCEPTED, and an acceptance status of - GARBAGE_ARGS. - -5.3.3.4.3. GSS_Unwrap() Failure - - When GSS_Unwrap() is called to decrypt the call arguments (service is - rpc_gss_svc_privacy), a failure results in an RPC response with a - reply status of MSG_ACCEPTED, and an acceptance status of - GARBAGE_ARGS. - -5.3.3.4.4. GSS_Wrap() Failure - - When GSS_Wrap() is called to encrypt the call results (service is - rpc_gss_svc_privacy), a failure results in no RPC response being - sent. Since ONC RPC server applications will typically control when a - - - -Eisler, et. al. Standards Track [Page 16] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - response is sent, the failure indication will be returned to the - application and it can take appropriate action (such as logging the - error). - -5.4. Context Destruction - - When the client is done using the session, it must send a control - message informing the server that it no longer requires the context. 
- This message is formulated just like a data request packet, with the - following differences: the credential has gss_proc set to - RPCSEC_GSS_DESTROY, the procedure specified in the header is - NULLPROC, and there are no procedure arguments. The sequence number - in the request must be valid, and the header checksum in the verifier - must be valid, for the server to accept the message. The server - sends a response as it would to a data request. The client and - server must then destroy the context for the session. - - If the request to destroy the context fails for some reason, the - client need not take any special action. The server must be prepared - to deal with situations where clients never inform the server that - they no longer are in session and so don't need the server to - maintain a context. An LRU mechanism or an aging mechanism should be - employed by the server to clean up in such cases. - -6. Set of GSS-API Mechanisms - - RPCSEC_GSS is effectively a "pass-through" to the GSS-API layer, and - as such it is inappropriate for the RPCSEC_GSS specification to - enumerate a minimum set of required security mechanisms and/or - quality of protections. - - If an application protocol specification references RPCSEC_GSS, the - protocol specification must list a mandatory set of { mechanism, QOP, - service } triples, such that an implementation cannot claim - conformance to the protocol specification unless it implements the - set of triples. Within each triple, mechanism is a GSS-API security - mechanism, QOP is a valid quality-of-protection within the mechanism, - and service is either rpc_gss_svc_integrity or rpc_gss_svc_privacy. - - For example, a network filing protocol built on RPC that depends on - RPCSEC_GSS for security, might require that Kerberos V5 with the - default QOP using the rpc_gss_svc_integrity service be supported by - implementations conforming to the network filing protocol - specification. - - - - - - - -Eisler, et. al. 
Standards Track [Page 17] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -7. Security Considerations - -7.1. Privacy of Call Header - - The reader will note that for the privacy option, only the call - arguments and results are encrypted. Information about the - application in the form of RPC program number, program version - number, and program procedure number is transmitted in the clear. - Encrypting these fields in the RPC call header would have changed the - size and format of the call header. This would have required revising - the RPC protocol which was beyond the scope of this proposal. Storing - the encrypted numbers in the credential would have obviated a - protocol change, but would have introduced more overloading of fields - and would have made implementations of RPC more complex. Even if the - fields were encrypted somehow, in most cases an attacker can - determine the program number and version number by examining the - destination address of the request and querying the rpcbind service - on the destination host [Srinivasan-bind]. In any case, even by not - encrypting the three numbers, RPCSEC_GSS still improves the state of - security over what existing RPC services have had available - previously. Implementors of new RPC services that are concerned about - this risk may opt to design in a "sub-procedure" field that is - included in the service specific call arguments. - -7.2. Sequence Number Attacks - -7.2.1. Sequence Numbers Above the Window - - An attacker cannot coax the server into raising the sequence number - beyond the range the legitimate client is aware of (and thus engineer - a denial of server attack) without constructing an RPC request that - will pass the header checksum. 
If the cost of verifying the header - checksum is sufficiently large (depending on the speed of the - processor doing the checksum and the cost of checksum algorithm), it - is possible to envision a denial of service attack (vandalism, in the - form of wasting processing resources) whereby the attacker sends - requests that are above the window. The simplest method might be for - the attacker to monitor the network traffic and then choose a - sequence number that is far above the current sequence number. Then - the attacker can send bogus requests using the above window sequence - number. - -7.2.2. Sequence Numbers Within or Below the Window - - If the attacker sends requests that are within or below the window, - then even if the header checksum is successfully verified, the server - will silently discard the requests because the server assumes it has - already processed the request. In this case, a server can optimize by - - - -Eisler, et. al. Standards Track [Page 18] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - skipping the header checksum verification if the sequence number is - below the window, or if it is within the window, not attempt the - checksum verification if the sequence number has already been seen. - -7.3. Message Stealing Attacks - - This proposal does not address attacks where an attacker can block or - steal messages without being detected by the server. To implement - such protection would be tantamount to assuming a state in the RPC - service. RPCSEC_GSS does not worsen this situation. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 19] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -Appendix A. GSS-API Major Status Codes - - The GSS-API definition [Linn] does not include numerical values for - the various GSS-API major status codes. It is expected that this will - be addressed in future RFC. 
Until then, this appendix defines the - values for each GSS-API major status code listed in the GSS-API - definition. If in the future, the GSS-API definition defines values - for the codes that are different than what follows, then implementors - of RPCSEC_GSS will be obliged to map them into the values defined - below. If in the future, the GSS-API definition defines additional - status codes not defined below, then the RPCSEC_GSS definition will - subsume those additional values. - - Here are the definitions of each GSS_S_* major status that the - implementor of RPCSEC_GSS can expect in the gss_major major field of - rpc_gss_init_res. These definitions are not in RPC description - language form. The numbers are in base 16 (hexadecimal): - - GSS_S_COMPLETE 0x00000000 - GSS_S_CONTINUE_NEEDED 0x00000001 - GSS_S_DUPLICATE_TOKEN 0x00000002 - GSS_S_OLD_TOKEN 0x00000004 - GSS_S_UNSEQ_TOKEN 0x00000008 - GSS_S_GAP_TOKEN 0x00000010 - GSS_S_BAD_MECH 0x00010000 - GSS_S_BAD_NAME 0x00020000 - GSS_S_BAD_NAMETYPE 0x00030000 - GSS_S_BAD_BINDINGS 0x00040000 - GSS_S_BAD_STATUS 0x00050000 - GSS_S_BAD_MIC 0x00060000 - GSS_S_BAD_SIG 0x00060000 - GSS_S_NO_CRED 0x00070000 - GSS_S_NO_CONTEXT 0x00080000 - GSS_S_DEFECTIVE_TOKEN 0x00090000 - GSS_S_DEFECTIVE_CREDENTIAL 0x000a0000 - GSS_S_CREDENTIALS_EXPIRED 0x000b0000 - GSS_S_CONTEXT_EXPIRED 0x000c0000 - GSS_S_FAILURE 0x000d0000 - GSS_S_BAD_QOP 0x000e0000 - GSS_S_UNAUTHORIZED 0x000f0000 - GSS_S_UNAVAILABLE 0x00100000 - GSS_S_DUPLICATE_ELEMENT 0x00110000 - GSS_S_NAME_NOT_MN 0x00120000 - GSS_S_CALL_INACCESSIBLE_READ 0x01000000 - GSS_S_CALL_INACCESSIBLE_WRITE 0x02000000 - GSS_S_CALL_BAD_STRUCTURE 0x03000000 - - - - - -Eisler, et. al. 
Standards Track [Page 20] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - - Note that the GSS-API major status is split into three fields as - follows: - - Most Significant Bit Least Significant Bit - |------------------------------------------------------------| - | Calling Error | Routine Error | Supplementary Info | - |------------------------------------------------------------| - Bit 31 24 23 16 15 0 - - Up to one status in the Calling Error field can be logically ORed - with up to one status in the Routine Error field which in turn can be - logically ORed with zero or more statuses in the Supplementary Info - field. If the resulting major status has a non-zero Calling Error - and/or a non-zero Routine Error, then the applicable GSS-API - operation has failed. For purposes of RPCSEC_GSS, this means that - the GSS_Accept_sec_context() call executed by the server has failed. - - If the major status is equal GSS_S_COMPLETE, then this indicates the - absence of any Errors or Supplementary Info. - - The meanings of most of the GSS_S_* status are defined in the GSS-API - definition, which the exceptions of: - - GSS_S_BAD_MIC This code has the same meaning as GSS_S_BAD_SIG. - - GSS_S_CALL_INACCESSIBLE_READ - A required input parameter could not be read. - - GSS_S_CALL_INACCESSIBLE_WRITE - A required input parameter could not be written. - - GSS_S_CALL_BAD_STRUCTURE - A parameter was malformed. - - - - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 21] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -Acknowledgements - - Much of the protocol was based on the AUTH_GSSAPI security flavor - developed by Open Vision Technologies [Jaspan]. In particular, we - acknowledge Barry Jaspan, Marc Horowitz, John Linn, and Ellen - McDermott. - - Raj Srinivasan designed RPCSEC_GSS [Eisler] with input from Mike - Eisler. Raj, Roland Schemers, Lin Ling, and Alex Chiu contributed to - Sun Microsystems' implementation of RPCSEC_GSS. 
- - Brent Callaghan, Marc Horowitz, Barry Jaspan, John Linn, Hilarie - Orman, Martin Rex, Ted Ts'o, and John Wroclawski analyzed the - specification and gave valuable feedback. - - Steve Nahm and Kathy Slattery reviewed various drafts of this - specification. - - Much of content of Appendix A was excerpted from John Wray's Work in - Progress on GSS-API Version 2 C-bindings. - -References - - [Eisler] Eisler, M., Schemers, R., and Srinivasan, R. - (1996). "Security Mechanism Independence in ONC - RPC," Proceedings of the Sixth Annual USENIX - Security Symposium, pp. 51-65. - - [Jaspan] Jaspan, B. (1995). "GSS-API Security for ONC - RPC," `95 Proceedings of The Internet Society - Symposium on Network and Distributed System - Security, pp. 144- 151. - - [Linn] Linn, J., "Generic Security Service Application - Program Interface, Version 2", RFC 2078, January - 1997. - - [Srinivasan-bind] Srinivasan, R., "Binding Protocols for - ONC RPC Version 2", RFC 1833, August 1995. - - [Srinivasan-rpc] Srinivasan, R., "RPC: Remote Procedure Call - Protocol Specification Version 2", RFC 1831, - August 1995. - - [Srinivasan-xdr] Srinivasan, R., "XDR: External Data - Representation Standard", RFC 1832, August 1995. - - - - - -Eisler, et. al. Standards Track [Page 22] - -RFC 2203 RPCSEC_GSS Protocol Specification September 1997 - - -Authors' Addresses - - Michael Eisler - Sun Microsystems, Inc. - M/S UCOS03 - 2550 Garcia Avenue - Mountain View, CA 94043 - - Phone: +1 (719) 599-9026 - EMail: mre@eng.sun.com - - - Alex Chiu - Sun Microsystems, Inc. - M/S UMPK17-203 - 2550 Garcia Avenue - Mountain View, CA 94043 - - Phone: +1 (415) 786-6465 - EMail: hacker@eng.sun.com - - - Lin Ling - Sun Microsystems, Inc. - M/S UMPK17-201 - 2550 Garcia Avenue - Mountain View, CA 94043 - - Phone: +1 (415) 786-5084 - EMail: lling@eng.sun.com - - - - - - - - - - - - - - - - - - - - - -Eisler, et. al. Standards Track [Page 23] - 
diff --git a/crypto/heimdal/doc/standardisation/rfc2228.txt b/crypto/heimdal/doc/standardisation/rfc2228.txt
deleted file mode 100644
index 1fbfcbfa09fc..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc2228.txt
+++ /dev/null
@@ -1,1515 +0,0 @@ - - - - - - -Network Working Group M. Horowitz -Request for Comments: 2228 Cygnus Solutions -Updates: 959 S. Lunt -Category: Standards Track Bellcore - October 1997 - - FTP Security Extensions - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (1997). All Rights Reserved. - -Abstract - - This document defines extensions to the FTP specification STD 9, RFC - 959, "FILE TRANSFER PROTOCOL (FTP)" (October 1985). These extensions - provide strong authentication, integrity, and confidentiality on both - the control and data channels with the introduction of new optional - commands, replies, and file transfer encodings. - - The following new optional commands are introduced in this - specification: - - AUTH (Authentication/Security Mechanism), - ADAT (Authentication/Security Data), - PROT (Data Channel Protection Level), - PBSZ (Protection Buffer Size), - CCC (Clear Command Channel), - MIC (Integrity Protected Command), - CONF (Confidentiality Protected Command), and - ENC (Privacy Protected Command). - - A new class of reply types (6yz) is also introduced for protected - replies. - - None of the above commands are required to be implemented, but - interdependencies exist. These dependencies are documented with the - commands. - - Note that this specification is compatible with STD 9, RFC 959. - - - -Horowitz & Lunt Standards Track [Page 1] - -RFC 2228 FTP Security Extensions October 1997 - - -1. 
Introduction - - The File Transfer Protocol (FTP) currently defined in STD 9, RFC 959 - and in place on the Internet uses usernames and passwords passed in - cleartext to authenticate clients to servers (via the USER and PASS - commands). Except for services such as "anonymous" FTP archives, - this represents a security risk whereby passwords can be stolen - through monitoring of local and wide-area networks. This either aids - potential attackers through password exposure and/or limits - accessibility of files by FTP servers who cannot or will not accept - the inherent security risks. - - Aside from the problem of authenticating users in a secure manner, - there is also the problem of authenticating servers, protecting - sensitive data and/or verifying its integrity. An attacker may be - able to access valuable or sensitive data merely by monitoring a - network, or through active means may be able to delete or modify the - data being transferred so as to corrupt its integrity. An active - attacker may also initiate spurious file transfers to and from a site - of the attacker's choice, and may invoke other commands on the - server. FTP does not currently have any provision for the encryption - or verification of the authenticity of commands, replies, or - transferred data. Note that these security services have value even - to anonymous file access. - - Current practice for sending files securely is generally either: - - 1. via FTP of files pre-encrypted under keys which are manually - distributed, - - 2. via electronic mail containing an encoding of a file encrypted - under keys which are manually distributed, - - 3. via a PEM message, or - - 4. via the rcp command enhanced to use Kerberos. - - None of these means could be considered even a de facto standard, and - none are truly interactive. 
A need exists to securely transfer files - using FTP in a secure manner which is supported within the FTP - protocol in a consistent manner and which takes advantage of existing - security infrastructure and technology. Extensions are necessary to - the FTP specification if these security services are to be introduced - into the protocol in an interoperable way. - - - - - - - -Horowitz & Lunt Standards Track [Page 2] - -RFC 2228 FTP Security Extensions October 1997 - - - Although the FTP control connection follows the Telnet protocol, and - Telnet has defined an authentication and encryption option [TELNET- - SEC], [RFC-1123] explicitly forbids the use of Telnet option - negotiation over the control connection (other than Synch and IP). - - Also, the Telnet authentication and encryption option does not - provide for integrity protection only (without confidentiality), and - does not address the protection of the data channel. - -2. FTP Security Overview - - At the highest level, the FTP security extensions seek to provide an - abstract mechanism for authenticating and/or authorizing connections, - and integrity and/or confidentiality protecting commands, replies, - and data transfers. - - In the context of FTP security, authentication is the establishment - of a client's identity and/or a server's identity in a secure way, - usually using cryptographic techniques. The basic FTP protocol does - not have a concept of authentication. - - Authorization is the process of validating a user for login. The - basic authorization process involves the USER, PASS, and ACCT - commands. With the FTP security extensions, authentication - established using a security mechanism may also be used to make the - authorization decision. - - Without the security extensions, authentication of the client, as - this term is usually understood, never happens. FTP authorization is - accomplished with a password, passed on the network in the clear as - the argument to the PASS command. 
The possessor of this password is - assumed to be authorized to transfer files as the user named in the - USER command, but the identity of the client is never securely - established. - - An FTP security interaction begins with a client telling the server - what security mechanism it wants to use with the AUTH command. The - server will either accept this mechanism, reject this mechanism, or, - in the case of a server which does not implement the security - extensions, reject the command completely. The client may try - multiple security mechanisms until it requests one which the server - accepts. This allows a rudimentary form of negotiation to take - place. (If more complex negotiation is desired, this may be - implemented as a security mechanism.) The server's reply will - indicate if the client must respond with additional data for the - - - - - - -Horowitz & Lunt Standards Track [Page 3] - -RFC 2228 FTP Security Extensions October 1997 - - - security mechanism to interpret. If none is needed, this will - usually mean that the mechanism is one where the password (specified - by the PASS command) is to be interpreted differently, such as with a - token or one-time password system. - - If the server requires additional security information, then the - client and server will enter into a security data exchange. The - client will send an ADAT command containing the first block of - security data. The server's reply will indicate if the data exchange - is complete, if there was an error, or if more data is needed. The - server's reply can optionally contain security data for the client to - interpret. If more data is needed, the client will send another ADAT - command containing the next block of data, and await the server's - reply. This exchange can continue as many times as necessary. Once - this exchange completes, the client and server have established a - security association. 
This security association may include - authentication (client, server, or mutual) and keying information for - integrity and/or confidentiality, depending on the mechanism in use. - - The term "security data" here is carefully chosen. The purpose of - the security data exchange is to establish a security association, - which might not actually include any authentication at all, between - the client and the server as described above. For instance, a - Diffie-Hellman exchange establishes a secret key, but no - authentication takes place. If an FTP server has an RSA key pair but - the client does not, then the client can authenticate the server, but - the server cannot authenticate the client. - - Once a security association is established, authentication which is a - part of this association may be used instead of or in addition to the - standard username/password exchange for authorizing a user to connect - to the server. A username specified by the USER command is always - required to specify the identity to be used on the server. - - In order to prevent an attacker from inserting or deleting commands - on the control stream, if the security association supports - integrity, then the server and client must use integrity protection - on the control stream, unless it first transmits a CCC command to - turn off this requirement. Integrity protection is performed with - the MIC and ENC commands, and the 63z reply codes. The CCC command - and its reply must be transmitted with integrity protection. - Commands and replies may be transmitted without integrity (that is, - in the clear or with confidentiality only) only if no security - association is established, the negotiated security association does - not support integrity, or the CCC command has succeeded. 
- - - - - - -Horowitz & Lunt Standards Track [Page 4] - -RFC 2228 FTP Security Extensions October 1997 - - - Once the client and server have negotiated with the PBSZ command an - acceptable buffer size for encapsulating protected data over the data - channel, the security mechanism may also be used to protect data - channel transfers. - - Policy is not specified by this document. In particular, client and - server implementations may choose to implement restrictions on what - operations can be performed depending on the security association - which exists. For example, a server may require that a client - authorize via a security mechanism rather than using a password, - require that the client provide a one-time password from a token, - require at least integrity protection on the command channel, or - require that certain files only be transmitted encrypted. An - anonymous ftp client might refuse to do file transfers without - integrity protection in order to insure the validity of files - downloaded. - - No particular set of functionality is required, except as - dependencies described in the next section. This means that none of - authentication, integrity, or confidentiality are required of an - implementation, although a mechanism which does none of these is not - of much use. For example, it is acceptable for a mechanism to - implement only integrity protection, one-way authentication and/or - encryption, encryption without any authentication or integrity - protection, or any other subset of functionality if policy or - technical considerations make this desirable. Of course, one peer - might require as a matter of policy stronger protection than the - other is able to provide, preventing perfect interoperability. - -3. New FTP Commands - - The following commands are optional, but dependent on each other. - They are extensions to the FTP Access Control Commands. 
- - The reply codes documented here are generally described as - recommended, rather than required. The intent is that reply codes - describing the full range of success and failure modes exist, but - that servers be allowed to limit information presented to the client. - For example, a server might implement a particular security - mechanism, but have a policy restriction against using it. The - server should respond with a 534 reply code in this case, but may - respond with a 504 reply code if it does not wish to divulge that the - disallowed mechanism is supported. If the server does choose to use - a different reply code than the recommended one, it should try to use - a reply code which only differs in the last digit. In all cases, the - server must use a reply code which is documented as returnable from - the command received, and this reply code must begin with the same - digit as the recommended reply code for the situation. - - - -Horowitz & Lunt Standards Track [Page 5] - -RFC 2228 FTP Security Extensions October 1997 - - - AUTHENTICATION/SECURITY MECHANISM (AUTH) - - The argument field is a Telnet string identifying a supported - mechanism. This string is case-insensitive. Values must be - registered with the IANA, except that values beginning with "X-" - are reserved for local use. - - If the server does not recognize the AUTH command, it must respond - with reply code 500. This is intended to encompass the large - deployed base of non-security-aware ftp servers, which will - respond with reply code 500 to any unrecognized command. If the - server does recognize the AUTH command but does not implement the - security extensions, it should respond with reply code 502. - - If the server does not understand the named security mechanism, it - should respond with reply code 504. - - If the server is not willing to accept the named security - mechanism, it should respond with reply code 534. 
- - If the server is not able to accept the named security mechanism, - such as if a required resource is unavailable, it should respond - with reply code 431. - - If the server is willing to accept the named security mechanism, - but requires security data, it must respond with reply code 334. - - If the server is willing to accept the named security mechanism, - and does not require any security data, it must respond with reply - code 234. - - If the server is responding with a 334 reply code, it may include - security data as described in the next section. - - Some servers will allow the AUTH command to be reissued in order - to establish new authentication. The AUTH command, if accepted, - removes any state associated with prior FTP Security commands. - The server must also require that the user reauthorize (that is, - reissue some or all of the USER, PASS, and ACCT commands) in this - case (see section 4 for an explanation of "authorize" in this - context). - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 6] - -RFC 2228 FTP Security Extensions October 1997 - - - AUTHENTICATION/SECURITY DATA (ADAT) - - The argument field is a Telnet string representing base 64 encoded - security data (see Section 9, "Base 64 Encoding"). If a reply - code indicating success is returned, the server may also use a - string of the form "ADAT=base64data" as the text part of the reply - if it wishes to convey security data back to the client. - - The data in both cases is specific to the security mechanism - specified by the previous AUTH command. The ADAT command, and the - associated replies, allow the client and server to conduct an - arbitrary security protocol. The security data exchange must - include enough information for both peers to be aware of which - optional features are available. For example, if the client does - not support data encryption, the server must be made aware of - this, so it will know not to send encrypted command channel - replies. 
It is strongly recommended that the security mechanism - provide sequencing on the command channel, to insure that commands - are not deleted, reordered, or replayed. - - The ADAT command must be preceded by a successful AUTH command, - and cannot be issued once a security data exchange completes - (successfully or unsuccessfully), unless it is preceded by an AUTH - command to reset the security state. - - If the server has not yet received an AUTH command, or if a prior - security data exchange completed, but the security state has not - been reset with an AUTH command, it should respond with reply code - 503. - - If the server cannot base 64 decode the argument, it should - respond with reply code 501. - - If the server rejects the security data (if a checksum fails, for - instance), it should respond with reply code 535. - - If the server accepts the security data, and requires additional - data, it should respond with reply code 335. - - If the server accepts the security data, but does not require any - additional data (i.e., the security data exchange has completed - successfully), it must respond with reply code 235. - - If the server is responding with a 235 or 335 reply code, then it - may include security data in the text part of the reply as - specified above. - - - - - -Horowitz & Lunt Standards Track [Page 7] - -RFC 2228 FTP Security Extensions October 1997 - - - If the ADAT command returns an error, the security data exchange - will fail, and the client must reset its internal security state. - If the client becomes unsynchronized with the server (for example, - the server sends a 234 reply code to an AUTH command, but the - client has more data to transmit), then the client must reset the - server's security state. - - PROTECTION BUFFER SIZE (PBSZ) - - The argument is a decimal integer representing the maximum size, - in bytes, of the encoded data blocks to be sent or received during - file transfer. 
This number shall be no greater than can be - represented in a 32-bit unsigned integer. - - This command allows the FTP client and server to negotiate a - maximum protected buffer size for the connection. There is no - default size; the client must issue a PBSZ command before it can - issue the first PROT command. - - The PBSZ command must be preceded by a successful security data - exchange. - - If the server cannot parse the argument, or if it will not fit in - 32 bits, it should respond with a 501 reply code. - - If the server has not completed a security data exchange with the - client, it should respond with a 503 reply code. - - Otherwise, the server must reply with a 200 reply code. If the - size provided by the client is too large for the server, it must - use a string of the form "PBSZ=number" in the text part of the - reply to indicate a smaller buffer size. The client and the - server must use the smaller of the two buffer sizes if both buffer - sizes are specified. - - DATA CHANNEL PROTECTION LEVEL (PROT) - - The argument is a single Telnet character code specifying the data - channel protection level. - - This command indicates to the server what type of data channel - protection the client and server will be using. The following - codes are assigned: - - C - Clear - S - Safe - E - Confidential - P - Private - - - -Horowitz & Lunt Standards Track [Page 8] - -RFC 2228 FTP Security Extensions October 1997 - - - The default protection level if no other level is specified is - Clear. The Clear protection level indicates that the data channel - will carry the raw data of the file transfer, with no security - applied. The Safe protection level indicates that the data will - be integrity protected. The Confidential protection level - indicates that the data will be confidentiality protected. The - Private protection level indicates that the data will be integrity - and confidentiality protected. 
- - It is reasonable for a security mechanism not to provide all data - channel protection levels. It is also reasonable for a mechanism - to provide more protection at a level than is required (for - instance, a mechanism might provide Confidential protection, but - include integrity-protection in that encoding, due to API or other - considerations). - - The PROT command must be preceded by a successful protection - buffer size negotiation. - - If the server does not understand the specified protection level, - it should respond with reply code 504. - - If the current security mechanism does not support the specified - protection level, the server should respond with reply code 536. - - If the server has not completed a protection buffer size - negotiation with the client, it should respond with a 503 reply - code. - - The PROT command will be rejected and the server should reply 503 - if no previous PBSZ command was issued. - - If the server is not willing to accept the specified protection - level, it should respond with reply code 534. - - If the server is not able to accept the specified protection - level, such as if a required resource is unavailable, it should - respond with reply code 431. - - Otherwise, the server must reply with a 200 reply code to indicate - that the specified protection level is accepted. - - CLEAR COMMAND CHANNEL (CCC) - - This command does not take an argument. - - - - - - -Horowitz & Lunt Standards Track [Page 9] - -RFC 2228 FTP Security Extensions October 1997 - - - It is desirable in some environments to use a security mechanism - to authenticate and/or authorize the client and server, but not to - perform any integrity checking on the subsequent commands. This - might be used in an environment where IP security is in place, - insuring that the hosts are authenticated and that TCP streams - cannot be tampered, but where user authentication is desired. 
- - If unprotected commands are allowed on any connection, then an - attacker could insert a command on the control stream, and the - server would have no way to know that it was invalid. In order to - prevent such attacks, once a security data exchange completes - successfully, if the security mechanism supports integrity, then - integrity (via the MIC or ENC command, and 631 or 632 reply) must - be used, until the CCC command is issued to enable non-integrity - protected control channel messages. The CCC command itself must - be integrity protected. - - Once the CCC command completes successfully, if a command is not - protected, then the reply to that command must also not be - protected. This is to support interoperability with clients which - do not support protection once the CCC command has been issued. - - This command must be preceded by a successful security data - exchange. - - If the command is not integrity-protected, the server must respond - with a 533 reply code. - - If the server is not willing to turn off the integrity - requirement, it should respond with a 534 reply code. - - Otherwise, the server must reply with a 200 reply code to indicate - that unprotected commands and replies may now be used on the - command channel. - - INTEGRITY PROTECTED COMMAND (MIC) and - CONFIDENTIALITY PROTECTED COMMAND (CONF) and - PRIVACY PROTECTED COMMAND (ENC) - - The argument field of MIC is a Telnet string consisting of a base - 64 encoded "safe" message produced by a security mechanism - specific message integrity procedure. The argument field of CONF - is a Telnet string consisting of a base 64 encoded "confidential" - message produced by a security mechanism specific confidentiality - procedure. The argument field of ENC is a Telnet string - consisting of a base 64 encoded "private" message produced by a - security mechanism specific message integrity and confidentiality - procedure. 
- - - -Horowitz & Lunt Standards Track [Page 10] - -RFC 2228 FTP Security Extensions October 1997 - - - The server will decode and/or verify the encoded message. - - This command must be preceded by a successful security data - exchange. - - A server may require that the first command after a successful - security data exchange be CCC, and not implement the protection - commands at all. In this case, the server should respond with a - 502 reply code. - - If the server cannot base 64 decode the argument, it should - respond with a 501 reply code. - - If the server has not completed a security data exchange with the - client, it should respond with a 503 reply code. - - If the server has completed a security data exchange with the - client using a mechanism which supports integrity, and requires a - CCC command due to policy or implementation limitations, it should - respond with a 503 reply code. - - If the server rejects the command because it is not supported by - the current security mechanism, the server should respond with - reply code 537. - - If the server rejects the command (if a checksum fails, for - instance), it should respond with reply code 535. - - If the server is not willing to accept the command (if privacy is - required by policy, for instance, or if a CONF command is received - before a CCC command), it should respond with reply code 533. - - Otherwise, the command will be interpreted as an FTP command. An - end-of-line code need not be included, but if one is included, it - must be a Telnet end-of-line code, not a local end-of-line code. - - The server may require that, under some or all circumstances, all - commands be protected. In this case, it should make a 533 reply - to commands other than MIC, CONF, and ENC. - -4. Login Authorization - - The security data exchange may, among other things, establish the - identity of the client in a secure way to the server. This identity - may be used as one input to the login authorization process. 
- - - - - - -Horowitz & Lunt Standards Track [Page 11] - -RFC 2228 FTP Security Extensions October 1997 - - - In response to the FTP login commands (AUTH, PASS, ACCT), the server - may choose to change the sequence of commands and replies specified - by RFC 959 as follows. There are also some new replies available. - - If the server is willing to allow the user named by the USER command - to log in based on the identity established by the security data - exchange, it should respond with reply code 232. - - If the security mechanism requires a challenge/response password, it - should respond to the USER command with reply code 336. The text - part of the reply should contain the challenge. The client must - display the challenge to the user before prompting for the password - in this case. This is particularly relevant to more sophisticated - clients or graphical user interfaces which provide dialog boxes or - other modal input. These clients should be careful not to prompt for - the password before the username has been sent to the server, in case - the user needs the challenge in the 336 reply to construct a valid - password. - -5. New FTP Replies - - The new reply codes are divided into two classes. The first class is - new replies made necessary by the new FTP Security commands. The - second class is a new reply type to indicate protected replies. - - 5.1. New individual reply codes - - 232 User logged in, authorized by security data exchange. - 234 Security data exchange complete. - 235 [ADAT=base64data] - ; This reply indicates that the security data exchange - ; completed successfully. The square brackets are not - ; to be included in the reply, but indicate that - ; security data in the reply is optional. - - 334 [ADAT=base64data] - ; This reply indicates that the requested security mechanism - ; is ok, and includes security data to be used by the client - ; to construct the next command. 
The square brackets are not - ; to be included in the reply, but indicate that - ; security data in the reply is optional. - 335 [ADAT=base64data] - ; This reply indicates that the security data is - ; acceptable, and more is required to complete the - ; security data exchange. The square brackets - ; are not to be included in the reply, but indicate - ; that security data in the reply is optional. - - - - -Horowitz & Lunt Standards Track [Page 12] - -RFC 2228 FTP Security Extensions October 1997 - - - 336 Username okay, need password. Challenge is "...." - ; The exact representation of the challenge should be chosen - ; by the mechanism to be sensible to the human user of the - ; system. - - 431 Need some unavailable resource to process security. - - 533 Command protection level denied for policy reasons. - 534 Request denied for policy reasons. - 535 Failed security check (hash, sequence, etc). - 536 Requested PROT level not supported by mechanism. - 537 Command protection level not supported by security mechanism. - - 5.2. Protected replies. - - One new reply type is introduced: - - 6yz Protected reply - - There are three reply codes of this type. The first, reply - code 631 indicates an integrity protected reply. The - second, reply code 632, indicates a confidentiality and - integrity protected reply. the third, reply code 633, - indicates a confidentiality protected reply. - - The text part of a 631 reply is a Telnet string consisting - of a base 64 encoded "safe" message produced by a security - mechanism specific message integrity procedure. The text - part of a 632 reply is a Telnet string consisting of a base - 64 encoded "private" message produced by a security - mechanism specific message confidentiality and integrity - procedure. The text part of a 633 reply is a Telnet string - consisting of a base 64 encoded "confidential" message - produced by a security mechanism specific message - confidentiality procedure. 
- - The client will decode and verify the encoded reply. How - failures decoding or verifying replies are handled is - implementation-specific. An end-of-line code need not be - included, but if one is included, it must be a Telnet end- - of-line code, not a local end-of-line code. - - A protected reply may only be sent if a security data - exchange has succeeded. - - The 63z reply may be a multiline reply. In this case, the - plaintext reply must be broken up into a number of - fragments. Each fragment must be protected, then base 64 - - - -Horowitz & Lunt Standards Track [Page 13] - -RFC 2228 FTP Security Extensions October 1997 - - - encoded in order into a separate line of the multiline - reply. There need not be any correspondence between the - line breaks in the plaintext reply and the encoded reply. - Telnet end-of-line codes must appear in the plaintext of the - encoded reply, except for the final end-of-line code, which - is optional. - - The multiline reply must be formatted more strictly than the - continuation specification in RFC 959. In particular, each - line before the last must be formed by the reply code, - followed immediately by a hyphen, followed by a base 64 - encoded fragment of the reply. - - For example, if the plaintext reply is - - 123-First line - Second line - 234 A line beginning with numbers - 123 The last line - - then the resulting protected reply could be any of the - following (the first example has a line break only to fit - within the margins): - - 631 base64(protect("123-First line\r\nSecond line\r\n 234 A line - 631-base64(protect("123-First line\r\n")) - 631-base64(protect("Second line\r\n")) - 631-base64(protect(" 234 A line beginning with numbers\r\n")) - 631 base64(protect("123 The last line")) - - 631-base64(protect("123-First line\r\nSecond line\r\n 234 A line b")) - 631 base64(protect("eginning with numbers\r\n123 The last line\r\n")) - -6. 
Data Channel Encapsulation - - When data transfers are protected between the client and server (in - either direction), certain transformations and encapsulations must be - performed so that the recipient can properly decode the transmitted - file. - - The sender must apply all protection services after transformations - associated with the representation type, file structure, and transfer - mode have been performed. The data sent over the data channel is, - for the purposes of protection, to be treated as a byte stream. - - When performing a data transfer in an authenticated manner, the - authentication checks are performed on individual blocks of the file, - rather than on the file as a whole. Consequently, it is possible for - - - -Horowitz & Lunt Standards Track [Page 14] - -RFC 2228 FTP Security Extensions October 1997 - - - insertion attacks to insert blocks into the data stream (i.e., - replays) that authenticate correctly, but result in a corrupted file - being undetected by the receiver. To guard against such attacks, the - specific security mechanism employed should include mechanisms to - protect against such attacks. Many GSS-API mechanisms usable with - the specification in Appendix I, and the Kerberos mechanism in - Appendix II do so. - - The sender must take the input byte stream, and break it up into - blocks such that each block, when encoded using a security mechanism - specific procedure, will be no larger than the buffer size negotiated - by the client with the PBSZ command. Each block must be encoded, - then transmitted with the length of the encoded block prepended as a - four byte unsigned integer, most significant byte first. - - When the end of the file is reached, the sender must encode a block - of zero bytes, and send this final block to the recipient before - closing the data connection. 
- - The recipient will read the four byte length, read a block of data - that many bytes long, then decode and verify this block with a - security mechanism specific procedure. This must be repeated until a - block encoding a buffer of zero bytes is received. This indicates - the end of the encoded byte stream. - - Any transformations associated with the representation type, file - structure, and transfer mode are to be performed by the recipient on - the byte stream resulting from the above process. - - When using block transfer mode, the sender's (cleartext) buffer size - is independent of the block size. - - The server will reply 534 to a STOR, STOU, RETR, LIST, NLST, or APPE - command if the current protection level is not at the level dictated - by the server's security requirements for the particular file - transfer. - - If any data protection services fail at any time during data transfer - at the server end (including an attempt to send a buffer size greater - than the negotiated maximum), the server will send a 535 reply to the - data transfer command (either STOR, STOU, RETR, LIST, NLST, or APPE). - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 15] - -RFC 2228 FTP Security Extensions October 1997 - - -7. Potential policy considerations - - While there are no restrictions on client and server policy, there - are a few recommendations which an implementation should implement. - - - Once a security data exchange takes place, a server should require - all commands be protected (with integrity and/or confidentiality), - and it should protect all replies. Replies should use the same - level of protection as the command which produced them. This - includes replies which indicate failure of the MIC, CONF, and ENC - commands. In particular, it is not meaningful to require that - AUTH and ADAT be protected; it is meaningful and useful to require - that PROT and PBSZ be protected. 
In particular, the use of CCC is - not recommended, but is defined in the interest of - interoperability between implementations which might desire such - functionality. - - - A client should encrypt the PASS command whenever possible. It is - reasonable for the server to refuse to accept a non-encrypted PASS - command if the server knows encryption is available. - - - Although no security commands are required to be implemented, it - is recommended that an implementation provide all commands which - can be implemented, given the mechanisms supported and the policy - considerations of the site (export controls, for instance). - -8. Declarative specifications - - These sections are modelled after sections 5.3 and 5.4 of RFC 959, - which describe the same information, except for the standard FTP - commands and replies. - - 8.1. FTP Security commands and arguments - - AUTH - ADAT - PROT - PBSZ - MIC - CONF - ENC - - ::= - ::= - ; must be formatted as described in section 9 - ::= C | S | E | P - ::= any decimal integer from 1 to (2^32)-1 - - - - -Horowitz & Lunt Standards Track [Page 16] - -RFC 2228 FTP Security Extensions October 1997 - - - 8.2. 
Command-Reply sequences - - Security Association Setup - AUTH - 234 - 334 - 502, 504, 534, 431 - 500, 501, 421 - ADAT - 235 - 335 - 503, 501, 535 - 500, 501, 421 - Data protection negotiation commands - PBSZ - 200 - 503 - 500, 501, 421, 530 - PROT - 200 - 504, 536, 503, 534, 431 - 500, 501, 421, 530 - Command channel protection commands - MIC - 535, 533 - 500, 501, 421 - CONF - 535, 533 - 500, 501, 421 - ENC - 535, 533 - 500, 501, 421 - Security-Enhanced login commands (only new replies listed) - USER - 232 - 336 - Data channel commands (only new replies listed) - STOR - 534, 535 - STOU - 534, 535 - RETR - 534, 535 - - - - - - - - -Horowitz & Lunt Standards Track [Page 17] - -RFC 2228 FTP Security Extensions October 1997 - - - LIST - 534, 535 - NLST - 534, 535 - APPE - 534, 535 - - In addition to these reply codes, any security command can return - 500, 501, 502, 533, or 421. Any ftp command can return a reply - code encapsulated in a 631, 632, or 633 reply once a security data - exchange has completed successfully. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 18] - -RFC 2228 FTP Security Extensions October 1997 - - -9. State Diagrams - - This section includes a state diagram which demonstrates the flow of - authentication and authorization in a security enhanced FTP - implementation. The rectangular blocks show states where the client - must issue a command, and the diamond blocks show states where the - server must issue a response. - - - ,------------------, USER - __\| Unauthenticated |_________\ - | /| (new connection) | /| - | `------------------' | - | | | - | | AUTH | - | V | - | / \ | - | 4yz,5yz / \ 234 | - |<--------< >------------->. | - | \ / | | - | \_/ | | - | | | | - | | 334 | | - | V | | - | ,--------------------, | | - | | Need Security Data |<--. 
| | - | `--------------------' | | | - | | | | | - | | ADAT | | | - | V | | | - | / \ | | | - | 4yz,5yz / \ 335 | | | - `<--------< >-----------' | | - \ / | | - \_/ | | - | | | - | 235 | | - V | | - ,---------------. | | - ,--->| Authenticated |<--------' | After the client and server - | `---------------' | have completed authenti- - | | | cation, command must be - | | USER | integrity-protected if - | | | integrity is available. The - | |<-------------------' CCC command may be issued to - | V relax this restriction. - - - - - -Horowitz & Lunt Standards Track [Page 19] - -RFC 2228 FTP Security Extensions October 1997 - - - | / \ - | 4yz,5yz / \ 2yz - |<--------< >------------->. - | \ / | - | \_/ | - | | | - | | 3yz | - | V | - | ,---------------. | - | | Need Password | | - | `---------------' | - | | | - | | PASS | - | V | - | / \ | - | 4yz,5yz / \ 2yz | - |<--------< >------------->| - | \ / | - | \_/ | - | | | - | | 3yz | - | V | - | ,--------------. | - | | Need Account | | - | `--------------' | - | | | - | | ACCT | - | V | - | / \ | - | 4yz,5yz / \ 2yz | - `<--------< >------------->| - \ / | - \_/ | - | | - | 3yz | - V | - ,-------------. | - | Authorized |/________| - | (Logged in) |\ - `-------------' - - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 20] - -RFC 2228 FTP Security Extensions October 1997 - - -10. Base 64 Encoding - - Base 64 encoding is the same as the Printable Encoding described in - Section 4.3.2.4 of [RFC-1421], except that line breaks must not be - included. This encoding is defined as follows. 
- - Proceeding from left to right, the bit string resulting from the - mechanism specific protection routine is encoded into characters - which are universally representable at all sites, though not - necessarily with the same bit patterns (e.g., although the character - "E" is represented in an ASCII-based system as hexadecimal 45 and as - hexadecimal C5 in an EBCDIC-based system, the local significance of - the two representations is equivalent). - - A 64-character subset of International Alphabet IA5 is used, enabling - 6 bits to be represented per printable character. (The proposed - subset of characters is represented identically in IA5 and ASCII.) - The character "=" signifies a special processing function used for - padding within the printable encoding procedure. - - The encoding process represents 24-bit groups of input bits as output - strings of 4 encoded characters. Proceeding from left to right - across a 24-bit input group output from the security mechanism - specific message protection procedure, each 6-bit group is used as an - index into an array of 64 printable characters, namely "[A-Z][a- - z][0-9]+/". The character referenced by the index is placed in the - output string. These characters are selected so as to be universally - representable, and the set excludes characters with particular - significance to Telnet (e.g., "", "", IAC). - - Special processing is performed if fewer than 24 bits are available - in an input group at the end of a message. A full encoding quantum - is always completed at the end of a message. When fewer than 24 - input bits are available in an input group, zero bits are added (on - the right) to form an integral number of 6-bit groups. Output - character positions which are not required to represent actual input - data are set to the character "=". 
Since all canonically encoded - output is an integral number of octets, only the following cases can - arise: (1) the final quantum of encoding input is an integral - multiple of 24 bits; here, the final unit of encoded output will be - an integral multiple of 4 characters with no "=" padding, (2) the - final quantum of encoding input is exactly 8 bits; here, the final - unit of encoded output will be two characters followed by two "=" - padding characters, or (3) the final quantum of encoding input is - exactly 16 bits; here, the final unit of encoded output will be three - characters followed by one "=" padding character. - - - - - -Horowitz & Lunt Standards Track [Page 21] - -RFC 2228 FTP Security Extensions October 1997 - - - Implementors must keep in mind that the base 64 encodings in ADAT, - MIC, CONF, and ENC commands, and in 63z replies may be arbitrarily - long. Thus, the entire line must be read before it can be processed. - Several successive reads on the control channel may be necessary. It - is not appropriate to for a server to reject a command containing a - base 64 encoding simply because it is too long (assuming that the - decoding is otherwise well formed in the context in which it was - sent). - - Case must not be ignored when reading commands and replies containing - base 64 encodings. - -11. Security Considerations - - This entire document deals with security considerations related to - the File Transfer Protocol. - - Third party file transfers cannot be secured using these extensions, - since a security context cannot be established between two servers - using these facilities (no control connection exists between servers - over which to pass ADAT tokens). Further work in this area is - deferred. - -12. Acknowledgements - - I would like to thank the members of the CAT WG, as well as all - participants in discussions on the "cat-ietf@mit.edu" mailing list, - for their contributions to this document. 
I would especially like to - thank Sam Sjogren, John Linn, Ted Ts'o, Jordan Brown, Michael Kogut, - Derrick Brashear, John Gardiner Myers, Denis Pinkas, and Karri Balk - for their contributions to this work. Of course, without Steve Lunt, - the author of the first six revisions of this document, it would not - exist at all. - -13. References - - [TELNET-SEC] Borman, D., "Telnet Authentication and Encryption - Option", Work in Progress. - - [RFC-1123] Braden, R., "Requirements for Internet Hosts -- - Application and Support", STD 3, RFC 1123, October 1989. - - [RFC-1421] Linn, J., "Privacy Enhancement for Internet Electronic - Mail: Part I: Message Encryption and Authentication Procedures", - RFC 1421, February 1993. - - - - - - -Horowitz & Lunt Standards Track [Page 22] - -RFC 2228 FTP Security Extensions October 1997 - - -14. Author's Address - - Marc Horowitz - Cygnus Solutions - 955 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 354 7688 - EMail: marc@cygnus.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Horowitz & Lunt Standards Track [Page 23] - -RFC 2228 FTP Security Extensions October 1997 - - -Appendix I: Specification under the GSSAPI - - In order to maximise the utility of new security mechanisms, it is - desirable that new mechanisms be implemented as GSSAPI mechanisms - rather than as FTP security mechanisms. This will enable existing - ftp implementations to support the new mechanisms more easily, since - little or no code will need to be changed. In addition, the - mechanism will be usable by other protocols, such as IMAP, which are - built on top of the GSSAPI, with no additional specification or - implementation work needed by the mechanism designers. - - The security mechanism name (for the AUTH command) associated with - all mechanisms employing the GSSAPI is GSSAPI. 
If the server - supports a security mechanism employing the GSSAPI, it must respond - with a 334 reply code indicating that an ADAT command is expected - next. - - The client must begin the authentication exchange by calling - GSS_Init_Sec_Context, passing in 0 for input_context_handle - (initially), and a targ_name equal to output_name from - GSS_Import_Name called with input_name_type of Host-Based Service and - input_name_string of "ftp@hostname" where "hostname" is the fully - qualified host name of the server with all letters in lower case. - (Failing this, the client may try again using input_name_string of - "host@hostname".) The output_token must then be base 64 encoded and - sent to the server as the argument to an ADAT command. If - GSS_Init_Sec_Context returns GSS_S_CONTINUE_NEEDED, then the client - must expect a token to be returned in the reply to the ADAT command. - This token must subsequently be passed to another call to - GSS_Init_Sec_Context. In this case, if GSS_Init_Sec_Context returns - no output_token, then the reply code from the server for the previous - ADAT command must have been 235. If GSS_Init_Sec_Context returns - GSS_S_COMPLETE, then no further tokens are expected from the server, - and the client must consider the server authenticated. - - The server must base 64 decode the argument to the ADAT command and - pass the resultant token to GSS_Accept_Sec_Context as input_token, - setting acceptor_cred_handle to NULL (for "use default credentials"), - and 0 for input_context_handle (initially). If an output_token is - returned, it must be base 64 encoded and returned to the client by - including "ADAT=base64string" in the text of the reply. If - GSS_Accept_Sec_Context returns GSS_S_COMPLETE, the reply code must be - 235, and the server must consider the client authenticated. If - GSS_Accept_Sec_Context returns GSS_S_CONTINUE_NEEDED, the reply code - must be 335. 
Otherwise, the reply code should be 535, and the text - of the reply should contain a descriptive error message. - - - - - -Horowitz & Lunt Standards Track [Page 24] - -RFC 2228 FTP Security Extensions October 1997 - - - The chan_bindings input to GSS_Init_Sec_Context and - GSS_Accept_Sec_Context should use the client internet address and - server internet address as the initiator and acceptor addresses, - respectively. The address type for both should be GSS_C_AF_INET. No - application data should be specified. - - Since GSSAPI supports anonymous peers to security contexts, it is - possible that the client's authentication of the server does not - actually establish an identity. - - The procedure associated with MIC commands, 631 replies, and Safe - file transfers is: - - GSS_Wrap for the sender, with conf_flag == FALSE - - GSS_Unwrap for the receiver - - The procedure associated with ENC commands, 632 replies, and Private - file transfers is: - - GSS_Wrap for the sender, with conf_flag == TRUE - GSS_Unwrap for the receiver - - CONF commands and 633 replies are not supported. - - Both the client and server should inspect the value of conf_avail to - determine whether the peer supports confidentiality services. - - When the security state is reset (when AUTH is received a second - time, or when REIN is received), this should be done by calling the - GSS_Delete_sec_context function. - -Appendix II: Specification under Kerberos version 4 - - The security mechanism name (for the AUTH command) associated with - Kerberos Version 4 is KERBEROS_V4. If the server supports - KERBEROS_V4, it must respond with a 334 reply code indicating that an - ADAT command is expected next. 
- - The client must retrieve a ticket for the Kerberos principal - "ftp.hostname@realm" by calling krb_mk_req(3) with a principal name - of "ftp", an instance equal to the first part of the canonical host - name of the server with all letters in lower case (as returned by - krb_get_phost(3)), the server's realm name (as returned by - krb_realmofhost(3)), and an arbitrary checksum. The ticket must then - be base 64 encoded and sent as the argument to an ADAT command. - - - - - -Horowitz & Lunt Standards Track [Page 25] - -RFC 2228 FTP Security Extensions October 1997 - - - If the "ftp" principal name is not a registered principal in the - Kerberos database, then the client may fall back on the "rcmd" - principal name (same instance and realm). However, servers must - accept only one or the other of these principal names, and must not - be willing to accept either. Generally, if the server has a key for - the "ftp" principal in its srvtab, then that principal only must be - used, otherwise the "rcmd" principal only must be used. - - The server must base 64 decode the argument to the ADAT command and - pass the result to krb_rd_req(3). The server must add one to the - checksum from the authenticator, convert the result to network byte - order (most significant byte first), and sign it using - krb_mk_safe(3), and base 64 encode the result. Upon success, the - server must reply to the client with a 235 code and include - "ADAT=base64string" in the text of the reply. Upon failure, the - server should reply 535. - - Upon receipt of the 235 reply from the server, the client must parse - the text of the reply for the base 64 encoded data, decode it, - convert it from network byte order, and pass the result to - krb_rd_safe(3). The client must consider the server authenticated if - the resultant checksum is equal to one plus the value previously - sent. 
-
- The procedure associated with MIC commands, 631 replies, and Safe
- file transfers is:
-
- krb_mk_safe(3) for the sender
- krb_rd_safe(3) for the receiver
-
- The procedure associated with ENC commands, 632 replies, and Private
- file transfers is:
-
- krb_mk_priv(3) for the sender
- krb_rd_priv(3) for the receiver
-
- CONF commands and 633 replies are not supported.
-
- Note that this specification for KERBEROS_V4 contains no provision
- for negotiating alternate means for integrity and confidentiality
- routines. Note also that the ADAT exchange does not convey whether
- the peer supports confidentiality services.
-
- In order to stay within the allowed PBSZ, implementors must take note
- that a cleartext buffer will grow by 31 bytes when processed by
- krb_mk_safe(3) and will grow by 26 bytes when processed by
- krb_mk_priv(3).
-
-
-
-
-Horowitz & Lunt Standards Track [Page 26]
-
-RFC 2228 FTP Security Extensions October 1997
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implmentation may be prepared, copied, published
- andand distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Horowitz & Lunt Standards Track [Page 27]
-
diff --git a/crypto/heimdal/doc/standardisation/rfc2743.txt b/crypto/heimdal/doc/standardisation/rfc2743.txt
deleted file mode 100644
index e5da571abb4a..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc2743.txt
+++ /dev/null
@@ -1,5659 +0,0 @@ - - - - - - -Network Working Group J. Linn -Request for Comments: 2743 RSA Laboratories -Obsoletes: 2078 January 2000 -Category: Standards Track - - - Generic Security Service Application Program Interface - Version 2, Update 1 - - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2000). All Rights Reserved. - -Abstract - - The Generic Security Service Application Program Interface (GSS-API), - Version 2, as defined in [RFC-2078], provides security services to - callers in a generic fashion, supportable with a range of underlying - mechanisms and technologies and hence allowing source-level - portability of applications to different environments. This - specification defines GSS-API services and primitives at a level - independent of underlying mechanism and programming language - environment, and is to be complemented by other, related - specifications: - - documents defining specific parameter bindings for particular - language environments - - documents defining token formats, protocols, and procedures to be - implemented in order to realize GSS-API services atop particular - security mechanisms - - This memo obsoletes [RFC-2078], making specific, incremental changes - in response to implementation experience and liaison requests. It is - intended, therefore, that this memo or a successor version thereto - will become the basis for subsequent progression of the GSS-API - specification on the standards track. - - - - - -Linn Standards Track [Page 1] - -RFC 2743 GSS-API January 2000 - - -TABLE OF CONTENTS - - 1: GSS-API Characteristics and Concepts . . . . . . . . . . . . 
4 - 1.1: GSS-API Constructs . . . . . . . . . . . . . . . . . . . . 6 - 1.1.1: Credentials . . . . . . . . . . . . . . . . . . . . . . 6 - 1.1.1.1: Credential Constructs and Concepts . . . . . . . . . . 6 - 1.1.1.2: Credential Management . . . . . . . . . . . . . . . . 7 - 1.1.1.3: Default Credential Resolution . . . . . . . . . . . . 8 - 1.1.2: Tokens . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 1.1.3: Security Contexts . . . . . . . . . . . . . . . . . . . 11 - 1.1.4: Mechanism Types . . . . . . . . . . . . . . . . . . . . 12 - 1.1.5: Naming . . . . . . . . . . . . . . . . . . . . . . . . 13 - 1.1.6: Channel Bindings . . . . . . . . . . . . . . . . . . . 16 - 1.2: GSS-API Features and Issues . . . . . . . . . . . . . . . 17 - 1.2.1: Status Reporting and Optional Service Support . . . . 17 - 1.2.1.1: Status Reporting . . . . . . . . . . . . . . . . . . . 17 - 1.2.1.2: Optional Service Support . . . . . . . . . . . . . . . 19 - 1.2.2: Per-Message Security Service Availability . . . . . . . 20 - 1.2.3: Per-Message Replay Detection and Sequencing . . . . . . 21 - 1.2.4: Quality of Protection . . . . . . . . . . . . . . . . . 24 - 1.2.5: Anonymity Support . . . . . . . . . . . . . . . . . . . 25 - 1.2.6: Initialization . . . . . . . . . . . . . . . . . . . . . 25 - 1.2.7: Per-Message Protection During Context Establishment . . 26 - 1.2.8: Implementation Robustness . . . . . . . . . . . . . . . 27 - 1.2.9: Delegation . . . . . . . . . . . . . . . . . . . . . . . 28 - 1.2.10: Interprocess Context Transfer . . . . . . . . . . . . . 28 - 2: Interface Descriptions . . . . . . . . . . . . . . . . . . 29 - 2.1: Credential management calls . . . . . . . . . . . . . . . 31 - 2.1.1: GSS_Acquire_cred call . . . . . . . . . . . . . . . . . 31 - 2.1.2: GSS_Release_cred call . . . . . . . . . . . . . . . . . 34 - 2.1.3: GSS_Inquire_cred call . . . . . . . . . . . . . . . . . 35 - 2.1.4: GSS_Add_cred call . . . . . . . . . . . . . . . . . . . 
37 - 2.1.5: GSS_Inquire_cred_by_mech call . . . . . . . . . . . . . 40 - 2.2: Context-level calls . . . . . . . . . . . . . . . . . . . 41 - 2.2.1: GSS_Init_sec_context call . . . . . . . . . . . . . . . 42 - 2.2.2: GSS_Accept_sec_context call . . . . . . . . . . . . . . 49 - 2.2.3: GSS_Delete_sec_context call . . . . . . . . . . . . . . 53 - 2.2.4: GSS_Process_context_token call . . . . . . . . . . . . 54 - 2.2.5: GSS_Context_time call . . . . . . . . . . . . . . . . . 55 - 2.2.6: GSS_Inquire_context call . . . . . . . . . . . . . . . 56 - 2.2.7: GSS_Wrap_size_limit call . . . . . . . . . . . . . . . 57 - 2.2.8: GSS_Export_sec_context call . . . . . . . . . . . . . . 59 - 2.2.9: GSS_Import_sec_context call . . . . . . . . . . . . . . 61 - 2.3: Per-message calls . . . . . . . . . . . . . . . . . . . . 62 - 2.3.1: GSS_GetMIC call . . . . . . . . . . . . . . . . . . . . 63 - 2.3.2: GSS_VerifyMIC call . . . . . . . . . . . . . . . . . . 64 - 2.3.3: GSS_Wrap call . . . . . . . . . . . . . . . . . . . . . 65 - 2.3.4: GSS_Unwrap call . . . . . . . . . . . . . . . . . . . . 66 - - - -Linn Standards Track [Page 2] - -RFC 2743 GSS-API January 2000 - - - 2.4: Support calls . . . . . . . . . . . . . . . . . . . . . . 68 - 2.4.1: GSS_Display_status call . . . . . . . . . . . . . . . . 68 - 2.4.2: GSS_Indicate_mechs call . . . . . . . . . . . . . . . . 69 - 2.4.3: GSS_Compare_name call . . . . . . . . . . . . . . . . . 70 - 2.4.4: GSS_Display_name call . . . . . . . . . . . . . . . . . 71 - 2.4.5: GSS_Import_name call . . . . . . . . . . . . . . . . . 72 - 2.4.6: GSS_Release_name call . . . . . . . . . . . . . . . . . 73 - 2.4.7: GSS_Release_buffer call . . . . . . . . . . . . . . . . 74 - 2.4.8: GSS_Release_OID_set call . . . . . . . . . . . . . . . 74 - 2.4.9: GSS_Create_empty_OID_set call . . . . . . . . . . . . . 75 - 2.4.10: GSS_Add_OID_set_member call . . . . . . . . . . . . . . 76 - 2.4.11: GSS_Test_OID_set_member call . . . . . . . . . . . . . 
76 - 2.4.12: GSS_Inquire_names_for_mech call . . . . . . . . . . . . 77 - 2.4.13: GSS_Inquire_mechs_for_name call . . . . . . . . . . . . 77 - 2.4.14: GSS_Canonicalize_name call . . . . . . . . . . . . . . 78 - 2.4.15: GSS_Export_name call . . . . . . . . . . . . . . . . . 79 - 2.4.16: GSS_Duplicate_name call . . . . . . . . . . . . . . . . 80 - 3: Data Structure Definitions for GSS-V2 Usage . . . . . . . . 81 - 3.1: Mechanism-Independent Token Format . . . . . . . . . . . . 81 - 3.2: Mechanism-Independent Exported Name Object Format . . . . 84 - 4: Name Type Definitions . . . . . . . . . . . . . . . . . . . 85 - 4.1: Host-Based Service Name Form . . . . . . . . . . . . . . . 85 - 4.2: User Name Form . . . . . . . . . . . . . . . . . . . . . . 86 - 4.3: Machine UID Form . . . . . . . . . . . . . . . . . . . . . 87 - 4.4: String UID Form . . . . . . . . . . . . . . . . . . . . . 87 - 4.5: Anonymous Nametype . . . . . . . . . . . . . . . . . . . . 87 - 4.6: GSS_C_NO_OID . . . . . . . . . . . . . . . . . . . . . . . 88 - 4.7: Exported Name Object . . . . . . . . . . . . . . . . . . . 88 - 4.8: GSS_C_NO_NAME . . . . . . . . . . . . . . . . . . . . . . 88 - 5: Mechanism-Specific Example Scenarios . . . . . . . . . . . 88 - 5.1: Kerberos V5, single-TGT . . . . . . . . . . . . . . . . . 89 - 5.2: Kerberos V5, double-TGT . . . . . . . . . . . . . . . . . 89 - 5.3: X.509 Authentication Framework . . . . . . . . . . . . . 90 - 6: Security Considerations . . . . . . . . . . . . . . . . . . 91 - 7: Related Activities . . . . . . . . . . . . . . . . . . . . 92 - 8: Referenced Documents . . . . . . . . . . . . . . . . . . . 93 - Appendix A: Mechanism Design Constraints . . . . . . . . . . . 94 - Appendix B: Compatibility with GSS-V1 . . . . . . . . . . . . . 94 - Appendix C: Changes Relative to RFC-2078 . . . . . . . . . . . 96 - Author's Address . . . . . . . . . . . . . . . . . . . . . . .100 - Full Copyright Statement . . . . . . . . . . . . . . . . . . 
.101 - - - - - - - - - - -Linn Standards Track [Page 3] - -RFC 2743 GSS-API January 2000 - - -1: GSS-API Characteristics and Concepts - - GSS-API operates in the following paradigm. A typical GSS-API caller - is itself a communications protocol, calling on GSS-API in order to - protect its communications with authentication, integrity, and/or - confidentiality security services. A GSS-API caller accepts tokens - provided to it by its local GSS-API implementation and transfers the - tokens to a peer on a remote system; that peer passes the received - tokens to its local GSS-API implementation for processing. The - security services available through GSS-API in this fashion are - implementable (and have been implemented) over a range of underlying - mechanisms based on secret-key and public-key cryptographic - technologies. - - The GSS-API separates the operations of initializing a security - context between peers, achieving peer entity authentication - (GSS_Init_sec_context() and GSS_Accept_sec_context() calls), from the - operations of providing per-message data origin authentication and - data integrity protection (GSS_GetMIC() and GSS_VerifyMIC() calls) - for messages subsequently transferred in conjunction with that - context. (The definition for the peer entity authentication service, - and other definitions used in this document, corresponds to that - provided in [ISO-7498-2].) When establishing a security context, the - GSS-API enables a context initiator to optionally permit its - credentials to be delegated, meaning that the context acceptor may - initiate further security contexts on behalf of the initiating - caller. Per-message GSS_Wrap() and GSS_Unwrap() calls provide the - data origin authentication and data integrity services which - GSS_GetMIC() and GSS_VerifyMIC() offer, and also support selection of - confidentiality services as a caller option. Additional calls provide - supportive functions to the GSS-API's users. 
- - The following paragraphs provide an example illustrating the - dataflows involved in use of the GSS-API by a client and server in a - mechanism-independent fashion, establishing a security context and - transferring a protected message. The example assumes that credential - acquisition has already been completed. The example also assumes - that the underlying authentication technology is capable of - authenticating a client to a server using elements carried within a - single token, and of authenticating the server to the client (mutual - authentication) with a single returned token; this assumption holds - for some presently-documented CAT mechanisms but is not necessarily - true for other cryptographic technologies and associated protocols. - - The client calls GSS_Init_sec_context() to establish a security - context to the server identified by targ_name, and elects to set the - mutual_req_flag so that mutual authentication is performed in the - course of context establishment. GSS_Init_sec_context() returns an - - - -Linn Standards Track [Page 4] - -RFC 2743 GSS-API January 2000 - - - output_token to be passed to the server, and indicates - GSS_S_CONTINUE_NEEDED status pending completion of the mutual - authentication sequence. Had mutual_req_flag not been set, the - initial call to GSS_Init_sec_context() would have returned - GSS_S_COMPLETE status. The client sends the output_token to the - server. - - The server passes the received token as the input_token parameter to - GSS_Accept_sec_context(). GSS_Accept_sec_context indicates - GSS_S_COMPLETE status, provides the client's authenticated identity - in the src_name result, and provides an output_token to be passed to - the client. The server sends the output_token to the client. 
-
- The client passes the received token as the input_token parameter to
- a successor call to GSS_Init_sec_context(), which processes data
- included in the token in order to achieve mutual authentication from
- the client's viewpoint. This call to GSS_Init_sec_context() returns
- GSS_S_COMPLETE status, indicating successful mutual authentication
- and the completion of context establishment for this example.
-
- The client generates a data message and passes it to GSS_Wrap().
- GSS_Wrap() performs data origin authentication, data integrity, and
- (optionally) confidentiality processing on the message and
- encapsulates the result into output_message, indicating
- GSS_S_COMPLETE status. The client sends the output_message to the
- server.
-
- The server passes the received message to GSS_Unwrap(). GSS_Unwrap()
- inverts the encapsulation performed by GSS_Wrap(), deciphers the
- message if the optional confidentiality feature was applied, and
- validates the data origin authentication and data integrity checking
- quantities. GSS_Unwrap() indicates successful validation by returning
- GSS_S_COMPLETE status along with the resultant output_message.
-
- For purposes of this example, we assume that the server knows by
- out-of-band means that this context will have no further use after
- one protected message is transferred from client to server. Given
- this premise, the server now calls GSS_Delete_sec_context() to flush
- context-level information. Optionally, the server-side application
- may provide a token buffer to GSS_Delete_sec_context(), to receive a
- context_token to be transferred to the client in order to request
- that client-side context-level information be deleted.
-
- If a context_token is transferred, the client passes the
- context_token to GSS_Process_context_token(), which returns
- GSS_S_COMPLETE status after deleting context-level information at the
- client system.
-
-
-
-
-Linn Standards Track [Page 5]
-
-RFC 2743 GSS-API January 2000
-
-
- The GSS-API design assumes and addresses several basic goals,
- including:
-
- Mechanism independence: The GSS-API defines an interface to
- cryptographically implemented strong authentication and other
- security services at a generic level which is independent of
- particular underlying mechanisms. For example, GSS-API-provided
- services have been implemented using secret-key technologies
- (e.g., Kerberos, per [RFC-1964]) and with public-key approaches
- (e.g., SPKM, per [RFC-2025]).
-
- Protocol environment independence: The GSS-API is independent of
- the communications protocol suites with which it is employed,
- permitting use in a broad range of protocol environments. In
- appropriate environments, an intermediate implementation "veneer"
- which is oriented to a particular communication protocol may be
- interposed between applications which call that protocol and the
- GSS-API (e.g., as defined in [RFC-2203] for Open Network Computing
- Remote Procedure Call (RPC)), thereby invoking GSS-API facilities
- in conjunction with that protocol's communications invocations.
-
- Protocol association independence: The GSS-API's security context
- construct is independent of communications protocol association
- constructs. This characteristic allows a single GSS-API
- implementation to be utilized by a variety of invoking protocol
- modules on behalf of those modules' calling applications. GSS-API
- services can also be invoked directly by applications, wholly
- independent of protocol associations.
-
- Suitability to a range of implementation placements: GSS-API
- clients are not constrained to reside within any Trusted Computing
- Base (TCB) perimeter defined on a system where the GSS-API is
- implemented; security services are specified in a manner suitable
- to both intra-TCB and extra-TCB callers.
- -1.1: GSS-API Constructs - - This section describes the basic elements comprising the GSS-API. - -1.1.1: Credentials - -1.1.1.1: Credential Constructs and Concepts - - Credentials provide the prerequisites which permit GSS-API peers to - establish security contexts with each other. A caller may designate - that the credential elements which are to be applied for context - initiation or acceptance be selected by default. Alternately, those - GSS-API callers which need to make explicit selection of particular - - - -Linn Standards Track [Page 6] - -RFC 2743 GSS-API January 2000 - - - credentials structures may make references to those credentials - through GSS-API-provided credential handles ("cred_handles"). In all - cases, callers' credential references are indirect, mediated by GSS- - API implementations and not requiring callers to access the selected - credential elements. - - A single credential structure may be used to initiate outbound - contexts and to accept inbound contexts. Callers needing to operate - in only one of these modes may designate this fact when credentials - are acquired for use, allowing underlying mechanisms to optimize - their processing and storage requirements. The credential elements - defined by a particular mechanism may contain multiple cryptographic - keys, e.g., to enable authentication and message encryption to be - performed with different algorithms. - - A GSS-API credential structure may contain multiple credential - elements, each containing mechanism-specific information for a - particular underlying mechanism (mech_type), but the set of elements - within a given credential structure represent a common entity. A - credential structure's contents will vary depending on the set of - mech_types supported by a particular GSS-API implementation. 
Each - credential element identifies the data needed by its mechanism in - order to establish contexts on behalf of a particular principal, and - may contain separate credential references for use in context - initiation and context acceptance. Multiple credential elements - within a given credential having overlapping combinations of - mechanism, usage mode, and validity period are not permitted. - - Commonly, a single mech_type will be used for all security contexts - established by a particular initiator to a particular target. A major - motivation for supporting credential sets representing multiple - mech_types is to allow initiators on systems which are equipped to - handle multiple types to initiate contexts to targets on other - systems which can accommodate only a subset of the set supported at - the initiator's system. - -1.1.1.2: Credential Management - - It is the responsibility of underlying system-specific mechanisms and - OS functions below the GSS-API to ensure that the ability to acquire - and use credentials associated with a given identity is constrained - to appropriate processes within a system. This responsibility should - be taken seriously by implementors, as the ability for an entity to - utilize a principal's credentials is equivalent to the entity's - ability to successfully assert that principal's identity. - - - - - - -Linn Standards Track [Page 7] - -RFC 2743 GSS-API January 2000 - - - Once a set of GSS-API credentials is established, the transferability - of that credentials set to other processes or analogous constructs - within a system is a local matter, not defined by the GSS-API. An - example local policy would be one in which any credentials received - as a result of login to a given user account, or of delegation of - rights to that account, are accessible by, or transferable to, - processes running under that account. 
- - The credential establishment process (particularly when performed on - behalf of users rather than server processes) is likely to require - access to passwords or other quantities which should be protected - locally and exposed for the shortest time possible. As a result, it - will often be appropriate for preliminary credential establishment to - be performed through local means at user login time, with the - result(s) cached for subsequent reference. These preliminary - credentials would be set aside (in a system-specific fashion) for - subsequent use, either: - - to be accessed by an invocation of the GSS-API GSS_Acquire_cred() - call, returning an explicit handle to reference that credential - - to comprise default credential elements to be installed, and to be - used when default credential behavior is requested on behalf of a - process - -1.1.1.3: Default Credential Resolution - - The GSS_Init_sec_context() and GSS_Accept_sec_context() routines - allow the value GSS_C_NO_CREDENTIAL to be specified as their - credential handle parameter. This special credential handle - indicates a desire by the application to act as a default principal. - In support of application portability, support for the default - resolution behavior described below for initiator credentials - (GSS_Init_sec_context() usage) is mandated; support for the default - resolution behavior described below for acceptor credentials - (GSS_Accept_sec_context() usage) is recommended. If default - credential resolution fails, GSS_S_NO_CRED status is to be returned. 
- - GSS_Init_sec_context: - - (i) If there is only a single principal capable of initiating - security contexts that the application is authorized to act on - behalf of, then that principal shall be used, otherwise - - - - - - - - -Linn Standards Track [Page 8] - -RFC 2743 GSS-API January 2000 - - - (ii) If the platform maintains a concept of a default network- - identity, and if the application is authorized to act on behalf - of that identity for the purpose of initiating security - contexts, then the principal corresponding to that identity - shall be used, otherwise - - (iii) If the platform maintains a concept of a default local - identity, and provides a means to map local identities into - network-identities, and if the application is authorized to act - on behalf of the network-identity image of the default local - identity for the purpose of initiating security contexts, then - the principal corresponding to that identity shall be used, - otherwise - - (iv) A user-configurable default identity should be used. - - GSS_Accept_sec_context: - - (i) If there is only a single authorized principal identity - capable of accepting security contexts, then that principal - shall be used, otherwise - - (ii) If the mechanism can determine the identity of the target - principal by examining the context-establishment token, and if - the accepting application is authorized to act as that - principal for the purpose of accepting security contexts, then - that principal identity shall be used, otherwise - - (iii) If the mechanism supports context acceptance by any - principal, and mutual authentication was not requested, any - principal that the application is authorized to accept security - contexts under may be used, otherwise - - (iv) A user-configurable default identity shall be used. - - The purpose of the above rules is to allow security contexts to be - established by both initiator and acceptor using the default behavior - wherever possible. 
Applications requesting default behavior are - likely to be more portable across mechanisms and platforms than those - that use GSS_Acquire_cred() to request a specific identity. - -1.1.2: Tokens - - Tokens are data elements transferred between GSS-API callers, and are - divided into two classes. Context-level tokens are exchanged in order - to establish and manage a security context between peers. Per-message - tokens relate to an established context and are exchanged to provide - - - - -Linn Standards Track [Page 9] - -RFC 2743 GSS-API January 2000 - - - protective security services (i.e., data origin authentication, - integrity, and optional confidentiality) for corresponding data - messages. - - The first context-level token obtained from GSS_Init_sec_context() is - required to indicate at its very beginning a globally-interpretable - mechanism identifier, i.e., an Object Identifier (OID) of the - security mechanism. The remaining part of this token as well as the - whole content of all other tokens are specific to the particular - underlying mechanism used to support the GSS-API. Section 3.1 of this - document provides, for designers of GSS-API mechanisms, the - description of the header of the first context-level token which is - then followed by mechanism-specific information. - - Tokens' contents are opaque from the viewpoint of GSS-API callers. - They are generated within the GSS-API implementation at an end - system, provided to a GSS-API caller to be transferred to the peer - GSS-API caller at a remote end system, and processed by the GSS-API - implementation at that remote end system. - - Context-level tokens may be output by GSS-API calls (and should be - transferred to GSS-API peers) whether or not the calls' status - indicators indicate successful completion. Per-message tokens, in - contrast, are to be returned only upon successful completion of per- - message calls. Zero-length tokens are never returned by GSS routines - for transfer to a peer. 
Token transfer may take place in an in-band - manner, integrated into the same protocol stream used by the GSS-API - callers for other data transfers, or in an out-of-band manner across - a logically separate channel. - - Different GSS-API tokens are used for different purposes (e.g., - context initiation, context acceptance, protected message data on an - established context), and it is the responsibility of a GSS-API - caller receiving tokens to distinguish their types, associate them - with corresponding security contexts, and pass them to appropriate - GSS-API processing routines. Depending on the caller protocol - environment, this distinction may be accomplished in several ways. - - The following examples illustrate means through which tokens' types - may be distinguished: - - - implicit tagging based on state information (e.g., all tokens on - a new association are considered to be context establishment - tokens until context establishment is completed, at which point - all tokens are considered to be wrapped data objects for that - context), - - - - - -Linn Standards Track [Page 10] - -RFC 2743 GSS-API January 2000 - - - - explicit tagging at the caller protocol level, - - - a hybrid of these approaches. - - Commonly, the encapsulated data within a token includes internal - mechanism-specific tagging information, enabling mechanism-level - processing modules to distinguish tokens used within the mechanism - for different purposes. Such internal mechanism-level tagging is - recommended to mechanism designers, and enables mechanisms to - determine whether a caller has passed a particular token for - processing by an inappropriate GSS-API routine. 
- - Development of GSS-API mechanisms based on a particular underlying - cryptographic technique and protocol (i.e., conformant to a specific - GSS-API mechanism definition) does not necessarily imply that GSS-API - callers using that GSS-API mechanism will be able to interoperate - with peers invoking the same technique and protocol outside the GSS- - API paradigm, or with peers implementing a different GSS-API - mechanism based on the same underlying technology. The format of - GSS-API tokens defined in conjunction with a particular mechanism, - and the techniques used to integrate those tokens into callers' - protocols, may not be interoperable with the tokens used by non-GSS- - API callers of the same underlying technique. - -1.1.3: Security Contexts - - Security contexts are established between peers, using credentials - established locally in conjunction with each peer or received by - peers via delegation. Multiple contexts may exist simultaneously - between a pair of peers, using the same or different sets of - credentials. Coexistence of multiple contexts using different - credentials allows graceful rollover when credentials expire. - Distinction among multiple contexts based on the same credentials - serves applications by distinguishing different message streams in a - security sense. - - The GSS-API is independent of underlying protocols and addressing - structure, and depends on its callers to transport GSS-API-provided - data elements. As a result of these factors, it is a caller - responsibility to parse communicated messages, separating GSS-API- - related data elements from caller-provided data. The GSS-API is - independent of connection vs. connectionless orientation of the - underlying communications service. - - No correlation between security context and communications protocol - association is dictated. 
(The optional channel binding facility, - discussed in Section 1.1.6 of this document, represents an - intentional exception to this rule, supporting additional protection - - - -Linn Standards Track [Page 11] - -RFC 2743 GSS-API January 2000 - - - features within GSS-API supporting mechanisms.) This separation - allows the GSS-API to be used in a wide range of communications - environments, and also simplifies the calling sequences of the - individual calls. In many cases (depending on underlying security - protocol, associated mechanism, and availability of cached - information), the state information required for context setup can be - sent concurrently with initial signed user data, without interposing - additional message exchanges. Messages may be protected and - transferred in both directions on an established GSS-API security - context concurrently; protection of messages in one direction does - not interfere with protection of messages in the reverse direction. - - GSS-API implementations are expected to retain inquirable context - data on a context until the context is released by a caller, even - after the context has expired, although underlying cryptographic data - elements may be deleted after expiration in order to limit their - exposure. - -1.1.4: Mechanism Types - - In order to successfully establish a security context with a target - peer, it is necessary to identify an appropriate underlying mechanism - type (mech_type) which both initiator and target peers support. The - definition of a mechanism embodies not only the use of a particular - cryptographic technology (or a hybrid or choice among alternative - cryptographic technologies), but also definition of the syntax and - semantics of data element exchanges which that mechanism will employ - in order to support security services. 
- - It is recommended that callers initiating contexts specify the - "default" mech_type value, allowing system-specific functions within - or invoked by the GSS-API implementation to select the appropriate - mech_type, but callers may direct that a particular mech_type be - employed when necessary. - - For GSS-API purposes, the phrase "negotiating mechanism" refers to a - mechanism which itself performs negotiation in order to select a - concrete mechanism which is shared between peers and is then used for - context establishment. Only those mechanisms which are defined in - their specifications as negotiating mechanisms are to yield selected - mechanisms with different identifier values than the value which is - input by a GSS-API caller, except for the case of a caller requesting - the "default" mech_type. - - The means for identifying a shared mech_type to establish a security - context with a peer will vary in different environments and - circumstances; examples include (but are not limited to): - - - - -Linn Standards Track [Page 12] - -RFC 2743 GSS-API January 2000 - - - use of a fixed mech_type, defined by configuration, within an - environment - - syntactic convention on a target-specific basis, through - examination of a target's name lookup of a target's name in a - naming service or other database in order to identify mech_types - supported by that target - - explicit negotiation between GSS-API callers in advance of - security context setup - - use of a negotiating mechanism - - When transferred between GSS-API peers, mech_type specifiers (per - Section 3 of this document, represented as Object Identifiers (OIDs)) - serve to qualify the interpretation of associated tokens. (The - structure and encoding of Object Identifiers is defined in [ISOIEC- - 8824] and [ISOIEC-8825].) Use of hierarchically structured OIDs - serves to preclude ambiguous interpretation of mech_type specifiers. 
- The OID representing the DASS ([RFC-1507]) MechType, for example, is - 1.3.12.2.1011.7.5, and that of the Kerberos V5 mechanism ([RFC- - 1964]), having been advanced to the level of Proposed Standard, is - 1.2.840.113554.1.2.2. - -1.1.5: Naming - - The GSS-API avoids prescribing naming structures, treating the names - which are transferred across the interface in order to initiate and - accept security contexts as opaque objects. This approach supports - the GSS-API's goal of implementability atop a range of underlying - security mechanisms, recognizing the fact that different mechanisms - process and authenticate names which are presented in different - forms. Generalized services offering translation functions among - arbitrary sets of naming environments are outside the scope of the - GSS-API; availability and use of local conversion functions to - translate among the naming formats supported within a given end - system is anticipated. - - Different classes of name representations are used in conjunction - with different GSS-API parameters: - - - Internal form (denoted in this document by INTERNAL NAME), - opaque to callers and defined by individual GSS-API - implementations. GSS-API implementations supporting multiple - namespace types must maintain internal tags to disambiguate the - interpretation of particular names. A Mechanism Name (MN) is a - special case of INTERNAL NAME, guaranteed to contain elements - - - - -Linn Standards Track [Page 13] - -RFC 2743 GSS-API January 2000 - - - corresponding to one and only one mechanism; calls which are - guaranteed to emit MNs or which require MNs as input are so - identified within this specification. - - - Contiguous string ("flat") form (denoted in this document by - OCTET STRING); accompanied by OID tags identifying the namespace - to which they correspond. Depending on tag value, flat names may - or may not be printable strings for direct acceptance from and - presentation to users. 
Tagging of flat names allows GSS-API - callers and underlying GSS-API mechanisms to disambiguate name - types and to determine whether an associated name's type is one - which they are capable of processing, avoiding aliasing problems - which could result from misinterpreting a name of one type as a - name of another type. - - - The GSS-API Exported Name Object, a special case of flat name - designated by a reserved OID value, carries a canonicalized form - of a name suitable for binary comparisons. - - In addition to providing means for names to be tagged with types, - this specification defines primitives to support a level of naming - environment independence for certain calling applications. To provide - basic services oriented towards the requirements of callers which - need not themselves interpret the internal syntax and semantics of - names, GSS-API calls for name comparison (GSS_Compare_name()), - human-readable display (GSS_Display_name()), input conversion - (GSS_Import_name()), internal name deallocation (GSS_Release_name()), - and internal name duplication (GSS_Duplicate_name()) functions are - defined. (It is anticipated that these proposed GSS-API calls will be - implemented in many end systems based on system-specific name - manipulation primitives already extant within those end systems; - inclusion within the GSS-API is intended to offer GSS-API callers a - portable means to perform specific operations, supportive of - authorization and audit requirements, on authenticated names.) - - GSS_Import_name() implementations can, where appropriate, support - more than one printable syntax corresponding to a given namespace - (e.g., alternative printable representations for X.500 Distinguished - Names), allowing flexibility for their callers to select among - alternative representations. GSS_Display_name() implementations - output a printable syntax selected as appropriate to their - operational environments; this selection is a local matter. 
Callers - desiring portability across alternative printable syntaxes should - refrain from implementing comparisons based on printable name forms - and should instead use the GSS_Compare_name() call to determine - whether or not one internal-format name matches another. - - - - - -Linn Standards Track [Page 14] - -RFC 2743 GSS-API January 2000 - - - When used in large access control lists, the overhead of invoking - GSS_Import_name() and GSS_Compare_name() on each name from the ACL - may be prohibitive. As an alternative way of supporting this case, - GSS-API defines a special form of the contiguous string name which - may be compared directly (e.g., with memcmp()). Contiguous names - suitable for comparison are generated by the GSS_Export_name() - routine, which requires an MN as input. Exported names may be re- - imported by the GSS_Import_name() routine, and the resulting internal - name will also be an MN. The symbolic constant GSS_C_NT_EXPORT_NAME - identifies the "export name" type. Structurally, an exported name - object consists of a header containing an OID identifying the - mechanism that authenticated the name, and a trailer containing the - name itself, where the syntax of the trailer is defined by the - individual mechanism specification. The precise format of an - exported name is defined in Section 3.2 of this specification. - - Note that the results obtained by using GSS_Compare_name() will in - general be different from those obtained by invoking - GSS_Canonicalize_name() and GSS_Export_name(), and then comparing the - exported names. The first series of operations determines whether - two (unauthenticated) names identify the same principal; the second - whether a particular mechanism would authenticate them as the same - principal. These two operations will in general give the same - results only for MNs. - - The following diagram illustrates the intended dataflow among name- - related GSS-API processing routines. 
- - - - - - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 15] - -RFC 2743 GSS-API January 2000 - - - GSS-API library defaults - | - | - V text, for - text --------------> internal_name (IN) -----------> display only - import_name() / display_name() - / - / - / - accept_sec_context() / - | / - | / - | / canonicalize_name() - | / - | / - | / - | / - | / - | | - V V <--------------------- - single mechanism import_name() exported name: flat - internal_name (MN) binary "blob" usable - ----------------------> for access control - export_name() - -1.1.6: Channel Bindings - - The GSS-API accommodates the concept of caller-provided channel - binding ("chan_binding") information. Channel bindings are used to - strengthen the quality with which peer entity authentication is - provided during context establishment, by limiting the scope within - which an intercepted context establishment token can be reused by an - attacker. Specifically, they enable GSS-API callers to bind the - establishment of a security context to relevant characteristics - (e.g., addresses, transformed representations of encryption keys) of - the underlying communications channel, of protection mechanisms - applied to that communications channel, and to application-specific - data. - - The caller initiating a security context must determine the - appropriate channel binding values to provide as input to the - GSS_Init_sec_context() call, and consistent values must be provided - to GSS_Accept_sec_context() by the context's target, in order for - both peers' GSS-API mechanisms to validate that received tokens - possess correct channel-related characteristics. Use or non-use of - the GSS-API channel binding facility is a caller option. 
GSS-API - mechanisms can operate in an environment where NULL channel bindings - are presented; mechanism implementors are encouraged, but not - - - -Linn Standards Track [Page 16] - -RFC 2743 GSS-API January 2000 - - - required, to make use of caller-provided channel binding data within - their mechanisms. Callers should not assume that underlying - mechanisms provide confidentiality protection for channel binding - information. - - When non-NULL channel bindings are provided by callers, certain - mechanisms can offer enhanced security value by interpreting the - bindings' content (rather than simply representing those bindings, or - integrity check values computed on them, within tokens) and will - therefore depend on presentation of specific data in a defined - format. To this end, agreements among mechanism implementors are - defining conventional interpretations for the contents of channel - binding arguments, including address specifiers (with content - dependent on communications protocol environment) for context - initiators and acceptors. (These conventions are being incorporated - in GSS-API mechanism specifications and into the GSS-API C language - bindings specification.) In order for GSS-API callers to be portable - across multiple mechanisms and achieve the full security - functionality which each mechanism can provide, it is strongly - recommended that GSS-API callers provide channel bindings consistent - with these conventions and those of the networking environment in - which they operate. - -1.2: GSS-API Features and Issues - - This section describes aspects of GSS-API operations, of the security - services which the GSS-API provides, and provides commentary on - design issues. - -1.2.1: Status Reporting and Optional Service Support - -1.2.1.1: Status Reporting - - Each GSS-API call provides two status return values. 
Major_status - values provide a mechanism-independent indication of call status - (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED), - sufficient to drive normal control flow within the caller in a - generic fashion. Table 1 summarizes the defined major_status return - codes in tabular fashion. - - Sequencing-related informatory major_status codes - (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and - GSS_S_GAP_TOKEN) can be indicated in conjunction with either - GSS_S_COMPLETE or GSS_S_FAILURE status for GSS-API per-message calls. - For context establishment calls, these sequencing-related codes will - be indicated only in conjunction with GSS_S_FAILURE status (never in - - - - - -Linn Standards Track [Page 17] - -RFC 2743 GSS-API January 2000 - - - conjunction with GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and, - therefore, always correspond to fatal failures if encountered during - the context establishment phase. - - Table 1: GSS-API Major Status Codes - - FATAL ERROR CODES - - GSS_S_BAD_BINDINGS channel binding mismatch - GSS_S_BAD_MECH unsupported mechanism requested - GSS_S_BAD_NAME invalid name provided - GSS_S_BAD_NAMETYPE name of unsupported type provided - GSS_S_BAD_STATUS invalid input status selector - GSS_S_BAD_SIG token had invalid integrity check - GSS_S_BAD_MIC preferred alias for GSS_S_BAD_SIG - GSS_S_CONTEXT_EXPIRED specified security context expired - GSS_S_CREDENTIALS_EXPIRED expired credentials detected - GSS_S_DEFECTIVE_CREDENTIAL defective credential detected - GSS_S_DEFECTIVE_TOKEN defective token detected - GSS_S_FAILURE failure, unspecified at GSS-API - level - GSS_S_NO_CONTEXT no valid security context specified - GSS_S_NO_CRED no valid credentials provided - GSS_S_BAD_QOP unsupported QOP value - GSS_S_UNAUTHORIZED operation unauthorized - GSS_S_UNAVAILABLE operation unavailable - GSS_S_DUPLICATE_ELEMENT duplicate credential element requested - GSS_S_NAME_NOT_MN name contains multi-mechanism elements - - 
INFORMATORY STATUS CODES - - GSS_S_COMPLETE normal completion - GSS_S_CONTINUE_NEEDED continuation call to routine - required - GSS_S_DUPLICATE_TOKEN duplicate per-message token - detected - GSS_S_OLD_TOKEN timed-out per-message token - detected - GSS_S_UNSEQ_TOKEN reordered (early) per-message token - detected - GSS_S_GAP_TOKEN skipped predecessor token(s) - detected - - Minor_status provides more detailed status information which may - include status codes specific to the underlying security mechanism. - Minor_status values are not specified in this document. - - - - - -Linn Standards Track [Page 18] - -RFC 2743 GSS-API January 2000 - - - GSS_S_CONTINUE_NEEDED major_status returns, and optional message - outputs, are provided in GSS_Init_sec_context() and - GSS_Accept_sec_context() calls so that different mechanisms' - employment of different numbers of messages within their - authentication sequences need not be reflected in separate code paths - within calling applications. Instead, such cases are accommodated - with sequences of continuation calls to GSS_Init_sec_context() and - GSS_Accept_sec_context(). The same facility is used to encapsulate - mutual authentication within the GSS-API's context initiation calls. - - For mech_types which require interactions with third-party servers in - order to establish a security context, GSS-API context establishment - calls may block pending completion of such third-party interactions. - On the other hand, no GSS-API calls pend on serialized interactions - with GSS-API peer entities. As a result, local GSS-API status - returns cannot reflect unpredictable or asynchronous exceptions - occurring at remote peers, and reflection of such status information - is a caller responsibility outside the GSS-API. - -1.2.1.2: Optional Service Support - - A context initiator may request various optional services at context - establishment time. 
Each of these services is requested by setting a - flag in the req_flags input parameter to GSS_Init_sec_context(). - - The optional services currently defined are: - - - Delegation - The (usually temporary) transfer of rights from - initiator to acceptor, enabling the acceptor to authenticate - itself as an agent of the initiator. - - - Mutual Authentication - In addition to the initiator - authenticating its identity to the context acceptor, the context - acceptor should also authenticate itself to the initiator. - - - Replay detection - In addition to providing message integrity - services, GSS_GetMIC() and GSS_Wrap() should include message - numbering information to enable GSS_VerifyMIC() and GSS_Unwrap() - to detect if a message has been duplicated. - - - Out-of-sequence detection - In addition to providing message - integrity services, GSS_GetMIC() and GSS_Wrap() should include - message sequencing information to enable GSS_VerifyMIC() and - GSS_Unwrap() to detect if a message has been received out of - sequence. - - - - - - -Linn Standards Track [Page 19] - -RFC 2743 GSS-API January 2000 - - - - Anonymous authentication - The establishment of the security - context should not reveal the initiator's identity to the context - acceptor. - - - Available per-message confidentiality - requests that per- - message confidentiality services be available on the context. - - - Available per-message integrity - requests that per-message - integrity services be available on the context. - - Any currently undefined bits within such flag arguments should be - ignored by GSS-API implementations when presented by an application, - and should be set to zero when returned to the application by the - GSS-API implementation. - - Some mechanisms may not support all optional services, and some - mechanisms may only support some services in conjunction with others. 
- Both GSS_Init_sec_context() and GSS_Accept_sec_context() inform the - applications which services will be available from the context when - the establishment phase is complete, via the ret_flags output - parameter. In general, if the security mechanism is capable of - providing a requested service, it should do so, even if additional - services must be enabled in order to provide the requested service. - If the mechanism is incapable of providing a requested service, it - should proceed without the service, leaving the application to abort - the context establishment process if it considers the requested - service to be mandatory. - - Some mechanisms may specify that support for some services is - optional, and that implementors of the mechanism need not provide it. - This is most commonly true of the confidentiality service, often - because of legal restrictions on the use of data-encryption, but may - apply to any of the services. Such mechanisms are required to send - at least one token from acceptor to initiator during context - establishment when the initiator indicates a desire to use such a - service, so that the initiating GSS-API can correctly indicate - whether the service is supported by the acceptor's GSS-API. 
- -1.2.2: Per-Message Security Service Availability - - When a context is established, two flags are returned to indicate the - set of per-message protection security services which will be - available on the context: - - the integ_avail flag indicates whether per-message integrity and - data origin authentication services are available - - - - - -Linn Standards Track [Page 20] - -RFC 2743 GSS-API January 2000 - - - the conf_avail flag indicates whether per-message confidentiality - services are available, and will never be returned TRUE unless the - integ_avail flag is also returned TRUE - - GSS-API callers desiring per-message security services should check - the values of these flags at context establishment time, and must be - aware that a returned FALSE value for integ_avail means that - invocation of GSS_GetMIC() or GSS_Wrap() primitives on the associated - context will apply no cryptographic protection to user data messages. - - The GSS-API per-message integrity and data origin authentication - services provide assurance to a receiving caller that protection was - applied to a message by the caller's peer on the security context, - corresponding to the entity named at context initiation. The GSS-API - per-message confidentiality service provides assurance to a sending - caller that the message's content is protected from access by - entities other than the context's named peer. - - The GSS-API per-message protection service primitives, as the - category name implies, are oriented to operation at the granularity - of protocol data units. They perform cryptographic operations on the - data units, transfer cryptographic control information in tokens, - and, in the case of GSS_Wrap(), encapsulate the protected data unit. - As such, these primitives are not oriented to efficient data - protection for stream-paradigm protocols (e.g., Telnet) if - cryptography must be applied on an octet-by-octet basis. 
- -1.2.3: Per-Message Replay Detection and Sequencing - - Certain underlying mech_types offer support for replay detection - and/or sequencing of messages transferred on the contexts they - support. These optionally-selectable protection features are distinct - from replay detection and sequencing features applied to the context - establishment operation itself; the presence or absence of context- - level replay or sequencing features is wholly a function of the - underlying mech_type's capabilities, and is not selected or omitted - as a caller option. - - The caller initiating a context provides flags (replay_det_req_flag - and sequence_req_flag) to specify whether the use of per-message - replay detection and sequencing features is desired on the context - being established. The GSS-API implementation at the initiator system - can determine whether these features are supported (and whether they - are optionally selectable) as a function of the selected mechanism, - without need for bilateral negotiation with the target. When enabled, - these features provide recipients with indicators as a result of - GSS-API processing of incoming messages, identifying whether those - messages were detected as duplicates or out-of-sequence. Detection of - - - -Linn Standards Track [Page 21] - -RFC 2743 GSS-API January 2000 - - - such events does not prevent a suspect message from being provided to - a recipient; the appropriate course of action on a suspect message is - a matter of caller policy. - - The semantics of the replay detection and sequencing services applied - to received messages, as visible across the interface which the GSS- - API provides to its clients, are as follows: - - When replay_det_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. 
GSS_S_COMPLETE, without concurrent indication of - GSS_S_DUPLICATE_TOKEN or GSS_S_OLD_TOKEN, indicates that the - message was within the window (of time or sequence space) allowing - replay events to be detected, and that the message was not a - replay of a previously-processed message within that window. - - 2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic - checkvalue on the received message was correct, but that the - message was recognized as a duplicate of a previously-processed - message. In addition to identifying duplicated tokens originated - by a context's peer, this status may also be used to identify - reflected copies of locally-generated tokens; it is recommended - that mechanism designers include within their protocols facilities - to detect and report such tokens. - - 3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that the message is too old - to be checked for duplication. - - When sequence_state is TRUE, the possible major_status returns for - well-formed and correctly signed messages are as follows: - - 1. GSS_S_COMPLETE, without concurrent indication of - GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, or - GSS_S_GAP_TOKEN, indicates that the message was within the window - (of time or sequence space) allowing replay events to be detected, - that the message was not a replay of a previously-processed - message within that window, and that no predecessor sequenced - messages are missing relative to the last received message (if - any) processed on the context with a correct cryptographic - checkvalue. - - 2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value - on the received message was correct, but that the message was - recognized as a duplicate of a previously-processed message. 
In - addition to identifying duplicated tokens originated by a - context's peer, this status may also be used to identify reflected - - - -Linn Standards Track [Page 22] - -RFC 2743 GSS-API January 2000 - - - copies of locally-generated tokens; it is recommended that - mechanism designers include within their protocols facilities to - detect and report such tokens. - - 3. GSS_S_OLD_TOKEN indicates that the integrity check value on the - received message was correct, but that the token is too old to be - checked for duplication. - - 4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue - on the received message was correct, but that it is earlier in a - sequenced stream than a message already processed on the context. - [Note: Mechanisms can be architected to provide a stricter form of - sequencing service, delivering particular messages to recipients - only after all predecessor messages in an ordered stream have been - delivered. This type of support is incompatible with the GSS-API - paradigm in which recipients receive all messages, whether in - order or not, and provide them (one at a time, without intra-GSS- - API message buffering) to GSS-API routines for validation. GSS- - API facilities provide supportive functions, aiding clients to - achieve strict message stream integrity in an efficient manner in - conjunction with sequencing provisions in communications - protocols, but the GSS-API does not offer this level of message - stream integrity service by itself.] - - 5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on - the received message was correct, but that one or more predecessor - sequenced messages have not been successfully processed relative - to the last received message (if any) processed on the context - with a correct cryptographic checkvalue. 
- - As the message stream integrity features (especially sequencing) may - interfere with certain applications' intended communications - paradigms, and since support for such features is likely to be - resource intensive, it is highly recommended that mech_types - supporting these features allow them to be activated selectively on - initiator request when a context is established. A context initiator - and target are provided with corresponding indicators - (replay_det_state and sequence_state), signifying whether these - features are active on a given context. - - An example mech_type supporting per-message replay detection could - (when replay_det_state is TRUE) implement the feature as follows: The - underlying mechanism would insert timestamps in data elements output - by GSS_GetMIC() and GSS_Wrap(), and would maintain (within a time- - limited window) a cache (qualified by originator-recipient pair) - identifying received data elements processed by GSS_VerifyMIC() and - GSS_Unwrap(). When this feature is active, exception status returns - (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when - - - -Linn Standards Track [Page 23] - -RFC 2743 GSS-API January 2000 - - - GSS_VerifyMIC() or GSS_Unwrap() is presented with a message which is - either a detected duplicate of a prior message or which is too old to - validate against a cache of recently received messages. - -1.2.4: Quality of Protection - - Some mech_types provide their users with fine granularity control - over the means used to provide per-message protection, allowing - callers to trade off security processing overhead dynamically against - the protection requirements of particular messages. A per-message - quality-of-protection parameter (analogous to quality-of-service, or - QOS) selects among different QOP options supported by that mechanism. - On context establishment for a multi-QOP mech_type, context-level - data provides the prerequisite data for a range of protection - qualities. 
- - It is expected that the majority of callers will not wish to exert - explicit mechanism-specific QOP control and will therefore request - selection of a default QOP. Definitions of, and choices among, non- - default QOP values are mechanism-specific, and no ordered sequences - of QOP values can be assumed equivalent across different mechanisms. - Meaningful use of non-default QOP values demands that callers be - familiar with the QOP definitions of an underlying mechanism or - mechanisms, and is therefore a non-portable construct. The - GSS_S_BAD_QOP major_status value is defined in order to indicate that - a provided QOP value is unsupported for a security context, most - likely because that value is unrecognized by the underlying - mechanism. - - In the interests of interoperability, mechanisms which allow optional - support of particular QOP values shall satisfy one of the following - conditions. Either: - - (i) All implementations of the mechanism are required to be - capable of processing messages protected using any QOP value, - regardless of whether they can apply protection corresponding to - that QOP, or - - (ii) The set of mutually-supported receiver QOP values must be - determined during context establishment, and messages may be - protected by either peer using only QOP values from this - mutually-supported set. - - NOTE: (i) is just a special-case of (ii), where implementations are - required to support all QOP values on receipt. - - - - - - -Linn Standards Track [Page 24] - -RFC 2743 GSS-API January 2000 - - -1.2.5: Anonymity Support - - In certain situations or environments, an application may wish to - authenticate a peer and/or protect communications using GSS-API per- - message services without revealing its own identity. For example, - consider an application which provides read access to a research - database, and which permits queries by arbitrary requestors. 
A - client of such a service might wish to authenticate the service, to - establish trust in the information received from it, but might not - wish to disclose its identity to the service for privacy reasons. - - In ordinary GSS-API usage, a context initiator's identity is made - available to the context acceptor as part of the context - establishment process. To provide for anonymity support, a facility - (input anon_req_flag to GSS_Init_sec_context()) is provided through - which context initiators may request that their identity not be - provided to the context acceptor. Mechanisms are not required to - honor this request, but a caller will be informed (via returned - anon_state indicator from GSS_Init_sec_context()) whether or not the - request is honored. Note that authentication as the anonymous - principal does not necessarily imply that credentials are not - required in order to establish a context. - - Section 4.5 of this document defines the Object Identifier value used - to identify an anonymous principal. - - Four possible combinations of anon_state and mutual_state are - possible, with the following results: - - anon_state == FALSE, mutual_state == FALSE: initiator - authenticated to target. - - anon_state == FALSE, mutual_state == TRUE: initiator authenticated - to target, target authenticated to initiator. - - anon_state == TRUE, mutual_state == FALSE: initiator authenticated - as anonymous principal to target. - - anon_state == TRUE, mutual_state == TRUE: initiator authenticated - as anonymous principal to target, target authenticated to - initiator. - -1.2.6: Initialization - - No initialization calls (i.e., calls which must be invoked prior to - invocation of other facilities in the interface) are defined in GSS- - API. As an implication of this fact, GSS-API implementations must - themselves be self-initializing. 
- - - -Linn Standards Track [Page 25] - -RFC 2743 GSS-API January 2000 - - -1.2.7: Per-Message Protection During Context Establishment - - A facility is defined in GSS-V2 to enable protection and buffering of - data messages for later transfer while a security context's - establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases - where the caller side already possesses the necessary session key to - enable this processing. Specifically, a new state Boolean, called - prot_ready_state, is added to the set of information returned by - GSS_Init_sec_context(), GSS_Accept_sec_context(), and - GSS_Inquire_context(). - - For context establishment calls, this state Boolean is valid and - interpretable when the associated major_status is either - GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE. Callers of GSS-API (both - initiators and acceptors) can assume that per-message protection (via - GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is - available and ready for use if either: prot_ready_state == TRUE, or - major_status == GSS_S_COMPLETE, though mutual authentication (if - requested) cannot be guaranteed until GSS_S_COMPLETE is returned. - Callers making use of per-message protection services in advance of - GSS_S_COMPLETE status should be aware of the possibility that a - subsequent context establishment step may fail, and that certain - context data (e.g., mech_type) as returned for subsequent calls may - change. - - This approach achieves full, transparent backward compatibility for - GSS-API V1 callers, who need not even know of the existence of - prot_ready_state, and who will get the expected behavior from - GSS_S_COMPLETE, but who will not be able to use per-message - protection before GSS_S_COMPLETE is returned. 
- - It is not a requirement that GSS-V2 mechanisms ever return TRUE - prot_ready_state before completion of context establishment (indeed, - some mechanisms will not evolve usable message protection keys, - especially at the context acceptor, before context establishment is - complete). It is expected but not required that GSS-V2 mechanisms - will return TRUE prot_ready_state upon completion of context - establishment if they support per-message protection at all (however - GSS-V2 applications should not assume that TRUE prot_ready_state will - always be returned together with the GSS_S_COMPLETE major_status, - since GSS-V2 implementations may continue to support GSS-V1 mechanism - code, which will never return TRUE prot_ready_state). - - When prot_ready_state is returned TRUE, mechanisms shall also set - those context service indicator flags (deleg_state, mutual_state, - replay_det_state, sequence_state, anon_state, trans_state, - conf_avail, integ_avail) which represent facilities confirmed, at - that time, to be available on the context being established. In - - - -Linn Standards Track [Page 26] - -RFC 2743 GSS-API January 2000 - - - situations where prot_ready_state is returned before GSS_S_COMPLETE, - it is possible that additional facilities may be confirmed and - subsequently indicated when GSS_S_COMPLETE is returned. - -1.2.8: Implementation Robustness - - This section recommends aspects of GSS-API implementation behavior in - the interests of overall robustness. - - Invocation of GSS-API calls is to incur no undocumented side effects - visible at the GSS-API level. - - If a token is presented for processing on a GSS-API security context - and that token generates a fatal error in processing or is otherwise - determined to be invalid for that context, the context's state should - not be disrupted for purposes of processing subsequent valid tokens. 
- - Certain local conditions at a GSS-API implementation (e.g., - unavailability of memory) may preclude, temporarily or permanently, - the successful processing of tokens on a GSS-API security context, - typically generating GSS_S_FAILURE major_status returns along with - locally-significant minor_status. For robust operation under such - conditions, the following recommendations are made: - - Failing calls should free any memory they allocate, so that - callers may retry without causing further loss of resources. - - Failure of an individual call on an established context should not - preclude subsequent calls from succeeding on the same context. - - Whenever possible, it should be possible for - GSS_Delete_sec_context() calls to be successfully processed even - if other calls cannot succeed, thereby enabling context-related - resources to be released. - - A failure of GSS_GetMIC() or GSS_Wrap() due to an attempt to use an - unsupported QOP will not interfere with context validity, nor shall - such a failure impact the ability of the application to subsequently - invoke GSS_GetMIC() or GSS_Wrap() using a supported QOP. Any state - information concerning sequencing of outgoing messages shall be - unchanged by an unsuccessful call of GSS_GetMIC() or GSS_Wrap(). - - - - - - - - - - -Linn Standards Track [Page 27] - -RFC 2743 GSS-API January 2000 - - -1.2.9: Delegation - - The GSS-API allows delegation to be controlled by the initiating - application via a Boolean parameter to GSS_Init_sec_context(), the - routine that establishes a security context. Some mechanisms do not - support delegation, and for such mechanisms attempts by an - application to enable delegation are ignored. 
- - The acceptor of a security context for which the initiator enabled - delegation will receive (via the delegated_cred_handle parameter of - GSS_Accept_sec_context()) a credential handle that contains the - delegated identity, and this credential handle may be used to - initiate subsequent GSS-API security contexts as an agent or delegate - of the initiator. If the original initiator's identity is "A" and - the delegate's identity is "B", then, depending on the underlying - mechanism, the identity embodied by the delegated credential may be - either "A" or "B acting for A". - - For many mechanisms that support delegation, a simple Boolean does - not provide enough control. Examples of additional aspects of - delegation control that a mechanism might provide to an application - are duration of delegation, network addresses from which delegation - is valid, and constraints on the tasks that may be performed by a - delegate. Such controls are presently outside the scope of the GSS- - API. GSS-API implementations supporting mechanisms offering - additional controls should provide extension routines that allow - these controls to be exercised (perhaps by modifying the initiator's - GSS-API credential prior to its use in establishing a context). - However, the simple delegation control provided by GSS-API should - always be able to over-ride other mechanism-specific delegation - controls; if the application instructs GSS_Init_sec_context() that - delegation is not desired, then the implementation must not permit - delegation to occur. This is an exception to the general rule that a - mechanism may enable services even if they are not requested; - delegation may only be provided at the explicit request of the - application. - -1.2.10: Interprocess Context Transfer - - GSS-API V2 provides routines (GSS_Export_sec_context() and - GSS_Import_sec_context()) which allow a security context to be - transferred between processes on a single machine. 
The most common - use for such a feature is a client-server design where the server is - implemented as a single process that accepts incoming security - contexts, which then launches child processes to deal with the data - on these contexts. In such a design, the child processes must have - access to the security context data structure created within the - - - - -Linn Standards Track [Page 28] - -RFC 2743 GSS-API January 2000 - - - parent by its call to GSS_Accept_sec_context() so that they can use - per-message protection services and delete the security context when - the communication session ends. - - Since the security context data structure is expected to contain - sequencing information, it is impractical in general to share a - context between processes. Thus GSS-API provides a call - (GSS_Export_sec_context()) that the process which currently owns the - context can call to declare that it has no intention to use the - context subsequently, and to create an inter-process token containing - information needed by the adopting process to successfully import the - context. After successful completion of this call, the original - security context is made inaccessible to the calling process by GSS- - API, and any context handles referring to this context are no longer - valid. The originating process transfers the inter-process token to - the adopting process, which passes it to GSS_Import_sec_context(), - and a fresh context handle is created such that it is functionally - identical to the original context. - - The inter-process token may contain sensitive data from the original - security context (including cryptographic keys). Applications using - inter-process tokens to transfer security contexts must take - appropriate steps to protect these tokens in transit. - Implementations are not required to support the inter-process - transfer of security contexts. 
The ability to transfer a security - context is indicated when the context is created, by - GSS_Init_sec_context() or GSS_Accept_sec_context() indicating a TRUE - trans_state return value. - -2: Interface Descriptions - - This section describes the GSS-API's service interface, dividing the - set of calls offered into four groups. Credential management calls - are related to the acquisition and release of credentials by - principals. Context-level calls are related to the management of - security contexts between principals. Per-message calls are related - to the protection of individual messages on established security - contexts. Support calls provide ancillary functions useful to GSS-API - callers. Table 2 groups and summarizes the calls in tabular fashion. - - Table 2: GSS-API Calls - - CREDENTIAL MANAGEMENT - - GSS_Acquire_cred acquire credentials for use - GSS_Release_cred release credentials after use - GSS_Inquire_cred display information about - credentials - - - -Linn Standards Track [Page 29] - -RFC 2743 GSS-API January 2000 - - - GSS_Add_cred construct credentials incrementally - GSS_Inquire_cred_by_mech display per-mechanism credential - information - - CONTEXT-LEVEL CALLS - - GSS_Init_sec_context initiate outbound security context - GSS_Accept_sec_context accept inbound security context - GSS_Delete_sec_context flush context when no longer needed - GSS_Process_context_token process received control token on - context - GSS_Context_time indicate validity time remaining on - context - GSS_Inquire_context display information about context - GSS_Wrap_size_limit determine GSS_Wrap token size limit - GSS_Export_sec_context transfer context to other process - GSS_Import_sec_context import transferred context - - PER-MESSAGE CALLS - - GSS_GetMIC apply integrity check, receive as - token separate from message - GSS_VerifyMIC validate integrity check token - along with message - GSS_Wrap sign, optionally encrypt, - encapsulate - GSS_Unwrap decapsulate, decrypt 
if needed, - validate integrity check - - SUPPORT CALLS - - GSS_Display_status translate status codes to printable - form - GSS_Indicate_mechs indicate mech_types supported on - local system - GSS_Compare_name compare two names for equality - GSS_Display_name translate name to printable form - GSS_Import_name convert printable name to - normalized form - GSS_Release_name free storage of normalized-form - name - GSS_Release_buffer free storage of general GSS-allocated - object - GSS_Release_OID_set free storage of OID set object - GSS_Create_empty_OID_set create empty OID set - GSS_Add_OID_set_member add member to OID set - GSS_Test_OID_set_member test if OID is member of OID set - GSS_Inquire_names_for_mech indicate name types supported by - - - -Linn Standards Track [Page 30] - -RFC 2743 GSS-API January 2000 - - - mechanism - GSS_Inquire_mechs_for_name indicates mechanisms supporting name - type - GSS_Canonicalize_name translate name to per-mechanism form - GSS_Export_name externalize per-mechanism name - GSS_Duplicate_name duplicate name object - -2.1: Credential management calls - - These GSS-API calls provide functions related to the management of - credentials. Their characterization with regard to whether or not - they may block pending exchanges with other network entities (e.g., - directories or authentication servers) depends in part on OS-specific - (extra-GSS-API) issues, so is not specified in this document. - - The GSS_Acquire_cred() call is defined within the GSS-API in support - of application portability, with a particular orientation towards - support of portable server applications. It is recognized that (for - certain systems and mechanisms) credentials for interactive users may - be managed differently from credentials for server processes; in such - environments, it is the GSS-API implementation's responsibility to - distinguish these cases and the procedures for making this - distinction are a local matter. 
The GSS_Release_cred() call provides - a means for callers to indicate to the GSS-API that use of a - credentials structure is no longer required. The GSS_Inquire_cred() - call allows callers to determine information about a credentials - structure. The GSS_Add_cred() call enables callers to append - elements to an existing credential structure, allowing iterative - construction of a multi-mechanism credential. The - GSS_Inquire_cred_by_mech() call enables callers to extract per- - mechanism information describing a credentials structure. - -2.1.1: GSS_Acquire_cred call - - Inputs: - - o desired_name INTERNAL NAME, -- NULL requests locally-determined - -- default - - o lifetime_req INTEGER, -- in seconds; 0 requests default - - o desired_mechs SET OF OBJECT IDENTIFIER, -- NULL requests - -- system-selected default - - o cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - - - - -Linn Standards Track [Page 31] - -RFC 2743 GSS-API January 2000 - - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL, - -- caller must release with GSS_Release_cred() - - o actual_mechs SET OF OBJECT IDENTIFIER, -- if returned non-NULL, - -- caller must release with GSS_Release_oid_set() - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - Return major_status codes: - - o GSS_S_COMPLETE indicates that requested credentials were - successfully established, for the duration indicated in lifetime_rec, - suitable for the usage requested in cred_usage, for the set of - mech_types indicated in actual_mechs, and that those credentials can - be referenced for subsequent use with the handle returned in - output_cred_handle. - - o GSS_S_BAD_MECH indicates that a mech_type unsupported by the GSS- - API implementation type was requested, causing the credential - establishment operation to fail. 
- - o GSS_S_BAD_NAMETYPE indicates that the provided desired_name is - uninterpretable or of a type unsupported by the applicable underlying - GSS-API mechanism(s), so no credentials could be established for the - accompanying desired_name. - - o GSS_S_BAD_NAME indicates that the provided desired_name is - inconsistent in terms of internally-incorporated type specifier - information, so no credentials could be established for the - accompanying desired_name. - - o GSS_S_CREDENTIALS_EXPIRED indicates that underlying credential - elements corresponding to the requested desired_name have expired, so - requested credentials could not be established. - - o GSS_S_NO_CRED indicates that no credential elements corresponding - to the requested desired_name and usage could be accessed, so - requested credentials could not be established. In particular, this - status should be returned upon temporary user-fixable conditions - - - - - -Linn Standards Track [Page 32] - -RFC 2743 GSS-API January 2000 - - - preventing successful credential establishment and upon lack of - authorization to establish and use credentials associated with the - identity named in the input desired_name argument. - - o GSS_S_FAILURE indicates that credential establishment failed for - reasons unspecified at the GSS-API level. - - GSS_Acquire_cred() is used to acquire credentials so that a principal - can (as a function of the input cred_usage parameter) initiate and/or - accept security contexts under the identity represented by the - desired_name input argument. On successful completion, the returned - output_cred_handle result provides a handle for subsequent references - to the acquired credentials. Typically, single-user client processes - requesting that default credential behavior be applied for context - establishment purposes will have no need to invoke this call. 
- - A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name, - which will be interpreted as a request for a credential handle that - will invoke default behavior when passed to GSS_Init_sec_context(), - if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or - GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or - GSS_C_BOTH. It is possible that multiple pre-established credentials - may exist for the same principal identity (for example, as a result - of multiple user login sessions) when GSS_Acquire_cred() is called; - the means used in such cases to select a specific credential are - local matters. The input lifetime_req argument to GSS_Acquire_cred() - may provide useful information for local GSS-API implementations to - employ in making this disambiguation in a manner which will best - satisfy a caller's intent. - - This routine is expected to be used primarily by context acceptors, - since implementations are likely to provide mechanism-specific ways - of obtaining GSS-API initiator credentials from the system login - process. Some implementations may therefore not support the - acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via - GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name - resulting from applying GSS_Inquire_context() to an active context, - or a name resulting from applying GSS_Inquire_cred() against a - credential handle corresponding to default behavior. It is important - to recognize that the explicit name which is yielded by resolving a - default reference may change over time, e.g., as a result of local - credential element management operations outside GSS-API; once - resolved, however, the value of such an explicit name will remain - constant. - - The lifetime_rec result indicates the length of time for which the - acquired credentials will be valid, as an offset from the present. 
A - mechanism may return a reserved value indicating INDEFINITE if no - - - -Linn Standards Track [Page 33] - -RFC 2743 GSS-API January 2000 - - - constraints on credential lifetime are imposed. A caller of - GSS_Acquire_cred() can request a length of time for which acquired - credentials are to be valid (lifetime_req argument), beginning at the - present, or can request credentials with a default validity interval. - (Requests for postdated credentials are not supported within the - GSS-API.) Certain mechanisms and implementations may bind in - credential validity period specifiers at a point preliminary to - invocation of the GSS_Acquire_cred() call (e.g., in conjunction with - user login procedures). As a result, callers requesting non-default - values for lifetime_req must recognize that such requests cannot - always be honored and must be prepared to accommodate the use of - returned credentials with different lifetimes as indicated in - lifetime_rec. - - The caller of GSS_Acquire_cred() can explicitly specify a set of - mech_types which are to be accommodated in the returned credentials - (desired_mechs argument), or can request credentials for a system- - defined default set of mech_types. Selection of the system-specified - default set is recommended in the interests of application - portability. The actual_mechs return value may be interrogated by the - caller to determine the set of mechanisms with which the returned - credentials may be used. - -2.1.2: GSS_Release_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL - -- is specified, the call will complete successfully, but - -- will have no effect; no credential elements will be - -- released. - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle were released for purposes of subsequent access by - the caller. 
The effect on other processes which may be authorized - shared access to such credentials is a local matter. - - - - - - - -Linn Standards Track [Page 34] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_NO_CRED indicates that no release operation was performed, - either because the input cred_handle was invalid or because the - caller lacks authorization to access the referenced credentials. - - o GSS_S_FAILURE indicates that the release operation failed for - reasons unspecified at the GSS-API level. - - Provides a means for a caller to explicitly request that credentials - be released when their use is no longer required. Note that system- - specific credential management functions are also likely to exist, - for example to assure that credentials shared among processes are - properly deleted when all affected processes terminate, even if no - explicit release requests are issued by those processes. Given the - fact that multiple callers are not precluded from gaining authorized - access to the same credentials, invocation of GSS_Release_cred() - cannot be assumed to delete a particular set of credentials on a - system-wide basis. 
- -2.1.3: GSS_Inquire_cred call - - Input: - - o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL - -- is specified, default initiator credentials are queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, -- caller must release with - -- GSS_Release_name() - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - - - - - - - - -Linn Standards Track [Page 35] - -RFC 2743 GSS-API January 2000 - - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, and that the output cred_name, - lifetime_rec, and cred_usage values represent, respectively, the - credentials' associated principal name, remaining lifetime, suitable - usage modes, and supported mechanism types. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks authorization to - access the referenced credentials. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced - credentials have expired. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. - - The GSS_Inquire_cred() call is defined primarily for the use of those - callers which request use of default credential behavior rather than - acquiring credentials explicitly with GSS_Acquire_cred(). It enables - callers to determine a credential structure's associated principal - name, remaining validity period, usability for security context - initiation and/or acceptance, and supported mechanisms. 
- - For a multi-mechanism credential, the returned "lifetime" specifier - indicates the shortest lifetime of any of the mechanisms' elements in - the credential (for either context initiation or acceptance - purposes). - - GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for - "cred_usage" if both of the following conditions hold: - - (1) there exists in the credential an element which allows context - initiation using some mechanism - - (2) there exists in the credential an element which allows context - acceptance using some mechanism (allowably, but not necessarily, - one of the same mechanism(s) qualifying for (1)). - - If condition (1) holds but not condition (2), GSS_Inquire_cred() - should indicate INITIATE-ONLY for "cred_usage". If condition (2) - holds but not condition (1), GSS_Inquire_cred() should indicate - ACCEPT-ONLY for "cred_usage". - - - -Linn Standards Track [Page 36] - -RFC 2743 GSS-API January 2000 - - - Callers requiring finer disambiguation among available combinations - of lifetimes, usage modes, and mechanisms should call the - GSS_Inquire_cred_by_mech() routine, passing that routine one of the - mech OIDs returned by GSS_Inquire_cred(). - -2.1.4: GSS_Add_cred call - - Inputs: - - o input_cred_handle CREDENTIAL HANDLE -- handle to credential - -- structure created with prior GSS_Acquire_cred() or - -- GSS_Add_cred() call; see text for definition of behavior - -- when GSS_C_NO_CREDENTIAL provided. 
- - o desired_name INTERNAL NAME - - o initiator_time_req INTEGER -- in seconds; 0 requests default - - o acceptor_time_req INTEGER -- in seconds; 0 requests default - - o desired_mech OBJECT IDENTIFIER - - o cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o output_cred_handle CREDENTIAL HANDLE, -- NULL to request that - -- credential elements be added "in place" to the credential - -- structure identified by input_cred_handle, - -- non-NULL pointer to request that - -- a new credential structure and handle be created. - -- if credential handle returned, caller must release with - -- GSS_Release_cred() - - o actual_mechs SET OF OBJECT IDENTIFIER, -- if returned, caller must - -- release with GSS_Release_oid_set() - - o initiator_time_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o acceptor_time_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - - - -Linn Standards Track [Page 37] - -RFC 2743 GSS-API January 2000 - - - o cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - o mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms - -- supported by resulting credential. - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input_cred_handle argument were valid, and that the resulting - credential from GSS_Add_cred() is valid for the durations indicated - in initiator_time_rec and acceptor_time_rec, suitable for the usage - requested in cred_usage, and for the mechanisms indicated in - actual_mechs. - - o GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech - specified a mechanism for which the referenced credential already - contained a credential element with overlapping cred_usage and - validity time specifiers. 
- - o GSS_S_BAD_MECH indicates that the input desired_mech specified a - mechanism unsupported by the GSS-API implementation, causing the - GSS_Add_cred() operation to fail. - - o GSS_S_BAD_NAMETYPE indicates that the provided desired_name is - uninterpretable or of a type unsupported by the applicable underlying - GSS-API mechanism(s), so the GSS_Add_cred() operation could not be - performed for that name. - - o GSS_S_BAD_NAME indicates that the provided desired_name is - inconsistent in terms of internally-incorporated type specifier - information, so the GSS_Add_cred() operation could not be performed - for that name. - - o GSS_S_NO_CRED indicates that the input_cred_handle referenced - invalid or inaccessible credentials. In particular, this status - should be returned upon temporary user-fixable conditions preventing - successful credential establishment or upon lack of authorization to - establish or use credentials representing the requested identity. - - o GSS_S_CREDENTIALS_EXPIRED indicates that referenced credential - elements have expired, so the GSS_Add_cred() operation could not be - performed. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. - - - - - -Linn Standards Track [Page 38] - -RFC 2743 GSS-API January 2000 - - - GSS_Add_cred() enables callers to construct credentials iteratively - by adding credential elements in successive operations, corresponding - to different mechanisms. This offers particular value in multi- - mechanism environments, as the major_status and minor_status values - returned on each iteration are individually visible and can therefore - be interpreted unambiguously on a per-mechanism basis. A credential - element is identified by the name of the principal to which it - refers. GSS-API implementations must impose a local access control - policy on callers of this routine to prevent unauthorized callers - from acquiring credential elements to which they are not entitled. 
- This routine is not intended to provide a "login to the network" - function, as such a function would involve the creation of new - mechanism-specific authentication data, rather than merely acquiring - a GSS-API handle to existing data. Such functions, if required, - should be defined in implementation-specific extension routines. - - If credential acquisition is time-consuming for a mechanism, the - mechanism may choose to delay the actual acquisition until the - credential is required (e.g. by GSS_Init_sec_context() or - GSS_Accept_sec_context()). Such mechanism-specific implementation - decisions should be invisible to the calling application; thus a call - of GSS_Inquire_cred() immediately following the call of - GSS_Acquire_cred() must return valid credential data, and may - therefore incur the overhead of a deferred credential acquisition. - - If GSS_C_NO_CREDENTIAL is specified as input_cred_handle, a non-NULL - output_cred_handle must be supplied. For the case of - GSS_C_NO_CREDENTIAL as input_cred_handle, GSS_Add_cred() will create - the credential referenced by its output_cred_handle based on default - behavior. That is, the call will have the same effect as if the - caller had previously called GSS_Acquire_cred(), specifying the same - usage and passing GSS_C_NO_NAME as the desired_name parameter - (thereby obtaining an explicit credential handle corresponding to - default behavior), had passed that credential handle to - GSS_Add_cred(), and had finally called GSS_Release_cred() on the - credential handle received from GSS_Acquire_cred(). - - This routine is expected to be used primarily by context acceptors, - since implementations are likely to provide mechanism-specific ways - of obtaining GSS-API initiator credentials from the system login - process. 
Some implementations may therefore not support the - acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via - GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name - resulting from applying GSS_Inquire_context() to an active context, - or a name resulting from applying GSS_Inquire_cred() against a - credential handle corresponding to default behavior. It is important - to recognize that the explicit name which is yielded by resolving a - default reference may change over time, e.g., as a result of local - - - -Linn Standards Track [Page 39] - -RFC 2743 GSS-API January 2000 - - - credential element management operations outside GSS-API; once - resolved, however, the value of such an explicit name will remain - constant. - - A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name, - which will be interpreted as a request for a credential handle that - will invoke default behavior when passed to GSS_Init_sec_context(), - if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or - GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or - GSS_C_BOTH. - - The same input desired_name, or default reference, should be used on - all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a - particular credential. 
- -2.1.5: GSS_Inquire_cred_by_mech call - - Inputs: - - o cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL - -- specified, default initiator credentials are queried - - o mech_type OBJECT IDENTIFIER -- specific mechanism for - -- which credentials are being queried - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o cred_name INTERNAL NAME, -- guaranteed to be MN; caller must - -- release with GSS_Release_name() - - o lifetime_rec_initiate INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o lifetime_rec_accept INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - o cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, - -- 2=ACCEPT-ONLY - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the credentials referenced by the - input cred_handle argument were valid, that the mechanism indicated - by the input mech_type was represented with elements within those - - - -Linn Standards Track [Page 40] - -RFC 2743 GSS-API January 2000 - - - credentials, and that the output cred_name, lifetime_rec_initiate, - lifetime_rec_accept, and cred_usage values represent, respectively, - the credentials' associated principal name, remaining lifetimes, and - suitable usage modes. - - o GSS_S_NO_CRED indicates that no information could be returned - about the referenced credentials, either because the input - cred_handle was invalid or because the caller lacks authorization to - access the referenced credentials. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced - credentials are invalid. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the referenced - credentials have expired. - - o GSS_S_BAD_MECH indicates that the referenced credentials do not - contain elements for the requested mechanism. - - o GSS_S_FAILURE indicates that the operation failed for reasons - unspecified at the GSS-API level. 
- - The GSS_Inquire_cred_by_mech() call enables callers in multi- - mechanism environments to acquire specific data about available - combinations of lifetimes, usage modes, and mechanisms within a - credential structure. The lifetime_rec_initiate result indicates the - available lifetime for context initiation purposes; the - lifetime_rec_accept result indicates the available lifetime for - context acceptance purposes. - -2.2: Context-level calls - - This group of calls is devoted to the establishment and management of - security contexts between peers. A context's initiator calls - GSS_Init_sec_context(), resulting in generation of a token which the - caller passes to the target. At the target, that token is passed to - GSS_Accept_sec_context(). Depending on the underlying mech_type and - specified options, additional token exchanges may be performed in the - course of context establishment; such exchanges are accommodated by - GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and - GSS_Accept_sec_context(). - - Either party to an established context may invoke - GSS_Delete_sec_context() to flush context information when a context - is no longer required. GSS_Process_context_token() is used to process - received tokens carrying context-level control information. - GSS_Context_time() allows a caller to determine the length of time - for which an established context will remain valid. - - - -Linn Standards Track [Page 41] - -RFC 2743 GSS-API January 2000 - - - GSS_Inquire_context() returns status information describing context - characteristics. GSS_Wrap_size_limit() allows a caller to determine - the size of a token which will be generated by a GSS_Wrap() - operation. GSS_Export_sec_context() and GSS_Import_sec_context() - enable transfer of active contexts between processes on an end - system. 
- -2.2.1: GSS_Init_sec_context call - - Inputs: - - o claimant_cred_handle CREDENTIAL HANDLE, -- NULL specifies "use - -- default" - - o input_context_handle CONTEXT HANDLE, -- 0 - -- (GSS_C_NO_CONTEXT) specifies "none assigned yet" - - o targ_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER, -- NULL parameter specifies "use - -- default" - - o deleg_req_flag BOOLEAN, - - o mutual_req_flag BOOLEAN, - - o replay_det_req_flag BOOLEAN, - - o sequence_req_flag BOOLEAN, - - o anon_req_flag BOOLEAN, - - o conf_req_flag BOOLEAN, - - o integ_req_flag BOOLEAN, - - o lifetime_req INTEGER, -- 0 specifies default lifetime - - o chan_bindings OCTET STRING, - - o input_token OCTET STRING -- NULL or token received from target - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - - -Linn Standards Track [Page 42] - -RFC 2743 GSS-API January 2000 - - - o output_context_handle CONTEXT HANDLE, -- once returned non-NULL, - -- caller must release with GSS_Delete_sec_context() - - o mech_type OBJECT IDENTIFIER, -- actual mechanism always - -- indicated, never NULL; caller should treat as read-only - -- and should not attempt to release - - o output_token OCTET STRING, -- NULL or token to pass to context - -- target; caller must release with GSS_Release_buffer() - - o deleg_state BOOLEAN, - - o mutual_state BOOLEAN, - - o replay_det_state BOOLEAN, - - o sequence_state BOOLEAN, - - o anon_state BOOLEAN, - - o trans_state BOOLEAN, - - o prot_ready_state BOOLEAN, -- see Section 1.2.7 - - o conf_avail BOOLEAN, - - o integ_avail BOOLEAN, - - o lifetime_rec INTEGER -- in seconds, or reserved value for - -- INDEFINITE - - This call may block pending network interactions for those mech_types - in which an authentication server or other network entity must be - consulted on behalf of a context initiator in order to generate an - output_token suitable for presentation to a specified target. 
- - Return major_status codes: - - o GSS_S_COMPLETE indicates that context-level information was - successfully initialized, and that the returned output_token will - provide sufficient information for the target to perform per-message - processing on the newly-established context. - - o GSS_S_CONTINUE_NEEDED indicates that control information in the - returned output_token must be sent to the target, and that a reply - must be received and passed as the input_token argument - - - - - -Linn Standards Track [Page 43] - -RFC 2743 GSS-API January 2000 - - - to a continuation call to GSS_Init_sec_context(), before per-message - processing can be performed in conjunction with this context (unless - the prot_ready_state value is concurrently returned TRUE). - - o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed - on the input_token failed, preventing further processing from being - performed based on that token. - - o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks - performed on the credential structure referenced by - claimant_cred_handle failed, preventing further processing from being - performed using that credential structure. - - o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received - input_token contains an incorrect integrity check, so context setup - cannot be accomplished. - - o GSS_S_NO_CRED indicates that no context was established, either - because the input cred_handle was invalid, because the referenced - credentials are valid for context acceptor use only, because the - caller lacks authorization to access the referenced credentials, or - because the resolution of default credentials failed. - - o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided - through the input claimant_cred_handle argument are no longer valid, - so context establishment cannot be completed. 
- - o GSS_S_BAD_BINDINGS indicates that a mismatch between the caller- - provided chan_bindings and those extracted from the input_token was - detected, signifying a security-relevant event and preventing context - establishment. (This result will be returned by - GSS_Init_sec_context() only for contexts where mutual_state is TRUE.) - - o GSS_S_OLD_TOKEN indicates that the input_token is too old to be - checked for integrity. This is a fatal error during context - establishment. - - o GSS_S_DUPLICATE_TOKEN indicates that the input token has a correct - integrity check, but is a duplicate of a token already processed. - This is a fatal error during context establishment. - - o GSS_S_NO_CONTEXT indicates that no valid context was recognized - for the input context_handle provided; this major status will be - returned only for successor calls following GSS_S_CONTINUE_ NEEDED - status returns. - - - - - - -Linn Standards Track [Page 44] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_BAD_NAMETYPE indicates that the provided targ_name is of a - type uninterpretable or unsupported by the applicable underlying - GSS-API mechanism(s), so context establishment cannot be completed. - - o GSS_S_BAD_NAME indicates that the provided targ_name is - inconsistent in terms of internally-incorporated type specifier - information, so context establishment cannot be accomplished. - - o GSS_S_BAD_MECH indicates receipt of a context establishment token - or of a caller request specifying a mechanism unsupported by the - local system or with the caller's active credentials - - o GSS_S_FAILURE indicates that context setup could not be - accomplished for reasons unspecified at the GSS-API level, and that - no interface-defined recovery action is available. - - This routine is used by a context initiator, and ordinarily emits an - output_token suitable for use by the target within the selected - mech_type's protocol. 
For the case of a multi-step exchange, this - output_token will be one in a series, each generated by a successive - call. Using information in the credentials structure referenced by - claimant_cred_handle, GSS_Init_sec_context() initializes the data - structures required to establish a security context with target - targ_name. - - The targ_name may be any valid INTERNAL NAME; it need not be an MN. - In addition to support for other name types, it is recommended (newly - as of GSS-V2, Update 1) that mechanisms be able to accept - GSS_C_NO_NAME as an input type for targ_name. While recommended, - such support is not required, and it is recognized that not all - mechanisms can construct tokens without explicitly naming the context - target, even when mutual authentication of the target is not - obtained. Callers wishing to make use of this facility and concerned - with portability should be aware that support for GSS_C_NO_NAME as - input targ_name type is unlikely to be provided within mechanism - definitions specified prior to GSS-V2, Update 1. - - The claimant_cred_handle must correspond to the same valid - credentials structure on the initial call to GSS_Init_sec_context() - and on any successor calls resulting from GSS_S_CONTINUE_NEEDED - status returns; different protocol sequences modeled by the - GSS_S_CONTINUE_NEEDED facility will require access to credentials at - different points in the context establishment sequence. - - The caller-provided input_context_handle argument is to be 0 - (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first - GSS_Init_sec_context() call relating to a given context. If - successful (i.e., if accompanied by major_status GSS_S_COMPLETE or - - - -Linn Standards Track [Page 45] - -RFC 2743 GSS-API January 2000 - - - GSS_S_CONTINUE_NEEDED), and only if successful, the initial - GSS_Init_sec_context() call returns a non-zero output_context_handle - for use in future references to this context. 
Once a non-zero - output_context_handle has been returned, GSS-API callers should call - GSS_Delete_sec_context() to release context-related resources if - errors occur in later phases of context establishment, or when an - established context is no longer required. If GSS_Init_sec_context() - is passed the handle of a context which is already fully established, - GSS_S_FAILURE status is returned. - - When continuation attempts to GSS_Init_sec_context() are needed to - perform context establishment, the previously-returned non-zero - handle value is entered into the input_context_handle argument and - will be echoed in the returned output_context_handle argument. On - such continuation attempts (and only on continuation attempts) the - input_token value is used, to provide the token returned from the - context's target. - - The chan_bindings argument is used by the caller to provide - information binding the security context to security-related - characteristics (e.g., addresses, cryptographic keys) of the - underlying communications channel. See Section 1.1.6 of this document - for more discussion of this argument's usage. - - The input_token argument contains a message received from the target, - and is significant only on a call to GSS_Init_sec_context() which - follows a previous return indicating GSS_S_CONTINUE_NEEDED - major_status. - - It is the caller's responsibility to establish a communications path - to the target, and to transmit any returned output_token (independent - of the accompanying returned major_status value) to the target over - that path. The output_token can, however, be transmitted along with - the first application-provided input message to be processed by - GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully- - established context. 
(Note: when the GSS-V2 prot_ready_state - indicator is returned TRUE, it can be possible to transfer a - protected message before context establishment is complete: see also - Section 1.2.7) - - The initiator may request various context-level functions through - input flags: the deleg_req_flag requests delegation of access rights, - the mutual_req_flag requests mutual authentication, the - replay_det_req_flag requests that replay detection features be - applied to messages transferred on the established context, and the - sequence_req_flag requests that sequencing be enforced. (See Section - - - - - -Linn Standards Track [Page 46] - -RFC 2743 GSS-API January 2000 - - - 1.2.3 for more information on replay detection and sequencing - features.) The anon_req_flag requests that the initiator's identity - not be transferred within tokens to be sent to the acceptor. - - The conf_req_flag and integ_req_flag provide informatory inputs to - the GSS-API implementation as to whether, respectively, per-message - confidentiality and per-message integrity services will be required - on the context. This information is important as an input to - negotiating mechanisms. It is important to recognize, however, that - the inclusion of these flags (which are newly defined for GSS-V2) - introduces a backward incompatibility with callers implemented to - GSS-V1, where the flags were not defined. Since no GSS-V1 callers - would set these flags, even if per-message services are desired, - GSS-V2 mechanism implementations which enable such services - selectively based on the flags' values may fail to provide them to - contexts established for GSS-V1 callers. It may be appropriate under - certain circumstances, therefore, for such mechanism implementations - to infer these service request flags to be set if a caller is known - to be implemented to GSS-V1. - - Not all of the optionally-requestable features will be available in - all underlying mech_types. 
The corresponding return state values - deleg_state, mutual_state, replay_det_state, and sequence_state - indicate, as a function of mech_type processing capabilities and - initiator-provided input flags, the set of features which will be - active on the context. The returned trans_state value indicates - whether the context is transferable to other processes through use of - GSS_Export_sec_context(). These state indicators' values are - undefined unless either the routine's major_status indicates - GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with - GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is - possible that additional features, not confirmed or indicated along - with TRUE prot_ready_state, will be confirmed and indicated when - GSS_S_COMPLETE is subsequently returned. - - The returned anon_state and prot_ready_state values are significant - for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status - returns from GSS_Init_sec_context(). When anon_state is returned - TRUE, this indicates that neither the current token nor its - predecessors delivers or has delivered the initiator's identity. - Callers wishing to perform context establishment only if anonymity - support is provided should transfer a returned token from - GSS_Init_sec_context() to the peer only if it is accompanied by a - TRUE anon_state indicator. When prot_ready_state is returned TRUE in - conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates - that per-message protection operations may be applied on the context: - see Section 1.2.7 for further discussion of this facility. - - - - -Linn Standards Track [Page 47] - -RFC 2743 GSS-API January 2000 - - - Failure to provide the precise set of features requested by the - caller does not cause context establishment to fail; it is the - caller's prerogative to delete the context if the feature set - provided is unsuitable for the caller's use. 
-
- The returned mech_type value indicates the specific mechanism
- employed on the context; it will never indicate the value for
- "default". A valid mech_type result must be returned along with a
- GSS_S_COMPLETE status return; GSS-API implementations may (but are
- not required to) also return mech_type along with predecessor calls
- indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is
- determinable) in conjunction with fatal error cases. For the case of
- mechanisms which themselves perform negotiation, the returned
- mech_type result may indicate selection of a mechanism identified by
- an OID different than that passed in the input mech_type argument,
- and the returned value may change between successive calls returning
- GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE.
-
- The conf_avail return value indicates whether the context supports
- per-message confidentiality services, and so informs the caller
- whether or not a request for encryption through the conf_req_flag
- input to GSS_Wrap() can be honored. In similar fashion, the
- integ_avail return value indicates whether per-message integrity
- services are available (through either GSS_GetMIC() or GSS_Wrap()) on
- the established context. These state indicators' values are undefined
- unless either the routine's major_status indicates GSS_S_COMPLETE, or
- TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED
- major_status.
-
- The lifetime_req input specifies a desired upper bound for the
- lifetime of the context to be established, with a value of 0 used to
- request a default lifetime. The lifetime_rec return value indicates
- the length of time for which the context will be valid, expressed as
- an offset from the present; depending on mechanism capabilities,
- credential lifetimes, and local policy, it may not correspond to the
- value requested in lifetime_req.
If no constraints on context
- lifetime are imposed, this may be indicated by returning a reserved
- value representing INDEFINITE lifetime_req. The value of lifetime_rec
- is undefined unless the routine's major_status indicates
- GSS_S_COMPLETE.
-
- If the mutual_state is TRUE, this fact will be reflected within the
- output_token. A call to GSS_Accept_sec_context() at the target in
- conjunction with such a context will return a token, to be processed
- by a continuation call to GSS_Init_sec_context(), in order to achieve
- mutual authentication.
-
-
-
-
-
-Linn Standards Track [Page 48]
-
-RFC 2743 GSS-API January 2000
-
-
-2.2.2: GSS_Accept_sec_context call
-
- Inputs:
-
- o acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies
- -- "use default"
-
- o input_context_handle CONTEXT HANDLE, -- 0
- -- (GSS_C_NO_CONTEXT) specifies "not yet assigned"
-
- o chan_bindings OCTET STRING,
-
- o input_token OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o src_name INTERNAL NAME, -- guaranteed to be MN
- -- once returned, caller must release with GSS_Release_name()
-
- o mech_type OBJECT IDENTIFIER, -- caller should treat as
- -- read-only; does not need to be released
-
- o output_context_handle CONTEXT HANDLE, -- once returned
- -- non-NULL in context establishment sequence, caller
- -- must release with GSS_Delete_sec_context()
-
- o deleg_state BOOLEAN,
-
- o mutual_state BOOLEAN,
-
- o replay_det_state BOOLEAN,
-
- o sequence_state BOOLEAN,
-
- o anon_state BOOLEAN,
-
- o trans_state BOOLEAN,
-
- o prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion
-
- o conf_avail BOOLEAN,
-
- o integ_avail BOOLEAN,
-
-
-
-
-Linn Standards Track [Page 49]
-
-RFC 2743 GSS-API January 2000
-
-
- o lifetime_rec INTEGER, -- in seconds, or reserved value for
- -- INDEFINITE
-
- o delegated_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL,
- -- caller must release with GSS_Release_cred()
-
- o output_token OCTET STRING -- NULL or
token to pass to context
- -- initiator; if returned non-NULL, caller must release with
- -- GSS_Release_buffer()
-
- This call may block pending network interactions for those mech_types
- in which a directory service or other network entity must be
- consulted on behalf of a context acceptor in order to validate a
- received input_token.
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that context-level data structures were
- successfully initialized, and that per-message processing can now be
- performed in conjunction with this context.
-
- o GSS_S_CONTINUE_NEEDED indicates that control information in the
- returned output_token must be sent to the initiator, and that a
- response must be received and passed as the input_token argument to a
- continuation call to GSS_Accept_sec_context(), before per-message
- processing can be performed in conjunction with this context.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the input_token failed, preventing further processing from being
- performed based on that token.
-
- o GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
- performed on the credential structure referenced by
- acceptor_cred_handle failed, preventing further processing from being
- performed using that credential structure.
-
- o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
- input_token contains an incorrect integrity check, so context setup
- cannot be accomplished.
-
- o GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the
- received input_token was correct, but that the input_token was
- recognized as a duplicate of an input_token already processed. No new
- context is established.
-
-
-
-
-
-
-
-Linn Standards Track [Page 50]
-
-RFC 2743 GSS-API January 2000
-
-
- o GSS_S_OLD_TOKEN indicates that the integrity check on the received
- input_token was correct, but that the input_token is too old to be
- checked for duplication against previously-processed input_tokens.
No
- new context is established.
-
- o GSS_S_NO_CRED indicates that no context was established, either
- because the input cred_handle was invalid, because the referenced
- credentials are valid for context initiator use only, because the
- caller lacks authorization to access the referenced credentials, or
- because the procedure for default credential resolution failed.
-
- o GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
- through the input acceptor_cred_handle argument are no longer valid,
- so context establishment cannot be completed.
-
- o GSS_S_BAD_BINDINGS indicates that a mismatch between the caller-
- provided chan_bindings and those extracted from the input_token was
- detected, signifying a security-relevant event and preventing context
- establishment.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided; this major status will be
- returned only for successor calls following GSS_S_CONTINUE_ NEEDED
- status returns.
-
- o GSS_S_BAD_MECH indicates receipt of a context establishment token
- specifying a mechanism unsupported by the local system or with the
- caller's active credentials.
-
- o GSS_S_FAILURE indicates that context setup could not be
- accomplished for reasons unspecified at the GSS-API level, and that
- no interface-defined recovery action is available.
-
- The GSS_Accept_sec_context() routine is used by a context target.
- Using information in the credentials structure referenced by the
- input acceptor_cred_handle, it verifies the incoming input_token and
- (following the successful completion of a context establishment
- sequence) returns the authenticated src_name and the mech_type used.
- The returned src_name is guaranteed to be an MN, processed by the
- mechanism under which the context was established.
The
- acceptor_cred_handle must correspond to the same valid credentials
- structure on the initial call to GSS_Accept_sec_context() and on any
- successor calls resulting from GSS_S_CONTINUE_NEEDED status returns;
- different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED
- mechanism will require access to credentials at different points in
- the context establishment sequence.
-
-
-
-
-
-Linn Standards Track [Page 51]
-
-RFC 2743 GSS-API January 2000
-
-
- The caller-provided input_context_handle argument is to be 0
- (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first
- GSS_Accept_sec_context() call relating to a given context. If
- successful (i.e., if accompanied by major_status GSS_S_COMPLETE or
- GSS_S_CONTINUE_NEEDED), and only if successful, the initial
- GSS_Accept_sec_context() call returns a non-zero
- output_context_handle for use in future references to this context.
- Once a non-zero output_context_handle has been returned, GSS-API
- callers should call GSS_Delete_sec_context() to release context-
- related resources if errors occur in later phases of context
- establishment, or when an established context is no longer required.
- If GSS_Accept_sec_context() is passed the handle of a context which
- is already fully established, GSS_S_FAILURE status is returned.
-
- The chan_bindings argument is used by the caller to provide
- information binding the security context to security-related
- characteristics (e.g., addresses, cryptographic keys) of the
- underlying communications channel. See Section 1.1.6 of this document
- for more discussion of this argument's usage.
-
- The returned state results (deleg_state, mutual_state,
- replay_det_state, sequence_state, anon_state, trans_state, and
- prot_ready_state) reflect the same information as described for
- GSS_Init_sec_context(), and their values are significant under the
- same return state conditions.
-
- The conf_avail return value indicates whether the context supports
- per-message confidentiality services, and so informs the caller
- whether or not a request for encryption through the conf_req_flag
- input to GSS_Wrap() can be honored. In similar fashion, the
- integ_avail return value indicates whether per-message integrity
- services are available (through either GSS_GetMIC() or GSS_Wrap())
- on the established context. These values are significant under the
- same return state conditions as described under
- GSS_Init_sec_context().
-
- The lifetime_rec return value is significant only in conjunction with
- GSS_S_COMPLETE major_status, and indicates the length of time for
- which the context will be valid, expressed as an offset from the
- present.
-
- The returned mech_type value indicates the specific mechanism
- employed on the context; it will never indicate the value for
- "default". A valid mech_type result must be returned whenever
- GSS_S_COMPLETE status is indicated; GSS-API implementations may (but
- are not required to) also return mech_type along with predecessor
- calls indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is
- determinable) in conjunction with fatal error cases. For the case of
-
-
-
-Linn Standards Track [Page 52]
-
-RFC 2743 GSS-API January 2000
-
-
- mechanisms which themselves perform negotiation, the returned
- mech_type result may indicate selection of a mechanism identified by
- an OID different than that passed in the input mech_type argument,
- and the returned value may change between successive calls returning
- GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE.
-
- The delegated_cred_handle result is significant only when deleg_state
- is TRUE, and provides a means for the target to reference the
- delegated credentials. The output_token result, when non-NULL,
- provides a context-level token to be returned to the context
- initiator to continue a multi-step context establishment sequence.
As
- noted with GSS_Init_sec_context(), any returned token should be
- transferred to the context's peer (in this case, the context
- initiator), independent of the value of the accompanying returned
- major_status.
-
- Note: A target must be able to distinguish a context-level
- input_token, which is passed to GSS_Accept_sec_context(), from the
- per-message data elements passed to GSS_VerifyMIC() or GSS_Unwrap().
- These data elements may arrive in a single application message, and
- GSS_Accept_sec_context() must be performed before per-message
- processing can be performed successfully.
-
-2.2.3: GSS_Delete_sec_context call
-
- Input:
-
- o context_handle CONTEXT HANDLE
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_context_token OCTET STRING
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the context was recognized, and that
- relevant context-specific information was flushed. If the caller
- provides a non-null buffer to receive an output_context_token, and
- the mechanism returns a non-NULL token into that buffer, the returned
- output_context_token is ready for transfer to the context's peer.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided, so no deletion was performed.
-
-
-
-
-Linn Standards Track [Page 53]
-
-RFC 2743 GSS-API January 2000
-
-
- o GSS_S_FAILURE indicates that the context is recognized, but that
- the GSS_Delete_sec_context() operation could not be performed for
- reasons unspecified at the GSS-API level.
-
- This call can be made by either peer in a security context, to flush
- context-specific information. Once a non-zero output_context_handle
- has been returned by context establishment calls, GSS-API callers
- should call GSS_Delete_sec_context() to release context-related
- resources if errors occur in later phases of context establishment,
- or when an established context is no longer required.
This call may
- block pending network interactions for mech_types in which active
- notification must be made to a central server when a security context
- is to be deleted.
-
- If a non-null output_context_token parameter is provided by the
- caller, an output_context_token may be returned to the caller. If an
- output_context_token is provided to the caller, it can be passed to
- the context's peer to inform the peer's GSS-API implementation that
- the peer's corresponding context information can also be flushed.
- (Once a context is established, the peers involved are expected to
- retain cached credential and context-related information until the
- information's expiration time is reached or until a
- GSS_Delete_sec_context() call is made.)
-
- The facility for context_token usage to signal context deletion is
- retained for compatibility with GSS-API Version 1. For current
- usage, it is recommended that both peers to a context invoke
- GSS_Delete_sec_context() independently, passing a null
- output_context_token buffer to indicate that no context_token is
- required. Implementations of GSS_Delete_sec_context() should delete
- relevant locally-stored context information.
-
- Attempts to perform per-message processing on a deleted context will
- result in error returns.
-
-2.2.4: GSS_Process_context_token call
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o input_context_token OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
-
-
-Linn Standards Track [Page 54]
-
-RFC 2743 GSS-API January 2000
-
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the input_context_token was
- successfully processed in conjunction with the context referenced by
- context_handle.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the received context_token failed, preventing further processing
- from being performed with that token.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided.
-
- o GSS_S_FAILURE indicates that the context is recognized, but that
- the GSS_Process_context_token() operation could not be performed for
- reasons unspecified at the GSS-API level.
-
- This call is used to process context_tokens received from a peer once
- a context has been established, with corresponding impact on
- context-level state information. One use for this facility is
- processing of the context_tokens generated by
- GSS_Delete_sec_context(); GSS_Process_context_token() will not block
- pending network interactions for that purpose. Another use is to
- process tokens indicating remote-peer context establishment failures
- after the point where the local GSS-API implementation has already
- indicated GSS_S_COMPLETE status.
-
-2.2.5: GSS_Context_time call
-
- Input:
-
- o context_handle CONTEXT HANDLE,
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o lifetime_rec INTEGER -- in seconds, or reserved value for
- -- INDEFINITE
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the referenced context is valid, and
- will remain valid for the amount of time indicated in lifetime_rec.
-
-
-
-
-
-Linn Standards Track [Page 55]
-
-RFC 2743 GSS-API January 2000
-
-
- o GSS_S_CONTEXT_EXPIRED indicates that data items related to the
- referenced context have expired.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided.
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level.
-
- This call is used to determine the amount of time for which a
- currently established context will remain valid.
-
-2.2.6: GSS_Inquire_context call
-
- Input:
-
- o context_handle CONTEXT HANDLE,
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o src_name INTERNAL NAME, -- name of context initiator,
- -- guaranteed to be MN;
- -- caller must release with GSS_Release_name() if returned
-
- o targ_name INTERNAL NAME, -- name of context target,
- -- guaranteed to be MN;
- -- caller must release with GSS_Release_name() if returned
-
- o lifetime_rec INTEGER -- in seconds, or reserved value for
- -- INDEFINITE or EXPIRED
-
- o mech_type OBJECT IDENTIFIER, -- the mechanism supporting this
- -- security context; caller should treat as read-only and not
- -- attempt to release
-
- o deleg_state BOOLEAN,
-
- o mutual_state BOOLEAN,
-
- o replay_det_state BOOLEAN,
-
- o sequence_state BOOLEAN,
-
- o anon_state BOOLEAN,
-
-
-
-Linn Standards Track [Page 56]
-
-RFC 2743 GSS-API January 2000
-
-
- o trans_state BOOLEAN,
-
- o prot_ready_state BOOLEAN,
-
- o conf_avail BOOLEAN,
-
- o integ_avail BOOLEAN,
-
- o locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor
-
- o open BOOLEAN, -- TRUE if context fully established, FALSE
- -- if partly established (in CONTINUE_NEEDED state)
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the referenced context is valid and
- that deleg_state, mutual_state, replay_det_state, sequence_state,
- anon_state, trans_state, prot_ready_state, conf_avail, integ_avail,
- locally_initiated, and open return values describe the corresponding
- characteristics of the context. If open is TRUE, lifetime_rec is
- also returned: if open is TRUE and the context peer's name is known,
- src_name and targ_name are valid in addition to the values listed
- above. The mech_type value must be returned for contexts where open
- is TRUE and may be returned for contexts where open is FALSE.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided.
Return values other than
- major_status and minor_status are undefined.
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
-
- This call is used to extract information describing characteristics
- of a security context. Note that GSS-API implementations are
- expected to retain inquirable context data on a context until the
- context is released by a caller, even after the context has expired,
- although underlying cryptographic data elements may be deleted after
- expiration in order to limit their exposure.
-
-2.2.7: GSS_Wrap_size_limit call
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o conf_req_flag BOOLEAN,
-
-
-
-
-Linn Standards Track [Page 57]
-
-RFC 2743 GSS-API January 2000
-
-
- o qop INTEGER,
-
- o output_size INTEGER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o max_input_size INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates a successful token size determination:
- an input message with a length in octets equal to the returned
- max_input_size value will, when passed to GSS_Wrap() for processing
- on the context identified by the context_handle parameter with the
- confidentiality request state as provided in conf_req_flag and with
- the quality of protection specifier provided in the qop parameter,
- yield an output token no larger than the value of the provided
- output_size parameter.
-
- o GSS_S_CONTEXT_EXPIRED indicates that the provided input
- context_handle is recognized, but that the referenced context has
- expired. Return values other than major_status and minor_status are
- undefined.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided. Return values other than
- major_status and minor_status are undefined.
-
- o GSS_S_BAD_QOP indicates that the provided QOP value is not
- recognized or supported for the context.
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
-
- This call is used to determine the largest input datum which may be
- passed to GSS_Wrap() without yielding an output token larger than a
- caller-specified value.
-
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 58]
-
-RFC 2743 GSS-API January 2000
-
-
-2.2.8: GSS_Export_sec_context call
-
- Inputs:
-
- o context_handle CONTEXT HANDLE
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o interprocess_token OCTET STRING -- caller must release
- -- with GSS_Release_buffer()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the referenced context has been
- successfully exported to a representation in the interprocess_token,
- and is no longer available for use by the caller.
-
- o GSS_S_UNAVAILABLE indicates that the context export facility is
- not available for use on the referenced context. (This status should
- occur only for contexts for which the trans_state value is FALSE.)
- Return values other than major_status and minor_status are undefined.
-
- o GSS_S_CONTEXT_EXPIRED indicates that the provided input
- context_handle is recognized, but that the referenced context has
- expired. Return values other than major_status and minor_status are
- undefined.
-
- o GSS_S_NO_CONTEXT indicates that no valid context was recognized
- for the input context_handle provided. Return values other than
- major_status and minor_status are undefined.
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
-
- This call generates an interprocess token for transfer to another
- process within an end system, in order to transfer control of a
- security context to that process. The recipient of the interprocess
- token will call GSS_Import_sec_context() to accept the transfer. The
- GSS_Export_sec_context() operation is defined for use only with
- security contexts which are fully and successfully established (i.e.,
- those for which GSS_Init_sec_context() and GSS_Accept_sec_context()
- have returned GSS_S_COMPLETE major_status).
-
-
-
-
-Linn Standards Track [Page 59]
-
-RFC 2743 GSS-API January 2000
-
-
- A successful GSS_Export_sec_context() operation deactivates the
- security context for the calling process; for this case, the GSS-API
- implementation shall deallocate all process-wide resources associated
- with the security context and shall set the context_handle to
- GSS_C_NO_CONTEXT. In the event of an error that makes it impossible
- to complete export of the security context, the GSS-API
- implementation must not return an interprocess token and should
- strive to leave the security context referenced by the context_handle
- untouched. If this is impossible, it is permissible for the
- implementation to delete the security context, provided that it also
- sets the context_handle parameter to GSS_C_NO_CONTEXT.
-
- Portable callers must not assume that a given interprocess token can
- be imported by GSS_Import_sec_context() more than once, thereby
- creating multiple instantiations of a single context. GSS-API
- implementations may detect and reject attempted multiple imports, but
- are not required to do so.
-
- The internal representation contained within the interprocess token
- is an implementation-defined local matter. Interprocess tokens
- cannot be assumed to be transferable across different GSS-API
- implementations.
-
- It is recommended that GSS-API implementations adopt policies suited
- to their operational environments in order to define the set of
- processes eligible to import a context, but specific constraints in
- this area are local matters. Candidate examples include transfers
- between processes operating on behalf of the same user identity, or
- processes comprising a common job. However, it may be impossible to
- enforce such policies in some implementations.
-
- In support of the above goals, implementations may protect the
- transferred context data by using cryptography to protect data within
- the interprocess token, or by using interprocess tokens as a means to
- reference local interprocess communication facilities (protected by
- other means) rather than storing the context data directly within the
- tokens.
-
- Transfer of an open context may, for certain mechanisms and
- implementations, reveal data about the credential which was used to
- establish the context. Callers should, therefore, be cautious about
- the trustworthiness of processes to which they transfer contexts.
- Although the GSS-API implementation may provide its own set of
- protections over the exported context, the caller is responsible for
- protecting the interprocess token from disclosure, and for taking
- care that the context is transferred to an appropriate destination
- process.
-
-
-
-
-Linn Standards Track [Page 60]
-
-RFC 2743 GSS-API January 2000
-
-
-2.2.9: GSS_Import_sec_context call
-
- Inputs:
-
- o interprocess_token OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o context_handle CONTEXT HANDLE -- if successfully returned,
- -- caller must release with GSS_Delete_sec_context()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the context represented by the input
- interprocess_token has been successfully transferred to the caller,
- and is available for future use via the output context_handle.
-
- o GSS_S_NO_CONTEXT indicates that the context represented by the
- input interprocess_token was invalid. Return values other than
- major_status and minor_status are undefined.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token
- was defective. Return values other than major_status and
- minor_status are undefined.
-
- o GSS_S_UNAVAILABLE indicates that the context import facility is
- not available for use on the referenced context. Return values other
- than major_status and minor_status are undefined.
-
- o GSS_S_UNAUTHORIZED indicates that the context represented by the
- input interprocess_token is unauthorized for transfer to the caller.
- Return values other than major_status and minor_status are undefined.
-
- o GSS_S_FAILURE indicates that the requested operation failed for
- reasons unspecified at the GSS-API level. Return values other than
- major_status and minor_status are undefined.
-
- This call processes an interprocess token generated by
- GSS_Export_sec_context(), making the transferred context available
- for use by the caller. After a successful GSS_Import_sec_context()
- operation, the imported context is available for use by the importing
- process. In particular, the imported context is usable for all per-
- message operations and may be deleted or exported by its importer.
- The inability to receive delegated credentials through
-
-
-
-Linn Standards Track [Page 61]
-
-RFC 2743 GSS-API January 2000
-
-
- gss_import_sec_context() precludes establishment of new contexts
- based on information delegated to the importer's end system within
- the context which is being imported, unless those delegated
- credentials are obtained through separate routines (e.g., XGSS-API
- calls) outside the GSS-V2 definition.
-
- For further discussion of the security and authorization issues
- regarding this call, please see the discussion in Section 2.2.8.
-
-2.3: Per-message calls
-
- This group of calls is used to perform per-message protection
- processing on an established security context. None of these calls
- block pending network interactions. These calls may be invoked by a
- context's initiator or by the context's target. The four members of
- this group should be considered as two pairs; the output from
- GSS_GetMIC() is properly input to GSS_VerifyMIC(), and the output
- from GSS_Wrap() is properly input to GSS_Unwrap().
-
- GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication
- and data integrity services. When GSS_GetMIC() is invoked on an input
- message, it yields a per-message token containing data items which
- allow underlying mechanisms to provide the specified security
- services. The original message, along with the generated per-message
- token, is passed to the remote peer; these two data elements are
- processed by GSS_VerifyMIC(), which validates the message in
- conjunction with the separate token.
-
- GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality
- in addition to the data origin authentication and data integrity
- services offered by GSS_GetMIC() and GSS_VerifyMIC(). GSS_Wrap()
- outputs a single data element, encapsulating optionally enciphered
- user data as well as associated token data items. The data element
- output from GSS_Wrap() is passed to the remote peer and processed by
- GSS_Unwrap() at that system. GSS_Unwrap() combines decipherment (as
- required) with validation of data items related to authentication and
- integrity.
-
- Although zero-length tokens are never returned by GSS calls for
- transfer to a context's peer, a zero-length object may be passed by a
- caller into GSS_Wrap(), in which case the corresponding peer calling
- GSS_Unwrap() on the transferred token will receive a zero-length
- object as output from GSS_Unwrap().
Similarly, GSS_GetMIC() can be
- called on an empty object, yielding a MIC which GSS_VerifyMIC() will
- successfully verify against the active security context in
- conjunction with a zero-length object.
-
-
-
-
-
-Linn Standards Track [Page 62]
-
-RFC 2743 GSS-API January 2000
-
-
-2.3.1: GSS_GetMIC call
-
- Note: This call is functionally equivalent to the GSS_Sign call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Sign are deprecated.
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o qop_req INTEGER, -- 0 specifies default QOP
-
- o message OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o per_msg_token OCTET STRING -- caller must release
- -- with GSS_Release_buffer()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that an integrity check, suitable for an
- established security context, was successfully applied and that the
- message and corresponding per_msg_token are ready for transmission.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data items
- have expired, so that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no context was recognized for the
- input context_handle provided.
-
- o GSS_S_BAD_QOP indicates that the provided QOP value is not
- recognized or supported for the context.
-
- o GSS_S_FAILURE indicates that the context is recognized, but that
- the requested operation could not be performed for reasons
- unspecified at the GSS-API level.
-
- Using the security context referenced by context_handle, apply an
- integrity check to the input message (along with timestamps and/or
- other data included in support of mech_type-specific mechanisms) and
- (if GSS_S_COMPLETE status is indicated) return the result in
-
-
-
-Linn Standards Track [Page 63]
-
-RFC 2743 GSS-API January 2000
-
-
- per_msg_token. The qop_req parameter, interpretation of which is
- discussed in Section 1.2.4, allows quality-of-protection control. The
- caller passes the message and the per_msg_token to the target.
-
- The GSS_GetMIC() function completes before the message and
- per_msg_token is sent to the peer; successful application of
- GSS_GetMIC() does not guarantee that a corresponding GSS_VerifyMIC()
- has been (or can necessarily be) performed successfully when the
- message arrives at the destination.
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.3.2: GSS_VerifyMIC call
-
- Note: This call is functionally equivalent to the GSS_Verify call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Verify are deprecated.
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o message OCTET STRING,
-
- o per_msg_token OCTET STRING
-
- Outputs:
-
- o qop_state INTEGER,
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the message was successfully
- verified.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the received per_msg_token failed, preventing further processing
- from being performed with that token.
-
- o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
- per_msg_token contains an incorrect integrity check for the message.
-
-
-
-Linn Standards Track [Page 64]
-
-RFC 2743 GSS-API January 2000
-
-
- o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
- GSS_S_GAP_TOKEN values appear in conjunction with the optional per-
- message replay detection features described in Section 1.2.3; their
- semantics are described in that section.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data items
- have expired, so that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no context was recognized for the
- input context_handle provided.
-
- o GSS_S_FAILURE indicates that the context is recognized, but that
- the GSS_VerifyMIC() operation could not be performed for reasons
- unspecified at the GSS-API level.
-
- Using the security context referenced by context_handle, verify that
- the input per_msg_token contains an appropriate integrity check for
- the input message, and apply any active replay detection or
- sequencing features. Returns an indication of the quality-of-
- protection applied to the processed message in the qop_state result.
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.3.3: GSS_Wrap call
-
- Note: This call is functionally equivalent to the GSS_Seal call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Seal are deprecated.
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o conf_req_flag BOOLEAN,
-
- o qop_req INTEGER, -- 0 specifies default QOP
-
- o input_message OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
-
-
-
-Linn Standards Track [Page 65]
-
-RFC 2743 GSS-API January 2000
-
-
- o conf_state BOOLEAN,
-
- o output_message OCTET STRING -- caller must release with
- -- GSS_Release_buffer()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the input_message was successfully
- processed and that the output_message is ready for transmission.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data items
- have expired, so that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no context was recognized for the
- input context_handle provided.
-
- o GSS_S_BAD_QOP indicates that the provided QOP value is not
- recognized or supported for the context.
-
- o GSS_S_FAILURE indicates that the context is recognized, but that
- the GSS_Wrap() operation could not be performed for reasons
- unspecified at the GSS-API level.
-
- Performs the data origin authentication and data integrity functions
- of GSS_GetMIC(). If the input conf_req_flag is TRUE, requests that
- confidentiality be applied to the input_message. Confidentiality may
- not be supported in all mech_types or by all implementations; the
- returned conf_state flag indicates whether confidentiality was
- provided for the input_message. The qop_req parameter, interpretation
- of which is discussed in Section 1.2.4, allows quality-of-protection
- control.
-
- When GSS_S_COMPLETE status is returned, the GSS_Wrap() call yields a
- single output_message data element containing (optionally enciphered)
- user data as well as control information.
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.3.4: GSS_Unwrap call
-
- Note: This call is functionally equivalent to the GSS_Unseal call as
- defined in previous versions of this specification. In the interests
- of backward compatibility, it is recommended that implementations
- support this function under both names for the present; future
- references to this function as GSS_Unseal are deprecated.
-
-
-
-
-
-Linn Standards Track [Page 66]
-
-RFC 2743 GSS-API January 2000
-
-
- Inputs:
-
- o context_handle CONTEXT HANDLE,
-
- o input_message OCTET STRING
-
- Outputs:
-
- o conf_state BOOLEAN,
-
- o qop_state INTEGER,
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_message OCTET STRING -- caller must release with
- -- GSS_Release_buffer()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the input_message was successfully
- processed and that the resulting output_message is available.
-
- o GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
- on the per_msg_token extracted from the input_message failed,
- preventing further processing from being performed.
-
- o GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that an incorrect
- integrity check was detected for the message.
-
- o GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
- GSS_S_GAP_TOKEN values appear in conjunction with the optional per-
- message replay detection features described in Section 1.2.3; their
- semantics are described in that section.
-
- o GSS_S_CONTEXT_EXPIRED indicates that context-related data items
- have expired, so that the requested operation cannot be performed.
-
- o GSS_S_NO_CONTEXT indicates that no context was recognized for the
- input context_handle provided.
-
- o GSS_S_FAILURE indicates that the context is recognized, but that
- the GSS_Unwrap() operation could not be performed for reasons
- unspecified at the GSS-API level.
-
-
-
-
-
-
-Linn Standards Track [Page 67]
-
-RFC 2743 GSS-API January 2000
-
-
- Processes a data element generated (and optionally enciphered) by
- GSS_Wrap(), provided as input_message. The returned conf_state value
- indicates whether confidentiality was applied to the input_message.
- If conf_state is TRUE, GSS_Unwrap() has deciphered the input_message.
- Returns an indication of the quality-of-protection applied to the
- processed message in the qop_state result. GSS_Unwrap() performs the
- data integrity and data origin authentication checking functions of
- GSS_VerifyMIC() on the plaintext data. Plaintext data is returned in
- output_message.
-
- Mechanisms which do not support per-message protection services
- should return GSS_S_FAILURE if this routine is called.
-
-2.4: Support calls
-
- This group of calls provides support functions useful to GSS-API
- callers, independent of the state of established contexts. Their
- characterization with regard to blocking or non-blocking status in
- terms of network interactions is unspecified.
-
-2.4.1: GSS_Display_status call
-
- Inputs:
-
- o status_value INTEGER, -- GSS-API major_status or minor_status
- -- return value
-
- o status_type INTEGER, -- 1 if major_status, 2 if minor_status
-
- o mech_type OBJECT IDENTIFIER -- mech_type to be used for
- -- minor_status translation
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o status_string_set SET OF OCTET STRING -- required calls for
- -- release by caller are specific to language bindings
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a valid printable status
- representation (possibly representing more than one status event
- encoded within the status_value) is available in the returned
- status_string_set.
-
-
-
-
-Linn Standards Track [Page 68]
-
-RFC 2743 GSS-API January 2000
-
-
- o GSS_S_BAD_MECH indicates that translation in accordance with an
- unsupported mech_type was requested, so translation could not be
- performed.
-
- o GSS_S_BAD_STATUS indicates that the input status_value was
- invalid, or that the input status_type carried a value other than 1
- or 2, so translation could not be performed.
-
- o GSS_S_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Provides a means for callers to translate GSS-API-returned major and
- minor status codes into printable string representations. Note: some
- language bindings may employ an iterative approach in order to emit
- successive status components; this approach is acceptable but not
- required for conformance with the current specification.
-
- Although not contemplated in [RFC-2078], it has been observed that
- some existing GSS-API implementations return GSS_S_CONTINUE_NEEDED
- status when iterating through successive messages returned from
- GSS_Display_status(). This behavior is deprecated;
- GSS_S_CONTINUE_NEEDED should be returned only by
- GSS_Init_sec_context() and GSS_Accept_sec_context(). For maximal
- portability, however, it is recommended that defensive callers be
- able to accept and ignore GSS_S_CONTINUE_NEEDED status if indicated
- by GSS_Display_status() or any other call other than
- GSS_Init_sec_context() or GSS_Accept_sec_context().
-
-2.4.2: GSS_Indicate_mechs call
-
- Input:
-
- o (none)
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o mech_set SET OF OBJECT IDENTIFIER -- caller must release
- -- with GSS_Release_oid_set()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a set of available mechanisms has
- been returned in mech_set.
-
-
-
-
-Linn Standards Track [Page 69]
-
-RFC 2743 GSS-API January 2000
-
-
- o GSS_S_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to determine the set of mechanism types available on
- the local system. This call is intended for support of specialized
- callers who need to request non-default mech_type sets from GSS-API
- calls which accept input mechanism type specifiers.
-
-2.4.3: GSS_Compare_name call
-
- Inputs:
-
- o name1 INTERNAL NAME,
-
- o name2 INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o name_equal BOOLEAN
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that name1 and name2 were comparable, and
- that the name_equal result indicates whether name1 and name2
- represent the same entity.
-
- o GSS_S_BAD_NAMETYPE indicates that the two input names' types are
- different and incomparable, so that the comparison operation could
- not be completed.
-
- o GSS_S_BAD_NAME indicates that one or both of the input names was
- ill-formed in terms of its internal type specifier, so the comparison
- operation could not be completed.
-
- o GSS_S_FAILURE indicates that the call's operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to compare two internal name representations to
- determine whether they refer to the same entity. If either name
- presented to GSS_Compare_name() denotes an anonymous principal,
- GSS_Compare_name() shall indicate FALSE. It is not required that
- either or both inputs name1 and name2 be MNs; for some
-
-
-
-
-
-Linn Standards Track [Page 70]
-
-RFC 2743 GSS-API January 2000
-
-
- implementations and cases, GSS_S_BAD_NAMETYPE may be returned,
- indicating name incomparability, for the case where neither input
- name is an MN.
-
-2.4.4: GSS_Display_name call
-
- Inputs:
-
- o name INTERNAL NAME
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o name_string OCTET STRING, -- caller must release
- -- with GSS_Release_buffer()
-
- o name_type OBJECT IDENTIFIER -- caller should treat
- -- as read-only; does not need to be released
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a valid printable name
- representation is available in the returned name_string.
-
- o GSS_S_BAD_NAME indicates that the contents of the provided name
- were inconsistent with the internally-indicated name type, so no
- printable representation could be generated.
-
- o GSS_S_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to translate an internal name representation into a
- printable form with associated namespace type descriptor. The syntax
- of the printable form is a local matter.
-
- If the input name represents an anonymous identity, a reserved value
- (GSS_C_NT_ANONYMOUS) shall be returned for name_type.
-
- The GSS_C_NO_OID name type is to be returned only when the
- corresponding internal name was created through import with
- GSS_C_NO_OID. It is acceptable for mechanisms to normalize names
- imported with GSS_C_NO_OID into other supported types and, therefore,
- to display them with types other than GSS_C_NO_OID.
-
-
-
-
-
-Linn Standards Track [Page 71]
-
-RFC 2743 GSS-API January 2000
-
-
-2.4.5: GSS_Import_name call
-
- Inputs:
-
- o input_name_string OCTET STRING,
-
- o input_name_type OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o output_name INTERNAL NAME -- caller must release with
- -- GSS_Release_name()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a valid name representation is
- output in output_name and described by the type value in
- output_name_type.
- - o GSS_S_BAD_NAMETYPE indicates that the input_name_type is - unsupported by the applicable underlying GSS-API mechanism(s), so the - import operation could not be completed. - - o GSS_S_BAD_NAME indicates that the provided input_name_string is - ill-formed in terms of the input_name_type, so the import operation - could not be completed. - - o GSS_S_BAD_MECH indicates that the input presented for import was - an exported name object and that its enclosed mechanism type was not - recognized or was unsupported by the GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to provide a name representation as a contiguous octet - string, designate the type of namespace in conjunction with which it - should be parsed, and convert that representation to an internal form - suitable for input to other GSS-API routines. The syntax of the - input_name_string is defined in conjunction with its associated name - type; depending on the input_name_type, the associated - input_name_string may or may not be a printable string. If the - input_name_type's value is GSS_C_NO_OID, a mechanism-specific default - printable syntax (which shall be specified in the corresponding GSS- - V2 mechanism specification) is assumed for the input_name_string; - - - -Linn Standards Track [Page 72] - -RFC 2743 GSS-API January 2000 - - - other input_name_type values as registered by GSS-API implementations - can be used to indicate specific non-default name syntaxes. Note: The - input_name_type argument serves to describe and qualify the - interpretation of the associated input_name_string; it does not - specify the data type of the returned output_name. - - If a mechanism claims support for a particular name type, its - GSS_Import_name() operation shall be able to accept all possible - values conformant to the external name syntax as defined for that - name type. 
These imported values may correspond to: - - (1) locally registered entities (for which credentials may be - acquired), - - (2) non-local entities (for which local credentials cannot be - acquired, but which may be referenced as targets of initiated - security contexts or initiators of accepted security contexts), or - to - - (3) neither of the above. - - Determination of whether a particular name belongs to class (1), (2), - or (3) as described above is not guaranteed to be performed by the - GSS_Import_name() function. - - The internal name generated by a GSS_Import_name() operation may be a - single-mechanism MN, and is likely to be an MN within a single- - mechanism implementation, but portable callers must not depend on - this property (and must not, therefore, assume that the output from - GSS_Import_name() can be passed directly to GSS_Export_name() without - first being processed through GSS_Canonicalize_name()). - -2.4.6: GSS_Release_name call - - Inputs: - - o name INTERNAL NAME - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the storage associated with the - input name was successfully released. - - - -Linn Standards Track [Page 73] - -RFC 2743 GSS-API January 2000 - - - o GSS_S_BAD_NAME indicates that the input name argument did not - contain a valid name. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to release the storage associated with an internal - name representation. This call's specific behavior depends on the - language and programming environment within which a GSS-API - implementation operates, and is therefore detailed within applicable - bindings specifications; in particular, implementation and invocation - of this call may be superfluous (and may be omitted) within bindings - where memory management is automatic. 
-
-2.4.7: GSS_Release_buffer call
-
- Inputs:
-
- o buffer OCTET STRING
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the storage associated with the
- input buffer was successfully released.
-
- o GSS_S_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to release the storage associated with an OCTET STRING
- buffer allocated by another GSS-API call. This call's specific
- behavior depends on the language and programming environment within
- which a GSS-API implementation operates, and is therefore detailed
- within applicable bindings specifications; in particular,
- implementation and invocation of this call may be superfluous (and
- may be omitted) within bindings where memory management is automatic.
-
-2.4.8: GSS_Release_OID_set call
-
- Inputs:
-
- o buffer SET OF OBJECT IDENTIFIER
-
-
-
-
-Linn Standards Track [Page 74]
-
-RFC 2743 GSS-API January 2000
-
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that the storage associated with the
- input object identifier set was successfully released.
-
- o GSS_S_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- Allows callers to release the storage associated with an object
- identifier set object allocated by another GSS-API call. This call's
- specific behavior depends on the language and programming environment
- within which a GSS-API implementation operates, and is therefore
- detailed within applicable bindings specifications; in particular,
- implementation and invocation of this call may be superfluous (and
- may be omitted) within bindings where memory management is automatic.
-
-2.4.9: GSS_Create_empty_OID_set call
-
- Inputs:
-
- o (none)
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o oid_set SET OF OBJECT IDENTIFIER -- caller must release
- -- with GSS_Release_oid_set()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
- o GSS_S_FAILURE indicates that the operation failed
-
- Creates an object identifier set containing no object identifiers, to
- which members may be subsequently added using the
- GSS_Add_OID_set_member() routine. These routines are intended to be
- used to construct sets of mechanism object identifiers, for input to
- GSS_Acquire_cred().
-
-
-
-Linn Standards Track [Page 75]
-
-RFC 2743 GSS-API January 2000
-
-
-2.4.10: GSS_Add_OID_set_member call
-
- Inputs:
-
- o member_oid OBJECT IDENTIFIER,
-
- o oid_set SET OF OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
- o GSS_S_FAILURE indicates that the operation failed
-
- Adds an Object Identifier to an Object Identifier set. This routine
- is intended for use in conjunction with GSS_Create_empty_OID_set()
- when constructing a set of mechanism OIDs for input to
- GSS_Acquire_cred().
-
-2.4.11: GSS_Test_OID_set_member call
-
- Inputs:
-
- o member OBJECT IDENTIFIER,
-
- o set SET OF OBJECT IDENTIFIER
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
- o present BOOLEAN
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates successful completion
-
- o GSS_S_FAILURE indicates that the operation failed
-
-
-
-
-
-Linn Standards Track [Page 76]
-
-RFC 2743 GSS-API January 2000
-
-
- Interrogates an Object Identifier set to determine whether a
- specified Object Identifier is a member. This routine is intended to
- be used with OID sets returned by GSS_Indicate_mechs(),
- GSS_Acquire_cred(), and GSS_Inquire_cred().
- -2.4.12: GSS_Inquire_names_for_mech call - - Input: - - o input_mech_type OBJECT IDENTIFIER, -- mechanism type - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o name_type_set SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that the output name_type_set contains a - list of name types which are supported by the locally available - mechanism identified by input_mech_type. - - o GSS_S_BAD_MECH indicates that the mechanism identified by - input_mech_type was unsupported within the local implementation, - causing the query to fail. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - Allows callers to determine the set of name types which are - supportable by a specific locally-available mechanism. - -2.4.13: GSS_Inquire_mechs_for_name call - - Inputs: - - o input_name INTERNAL NAME, - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - - - -Linn Standards Track [Page 77] - -RFC 2743 GSS-API January 2000 - - - o mech_types SET OF OBJECT IDENTIFIER -- caller must release - -- with GSS_Release_oid_set() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a set of object identifiers, - corresponding to the set of mechanisms suitable for processing the - input_name, is available in mech_types. - - o GSS_S_BAD_NAME indicates that the input_name was ill-formed and - could not be processed. - - o GSS_S_BAD_NAMETYPE indicates that the input_name parameter - contained an invalid name type or a name type unsupported by the - GSS-API implementation. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - This routine returns the mechanism set with which the input_name may - be processed. - - Each mechanism returned will recognize at least one element within - the name. 
It is permissible for this routine to be implemented within - a mechanism-independent GSS-API layer, using the type information - contained within the presented name, and based on registration - information provided by individual mechanism implementations. This - means that the returned mech_types result may indicate that a - particular mechanism will understand a particular name when in fact - it would refuse to accept that name as input to - GSS_Canonicalize_name(), GSS_Init_sec_context(), GSS_Acquire_cred(), - or GSS_Add_cred(), due to some property of the particular name rather - than a property of the name type. Thus, this routine should be used - only as a pre-filter for a call to a subsequent mechanism-specific - routine. - -2.4.14: GSS_Canonicalize_name call - - Inputs: - - o input_name INTERNAL NAME, - - o mech_type OBJECT IDENTIFIER -- must be explicit mechanism, - -- not "default" specifier or identifier of negotiating mechanism - - Outputs: - - o major_status INTEGER, - - - -Linn Standards Track [Page 78] - -RFC 2743 GSS-API January 2000 - - - o minor_status INTEGER, - - o output_name INTERNAL NAME -- caller must release with - -- GSS_Release_name() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that a mechanism-specific reduction of - the input_name, as processed by the mechanism identified by - mech_type, is available in output_name. - - o GSS_S_BAD_MECH indicates that the identified mechanism is - unsupported for this operation; this may correspond either to a - mechanism wholly unsupported by the local GSS-API implementation or - to a negotiating mechanism with which the canonicalization operation - cannot be performed. - - o GSS_S_BAD_NAMETYPE indicates that the input name does not contain - an element with suitable type for processing by the identified - mechanism. 
-
- o GSS_S_BAD_NAME indicates that the input name contains an element
- with suitable type for processing by the identified mechanism, but
- that this element could not be processed successfully.
-
- o GSS_S_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
-
- This routine reduces a GSS-API internal name input_name, which may in
- general contain elements corresponding to multiple mechanisms, to a
- mechanism-specific Mechanism Name (MN) output_name by applying the
- translations corresponding to the mechanism identified by mech_type.
- The contents of input_name are unaffected by the
- GSS_Canonicalize_name() operation. References to output_name will
- remain valid until output_name is released, independent of whether or
- not input_name is subsequently released.
-
-2.4.15: GSS_Export_name call
-
- Inputs:
-
- o input_name INTERNAL NAME, -- required to be MN
-
- Outputs:
-
- o major_status INTEGER,
-
- o minor_status INTEGER,
-
-
-
-Linn Standards Track [Page 79]
-
-RFC 2743 GSS-API January 2000
-
-
- o output_name OCTET STRING -- caller must release
- -- with GSS_Release_buffer()
-
- Return major_status codes:
-
- o GSS_S_COMPLETE indicates that a flat representation of the input
- name is available in output_name.
-
- o GSS_S_NAME_NOT_MN indicates that the input name contained elements
- corresponding to multiple mechanisms, so cannot be exported into a
- single-mechanism flat form.
-
- o GSS_S_BAD_NAME indicates that the input name was an MN, but could
- not be processed.
-
- o GSS_S_BAD_NAMETYPE indicates that the input name was an MN, but
- that its type is unsupported by the GSS-API implementation.
-
- o GSS_S_FAILURE indicates that the requested operation could not be
- performed for reasons unspecified at the GSS-API level.
- - This routine creates a flat name representation, suitable for - bytewise comparison or for input to GSS_Import_name() in conjunction - with the reserved GSS-API Exported Name Object OID, from a internal- - form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name() - or GSS_Accept_sec_context(). - - The emitted GSS-API Exported Name Object is self-describing; no - associated parameter-level OID need be emitted by this call. This - flat representation consists of a mechanism-independent wrapper - layer, defined in Section 3.2 of this document, enclosing a - mechanism-defined name representation. - - In all cases, the flat name output by GSS_Export_name() to correspond - to a particular input MN must be invariant over time within a - particular installation. - - The GSS_S_NAME_NOT_MN status code is provided to enable - implementations to reject input names which are not MNs. It is not, - however, required for purposes of conformance to this specification - that all non-MN input names must necessarily be rejected. - -2.4.16: GSS_Duplicate_name call - - Inputs: - - o src_name INTERNAL NAME - - - - -Linn Standards Track [Page 80] - -RFC 2743 GSS-API January 2000 - - - Outputs: - - o major_status INTEGER, - - o minor_status INTEGER, - - o dest_name INTERNAL NAME -- caller must release - -- with GSS_Release_name() - - Return major_status codes: - - o GSS_S_COMPLETE indicates that dest_name references an internal - name object containing the same name as passed to src_name. - - o GSS_S_BAD_NAME indicates that the input name was invalid. - - o GSS_S_FAILURE indicates that the requested operation could not be - performed for reasons unspecified at the GSS-API level. - - This routine takes input internal name src_name, and returns another - reference (dest_name) to that name which can be used even if src_name - is later freed. (Note: This may be implemented by copying or through - use of reference counts.) 
- -3: Data Structure Definitions for GSS-V2 Usage - - Subsections of this section define, for interoperability and - portability purposes, certain data structures for use with GSS-V2. - -3.1: Mechanism-Independent Token Format - - This section specifies a mechanism-independent level of encapsulating - representation for the initial token of a GSS-API context - establishment sequence, incorporating an identifier of the mechanism - type to be used on that context and enabling tokens to be interpreted - unambiguously at GSS-API peers. Use of this format is required for - initial context establishment tokens of Internet standards-track - GSS-API mechanisms; use in non-initial tokens is optional. - - The encoding format for the token tag is derived from ASN.1 and DER - (per illustrative ASN.1 syntax included later within this - subsection), but its concrete representation is defined directly in - terms of octets rather than at the ASN.1 level in order to facilitate - interoperable implementation without use of general ASN.1 processing - code. The token tag consists of the following elements, in order: - - 1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that - -- constructed form, definite length encoding follows. - - - -Linn Standards Track [Page 81] - -RFC 2743 GSS-API January 2000 - - - 2. Token length octets, specifying length of subsequent data - (i.e., the summed lengths of elements 3-5 in this list, and of the - mechanism-defined token object following the tag). This element - comprises a variable number of octets: - - 2a. If the indicated value is less than 128, it shall be - represented in a single octet with bit 8 (high order) set to - "0" and the remaining bits representing the value. - - 2b. If the indicated value is 128 or more, it shall be - represented in two or more octets, with bit 8 of the first - octet set to "1" and the remaining bits of the first octet - specifying the number of additional octets. 
The subsequent - octets carry the value, 8 bits per octet, most significant - digit first. The minimum number of octets shall be used to - encode the length (i.e., no octets representing leading zeros - shall be included within the length encoding). - - 3. 0x06 -- Tag for OBJECT IDENTIFIER - - 4. Object identifier length -- length (number of octets) of - -- the encoded object identifier contained in element 5, - -- encoded per rules as described in 2a. and 2b. above. - - 5. Object identifier octets -- variable number of octets, - -- encoded per ASN.1 BER rules: - - 5a. The first octet contains the sum of two values: (1) the - top-level object identifier component, multiplied by 40 - (decimal), and (2) the second-level object identifier - component. This special case is the only point within an - object identifier encoding where a single octet represents - contents of more than one component. - - 5b. Subsequent octets, if required, encode successively-lower - components in the represented object identifier. A component's - encoding may span multiple octets, encoding 7 bits per octet - (most significant bits first) and with bit 8 set to "1" on all - but the final octet in the component's encoding. The minimum - number of octets shall be used to encode each component (i.e., - no octets representing leading zeros shall be included within a - component's encoding). - - (Note: In many implementations, elements 3-5 may be stored and - referenced as a contiguous string constant.) - - - - - - -Linn Standards Track [Page 82] - -RFC 2743 GSS-API January 2000 - - - The token tag is immediately followed by a mechanism-defined token - object. Note that no independent size specifier intervenes following - the object identifier value to indicate the size of the mechanism- - defined token object. 
While ASN.1 usage within mechanism-defined - tokens is permitted, there is no requirement that the mechanism- - specific innerContextToken, innerMsgToken, and sealedUserData data - elements must employ ASN.1 BER/DER encoding conventions. - - The following ASN.1 syntax is included for descriptive purposes only, - to illustrate structural relationships among token and tag objects. - For interoperability purposes, token and tag encoding shall be - performed using the concrete encoding procedures described earlier in - this subsection. - - GSS-API DEFINITIONS ::= - - BEGIN - - MechType ::= OBJECT IDENTIFIER - -- data structure definitions - -- callers must be able to distinguish among - -- InitialContextToken, SubsequentContextToken, - -- PerMsgToken, and SealedMessage data elements - -- based on the usage in which they occur - - InitialContextToken ::= - -- option indication (delegation, etc.) indicated within - -- mechanism-specific token - [APPLICATION 0] IMPLICIT SEQUENCE { - thisMech MechType, - innerContextToken ANY DEFINED BY thisMech - -- contents mechanism-specific - -- ASN.1 structure not required - } - - SubsequentContextToken ::= innerContextToken ANY - -- interpretation based on predecessor InitialContextToken - -- ASN.1 structure not required - - PerMsgToken ::= - -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC - -- ASN.1 structure not required - innerMsgToken ANY - - SealedMessage ::= - -- as emitted by GSS_Wrap and processed by GSS_Unwrap - -- includes internal, mechanism-defined indicator - -- of whether or not encrypted - - - -Linn Standards Track [Page 83] - -RFC 2743 GSS-API January 2000 - - - -- ASN.1 structure not required - sealedUserData ANY - - END - -3.2: Mechanism-Independent Exported Name Object Format - - This section specifies a mechanism-independent level of encapsulating - representation for names exported via the GSS_Export_name() call, - including an object identifier representing the exporting mechanism. 
- The format of names encapsulated via this representation shall be - defined within individual mechanism drafts. The Object Identifier - value to indicate names of this type is defined in Section 4.7 of - this document. - - No name type OID is included in this mechanism-independent level of - format definition, since (depending on individual mechanism - specifications) the enclosed name may be implicitly typed or may be - explicitly typed using a means other than OID encoding. - - The bytes within MECH_OID_LEN and NAME_LEN elements are represented - most significant byte first (equivalently, in IP network byte order). - - Length Name Description - - 2 TOK_ID Token Identifier - For exported name objects, this - must be hex 04 01. - 2 MECH_OID_LEN Length of the Mechanism OID - MECH_OID_LEN MECH_OID Mechanism OID, in DER - 4 NAME_LEN Length of name - NAME_LEN NAME Exported name; format defined in - applicable mechanism draft. - - A concrete example of the contents of an exported name object, - derived from the Kerberos Version 5 mechanism, is as follows: - - 04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 hx xx xx xl pp qq ... zz - - 04 01 mandatory token identifier - - 00 0B 2-byte length of the immediately following DER-encoded - ASN.1 value of type OID, most significant octet first - - - - - - - - -Linn Standards Track [Page 84] - -RFC 2743 GSS-API January 2000 - - - 06 09 2A 86 48 86 F7 12 01 02 02 DER-encoded ASN.1 value - of type OID; Kerberos V5 - mechanism OID indicates - Kerberos V5 exported name - - in Detail: 06 Identifier octet (6=OID) - 09 Length octet(s) - 2A 86 48 86 F7 12 01 02 02 Content octet(s) - - hx xx xx xl 4-byte length of the immediately following exported - name blob, most significant octet first - - pp qq ... 
zz exported name blob of specified length, - bits and bytes specified in the - (Kerberos 5) GSS-API v2 mechanism spec - -4: Name Type Definitions - - This section includes definitions for name types and associated - syntaxes which are defined in a mechanism-independent fashion at the - GSS-API level rather than being defined in individual mechanism - specifications. - -4.1: Host-Based Service Name Form - - This name form shall be represented by the Object Identifier: - - {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - "gssapi(2) generic(1) service_name(4)}. - - The recommended symbolic name for this type is - "GSS_C_NT_HOSTBASED_SERVICE". - - For reasons of compatibility with existing implementations, it is - recommended that this OID be used rather than the alternate value as - included in [RFC-2078]: - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 2(gss-host-based-services)} - - While it is not recommended that this alternate value be emitted on - output by GSS implementations, it is recommended that it be accepted - on input as equivalent to the recommended value. - - - - - - - - -Linn Standards Track [Page 85] - -RFC 2743 GSS-API January 2000 - - - This name type is used to represent services associated with host - computers. Support for this name form is recommended to mechanism - designers in the interests of portability, but is not mandated by - this specification. This name form is constructed using two elements, - "service" and "hostname", as follows: - - service@hostname - - When a reference to a name of this type is resolved, the "hostname" - may (as an example implementation strategy) be canonicalized by - attempting a DNS lookup and using the fully-qualified domain name - which is returned, or by using the "hostname" as provided if the DNS - lookup fails. The canonicalization operation also maps the host's - name into lower-case characters. - - The "hostname" element may be omitted. 
If no "@" separator is - included, the entire name is interpreted as the service specifier, - with the "hostname" defaulted to the canonicalized name of the local - host. - - Documents specifying means for GSS integration into a particular - protocol should state either: - - (a) that a specific IANA-registered name associated with that - protocol shall be used for the "service" element (this admits, if - needed, the possibility that a single name can be registered and - shared among a related set of protocols), or - - (b) that the generic name "host" shall be used for the "service" - element, or - - (c) that, for that protocol, fallback in specified order (a, then - b) or (b, then a) shall be applied. - - IANA registration of specific names per (a) should be handled in - accordance with the "Specification Required" assignment policy, - defined by BCP 26, RFC 2434 as follows: "Values and their meaning - must be documented in an RFC or other available reference, in - sufficient detail so that interoperability between independent - implementations is possible." - -4.2: User Name Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) user_name(1)}. The recommended mechanism-independent - symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same - - - - -Linn Standards Track [Page 86] - -RFC 2743 GSS-API January 2000 - - - name form and OID is defined within the Kerberos V5 GSS-API - mechanism, but the symbolic name recommended there begins with a - "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a named user on a local system. - Its syntax and interpretation may be OS-specific. This name form is - constructed as: - - username - -4.3: Machine UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) machine_uid_name(2)}. 
The recommended mechanism- - independent symbolic name for this type is - "GSS_C_NT_MACHINE_UID_NAME". (Note: the same name form and OID is - defined within the Kerberos V5 GSS-API mechanism, but the symbolic - name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a numeric user identifier - corresponding to a user on a local system. Its interpretation is - OS-specific. The gss_buffer_desc representing a name of this type - should contain a locally-significant user ID, represented in host - byte order. The GSS_Import_name() operation resolves this uid into a - username, which is then treated as the User Name Form. - -4.4: String UID Form - - This name form shall be represented by the Object Identifier {iso(1) - member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - generic(1) string_uid_name(3)}. The recommended symbolic name for - this type is "GSS_C_NT_STRING_UID_NAME". (Note: the same name form - and OID is defined within the Kerberos V5 GSS-API mechanism, but the - symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.) - - This name type is used to indicate a string of digits representing - the numeric user identifier of a user on a local system. Its - interpretation is OS-specific. This name type is similar to the - Machine UID Form, except that the buffer contains a string - representing the user ID. - -4.5: Anonymous Nametype - - The following Object Identifier value is provided as a means to - identify anonymous names, and can be compared against in order to - determine, in a mechanism-independent fashion, whether a name refers - to an anonymous principal: - - - -Linn Standards Track [Page 87] - -RFC 2743 GSS-API January 2000 - - - {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), - 3(gss-anonymous-name)} - - The recommended symbolic name corresponding to this definition is - GSS_C_NT_ANONYMOUS. 
-
-4.6: GSS_C_NO_OID
-
- The recommended symbolic name GSS_C_NO_OID corresponds to a null
- input value instead of an actual object identifier. Where specified,
- it indicates interpretation of an associated name based on a
- mechanism-specific default printable syntax.
-
-4.7: Exported Name Object
-
- Name objects of the Mechanism-Independent Exported Name Object type,
- as defined in Section 3.2 of this document, will be identified with
- the following Object Identifier:
-
- {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
- 4(gss-api-exported-name)}
-
- The recommended symbolic name corresponding to this definition is
- GSS_C_NT_EXPORT_NAME.
-
-4.8: GSS_C_NO_NAME
-
- The recommended symbolic name GSS_C_NO_NAME indicates that no name is
- being passed within a particular value of a parameter used for the
- purpose of transferring names. Note: GSS_C_NO_NAME is not an actual
- name type, and is not represented by an OID; its acceptability in
- lieu of an actual name is confined to specific calls
- (GSS_Acquire_cred(), GSS_Add_cred(), and GSS_Init_sec_context()) with
- usages as identified within this specification.
-
-5: Mechanism-Specific Example Scenarios
-
- This section provides illustrative overviews of the use of various
- candidate mechanism types to support the GSS-API. These discussions
- are intended primarily for readers familiar with specific security
- technologies, demonstrating how GSS-API functions can be used and
- implemented by candidate underlying mechanisms. They should not be
- regarded as constrictive to implementations or as defining the only
- means through which GSS-API functions can be realized with a
- particular underlying technology, and do not demonstrate all GSS-API
- features with each technology.
-
-
-
-
-
-Linn Standards Track [Page 88]
-
-RFC 2743 GSS-API January 2000
-
-
-5.1: Kerberos V5, single-TGT
-
- OS-specific login functions yield a TGT to the local realm Kerberos
- server; TGT is placed in a credentials structure for the client.
- Client calls GSS_Acquire_cred() to acquire a cred_handle in order to
- reference the credentials for use in establishing security contexts.
-
- Client calls GSS_Init_sec_context(). If the requested service is
- located in a different realm, GSS_Init_sec_context() gets the
- necessary TGT/key pairs needed to traverse the path from local to
- target realm; these data are placed in the owner's TGT cache. After
- any needed remote realm resolution, GSS_Init_sec_context() yields a
- service ticket to the requested service with a corresponding session
- key; these data are stored in conjunction with the context. GSS-API
- code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
- response(s) (in the successful case) or KRB_ERROR.
-
- Assuming success, GSS_Init_sec_context() builds a Kerberos-formatted
- KRB_AP_REQ message, and returns it in output_token. The client sends
- the output_token to the service.
-
- The service passes the received token as the input_token argument to
- GSS_Accept_sec_context(), which verifies the authenticator, provides
- the service with the client's authenticated name, and returns an
- output_context_handle.
-
- Both parties now hold the session key associated with the service
- ticket, and can use this key in subsequent GSS_GetMIC(),
- GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() operations.
-
-5.2: Kerberos V5, double-TGT
-
- TGT acquisition as above.
-
- Note: To avoid unnecessary frequent invocations of error paths when
- implementing the GSS-API atop Kerberos V5, it seems appropriate to
- represent "single-TGT K-V5" and "double-TGT K-V5" with separate
- mech_types, and this discussion makes that assumption.
-
- Based on the (specified or defaulted) mech_type,
- GSS_Init_sec_context() determines that the double-TGT protocol
- should be employed for the specified target. GSS_Init_sec_context()
- returns GSS_S_CONTINUE_NEEDED major_status, and its returned
- output_token contains a request to the service for the service's TGT.
- (If a service TGT with suitably long remaining lifetime already
- exists in a cache, it may be usable, obviating the need for this
- step.) The client passes the output_token to the service. Note: this
- scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED
-
-
-
-Linn Standards Track [Page 89]
-
-RFC 2743 GSS-API January 2000
-
-
- status return facility than for support of mutual authentication;
- note that both uses can coexist as successive operations within a
- single context establishment operation.
-
- The service passes the received token as the input_token argument to
- GSS_Accept_sec_context(), which recognizes it as a request for TGT.
- (Note that current Kerberos V5 defines no intra-protocol mechanism to
- represent such a request.) GSS_Accept_sec_context() returns
- GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in
- its output_token. The service sends the output_token to the client.
-
- The client passes the received token as the input_token argument to a
- continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches
- the received service TGT and uses it as part of a service ticket
- request to the Kerberos authentication server, storing the returned
- service ticket and session key in conjunction with the context.
- GSS_Init_sec_context() builds a Kerberos-formatted authenticator, and
- returns it in output_token along with GSS_S_COMPLETE return
- major_status. The client sends the output_token to the service.
-
- Service passes the received token as the input_token argument to a
- continuation call to GSS_Accept_sec_context().
- GSS_Accept_sec_context() verifies the authenticator, provides the
- service with the client's authenticated name, and returns
- major_status GSS_S_COMPLETE.
-
- GSS_GetMIC(), GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap() as
- above.
-
-5.3: X.509 Authentication Framework
-
- This example illustrates use of the GSS-API in conjunction with
- public-key mechanisms, consistent with the X.509 Directory
- Authentication Framework.
-
- The GSS_Acquire_cred() call establishes a credentials structure,
- making the client's private key accessible for use on behalf of the
- client.
-
- The client calls GSS_Init_sec_context(), which interrogates the
- Directory to acquire (and validate) a chain of public-key
- certificates, thereby collecting the public key of the service. The
- certificate validation operation determines that suitable integrity
- checks were applied by trusted authorities and that those
- certificates have not expired. GSS_Init_sec_context() generates a
- secret key for use in per-message protection operations on the
- context, and enciphers that secret key under the service's public
- key.
-
-
-
-Linn Standards Track [Page 90]
-
-RFC 2743 GSS-API January 2000
-
-
- The enciphered secret key, along with an authenticator quantity
- signed with the client's private key, is included in the output_token
- from GSS_Init_sec_context(). The output_token also carries a
- certification path, consisting of a certificate chain leading from
- the service to the client; a variant approach would defer this path
- resolution to be performed by the service instead of being asserted
- by the client. The client application sends the output_token to the
- service.
-
- The service passes the received token as the input_token argument to
- GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the
- certification path, and as a result determines a certified binding
- between the client's distinguished name and the client's public key.
- Given that public key, GSS_Accept_sec_context() can process the
- input_token's authenticator quantity and verify that the client's
- private key was used to sign the input_token. At this point, the
- client is authenticated to the service. The service uses its private
- key to decipher the enciphered secret key provided to it for per-
- message protection operations on the context.
-
- The client calls GSS_GetMIC() or GSS_Wrap() on a data message, which
- causes per-message authentication, integrity, and (optional)
- confidentiality facilities to be applied to that message. The service
- uses the context's shared secret key to perform corresponding
- GSS_VerifyMIC() and GSS_Unwrap() calls.
-
-6: Security Considerations
-
- This document specifies a service interface for security facilities
- and services; as such, security considerations are considered
- throughout the specification. Nonetheless, it is appropriate to
- summarize certain specific points relevant to GSS-API implementors
- and calling applications. Usage of the GSS-API interface does not in
- itself provide security services or assurance; instead, these
- attributes are dependent on the underlying mechanism(s) which support
- a GSS-API implementation. Callers must be attentive to the requests
- made to GSS-API calls and to the status indicators returned by GSS-
- API, as these specify the security service characteristics which
- GSS-API will provide. When the interprocess context transfer
- facility is used, appropriate local controls should be applied to
- constrain access to interprocess tokens and to the sensitive data
- which they contain.
- - - - - - - - - -Linn Standards Track [Page 91] - -RFC 2743 GSS-API January 2000 - - -7: Related Activities - - In order to implement the GSS-API atop existing, emerging, and future - security mechanisms: - - object identifiers must be assigned to candidate GSS-API - mechanisms and the name types which they support - - concrete data element formats and processing procedures must be - defined for candidate mechanisms - - Calling applications must implement formatting conventions which will - enable them to distinguish GSS-API tokens from other data carried in - their application protocols. - - Concrete language bindings are required for the programming - environments in which the GSS-API is to be employed, as [RFC-1509] - defines for the C programming language and GSS-V1. C Language - bindings for GSS-V2 are defined in [RFC-2744]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 92] - -RFC 2743 GSS-API January 2000 - - -8: Referenced Documents - - [ISO-7498-2] International Standard ISO 7498-2-1988(E), Security - Architecture. - - [ISOIEC-8824] ISO/IEC 8824, "Specification of Abstract Syntax - Notation One (ASN.1)". - - [ISOIEC-8825] ISO/IEC 8825, "Specification of Basic Encoding Rules - for Abstract Syntax Notation One (ASN.1)".) - - [RFC-1507]: Kaufman, C., "DASS: Distributed Authentication Security - Service", RFC 1507, September 1993. - - [RFC-1508]: Linn, J., "Generic Security Service Application Program - Interface", RFC 1508, September 1993. - - [RFC-1509]: Wray, J., "Generic Security Service API: C-bindings", - RFC 1509, September 1993. - - [RFC-1964]: Linn, J., "The Kerberos Version 5 GSS-API Mechanism", - RFC 1964, June 1996. - - [RFC-2025]: Adams, C., "The Simple Public-Key GSS-API Mechanism - (SPKM)", RFC 2025, October 1996. - - [RFC-2078]: Linn, J., "Generic Security Service Application Program - Interface, Version 2", RFC 2078, January 1997. - - [RFC-2203]: Eisler, M., Chiu, A. and L. 
Ling, "RPCSEC_GSS Protocol - Specification", RFC 2203, September 1997. - - [RFC-2744]: Wray, J., "Generic Security Service API Version 2 : - C-bindings", RFC 2744, January 2000. - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 93] - -RFC 2743 GSS-API January 2000 - - -APPENDIX A - -MECHANISM DESIGN CONSTRAINTS - - The following constraints on GSS-API mechanism designs are adopted in - response to observed caller protocol requirements, and adherence - thereto is anticipated in subsequent descriptions of GSS-API - mechanisms to be documented in standards-track Internet - specifications. - - It is strongly recommended that mechanisms offering per-message - protection services also offer at least one of the replay detection - and sequencing services, as mechanisms offering neither of the latter - will fail to satisfy recognized requirements of certain candidate - caller protocols. - -APPENDIX B - -COMPATIBILITY WITH GSS-V1 - - It is the intent of this document to define an interface and - procedures which preserve compatibility between GSS-V1 [RFC-1508] - callers and GSS-V2 providers. All calls defined in GSS-V1 are - preserved, and it has been a goal that GSS-V1 callers should be able - to operate atop GSS-V2 provider implementations. Certain detailed - changes, summarized in this section, have been made in order to - resolve omissions identified in GSS-V1. - - The following GSS-V1 constructs, while supported within GSS-V2, are - deprecated: - - Names for per-message processing routines: GSS_Seal() deprecated - in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of - GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap(); - GSS_Verify() deprecated in favor of GSS_VerifyMIC(). - - GSS_Delete_sec_context() facility for context_token usage, - allowing mechanisms to signal context deletion, is retained for - compatibility with GSS-V1. 
For current usage, it is recommended - that both peers to a context invoke GSS_Delete_sec_context() - independently, passing a null output_context_token buffer to - indicate that no context_token is required. Implementations of - GSS_Delete_sec_context() should delete relevant locally-stored - context information. - - This GSS-V2 specification adds the following calls which are not - present in GSS-V1: - - - - -Linn Standards Track [Page 94] - -RFC 2743 GSS-API January 2000 - - - Credential management calls: GSS_Add_cred(), - GSS_Inquire_cred_by_mech(). - - Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(), - GSS_Export_sec_context(), GSS_Import_sec_context(). - - Per-message calls: No new calls. Existing calls have been - renamed. - - Support calls: GSS_Create_empty_OID_set(), - GSS_Add_OID_set_member(), GSS_Test_OID_set_member(), - GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(), - GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name(). - - This GSS-V2 specification introduces three new facilities applicable - to security contexts, indicated using the following context state - values which are not present in GSS-V1: - - anon_state, set TRUE to indicate that a context's initiator is - anonymous from the viewpoint of the target; Section 1.2.5 of this - specification provides a summary description of the GSS-V2 - anonymity support facility, support and use of which is optional. - - prot_ready_state, set TRUE to indicate that a context may be used - for per-message protection before final completion of context - establishment; Section 1.2.7 of this specification provides a - summary description of the GSS-V2 facility enabling mechanisms to - selectively permit per-message protection during context - establishment, support and use of which is optional. - - trans_state, set TRUE to indicate that a context is transferable - to another process using the GSS-V2 GSS_Export_sec_context() - facility. 
-
- These state values are represented (at the C bindings level) in
- positions within a bit vector which are unused in GSS-V1, and may be
- safely ignored by GSS-V1 callers.
-
- New conf_req_flag and integ_req_flag inputs are defined for
- GSS_Init_sec_context(), primarily to provide information to
- negotiating mechanisms. This introduces a compatibility issue with
- GSS-V1 callers, discussed in section 2.2.1 of this specification.
-
-
-
-
-
-
-
-
-Linn Standards Track [Page 95]
-
-RFC 2743 GSS-API January 2000
-
-
- Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API
- implementors in the following areas: implementation robustness,
- credential management, behavior in multi-mechanism configurations,
- naming support, and inclusion of optional sequencing services. The
- token tagging facility as defined in GSS-V2, Section 3.1, is now
- described directly in terms of octets to facilitate interoperable
- implementation without general ASN.1 processing code; the
- corresponding ASN.1 syntax, included for descriptive purposes, is
- unchanged from that in GSS-V1. For use in conjunction with added
- naming support facilities, a new Exported Name Object construct is
- added. Additional name types are introduced in Section 4.
-
- This GSS-V2 specification adds the following major_status values
- which are not defined in GSS-V1:
-
- GSS_S_BAD_QOP unsupported QOP value
- GSS_S_UNAUTHORIZED operation unauthorized
- GSS_S_UNAVAILABLE operation unavailable
- GSS_S_DUPLICATE_ELEMENT duplicate credential element
- requested
- GSS_S_NAME_NOT_MN name contains multi-mechanism
- elements
- GSS_S_GAP_TOKEN skipped predecessor token(s)
- detected
-
- Of these added status codes, only two values are defined to be
- returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
- GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
- GSS_VerifyMIC() and GSS_Unwrap()).
-
- Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
- have been updated to allow return of additional major_status values
- from the set as defined in GSS-V1: GSS_Inquire_cred() has
- GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
- returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
- GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
- GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.
-
-APPENDIX C
-
-CHANGES RELATIVE TO RFC-2078
-
- This document incorporates a number of changes relative to RFC-2078,
- made primarily in response to implementation experience, for purposes
- of alignment with the GSS-V2 C language bindings document, and to add
- informative clarification. This section summarizes technical changes
- incorporated.
-
-
-
-
-Linn Standards Track [Page 96]
-
-RFC 2743 GSS-API January 2000
-
-
- General:
-
- Clarified usage of object release routines, and incorporated
- statement that some may be omitted within certain operating
- environments.
-
- Removed GSS_Release_OID, GSS_OID_to_str(), and GSS_Str_to_OID()
- routines.
-
- Clarified circumstances under which zero-length tokens may validly
- exist as inputs and outputs to/from GSS-API calls.
-
- Added GSS_S_BAD_MIC status code as alias for GSS_S_BAD_SIG.
-
- For GSS_Display_status(), deferred to language bindings the choice
- of whether to return multiple status values in parallel or via
- iteration, and added commentary deprecating return of
- GSS_S_CONTINUE_NEEDED.
-
- Adapted and incorporated clarifying material on optional service
- support, delegation, and interprocess context transfer from C
- bindings document.
-
- Added and updated references to related documents, and to current
- status of cited Kerberos mechanism OID.
-
- Added general statement about GSS-API calls having no side effects
- visible at the GSS-API level.
-
- Context-related (including per-message protection issues):
-
- Clarified GSS_Delete_sec_context() usage for partially-established
- contexts.
-
- Added clarification on GSS_Export_sec_context() and
- GSS_Import_sec_context() behavior and context usage following an
- export-import sequence.
-
- Added informatory conf_req_flag, integ_req_flag inputs to
- GSS_Init_sec_context(). (Note: this facility introduces a
- backward incompatibility with GSS-V1 callers, discussed in Section
- 2.2.1; this implication was recognized and accepted in working
- group discussion.)
-
- Stated that GSS_S_FAILURE is to be returned if
- GSS_Init_sec_context() or GSS_Accept_sec_context() is passed the
- handle of a context which is already fully established.
-
-
-
-
-Linn Standards Track [Page 97]
-
-RFC 2743 GSS-API January 2000
-
-
- Re GSS_Inquire_sec_context(), stated that src_name and targ_name
- are not returned until GSS_S_COMPLETE status is reached; removed
- use of GSS_S_CONTEXT_EXPIRED status code (replacing with EXPIRED
- lifetime return value); stated requirement to retain inquirable
- data until context released by caller; added result value
- indicating whether or not context is fully open.
-
- Added discussion of interoperability conditions for mechanisms
- permitting optional support of QOPs. Removed reference to
- structured QOP elements in GSS_Verify_MIC().
-
- Added discussion of use of GSS_S_DUPLICATE_TOKEN status to
- indicate reflected per-message tokens.
-
- Clarified use of informational sequencing codes from per-message
- protection calls in conjunction with GSS_S_COMPLETE and
- GSS_S_FAILURE major_status returns, adjusting status code
- descriptions accordingly.
-
- Added specific statements about impact of GSS_GetMIC() and
- GSS_Wrap() failures on context state information, and generalized
- existing statements about impact of processing failures on
- received per-message tokens.
- - For GSS_Init_sec_context() and GSS_Accept_sec_context(), permitted - returned mech_type to be valid before GSS_S_COMPLETE, recognizing - that the value may change on successive continuation calls in the - negotiated mechanism case. - - Deleted GSS_S_CONTEXT_EXPIRED status from - GSS_Import_sec_context(). - - Added conf_req_flag input to GSS_Wrap_size_limit(). - - Stated requirement for mechanisms' support of per-message - protection services to be usable concurrently in both directions - on a context. - - Credential-related: - - For GSS_Acquire_cred() and GSS_Add_cred(), aligned with C bindings - statement of likely non-support for INITIATE or BOTH credentials - if input name is neither empty nor a name resulting from applying - GSS_Inquire_cred() against the default credential. Further, - stated that an explicit name returned by GSS_Inquire_context() - should also be accepted. Added commentary about potentially - time-variant results of default resolution and attendant - implications. Aligned with C bindings re behavior when - - - -Linn Standards Track [Page 98] - -RFC 2743 GSS-API January 2000 - - - GSS_C_NO_NAME provided for desired_name. In GSS_Acquire_cred(), - stated that NULL, rather than empty OID set, should be used for - desired_mechs in order to request default mechanism set. - - Added GSS_S_CREDENTIALS_EXPIRED as returnable major_status for - GSS_Acquire_cred(), GSS_Add_cred(), also specifying GSS_S_NO_CRED - as appropriate return for temporary, user-fixable credential - unavailability. GSS_Acquire_cred() and GSS_Add_cred() are also to - return GSS_S_NO_CRED if an authorization failure is encountered - upon credential acquisition. - - Removed GSS_S_CREDENTIALS_EXPIRED status return from per-message - protection, GSS_Context_time(), and GSS_Inquire_context() calls. - - For GSS_Add_cred(), aligned with C bindings' description of - behavior when addition of elements to the default credential is - requested. 
- - Upgraded recommended default credential resolution algorithm to - status of requirement for initiator credentials. - - For GSS_Release_cred(), GSS_Inquire_cred(), and - GSS_Inquire_cred_by_mech(), clarified behavior for input - GSS_C_NO_CREDENTIAL. - - Name-related: - - Aligned GSS_Inquire_mechs_for_name() description with C bindings. - - Removed GSS_S_BAD_NAMETYPE status return from - GSS_Duplicate_name(), GSS_Display_name(); constrained its - applicability for GSS_Compare_name(). - - Aligned with C bindings statement re GSS_Import_name() behavior - with GSS_C_NO_OID input name type, and stated that GSS-V2 - mechanism specifications are to define processing procedures - applicable to their mechanisms. Also clarified GSS_C_NO_OID usage - with GSS_Display_name(). - - Downgraded reference to name canonicalization via DNS lookup to an - example. - - For GSS_Canonicalize_name(), stated that neither negotiated - mechanisms nor the default mechanism are supported input - mech_types for this operation, and specified GSS_S_BAD_MECH status - to be returned in this case. Clarified that the - GSS_Canonicalize_name() operation is non-destructive to its input - name. - - - -Linn Standards Track [Page 99] - -RFC 2743 GSS-API January 2000 - - - Clarified semantics of GSS_C_NT_USER_NAME name type. - - Added descriptions of additional name types. Also added - discussion of GSS_C_NO_NAME and its constrained usage with - specific GSS calls. - - Adapted and incorporated C bindings discussion about name - comparisons with exported name objects. - - Added recommendation to mechanism designers for support of host- - based service name type, deferring any requirement statement to - individual mechanism specifications. Added discussion of host- - based service's service name element and proposed approach for - IANA registration policy therefor. - - Clarified byte ordering within exported name object. 
Stated that - GSS_S_BAD_MECH is to be returned if, in the course of attempted - import of an exported name object, the name object's enclosed - mechanism type is unrecognized or unsupported. - - Stated that mechanisms may optionally accept GSS_C_NO_NAME as an - input target name to GSS_Init_sec_context(), with comment that - such support is unlikely within mechanisms predating GSS-V2, - Update 1. - -AUTHOR'S ADDRESS - - John Linn - RSA Laboratories - 20 Crosby Drive - Bedford, MA 01730 USA - - Phone: +1 781.687.7817 - EMail: jlinn@rsasecurity.com - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 100] - -RFC 2743 GSS-API January 2000 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. 
- - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Linn Standards Track [Page 101] -
diff --git a/crypto/heimdal/doc/standardisation/rfc2744.txt b/crypto/heimdal/doc/standardisation/rfc2744.txt
deleted file mode 100644
index 7f0c61946f24..000000000000
--- a/crypto/heimdal/doc/standardisation/rfc2744.txt
+++ /dev/null
@@ -1,5659 +0,0 @@ - - - - - - -Network Working Group J. Wray -Request for Comments: 2744 Iris Associates -Obsoletes: 1509 January 2000 -Category: Standards Track - - - Generic Security Service API Version 2 : C-bindings - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2000). All Rights Reserved. - -Abstract - - This document specifies C language bindings for Version 2, Update 1 - of the Generic Security Service Application Program Interface (GSS- - API), which is described at a language-independent conceptual level - in RFC-2743 [GSSAPI]. It obsoletes RFC-1509, making specific - incremental changes in response to implementation experience and - liaison requests. It is intended, therefore, that this memo or a - successor version thereof will become the basis for subsequent - progression of the GSS-API specification on the standards track. - - The Generic Security Service Application Programming Interface - provides security services to its callers, and is intended for - implementation atop a variety of underlying cryptographic mechanisms. - Typically, GSS-API callers will be application protocols into which - security enhancements are integrated through invocation of services - provided by the GSS-API. The GSS-API allows a caller application to - authenticate a principal identity associated with a peer application, - to delegate rights to a peer, and to apply security services such as - confidentiality and integrity on a per-message basis. - - - - - - - - - - - -Wray Standards Track [Page 1] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -1. 
Introduction - - The Generic Security Service Application Programming Interface - [GSSAPI] provides security services to calling applications. It - allows a communicating application to authenticate the user - associated with another application, to delegate rights to another - application, and to apply security services such as confidentiality - and integrity on a per-message basis. - - There are four stages to using the GSS-API: - - a) The application acquires a set of credentials with which it may - prove its identity to other processes. The application's - credentials vouch for its global identity, which may or may not be - related to any local username under which it may be running. - - b) A pair of communicating applications establish a joint security - context using their credentials. The security context is a pair - of GSS-API data structures that contain shared state information, - which is required in order that per-message security services may - be provided. Examples of state that might be shared between - applications as part of a security context are cryptographic keys, - and message sequence numbers. As part of the establishment of a - security context, the context initiator is authenticated to the - responder, and may require that the responder is authenticated in - turn. The initiator may optionally give the responder the right - to initiate further security contexts, acting as an agent or - delegate of the initiator. This transfer of rights is termed - delegation, and is achieved by creating a set of credentials, - similar to those used by the initiating application, but which may - be used by the responder. - - To establish and maintain the shared information that makes up the - security context, certain GSS-API calls will return a token data - structure, which is an opaque data type that may contain - cryptographically protected data. 
The caller of such a GSS-API - routine is responsible for transferring the token to the peer - application, encapsulated if necessary in an application- - application protocol. On receipt of such a token, the peer - application should pass it to a corresponding GSS-API routine - which will decode the token and extract the information, updating - the security context state information accordingly. - - - - - - - - - -Wray Standards Track [Page 2] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - c) Per-message services are invoked to apply either: - - integrity and data origin authentication, or confidentiality, - integrity and data origin authentication to application data, - which are treated by GSS-API as arbitrary octet-strings. An - application transmitting a message that it wishes to protect will - call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to - apply protection, specifying the appropriate security context, and - send the resulting token to the receiving application. The - receiver will pass the received token (and, in the case of data - protected by gss_get_mic, the accompanying message-data) to the - corresponding decoding routine (gss_verify_mic or gss_unwrap) to - remove the protection and validate the data. - - d) At the completion of a communications session (which may extend - across several transport connections), each application calls a - GSS-API routine to delete the security context. Multiple contexts - may also be used (either successively or simultaneously) within a - single communications association, at the option of the - applications. - -2. GSS-API Routines - - This section lists the routines that make up the GSS-API, and - offers a brief description of the purpose of each routine. - Detailed descriptions of each routine are listed in alphabetical - order in section 5. 
- - Table 2-1 GSS-API Credential-management Routines - - Routine Section Function - ------- ------- -------- - gss_acquire_cred 5.2 Assume a global identity; Obtain - a GSS-API credential handle for - pre-existing credentials. - gss_add_cred 5.3 Construct credentials - incrementally - gss_inquire_cred 5.21 Obtain information about a - credential - gss_inquire_cred_by_mech 5.22 Obtain per-mechanism information - about a credential. - gss_release_cred 5.27 Discard a credential handle. - - - - - - - - - -Wray Standards Track [Page 3] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 2-2 GSS-API Context-Level Routines - - Routine Section Function - ------- ------- -------- - gss_init_sec_context 5.19 Initiate a security context with - a peer application - gss_accept_sec_context 5.1 Accept a security context - initiated by a - peer application - gss_delete_sec_context 5.9 Discard a security context - gss_process_context_token 5.25 Process a token on a security - context from a peer application - gss_context_time 5.7 Determine for how long a context - will remain valid - gss_inquire_context 5.20 Obtain information about a - security context - gss_wrap_size_limit 5.34 Determine token-size limit for - gss_wrap on a context - gss_export_sec_context 5.14 Transfer a security context to - another process - gss_import_sec_context 5.17 Import a transferred context - - - Table 2-3 GSS-API Per-message Routines - - Routine Section Function - ------- ------- -------- - gss_get_mic 5.15 Calculate a cryptographic message - integrity code (MIC) for a - message; integrity service - gss_verify_mic 5.32 Check a MIC against a message; - verify integrity of a received - message - gss_wrap 5.33 Attach a MIC to a message, and - optionally encrypt the message - content; - confidentiality service - gss_unwrap 5.31 Verify a message with attached - MIC, and decrypt message content - if necessary. 
- - - - - - - - - - - -Wray Standards Track [Page 4] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 2-4 GSS-API Name manipulation Routines - - Routine Section Function - ------- ------- -------- - gss_import_name 5.16 Convert a contiguous string name - to internal-form - gss_display_name 5.10 Convert internal-form name to - text - gss_compare_name 5.6 Compare two internal-form names - - gss_release_name 5.28 Discard an internal-form name - gss_inquire_names_for_mech 5.24 List the name-types supported by - the specified mechanism - gss_inquire_mechs_for_name 5.23 List mechanisms that support the - specified name-type - gss_canonicalize_name 5.5 Convert an internal name to an MN - gss_export_name 5.13 Convert an MN to export form - gss_duplicate_name 5.12 Create a copy of an internal name - - - Table 2-5 GSS-API Miscellaneous Routines - - Routine Section Function - ------- ------- -------- - gss_add_oid_set_member 5.4 Add an object identifier to - a set - gss_display_status 5.11 Convert a GSS-API status code - to text - gss_indicate_mechs 5.18 Determine available underlying - authentication mechanisms - gss_release_buffer 5.26 Discard a buffer - gss_release_oid_set 5.29 Discard a set of object - identifiers - gss_create_empty_oid_set 5.8 Create a set containing no - object identifiers - gss_test_oid_set_member 5.30 Determines whether an object - identifier is a member of a set. - - Individual GSS-API implementations may augment these routines by - providing additional mechanism-specific routines if required - functionality is not available from the generic forms. Applications - are encouraged to use the generic routines wherever possible on - portability grounds. - - - - - - - - -Wray Standards Track [Page 5] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3. Data Types and Calling Conventions - - The following conventions are used by the GSS-API C-language - bindings: - -3.1. 
Integer types - - GSS-API uses the following integer data type: - - OM_uint32 32-bit unsigned integer - - Where guaranteed minimum bit-count is important, this portable data - type is used by the GSS-API routine definitions. Individual GSS-API - implementations will include appropriate typedef definitions to map - this type onto a built-in data type. If the platform supports the - X/Open xom.h header file, the OM_uint32 definition contained therein - should be used; the GSS-API header file in Appendix A contains logic - that will detect the prior inclusion of xom.h, and will not attempt - to re-declare OM_uint32. If the X/Open header file is not available - on the platform, the GSS-API implementation should use the smallest - natural unsigned integer type that provides at least 32 bits of - precision. - -3.2. String and similar data - - Many of the GSS-API routines take arguments and return values that - describe contiguous octet-strings. All such data is passed between - the GSS-API and the caller using the gss_buffer_t data type. This - data type is a pointer to a buffer descriptor, which consists of a - length field that contains the total number of bytes in the datum, - and a value field which contains a pointer to the actual datum: - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - Storage for data returned to the application by a GSS-API routine - using the gss_buffer_t conventions is allocated by the GSS-API - routine. The application may free this storage by invoking the - gss_release_buffer routine. Allocation of the gss_buffer_desc object - is always the responsibility of the application; unused - gss_buffer_desc objects may be initialized to the value - GSS_C_EMPTY_BUFFER. - - - - - - - -Wray Standards Track [Page 6] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.2.1. 
Opaque data types - - Certain multiple-word data items are considered opaque data types at - the GSS-API, because their internal structure has no significance - either to the GSS-API or to the caller. Examples of such opaque data - types are the input_token parameter to gss_init_sec_context (which is - opaque to the caller), and the input_message parameter to gss_wrap - (which is opaque to the GSS-API). Opaque data is passed between the - GSS-API and the application using the gss_buffer_t datatype. - -3.2.2. Character strings - - Certain multiple-word data items may be regarded as simple ISO - Latin-1 character strings. Examples are the printable strings passed - to gss_import_name via the input_name_buffer parameter. Some GSS-API - routines also return character strings. All such character strings - are passed between the application and the GSS-API implementation - using the gss_buffer_t datatype, which is a pointer to a - gss_buffer_desc object. - - When a gss_buffer_desc object describes a printable string, the - length field of the gss_buffer_desc should only count printable - characters within the string. In particular, a trailing NUL - character should NOT be included in the length count, nor should - either the GSS-API implementation or the application assume the - presence of an uncounted trailing NUL. - -3.3. Object Identifiers - - Certain GSS-API procedures take parameters of the type gss_OID, or - Object identifier. This is a type containing ISO-defined tree- - structured values, and is used by the GSS-API caller to select an - underlying security mechanism and to specify namespaces. A value of - type gss_OID has the following structure: - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - The elements field of this structure points to the first byte of an - octet string containing the ASN.1 BER encoding of the value portion - of the normal BER TLV encoding of the gss_OID. 
The length field - contains the number of bytes in this value. For example, the gss_OID - value corresponding to {iso(1) identified-organization(3) icd- - ecma(12) member-company(2) dec(1011) cryptoAlgorithms(7) DASS(5)}, - meaning the DASS X.509 authentication mechanism, has a length field - of 7 and an elements field pointing to seven octets containing the - - - -Wray Standards Track [Page 7] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - following octal values: 53,14,2,207,163,7,5. GSS-API implementations - should provide constant gss_OID values to allow applications to - request any supported mechanism, although applications are encouraged - on portability grounds to accept the default mechanism. gss_OID - values should also be provided to allow applications to specify - particular name types (see section 3.10). Applications should treat - gss_OID_desc values returned by GSS-API routines as read-only. In - particular, the application should not attempt to deallocate them - with free(). The gss_OID_desc datatype is equivalent to the X/Open - OM_object_identifier datatype[XOM]. - -3.4. Object Identifier Sets - - Certain GSS-API procedures take parameters of the type gss_OID_set. - This type represents one or more object identifiers (section 2.3). A - gss_OID_set object has the following structure: - - typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - The count field contains the number of OIDs within the set. The - elements field is a pointer to an array of gss_OID_desc objects, each - of which describes a single OID. gss_OID_set values are used to name - the available mechanisms supported by the GSS-API, to request the use - of specific mechanisms, and to indicate which mechanisms a given - credential supports. 
- - All OID sets returned to the application by GSS-API are dynamic - objects (the gss_OID_set_desc, the "elements" array of the set, and - the "elements" array of each member OID are all dynamically - allocated), and this storage must be deallocated by the application - using the gss_release_oid_set() routine. - -3.5. Credentials - - A credential handle is a caller-opaque atomic datum that identifies a - GSS-API credential data structure. It is represented by the caller- - opaque type gss_cred_id_t, which should be implemented as a pointer - or arithmetic type. If a pointer implementation is chosen, care must - be taken to ensure that two gss_cred_id_t values may be compared with - the == operator. - - GSS-API credentials can contain mechanism-specific principal - authentication data for multiple mechanisms. A GSS-API credential is - composed of a set of credential-elements, each of which is applicable - to a single mechanism. A credential may contain at most one - - - -Wray Standards Track [Page 8] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - credential-element for each supported mechanism. A credential-element - identifies the data needed by a single mechanism to authenticate a - single principal, and conceptually contains two credential-references - that describe the actual mechanism-specific authentication data, one - to be used by GSS-API for initiating contexts, and one to be used - for accepting contexts. For mechanisms that do not distinguish - between acceptor and initiator credentials, both references would - point to the same underlying mechanism-specific authentication data. - - Credentials describe a set of mechanism-specific principals, and give - their holder the ability to act as any of those principals. All - principal identities asserted by a single GSS-API credential should - belong to the same entity, although enforcement of this property is - an implementation-specific matter. 
The GSS-API does not make the - actual credentials available to applications; instead a credential - handle is used to identify a particular credential, held internally - by GSS-API. The combination of GSS-API credential handle and - mechanism identifies the principal whose identity will be asserted by - the credential when used with that mechanism. - - The gss_init_sec_context and gss_accept_sec_context routines allow - the value GSS_C_NO_CREDENTIAL to be specified as their credential - handle parameter. This special credential-handle indicates a desire - by the application to act as a default principal. While individual - GSS-API implementations are free to determine such default behavior - as appropriate to the mechanism, the following default behavior by - these routines is recommended for portability: - - gss_init_sec_context - - 1) If there is only a single principal capable of initiating - security contexts for the chosen mechanism that the application - is authorized to act on behalf of, then that principal shall be - used, otherwise - - 2) If the platform maintains a concept of a default network- - identity for the chosen mechanism, and if the application is - authorized to act on behalf of that identity for the purpose of - initiating security contexts, then the principal corresponding - to that identity shall be used, otherwise - - 3) If the platform maintains a concept of a default local - identity, and provides a means to map local identities into - network-identities for the chosen mechanism, and if the - application is authorized to act on behalf of the network- - identity image of the default local identity for the purpose of - - - - - -Wray Standards Track [Page 9] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - initiating security contexts using the chosen mechanism, then - the principal corresponding to that identity shall be used, - otherwise - - 4) A user-configurable default identity should be used. 
- - gss_accept_sec_context - - 1) If there is only a single authorized principal identity capable - of accepting security contexts for the chosen mechanism, then - that principal shall be used, otherwise - - 2) If the mechanism can determine the identity of the target - principal by examining the context-establishment token, and if - the accepting application is authorized to act as that - principal for the purpose of accepting security contexts using - the chosen mechanism, then that principal identity shall be - used, otherwise - - 3) If the mechanism supports context acceptance by any principal, - and if mutual authentication was not requested, any principal - that the application is authorized to accept security contexts - under using the chosen mechanism may be used, otherwise - - 4)A user-configurable default identity shall be used. - - The purpose of the above rules is to allow security contexts to be - established by both initiator and acceptor using the default behavior - wherever possible. Applications requesting default behavior are - likely to be more portable across mechanisms and platforms than ones - that use gss_acquire_cred to request a specific identity. - -3.6. Contexts - - The gss_ctx_id_t data type contains a caller-opaque atomic value that - identifies one end of a GSS-API security context. It should be - implemented as a pointer or arithmetic type. If a pointer type is - chosen, care should be taken to ensure that two gss_ctx_id_t values - may be compared with the == operator. - - The security context holds state information about each end of a peer - communication, including cryptographic state information. - - - - - - - - - -Wray Standards Track [Page 10] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.7. Authentication tokens - - A token is a caller-opaque type that GSS-API uses to maintain - synchronization between the context data structures at each end of a - GSS-API security context. 
The token is a cryptographically protected - octet-string, generated by the underlying mechanism at one end of a - GSS-API security context for use by the peer mechanism at the other - end. Encapsulation (if required) and transfer of the token are the - responsibility of the peer applications. A token is passed between - the GSS-API and the application using the gss_buffer_t conventions. - -3.8. Interprocess tokens - - Certain GSS-API routines are intended to transfer data between - processes in multi-process programs. These routines use a caller- - opaque octet-string, generated by the GSS-API in one process for use - by the GSS-API in another process. The calling application is - responsible for transferring such tokens between processes in an OS- - specific manner. Note that, while GSS-API implementors are - encouraged to avoid placing sensitive information within interprocess - tokens, or to cryptographically protect them, many implementations - will be unable to avoid placing key material or other sensitive data - within them. It is the application's responsibility to ensure that - interprocess tokens are protected in transit, and transferred only to - processes that are trustworthy. An interprocess token is passed - between the GSS-API and the application using the gss_buffer_t - conventions. - -3.9. Status values - - Every GSS-API routine returns two distinct values to report status - information to the caller: GSS status codes and Mechanism status - codes. - -3.9.1. GSS status codes - - GSS-API routines return GSS status codes as their OM_uint32 function - value. These codes indicate errors that are independent of the - underlying mechanism(s) used to provide the security service. The - errors that can be indicated via a GSS status code are either generic - API routine errors (errors that are defined in the GSS-API - specification) or calling errors (errors that are specific to these - language bindings). 
- - A GSS status code can indicate a single fatal generic API error from - the routine and a single calling error. In addition, supplementary - status information may be indicated via the setting of bits in the - supplementary info field of a GSS status code. - - - -Wray Standards Track [Page 11] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - These errors are encoded into the 32-bit GSS status code as follows: - - MSB LSB - |------------------------------------------------------------| - | Calling Error | Routine Error | Supplementary Info | - |------------------------------------------------------------| - Bit 31 24 23 16 15 0 - - Hence if a GSS-API routine returns a GSS status code whose upper 16 - bits contain a non-zero value, the call failed. If the calling error - field is non-zero, the invoking application's call of the routine was - erroneous. Calling errors are defined in table 5-1. If the routine - error field is non-zero, the routine failed for one of the routine- - specific reasons listed below in table 5-2. Whether or not the upper - 16 bits indicate a failure or a success, the routine may indicate - additional information by setting bits in the supplementary info - field of the status code. The meaning of individual bits is listed - below in table 5-3. - - Table 3-1 Calling Errors - - Name Value in field Meaning - ---- -------------- ------- - GSS_S_CALL_INACCESSIBLE_READ 1 A required input parameter - could not be read - GSS_S_CALL_INACCESSIBLE_WRITE 2 A required output parameter - could not be written. 
- GSS_S_CALL_BAD_STRUCTURE 3 A parameter was malformed - - - - - - - - - - - - - - - - - - - - - - - -Wray Standards Track [Page 12] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 3-2 Routine Errors - - Name Value in field Meaning - ---- -------------- ------- - GSS_S_BAD_MECH 1 An unsupported mechanism - was requested - GSS_S_BAD_NAME 2 An invalid name was - supplied - GSS_S_BAD_NAMETYPE 3 A supplied name was of an - unsupported type - GSS_S_BAD_BINDINGS 4 Incorrect channel bindings - were supplied - GSS_S_BAD_STATUS 5 An invalid status code was - supplied - GSS_S_BAD_MIC GSS_S_BAD_SIG 6 A token had an invalid MIC - GSS_S_NO_CRED 7 No credentials were - supplied, or the - credentials were - unavailable or - inaccessible. - GSS_S_NO_CONTEXT 8 No context has been - established - GSS_S_DEFECTIVE_TOKEN 9 A token was invalid - GSS_S_DEFECTIVE_CREDENTIAL 10 A credential was invalid - GSS_S_CREDENTIALS_EXPIRED 11 The referenced credentials - have expired - GSS_S_CONTEXT_EXPIRED 12 The context has expired - GSS_S_FAILURE 13 Miscellaneous failure (see - text) - GSS_S_BAD_QOP 14 The quality-of-protection - requested could not be - provided - GSS_S_UNAUTHORIZED 15 The operation is forbidden - by local security policy - GSS_S_UNAVAILABLE 16 The operation or option is - unavailable - GSS_S_DUPLICATE_ELEMENT 17 The requested credential - element already exists - GSS_S_NAME_NOT_MN 18 The provided name was not a - mechanism name - - - - - - - - - - - -Wray Standards Track [Page 13] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Table 3-3 Supplementary Status Bits - - Name Bit Number Meaning - ---- ---------- ------- - GSS_S_CONTINUE_NEEDED 0 (LSB) Returned only by - gss_init_sec_context or - gss_accept_sec_context. The - routine must be called again - to complete its function. 
- See routine documentation for - detailed description - GSS_S_DUPLICATE_TOKEN 1 The token was a duplicate of - an earlier token - GSS_S_OLD_TOKEN 2 The token's validity period - has expired - GSS_S_UNSEQ_TOKEN 3 A later token has already been - processed - GSS_S_GAP_TOKEN 4 An expected per-message token - was not received - - The routine documentation also uses the name GSS_S_COMPLETE, which is - a zero value, to indicate an absence of any API errors or - supplementary information bits. - - All GSS_S_xxx symbols equate to complete OM_uint32 status codes, - rather than to bitfield values. For example, the actual value of the - symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is - 3<<16. The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and - GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS - status code and removes all but the relevant field. For example, the - value obtained by applying GSS_ROUTINE_ERROR to a status code removes - the calling errors and supplementary info fields, leaving only the - routine errors field. The values delivered by these macros may be - directly compared with a GSS_S_xxx symbol of the appropriate type. - The macro GSS_ERROR() is also provided, which when applied to a GSS - status code returns a non-zero value if the status code indicated a - calling or routine error, and a zero value otherwise. All macros - defined by GSS-API evaluate their argument(s) exactly once. - - A GSS-API implementation may choose to signal calling errors in a - platform-specific manner instead of, or in addition to the routine - value; routine errors and supplementary info should be returned via - major status values only. - - The GSS major status code GSS_S_FAILURE is used to indicate that the - underlying mechanism detected an error for which no specific GSS - status code is defined. The mechanism-specific status code will - provide more details about the error. 
- - - -Wray Standards Track [Page 14] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.9.2. Mechanism-specific status codes - - GSS-API routines return a minor_status parameter, which is used to - indicate specialized errors from the underlying security mechanism. - This parameter may contain a single mechanism-specific error, - indicated by a OM_uint32 value. - - The minor_status parameter will always be set by a GSS-API routine, - even if it returns a calling error or one of the generic API errors - indicated above as fatal, although most other output parameters may - remain unset in such cases. However, output parameters that are - expected to return pointers to storage allocated by a routine must - always be set by the routine, even in the event of an error, although - in such cases the GSS-API routine may elect to set the returned - parameter value to NULL to indicate that no storage was actually - allocated. Any length field associated with such pointers (as in a - gss_buffer_desc structure) should also be set to zero in such cases. - -3.10. Names - - A name is used to identify a person or entity. GSS-API authenticates - the relationship between a name and the entity claiming the name. - - Since different authentication mechanisms may employ different - namespaces for identifying their principals, GSSAPI's naming support - is necessarily complex in multi-mechanism environments (or even in - some single-mechanism environments where the underlying mechanism - supports multiple namespaces). - - Two distinct representations are defined for names: - - An internal form. This is the GSS-API "native" format for names, - represented by the implementation-specific gss_name_t type. It is - opaque to GSS-API callers. A single gss_name_t object may contain - multiple names from different namespaces, but all names should - refer to the same entity. 
An example of such an internal name - would be the name returned from a call to the gss_inquire_cred - routine, when applied to a credential containing credential - elements for multiple authentication mechanisms employing - different namespaces. This gss_name_t object will contain a - distinct name for the entity for each authentication mechanism. - - For GSS-API implementations supporting multiple namespaces, - objects of type gss_name_t must contain sufficient information to - determine the namespace to which each primitive name belongs. - - - - - - -Wray Standards Track [Page 15] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Mechanism-specific contiguous octet-string forms. A format - capable of containing a single name (from a single namespace). - Contiguous string names are always accompanied by an object - identifier specifying the namespace to which the name belongs, and - their format is dependent on the authentication mechanism that - employs the name. Many, but not all, contiguous string names will - be printable, and may therefore be used by GSS-API applications - for communication with their users. - - Routines (gss_import_name and gss_display_name) are provided to - convert names between contiguous string representations and the - internal gss_name_t type. gss_import_name may support multiple - syntaxes for each supported namespace, allowing users the freedom to - choose a preferred name representation. gss_display_name should use - an implementation-chosen printable syntax for each supported name- - type. - - If an application calls gss_display_name(), passing the internal name - resulting from a call to gss_import_name(), there is no guarantee the - the resulting contiguous string name will be the same as the original - imported string name. Nor do name-space identifiers necessarily - survive unchanged after a journey through the internal name-form. 
An - example of this might be a mechanism that authenticates X.500 names, - but provides an algorithmic mapping of Internet DNS names into X.500. - That mechanism's implementation of gss_import_name() might, when - presented with a DNS name, generate an internal name that contained - both the original DNS name and the equivalent X.500 name. - Alternatively, it might only store the X.500 name. In the latter - case, gss_display_name() would most likely generate a printable X.500 - name, rather than the original DNS name. - - The process of authentication delivers to the context acceptor an - internal name. Since this name has been authenticated by a single - mechanism, it contains only a single name (even if the internal name - presented by the context initiator to gss_init_sec_context had - multiple components). Such names are termed internal mechanism - names, or "MN"s and the names emitted by gss_accept_sec_context() are - always of this type. Since some applications may require MNs without - wanting to incur the overhead of an authentication operation, a - second function, gss_canonicalize_name(), is provided to convert a - general internal name into an MN. - - Comparison of internal-form names may be accomplished via the - gss_compare_name() routine, which returns true if the two names being - compared refer to the same entity. This removes the need for the - application program to understand the syntaxes of the various - printable names that a given GSS-API implementation may support. - Since GSS-API assumes that all primitive names contained within a - - - -Wray Standards Track [Page 16] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - given internal name refer to the same entity, gss_compare_name() can - return true if the two names have at least one primitive name in - common. 
If the implementation embodies knowledge of equivalence - relationships between names taken from different namespaces, this - knowledge may also allow successful comparison of internal names - containing no overlapping primitive elements. - - When used in large access control lists, the overhead of invoking - gss_import_name() and gss_compare_name() on each name from the ACL - may be prohibitive. As an alternative way of supporting this case, - GSS-API defines a special form of the contiguous string name which - may be compared directly (e.g. with memcmp()). Contiguous names - suitable for comparison are generated by the gss_export_name() - routine, which requires an MN as input. Exported names may be re- - imported by the gss_import_name() routine, and the resulting internal - name will also be an MN. The gss_OID constant GSS_C_NT_EXPORT_NAME - indentifies the "export name" type, and the value of this constant is - given in Appendix A. Structurally, an exported name object consists - of a header containing an OID identifying the mechanism that - authenticated the name, and a trailer containing the name itself, - where the syntax of the trailer is defined by the individual - mechanism specification. The precise format of an export name is - defined in the language-independent GSS-API specification [GSSAPI]. - - Note that the results obtained by using gss_compare_name() will in - general be different from those obtained by invoking - gss_canonicalize_name() and gss_export_name(), and then comparing the - exported names. The first series of operation determines whether two - (unauthenticated) names identify the same principal; the second - whether a particular mechanism would authenticate them as the same - principal. These two operations will in general give the same - results only for MNs. - - The gss_name_t datatype should be implemented as a pointer type. 
To - allow the compiler to aid the application programmer by performing - type-checking, the use of (void *) is discouraged. A pointer to an - implementation-defined type is the preferred choice. - - Storage is allocated by routines that return gss_name_t values. A - procedure, gss_release_name, is provided to free storage associated - with an internal-form name. - - - - - - - - - - -Wray Standards Track [Page 17] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.11. Channel Bindings - - GSS-API supports the use of user-specified tags to identify a given - context to the peer application. These tags are intended to be used - to identify the particular communications channel that carries the - context. Channel bindings are communicated to the GSS-API using the - following structure: - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - The initiator_addrtype and acceptor_addrtype fields denote the type - of addresses contained in the initiator_address and acceptor_address - buffers. The address type should be one of the following: - - GSS_C_AF_UNSPEC Unspecified address type - GSS_C_AF_LOCAL Host-local address type - GSS_C_AF_INET Internet address type (e.g. 
IP) - GSS_C_AF_IMPLINK ARPAnet IMP address type - GSS_C_AF_PUP pup protocols (eg BSP) address type - GSS_C_AF_CHAOS MIT CHAOS protocol address type - GSS_C_AF_NS XEROX NS address type - GSS_C_AF_NBS nbs address type - GSS_C_AF_ECMA ECMA address type - GSS_C_AF_DATAKIT datakit protocols address type - GSS_C_AF_CCITT CCITT protocols - GSS_C_AF_SNA IBM SNA address type - GSS_C_AF_DECnet DECnet address type - GSS_C_AF_DLI Direct data link interface address type - GSS_C_AF_LAT LAT address type - GSS_C_AF_HYLINK NSC Hyperchannel address type - GSS_C_AF_APPLETALK AppleTalk address type - GSS_C_AF_BSC BISYNC 2780/3780 address type - GSS_C_AF_DSS Distributed system services address type - GSS_C_AF_OSI OSI TP4 address type - GSS_C_AF_X25 X.25 - GSS_C_AF_NULLADDR No address specified - - Note that these symbols name address families rather than specific - addressing formats. For address families that contain several - alternative address forms, the initiator_address and acceptor_address - fields must contain sufficient information to determine which address - - - - -Wray Standards Track [Page 18] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - form is used. When not otherwise specified, addresses should be - specified in network byte-order (that is, native byte-ordering for - the address family). - - Conceptually, the GSS-API concatenates the initiator_addrtype, - initiator_address, acceptor_addrtype, acceptor_address and - application_data to form an octet string. The mechanism calculates a - MIC over this octet string, and binds the MIC to the context - establishment token emitted by gss_init_sec_context. The same - bindings are presented by the context acceptor to - gss_accept_sec_context, and a MIC is calculated in the same way. The - calculated MIC is compared with that found in the token, and if the - MICs differ, gss_accept_sec_context will return a GSS_S_BAD_BINDINGS - error, and the context will not be established. 
Some mechanisms may - include the actual channel binding data in the token (rather than - just a MIC); applications should therefore not use confidential data - as channel-binding components. - - Individual mechanisms may impose additional constraints on addresses - and address types that may appear in channel bindings. For example, - a mechanism may verify that the initiator_address field of the - channel bindings presented to gss_init_sec_context contains the - correct network address of the host system. Portable applications - should therefore ensure that they either provide correct information - for the address fields, or omit addressing information, specifying - GSS_C_AF_NULLADDR as the address-types. - -3.12. Optional parameters - - Various parameters are described as optional. This means that they - follow a convention whereby a default value may be requested. The - following conventions are used for omitted parameters. These - conventions apply only to those parameters that are explicitly - documented as optional. - -3.12.1. gss_buffer_t types - - Specify GSS_C_NO_BUFFER as a value. For an input parameter this - signifies that default behavior is requested, while for an output - parameter it indicates that the information that would be returned - via the parameter is not required by the application. - -3.12.2. Integer types (input) - - Individual parameter documentation lists values to be used to - indicate default actions. - - - - - -Wray Standards Track [Page 19] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -3.12.3. Integer types (output) - - Specify NULL as the value for the pointer. - -3.12.4. Pointer types - - Specify NULL as the value. - -3.12.5. Object IDs - - Specify GSS_C_NO_OID as the value. - -3.12.6. Object ID Sets - - Specify GSS_C_NO_OID_SET as the value. - -3.12.7. Channel Bindings - - Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings - are not to be used. - -4. 
Additional Controls - - This section discusses the optional services that a context initiator - may request of the GSS-API at context establishment. Each of these - services is requested by setting a flag in the req_flags input - parameter to gss_init_sec_context. - - The optional services currently defined are: - - Delegation - The (usually temporary) transfer of rights from - initiator to acceptor, enabling the acceptor to authenticate - itself as an agent of the initiator. - - Mutual Authentication - In addition to the initiator authenticating - its identity to the context acceptor, the context acceptor should - also authenticate itself to the initiator. - - Replay detection - In addition to providing message integrity - services, gss_get_mic and gss_wrap should include message - numbering information to enable gss_verify_mic and gss_unwrap to - detect if a message has been duplicated. - - Out-of-sequence detection - In addition to providing message - integrity services, gss_get_mic and gss_wrap should include - message sequencing information to enable gss_verify_mic and - gss_unwrap to detect if a message has been received out of - sequence. - - - -Wray Standards Track [Page 20] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Anonymous authentication - The establishment of the security context - should not reveal the initiator's identity to the context - acceptor. - - Any currently undefined bits within such flag arguments should be - ignored by GSS-API implementations when presented by an application, - and should be set to zero when returned to the application by the - GSS-API implementation. - - Some mechanisms may not support all optional services, and some - mechanisms may only support some services in conjunction with others. - Both gss_init_sec_context and gss_accept_sec_context inform the - applications which services will be available from the context when - the establishment phase is complete, via the ret_flags output - parameter. 
In general, if the security mechanism is capable of - providing a requested service, it should do so, even if additional - services must be enabled in order to provide the requested service. - If the mechanism is incapable of providing a requested service, it - should proceed without the service, leaving the application to abort - the context establishment process if it considers the requested - service to be mandatory. - - Some mechanisms may specify that support for some services is - optional, and that implementors of the mechanism need not provide it. - This is most commonly true of the confidentiality service, often - because of legal restrictions on the use of data-encryption, but may - apply to any of the services. Such mechanisms are required to send - at least one token from acceptor to initiator during context - establishment when the initiator indicates a desire to use such a - service, so that the initiating GSS-API can correctly indicate - whether the service is supported by the acceptor's GSS-API. - -4.1. Delegation - - The GSS-API allows delegation to be controlled by the initiating - application via a boolean parameter to gss_init_sec_context(), the - routine that establishes a security context. Some mechanisms do not - support delegation, and for such mechanisms attempts by an - application to enable delegation are ignored. - - The acceptor of a security context for which the initiator enabled - delegation will receive (via the delegated_cred_handle parameter of - gss_accept_sec_context) a credential handle that contains the - delegated identity, and this credential handle may be used to - initiate subsequent GSS-API security contexts as an agent or delegate - of the initiator. 
If the original initiator's identity is "A" and - the delegate's identity is "B", then, depending on the underlying - mechanism, the identity embodied by the delegated credential may be - - - -Wray Standards Track [Page 21] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - either "A" or "B acting for A". - - For many mechanisms that support delegation, a simple boolean does - not provide enough control. Examples of additional aspects of - delegation control that a mechanism might provide to an application - are duration of delegation, network addresses from which delegation - is valid, and constraints on the tasks that may be performed by a - delegate. Such controls are presently outside the scope of the GSS- - API. GSS-API implementations supporting mechanisms offering - additional controls should provide extension routines that allow - these controls to be exercised (perhaps by modifying the initiator's - GSS-API credential prior to its use in establishing a context). - However, the simple delegation control provided by GSS-API should - always be able to over-ride other mechanism-specific delegation - controls - If the application instructs gss_init_sec_context() that - delegation is not desired, then the implementation must not permit - delegation to occur. This is an exception to the general rule that a - mechanism may enable services even if they are not requested - - delegation may only be provided at the explicit request of the - application. - -4.2. Mutual authentication - - Usually, a context acceptor will require that a context initiator - authenticate itself so that the acceptor may make an access-control - decision prior to performing a service for the initiator. In some - cases, the initiator may also request that the acceptor authenticate - itself. GSS-API allows the initiating application to request this - mutual authentication service by setting a flag when calling - gss_init_sec_context. 
- - The initiating application is informed as to whether or not the - context acceptor has authenticated itself. Note that some mechanisms - may not support mutual authentication, and other mechanisms may - always perform mutual authentication, whether or not the initiating - application requests it. In particular, mutual authentication my be - required by some mechanisms in order to support replay or out-of- - sequence message detection, and for such mechanisms a request for - either of these services will automatically enable mutual - authentication. - - - - - - - - - - - -Wray Standards Track [Page 22] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -4.3. Replay and out-of-sequence detection - - The GSS-API may provide detection of mis-ordered message once a - security context has been established. Protection may be applied to - messages by either application, by calling either gss_get_mic or - gss_wrap, and verified by the peer application by calling - gss_verify_mic or gss_unwrap. - - gss_get_mic calculates a cryptographic MIC over an application - message, and returns that MIC in a token. The application should - pass both the token and the message to the peer application, which - presents them to gss_verify_mic. - - gss_wrap calculates a cryptographic MIC of an application message, - and places both the MIC and the message inside a single token. The - Application should pass the token to the peer application, which - presents it to gss_unwrap to extract the message and verify the MIC. - - Either pair of routines may be capable of detecting out-of-sequence - message delivery, or duplication of messages. Details of such mis- - ordered messages are indicated through supplementary status bits in - the major status code returned by gss_verify_mic or gss_unwrap. The - relevant supplementary bits are: - - GSS_S_DUPLICATE_TOKEN - The token is a duplicate of one that has - already been received and processed. 
Only - contexts that claim to provide replay detection - may set this bit. - GSS_S_OLD_TOKEN - The token is too old to determine whether or - not it is a duplicate. Contexts supporting - out-of-sequence detection but not replay - detection should always set this bit if - GSS_S_UNSEQ_TOKEN is set; contexts that support - replay detection should only set this bit if the - token is so old that it cannot be checked for - duplication. - GSS_S_UNSEQ_TOKEN - A later token has already been processed. - GSS_S_GAP_TOKEN - An earlier token has not yet been received. - - A mechanism need not maintain a list of all tokens that have been - processed in order to support these status codes. A typical - mechanism might retain information about only the most recent "N" - tokens processed, allowing it to distinguish duplicates and missing - tokens within the most recent "N" messages; the receipt of a token - older than the most recent "N" would result in a GSS_S_OLD_TOKEN - status. - - - - - -Wray Standards Track [Page 23] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -4.4. Anonymous Authentication - - In certain situations, an application may wish to initiate the - authentication process to authenticate a peer, without revealing its - own identity. As an example, consider an application providing - access to a database containing medical information, and offering - unrestricted access to the service. A client of such a service might - wish to authenticate the service (in order to establish trust in any - information retrieved from it), but might not wish the service to be - able to obtain the client's identity (perhaps due to privacy concerns - about the specific inquiries, or perhaps simply to avoid being placed - on mailing-lists). - - In normal use of the GSS-API, the initiator's identity is made - available to the acceptor as a result of the context establishment - process. 
However, context initiators may request that their identity - not be revealed to the context acceptor. Many mechanisms do not - support anonymous authentication, and for such mechanisms the request - will not be honored. An authentication token will be still be - generated, but the application is always informed if a requested - service is unavailable, and has the option to abort context - establishment if anonymity is valued above the other security - services that would require a context to be established. - - In addition to informing the application that a context is - established anonymously (via the ret_flags outputs from - gss_init_sec_context and gss_accept_sec_context), the optional - src_name output from gss_accept_sec_context and gss_inquire_context - will, for such contexts, return a reserved internal-form name, - defined by the implementation. - - When presented to gss_display_name, this reserved internal-form name - will result in a printable name that is syntactically distinguishable - from any valid principal name supported by the implementation, - associated with a name-type object identifier with the value - GSS_C_NT_ANONYMOUS, whose value us given in Appendix A. The - printable form of an anonymous name should be chosen such that it - implies anonymity, since this name may appear in, for example, audit - logs. For example, the string "" might be a good choice, - if no valid printable names supported by the implementation can begin - with "<" and end with ">". - -4.5. Confidentiality - - If a context supports the confidentiality service, gss_wrap may be - used to encrypt application messages. Messages are selectively - encrypted, under the control of the conf_req_flag input parameter to - gss_wrap. - - - -Wray Standards Track [Page 24] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -4.6. 
Inter-process context transfer - - GSS-API V2 provides routines (gss_export_sec_context and - gss_import_sec_context) which allow a security context to be - transferred between processes on a single machine. The most common - use for such a feature is a client-server design where the server is - implemented as a single process that accepts incoming security - contexts, which then launches child processes to deal with the data - on these contexts. In such a design, the child processes must have - access to the security context data structure created within the - parent by its call to gss_accept_sec_context so that they can use - per-message protection services and delete the security context when - the communication session ends. - - Since the security context data structure is expected to contain - sequencing information, it is impractical in general to share a - context between processes. Thus GSS-API provides a call - (gss_export_sec_context) that the process which currently owns the - context can call to declare that it has no intention to use the - context subsequently, and to create an inter-process token containing - information needed by the adopting process to successfully import the - context. After successful completion of gss_export_sec_context, the - original security context is made inaccessible to the calling process - by GSS-API, and any context handles referring to this context are no - longer valid. The originating process transfers the inter-process - token to the adopting process, which passes it to - gss_import_sec_context, and a fresh gss_ctx_id_t is created such that - it is functionally identical to the original context. - - The inter-process token may contain sensitive data from the original - security context (including cryptographic keys). Applications using - inter-process tokens to transfer security contexts must take - appropriate steps to protect these tokens in transit. 
- - Implementations are not required to support the inter-process - transfer of security contexts. The ability to transfer a security - context is indicated when the context is created, by - gss_init_sec_context or gss_accept_sec_context setting the - GSS_C_TRANS_FLAG bit in their ret_flags parameter. - -4.7. The use of incomplete contexts - - Some mechanisms may allow the per-message services to be used before - the context establishment process is complete. For example, a - mechanism may include sufficient information in its initial context- - level token for the context acceptor to immediately decode messages - protected with gss_wrap or gss_get_mic. For such a mechanism, the - initiating application need not wait until subsequent context-level - - - -Wray Standards Track [Page 25] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - tokens have been sent and received before invoking the per-message - protection services. - - The ability of a context to provide per-message services in advance - of complete context establishment is indicated by the setting of the - GSS_C_PROT_READY_FLAG bit in the ret_flags parameter from - gss_init_sec_context and gss_accept_sec_context. Applications wishing - to use per-message protection services on partially-established - contexts should check this flag before attempting to invoke gss_wrap - or gss_get_mic. - -5. GSS-API Routine Descriptions - - In addition to the explicit major status codes documented here, the - code GSS_S_FAILURE may be returned by any routine, indicating an - implementation-specific or mechanism-specific error condition, - further details of which are reported via the minor_status parameter. - -5.1. 
gss_accept_sec_context - - OM_uint32 gss_accept_sec_context ( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - const gss_name_t *src_name, - gss_OID *mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - gss_cred_id_t *delegated_cred_handle) - - Purpose: - - Allows a remotely initiated security context between the application - and a remote peer to be established. The routine may return a - output_token which should be transferred to the peer application, - where the peer application will present it to gss_init_sec_context. - If no token need be sent, gss_accept_sec_context will indicate this - by setting the length field of the output_token argument to zero. To - complete the context establishment, one or more reply tokens may be - required from the peer application; if so, gss_accept_sec_context - will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it - should be called again when the reply token is received from the peer - application, passing the token to gss_accept_sec_context via the - input_token parameters. - - - - -Wray Standards Track [Page 26] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Portable applications should be constructed to use the token length - and return status to determine whether a token needs to be sent or - waited for. 
Thus a typical portable caller should always invoke - gss_accept_sec_context within a loop: - - gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; - - do { - receive_token_from_peer(input_token); - maj_stat = gss_accept_sec_context(&min_stat, - &context_hdl, - cred_hdl, - input_token, - input_bindings, - &client_name, - &mech_type, - output_token, - &ret_flags, - &time_rec, - &deleg_cred); - if (GSS_ERROR(maj_stat)) { - report_error(maj_stat, min_stat); - }; - if (output_token->length != 0) { - send_token_to_peer(output_token); - - gss_release_buffer(&min_stat, output_token); - }; - if (GSS_ERROR(maj_stat)) { - if (context_hdl != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, - &context_hdl, - GSS_C_NO_BUFFER); - break; - }; - } while (maj_stat & GSS_S_CONTINUE_NEEDED); - - Whenever the routine returns a major status that includes the value - GSS_S_CONTINUE_NEEDED, the context is not fully established and the - following restrictions apply to the output parameters: - - The value returned via the time_rec parameter is undefined Unless the - accompanying ret_flags parameter contains the bit - GSS_C_PROT_READY_FLAG, indicating that per-message services may be - applied in advance of a successful completion status, the value - returned via the mech_type parameter may be undefined until the - routine returns a major status value of GSS_S_COMPLETE. - - - - -Wray Standards Track [Page 27] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - The values of the GSS_C_DELEG_FLAG, - GSS_C_MUTUAL_FLAG,GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, - GSS_C_CONF_FLAG,GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned - via the ret_flags parameter should contain the values that the - implementation expects would be valid if context establishment were - to succeed. - - The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits - within ret_flags should indicate the actual state at the time - gss_accept_sec_context returns, whether or not the context is fully - established. 
-
- Although this requires that GSS-API implementations set the
- GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
- (i.e. when accompanied by a GSS_S_COMPLETE status code), applications
- should not rely on this behavior as the flag was not defined in
- Version 1 of the GSS-API. Instead, applications should be prepared to
- use per-message services after a successful context establishment,
- according to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values.
-
- All other bits within the ret_flags argument should be set to zero.
- While the routine returns GSS_S_CONTINUE_NEEDED, the values returned
- via the ret_flags argument indicate the services that the
- implementation expects to be available from the established context.
-
- If the initial call of gss_accept_sec_context() fails, the
- implementation should not create a context object, and should leave
- the value of the context_handle parameter set to GSS_C_NO_CONTEXT to
- indicate this. In the event of a failure on a subsequent call, the
- implementation is permitted to delete the "half-built" security
- context (in which case it should set the context_handle parameter to
- GSS_C_NO_CONTEXT), but the preferred behavior is to leave the
- security context (and the context_handle parameter) untouched for the
- application to delete (using gss_delete_sec_context).
-
- During context establishment, the informational status bits
- GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
- GSS-API mechanisms should always return them in association with a
- routine error of GSS_S_FAILURE. This requirement for pairing did not
- exist in version 1 of the GSS-API specification, so applications that
- wish to run over version 1 implementations must special-case these
- codes.
-
-
-
-
-
-
-
-
-
-Wray Standards Track [Page 28]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Parameters:
-
- context_handle gss_ctx_id_t, read/modify context handle for new
- context.
Supply GSS_C_NO_CONTEXT for first
- call; use value returned in subsequent calls.
- Once gss_accept_sec_context() has returned a
- value via this parameter, resources have been
- assigned to the corresponding context, and must
- be freed by the application after use with a
- call to gss_delete_sec_context().
-
-
- acceptor_cred_handle gss_cred_id_t, read Credential handle claimed
- by context acceptor. Specify
- GSS_C_NO_CREDENTIAL to accept the context as a
- default principal. If GSS_C_NO_CREDENTIAL is
- specified, but no default acceptor principal is
- defined, GSS_S_NO_CRED will be returned.
-
- input_token_buffer buffer, opaque, read token obtained from remote
- application.
-
- input_chan_bindings channel bindings, read, optional Application-
- specified bindings. Allows application to
- securely bind channel identification information
- to the security context. If channel bindings
- are not used, specify GSS_C_NO_CHANNEL_BINDINGS.
-
- src_name gss_name_t, modify, optional Authenticated name
- of context initiator. After use, this name
- should be deallocated by passing it to
- gss_release_name(). If not required, specify
- NULL.
-
- mech_type Object ID, modify, optional Security mechanism
- used. The returned OID value will be a pointer
- into static storage, and should be treated as
- read-only by the caller (in particular, it does
- not need to be freed). If not required, specify
- NULL.
-
- output_token buffer, opaque, modify Token to be passed to
- peer application. If the length field of the
- returned token buffer is 0, then no token need
- be passed to the peer application. If a non-
- zero length field is returned, the associated
- storage must be freed after use by the
- application with a call to gss_release_buffer().
- - - -Wray Standards Track [Page 29] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - ret_flags bit-mask, modify, optional Contains various - independent flags, each of which indicates that - the context supports a specific service option. - If not needed, specify NULL. Symbolic names are - provided for each flag, and the symbolic names - corresponding to the required flags should be - logically-ANDed with the ret_flags value to test - whether a given option is supported by the - context. The flags are: - GSS_C_DELEG_FLAG - True - Delegated credentials are available - via the delegated_cred_handle - parameter - False - No credentials were delegated - GSS_C_MUTUAL_FLAG - True - Remote peer asked for mutual - authentication - False - Remote peer did not ask for mutual - authentication - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will not - be detected - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling the gss_wrap - routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or - gss_wrap routines. - False - Per-message integrity service - unavailable. - GSS_C_ANON_FLAG - True - The initiator does not wish to - be authenticated; the src_name - parameter (if requested) contains - - - -Wray Standards Track [Page 30] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - an anonymous internal name. - False - The initiator has been - authenticated normally. 
- GSS_C_PROT_READY_FLAG - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - if the accompanying major status - return value is either GSS_S_COMPLETE - or GSS_S_CONTINUE_NEEDED. - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the accompanying major status - return value is GSS_S_COMPLETE. - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferable. - All other bits should be set to zero. - - time_rec Integer, modify, optional - number of seconds for which the context will - remain valid. Specify NULL if not required. - - delegated_cred_handle - gss_cred_id_t, modify, optional credential - handle for credentials received from context - initiator. Only valid if deleg_flag in - ret_flags is true, in which case an explicit - credential handle (i.e. not GSS_C_NO_CREDENTIAL) - will be returned; if deleg_flag is false, - gss_accept_context() will set this parameter to - GSS_C_NO_CREDENTIAL. If a credential handle is - returned, the associated resources must be - released by the application after use with a - call to gss_release_cred(). Specify NULL if not - required. - - minor_status Integer, modify - Mechanism specific status code. - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete the - context, and that gss_accept_sec_context must - be called again with that token. - - - -Wray Standards Track [Page 31] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on - the input_token failed. - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. 
-
- GSS_S_NO_CRED The supplied credentials were not valid for context
- acceptance, or the credential handle did not
- reference any credentials.
-
- GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
-
- GSS_S_BAD_BINDINGS The input_token contains different channel
- bindings to those specified via the
- input_chan_bindings parameter.
-
- GSS_S_NO_CONTEXT Indicates that the supplied context handle did not
- refer to a valid context.
-
- GSS_S_BAD_SIG The input_token contains an invalid MIC.
-
- GSS_S_OLD_TOKEN The input_token was too old. This is a fatal error
- during context establishment.
-
- GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
- a token already processed. This is a fatal
- error during context establishment.
-
- GSS_S_BAD_MECH The received token specified a mechanism that is
- not supported by the implementation or the
- provided credential.
-
-5.2. gss_acquire_cred
-
- OM_uint32 gss_acquire_cred (
- OM_uint32 *minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t *output_cred_handle,
- gss_OID_set *actual_mechs,
- OM_uint32 *time_rec)
-
-
-
-
-
-
-
-
-Wray Standards Track [Page 32]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Purpose:
-
- Allows an application to acquire a handle for a pre-existing
- credential by name. GSS-API implementations must impose a local
- access-control policy on callers of this routine to prevent
- unauthorized callers from acquiring credentials to which they are not
- entitled. This routine is not intended to provide a "login to the
- network" function, as such a function would involve the creation of
- new credentials rather than merely acquiring a handle to existing
- credentials. Such functions, if required, should be defined in
- implementation-specific extensions to the API.
-
- If desired_name is GSS_C_NO_NAME, the call is interpreted as a
- request for a credential handle that will invoke default behavior
- when passed to gss_init_sec_context() (if cred_usage is
- GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
- cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
-
- Mechanisms should honor the desired_mechs parameter, and return a
- credential that is suitable to use only with the requested
- mechanisms. An exception to this is the case where one underlying
- credential element can be shared by multiple mechanisms; in this case
- it is permissible for an implementation to indicate all mechanisms
- with which the credential element may be used. If desired_mechs is
- an empty set, behavior is undefined.
-
- This routine is expected to be used primarily by context acceptors,
- since implementations are likely to provide mechanism-specific ways
- of obtaining GSS-API initiator credentials from the system login
- process. Some implementations may therefore not support the
- acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
- gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
- produced by applying either gss_inquire_cred to a valid credential,
- or gss_inquire_context to an active context.
-
- If credential acquisition is time-consuming for a mechanism, the
- mechanism may choose to delay the actual acquisition until the
- credential is required (e.g. by gss_init_sec_context or
- gss_accept_sec_context). Such mechanism-specific implementation
- decisions should be invisible to the calling application; thus a call
- of gss_inquire_cred immediately following the call of
- gss_acquire_cred must return valid credential data, and may therefore
- incur the overhead of a deferred credential acquisition.
- - - - - - - - -Wray Standards Track [Page 33] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - desired_name gss_name_t, read - Name of principal whose credential - should be acquired - - time_req Integer, read, optional - number of seconds that credentials - should remain valid. Specify GSS_C_INDEFINITE - to request that the credentials have the maximum - permitted lifetime. - - desired_mechs Set of Object IDs, read, optional - set of underlying security mechanisms that - may be used. GSS_C_NO_OID_SET may be used - to obtain an implementation-specific default. - - cred_usage gss_cred_usage_t, read - GSS_C_BOTH - Credentials may be used - either to initiate or accept - security contexts. - GSS_C_INITIATE - Credentials will only be - used to initiate security contexts. - GSS_C_ACCEPT - Credentials will only be used to - accept security contexts. - - output_cred_handle gss_cred_id_t, modify - The returned credential handle. Resources - associated with this credential handle must - be released by the application after use - with a call to gss_release_cred(). - - actual_mechs Set of Object IDs, modify, optional - The set of mechanisms for which the - credential is valid. Storage associated - with the returned OID-set must be released by - the application after use with a call to - gss_release_oid_set(). Specify NULL if not - required. - - time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid. If the - implementation does not support expiration of - credentials, the value GSS_C_INDEFINITE will - be returned. Specify NULL if not required - - - - - -Wray Standards Track [Page 34] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - minor_status Integer, modify - Mechanism specific status code. 
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
- GSS_S_BAD_MECH Unavailable mechanism requested
-
- GSS_S_BAD_NAMETYPE Type contained within desired_name parameter
- is not supported
-
- GSS_S_BAD_NAME Value supplied for desired_name parameter is ill
- formed.
-
- GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired
- Because they have expired.
-
- GSS_S_NO_CRED No credentials were found for the specified name.
-
-5.3. gss_add_cred
-
- OM_uint32 gss_add_cred (
- OM_uint32 *minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
- const gss_OID desired_mech,
- gss_cred_usage_t cred_usage,
- OM_uint32 initiator_time_req,
- OM_uint32 acceptor_time_req,
- gss_cred_id_t *output_cred_handle,
- gss_OID_set *actual_mechs,
- OM_uint32 *initiator_time_rec,
- OM_uint32 *acceptor_time_rec)
-
- Purpose:
-
- Adds a credential-element to a credential. The credential-element is
- identified by the name of the principal to which it refers. GSS-API
- implementations must impose a local access-control policy on callers
- of this routine to prevent unauthorized callers from acquiring
- credential-elements to which they are not entitled. This routine is
- not intended to provide a "login to the network" function, as such a
- function would involve the creation of new mechanism-specific
- authentication data, rather than merely acquiring a GSS-API handle to
- existing data. Such functions, if required, should be defined in
- implementation-specific extensions to the API.
-
-
-
-
-Wray Standards Track [Page 35]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- If desired_name is GSS_C_NO_NAME, the call is interpreted as a
- request to add a credential element that will invoke default behavior
- when passed to gss_init_sec_context() (if cred_usage is
- GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
- cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
-
- This routine is expected to be used primarily by context acceptors,
- since implementations are likely to provide mechanism-specific ways
- of obtaining GSS-API initiator credentials from the system login
- process. Some implementations may therefore not support the
- acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
- gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
- produced by applying either gss_inquire_cred to a valid credential,
- or gss_inquire_context to an active context.
-
- If credential acquisition is time-consuming for a mechanism, the
- mechanism may choose to delay the actual acquisition until the
- credential is required (e.g. by gss_init_sec_context or
- gss_accept_sec_context). Such mechanism-specific implementation
- decisions should be invisible to the calling application; thus a call
- of gss_inquire_cred immediately following the call of gss_add_cred
- must return valid credential data, and may therefore incur the
- overhead of a deferred credential acquisition.
-
- This routine can be used to either compose a new credential
- containing all credential-elements of the original in addition to the
- newly-acquire credential-element, or to add the new credential-
- element to an existing credential. If NULL is specified for the
- output_cred_handle parameter argument, the new credential-element
- will be added to the credential identified by input_cred_handle; if a
- valid pointer is specified for the output_cred_handle parameter, a
- new credential handle will be created.
-
- If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle,
- gss_add_cred will compose a credential (and set the
- output_cred_handle parameter accordingly) based on default behavior.
- That is, the call will have the same effect as if the application had - first made a call to gss_acquire_cred(), specifying the same usage - and passing GSS_C_NO_NAME as the desired_name parameter to obtain an - explicit credential handle embodying default behavior, passed this - credential handle to gss_add_cred(), and finally called - gss_release_cred() on the first credential handle. - - If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle - parameter, a non-NULL output_cred_handle must be supplied. - - - - - - -Wray Standards Track [Page 36] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - input_cred_handle gss_cred_id_t, read, optional - The credential to which a credential-element - will be added. If GSS_C_NO_CREDENTIAL is - specified, the routine will compose the new - credential based on default behavior (see - description above). Note that, while the - credential-handle is not modified by - gss_add_cred(), the underlying credential - will be modified if output_credential_handle - is NULL. - - desired_name gss_name_t, read. - Name of principal whose credential - should be acquired. - - desired_mech Object ID, read - Underlying security mechanism with which the - credential may be used. - - cred_usage gss_cred_usage_t, read - GSS_C_BOTH - Credential may be used - either to initiate or accept - security contexts. - GSS_C_INITIATE - Credential will only be - used to initiate security - contexts. - GSS_C_ACCEPT - Credential will only be used to - accept security contexts. - - initiator_time_req Integer, read, optional - number of seconds that the credential - should remain valid for initiating security - contexts. This argument is ignored if the - composed credentials are of type GSS_C_ACCEPT. - Specify GSS_C_INDEFINITE to request that the - credentials have the maximum permitted - initiator lifetime. 
- - acceptor_time_req Integer, read, optional - number of seconds that the credential - should remain valid for accepting security - contexts. This argument is ignored if the - composed credentials are of type GSS_C_INITIATE. - - - -Wray Standards Track [Page 37] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Specify GSS_C_INDEFINITE to request that the - credentials have the maximum permitted initiator - lifetime. - - output_cred_handle gss_cred_id_t, modify, optional - The returned credential handle, containing - the new credential-element and all the - credential-elements from input_cred_handle. - If a valid pointer to a gss_cred_id_t is - supplied for this parameter, gss_add_cred - creates a new credential handle containing all - credential-elements from the input_cred_handle - and the newly acquired credential-element; if - NULL is specified for this parameter, the newly - acquired credential-element will be added - to the credential identified by input_cred_handle. - - The resources associated with any credential - handle returned via this parameter must be - released by the application after use with a - call to gss_release_cred(). - - actual_mechs Set of Object IDs, modify, optional - The complete set of mechanisms for which - the new credential is valid. Storage for - the returned OID-set must be freed by the - application after use with a call to - gss_release_oid_set(). Specify NULL if - not required. - - initiator_time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid for - initiating contexts using the specified - mechanism. If the implementation or mechanism - does not support expiration of credentials, the - value GSS_C_INDEFINITE will be returned. Specify - NULL if not required - - acceptor_time_rec Integer, modify, optional - Actual number of seconds for which the - returned credentials will remain valid for - accepting security contexts using the specified - mechanism. 
If the implementation or mechanism
- does not support expiration of credentials, the
- value GSS_C_INDEFINITE will be returned. Specify
- NULL if not required
-
-
-
-
-Wray Standards Track [Page 38]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
- GSS_S_BAD_MECH Unavailable mechanism requested
-
- GSS_S_BAD_NAMETYPE Type contained within desired_name parameter
- is not supported
-
- GSS_S_BAD_NAME Value supplied for desired_name parameter is
- ill-formed.
-
- GSS_S_DUPLICATE_ELEMENT The credential already contains an element
- for the requested mechanism with overlapping
- usage and validity period.
-
- GSS_S_CREDENTIALS_EXPIRED The required credentials could not be
- added because they have expired.
-
- GSS_S_NO_CRED No credentials were found for the specified name.
-
-5.4. gss_add_oid_set_member
-
- OM_uint32 gss_add_oid_set_member (
- OM_uint32 *minor_status,
- const gss_OID member_oid,
- gss_OID_set *oid_set)
-
- Purpose:
-
- Add an Object Identifier to an Object Identifier set. This routine
- is intended for use in conjunction with gss_create_empty_oid_set when
- constructing a set of mechanism OIDs for input to gss_acquire_cred.
- The oid_set parameter must refer to an OID-set that was created by
- GSS-API (e.g. a set returned by gss_create_empty_oid_set()). GSS-API
- creates a copy of the member_oid and inserts this copy into the set,
- expanding the storage allocated to the OID-set's elements array if
- necessary. The routine may add the new member OID anywhere within
- the elements array, and implementations should verify that the new
- member_oid is not already contained within the elements array; if the
- member_oid is already present, the oid_set should remain unchanged.
- - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - - - - -Wray Standards Track [Page 39] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - member_oid Object ID, read - The object identifier to copied into - the set. - - oid_set Set of Object ID, modify - The set in which the object identifier - should be inserted. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.5. gss_canonicalize_name - - OM_uint32 gss_canonicalize_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - const gss_OID mech_type, - gss_name_t *output_name) - - Purpose: - - Generate a canonical mechanism name (MN) from an arbitrary internal - name. The mechanism name is the name that would be returned to a - context acceptor on successful authentication of a context where the - initiator used the input_name in a successful call to - gss_acquire_cred, specifying an OID set containing as its - only member, followed by a call to gss_init_sec_context, specifying - as the authentication mechanism. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name gss_name_t, read - The name for which a canonical form is - desired - - mech_type Object ID, read - The authentication mechanism for which the - canonical form of the name is desired. The - desired mechanism must be specified explicitly; - no default is provided. - - - - - - - -Wray Standards Track [Page 40] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - output_name gss_name_t, modify - The resultant canonical name. Storage - associated with this name must be freed by - the application after use with a call to - gss_release_name(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion. - - GSS_S_BAD_MECH The identified mechanism is not supported. - - GSS_S_BAD_NAMETYPE The provided internal name contains no elements - that could be processed by the specified - mechanism. 
- - GSS_S_BAD_NAME The provided internal name was ill-formed. - -5.6. gss_compare_name - - OM_uint32 gss_compare_name ( - OM_uint32 *minor_status, - const gss_name_t name1, - const gss_name_t name2, - int *name_equal) - - Purpose: - - Allows an application to compare two internal-form names to determine - whether they refer to the same entity. - - If either name presented to gss_compare_name denotes an anonymous - principal, the routines should indicate that the two names do not - refer to the same identity. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - name1 gss_name_t, read - internal-form name - - name2 gss_name_t, read - internal-form name - - - - - - -Wray Standards Track [Page 41] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - name_equal boolean, modify - non-zero - names refer to same entity - zero - names refer to different entities - (strictly, the names are not known - to refer to the same identity). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The two names were of incomparable types. - - GSS_S_BAD_NAME One or both of name1 or name2 was ill-formed. - -5.7. gss_context_time - - OM_uint32 gss_context_time ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - OM_uint32 *time_rec) - - Purpose: - - Determines the number of seconds for which the specified context will - remain valid. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context to be interrogated. - - time_rec Integer, modify - Number of seconds that the context will remain - valid. If the context has already expired, - zero will be returned. 
- - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify - a valid context - - - - -Wray Standards Track [Page 42] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.8. gss_create_empty_oid_set - - OM_uint32 gss_create_empty_oid_set ( - OM_uint32 *minor_status, - gss_OID_set *oid_set) - - Purpose: - - Create an object-identifier set containing no object identifiers, to - which members may be subsequently added using the - gss_add_oid_set_member() routine. These routines are intended to be - used to construct sets of mechanism object identifiers, for input to - gss_acquire_cred. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - oid_set Set of Object IDs, modify - The empty object identifier set. - The routine will allocate the - gss_OID_set_desc object, which the - application must free after use with - a call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.9. gss_delete_sec_context - - OM_uint32 gss_delete_sec_context ( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_buffer_t output_token) - - Purpose: - - Delete a security context. gss_delete_sec_context will delete the - local data structures associated with the specified security context, - and may generate an output_token, which when passed to the peer - gss_process_context_token will instruct it to do likewise. If no - token is required by the mechanism, the GSS-API should set the length - field of the output_token (if provided) to zero. No further security - services may be obtained using the context specified by - context_handle. 
- - - - -Wray Standards Track [Page 43] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - In addition to deleting established security contexts, - gss_delete_sec_context must also be able to delete "half-built" - security contexts resulting from an incomplete sequence of - gss_init_sec_context()/gss_accept_sec_context() calls. - - The output_token parameter is retained for compatibility with version - 1 of the GSS-API. It is recommended that both peer applications - invoke gss_delete_sec_context passing the value GSS_C_NO_BUFFER for - the output_token parameter, indicating that no token is required, and - that gss_delete_sec_context should simply delete local context data - structures. If the application does pass a valid buffer to - gss_delete_sec_context, mechanisms are encouraged to return a zero- - length token, indicating that no peer action is necessary, and that - no token should be transferred by the application. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, modify - context handle identifying context to delete. - After deleting the context, the GSS-API will set - this context handle to GSS_C_NO_CONTEXT. - - output_token buffer, opaque, modify, optional - token to be sent to remote application to - instruct it to also delete the context. It - is recommended that applications specify - GSS_C_NO_BUFFER for this parameter, requesting - local deletion only. If a buffer parameter is - provided by the application, the mechanism may - return a token in it; mechanisms that implement - only local deletion should set the length field of - this token to zero to indicate to the application - that no token is to be sent to the peer. 
- - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT No valid context was supplied - - - - - - - - - -Wray Standards Track [Page 44] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.10.gss_display_name - - OM_uint32 gss_display_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID *output_name_type) - - Purpose: - - Allows an application to obtain a textual representation of an opaque - internal-form name for display purposes. The syntax of a printable - name is defined by the GSS-API implementation. - - If input_name denotes an anonymous principal, the implementation - should return the gss_OID value GSS_C_NT_ANONYMOUS as the - output_name_type, and a textual name that is syntactically distinct - from all valid supported printable names in output_name_buffer. - - If input_name was created by a call to gss_import_name, specifying - GSS_C_NO_OID as the name-type, implementations that employ lazy - conversion between name types may return GSS_C_NO_OID via the - output_name_type parameter. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - input_name gss_name_t, read - name to be displayed - - output_name_buffer buffer, character-string, modify - buffer to receive textual name string. - The application must free storage associated - with this name after use with a call to - gss_release_buffer(). - - output_name_type Object ID, modify, optional - The type of the returned name. The returned - gss_OID will be a pointer into static storage, - and should be treated as read-only by the caller - (in particular, the application should not attempt - to free it). Specify NULL if not required. 
-
-
-
-
-
-
-Wray Standards Track [Page 45]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
- GSS_S_BAD_NAME input_name was ill-formed
-
-5.11.gss_display_status
-
- OM_uint32 gss_display_status (
- OM_uint32 *minor_status,
- OM_uint32 status_value,
- int status_type,
- const gss_OID mech_type,
- OM_uint32 *message_context,
- gss_buffer_t status_string)
-
- Purpose:
-
- Allows an application to obtain a textual representation of a GSS-API
- status code, for display to the user or for logging purposes. Since
- some status values may indicate multiple conditions, applications may
- need to call gss_display_status multiple times, each call generating
- a single text string. The message_context parameter is used by
- gss_display_status to store state information about which error
- messages have already been extracted from a given status_value;
- message_context must be initialized to 0 by the application prior to
- the first call, and gss_display_status will return a non-zero value
- in this parameter if there are further messages to extract.
-
- The message_context parameter contains all state information required
- by gss_display_status in order to extract further messages from the
- status_value; even when a non-zero value is returned in this
- parameter, the application is not required to call gss_display_status
- again unless subsequent messages are desired. The following code
- extracts all messages from a given status code and prints them to
- stderr:
-
- OM_uint32 message_context;
- OM_uint32 status_code;
- OM_uint32 maj_status;
- OM_uint32 min_status;
- gss_buffer_desc status_string;
-
- ...
- - message_context = 0; - - do { - - - -Wray Standards Track [Page 46] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - maj_status = gss_display_status ( - &min_status, - status_code, - GSS_C_GSS_CODE, - GSS_C_NO_OID, - &message_context, - &status_string) - - fprintf(stderr, - "%.*s\n", - (int)status_string.length, - - (char *)status_string.value); - - gss_release_buffer(&min_status, &status_string); - - } while (message_context != 0); - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - status_value Integer, read - Status value to be converted - - status_type Integer, read - GSS_C_GSS_CODE - status_value is a GSS status - code - - GSS_C_MECH_CODE - status_value is a mechanism - status code - - mech_type Object ID, read, optional - Underlying mechanism (used to interpret a - minor status value) Supply GSS_C_NO_OID to - obtain the system default. - - message_context Integer, read/modify - Should be initialized to zero by the - application prior to the first call. - On return from gss_display_status(), - a non-zero status_value parameter indicates - that additional messages may be extracted - from the status code via subsequent calls - - - - - -Wray Standards Track [Page 47] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - to gss_display_status(), passing the same - status_value, status_type, mech_type, and - message_context parameters. - - status_string buffer, character string, modify - textual interpretation of the status_value. - Storage associated with this parameter must - be freed by the application after use with - a call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_MECH Indicates that translation in accordance with - an unsupported mechanism type was requested - - GSS_S_BAD_STATUS The status value was not recognized, or the - status type was neither GSS_C_GSS_CODE nor - GSS_C_MECH_CODE. - -5.12. 
gss_duplicate_name - - OM_uint32 gss_duplicate_name ( - OM_uint32 *minor_status, - const gss_name_t src_name, - gss_name_t *dest_name) - - Purpose: - - Create an exact duplicate of the existing internal name src_name. - The new dest_name will be independent of src_name (i.e. src_name and - dest_name must both be released, and the release of one shall not - affect the validity of the other). - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - src_name gss_name_t, read - internal name to be duplicated. - - dest_name gss_name_t, modify - The resultant copy of . - Storage associated with this name must - be freed by the application after use - with a call to gss_release_name(). - - - -Wray Standards Track [Page 48] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The src_name parameter was ill-formed. - -5.13. gss_export_name - - OM_uint32 gss_export_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - gss_buffer_t exported_name) - - Purpose: - - To produce a canonical contiguous string representation of a - mechanism name (MN), suitable for direct comparison (e.g. with - memcmp) for use in authorization functions (e.g. matching entries in - an access-control list). The parameter must specify a - valid MN (i.e. an internal name generated by gss_accept_sec_context - or by gss_canonicalize_name). - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name gss_name_t, read - The MN to be exported - - exported_name gss_buffer_t, octet-string, modify - The canonical contiguous string form of - . Storage associated with - this string must freed by the application - after use with gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NAME_NOT_MN The provided internal name was not a mechanism - name. 
-
- GSS_S_BAD_NAME The provided internal name was ill-formed.
-
- GSS_S_BAD_NAMETYPE The internal name was of a type not supported
- by the GSS-API implementation.
-
-
-
-
-Wray Standards Track [Page 49]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
-5.14. gss_export_sec_context
-
- OM_uint32 gss_export_sec_context (
- OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_buffer_t interprocess_token)
-
- Purpose:
-
- Provided to support the sharing of work between multiple processes.
- This routine will typically be used by the context-acceptor, in an
- application where a single process receives incoming connection
- requests and accepts security contexts over them, then passes the
- established context to one or more other processes for message
- exchange. gss_export_sec_context() deactivates the security context
- for the calling process and creates an interprocess token which, when
- passed to gss_import_sec_context in another process, will re-activate
- the context in the second process. Only a single instantiation of a
- given context may be active at any one time; a subsequent attempt by
- a context exporter to access the exported security context will fail.
-
- The implementation may constrain the set of processes by which the
- interprocess token may be imported, either as a function of local
- security policy, or as a result of implementation decisions. For
- example, some implementations may constrain contexts to be passed
- only between processes that run under the same account, or which are
- part of the same process group.
-
- The interprocess token may contain security-sensitive information
- (for example cryptographic keys). While mechanisms are encouraged to
- either avoid placing such sensitive information within interprocess
- tokens, or to encrypt the token before returning it to the
- application, in a typical object-library GSS-API implementation this
- may not be possible.
Thus the application must take care to protect - the interprocess token, and ensure that any process to which the - token is transferred is trustworthy. - - If creation of the interprocess token is successful, the - implementation shall deallocate all process-wide resources associated - with the security context, and set the context_handle to - GSS_C_NO_CONTEXT. In the event of an error that makes it impossible - to complete the export of the security context, the implementation - must not return an interprocess token, and should strive to leave the - security context referenced by the context_handle parameter - untouched. If this is impossible, it is permissible for the - implementation to delete the security context, providing it also sets - the context_handle parameter to GSS_C_NO_CONTEXT. - - - - -Wray Standards Track [Page 50] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - context_handle gss_ctx_id_t, modify - context handle identifying the context to - transfer. - - interprocess_token buffer, opaque, modify - token to be transferred to target process. - Storage associated with this token must be - freed by the application after use with a - call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has expired - - GSS_S_NO_CONTEXT The context was invalid - - GSS_S_UNAVAILABLE The operation is not supported. - -5.15. gss_get_mic - - OM_uint32 gss_get_mic ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t msg_token) - - Purpose: - - Generates a cryptographic MIC for the supplied message, and places - the MIC in a token for transfer to the peer application. The qop_req - parameter allows a choice between several cryptographic algorithms, - if supported by the chosen mechanism. 
-
- Since some application-level protocols may wish to use tokens emitted
- by gss_wrap() to provide "secure framing", implementations must
- support derivation of MICs from zero-length messages.
-
-
-
-
-
-
-
-Wray Standards Track [Page 51]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Parameters:
-
- minor_status Integer, modify
- Implementation specific status code.
-
- context_handle gss_ctx_id_t, read
- identifies the context on which the message
- will be sent
-
- qop_req gss_qop_t, read, optional
- Specifies requested quality of protection.
- Callers are encouraged, on portability grounds,
- to accept the default quality of protection
- offered by the chosen mechanism, which may be
- requested by specifying GSS_C_QOP_DEFAULT for
- this parameter. If an unsupported protection
- strength is requested, gss_get_mic will return a
- major_status of GSS_S_BAD_QOP.
-
- message_buffer buffer, opaque, read
- message to be protected
-
- msg_token buffer, opaque, modify
- buffer to receive token. The application must
- free storage associated with this buffer after
- use with a call to gss_release_buffer().
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
- GSS_S_CONTEXT_EXPIRED The context has already expired
-
- GSS_S_NO_CONTEXT The context_handle parameter did not identify
- a valid context
-
- GSS_S_BAD_QOP The specified QOP is not supported by the
- mechanism.
-
-5.16. gss_import_name
-
- OM_uint32 gss_import_name (
- OM_uint32 *minor_status,
- const gss_buffer_t input_name_buffer,
- const gss_OID input_name_type,
- gss_name_t *output_name)
-
-
-
-
-
-Wray Standards Track [Page 52]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Purpose:
-
- Convert a contiguous string name to internal form.
In general, the - internal name returned (via the parameter) will not be - an MN; the exception to this is if the indicates - that the contiguous string provided via the - parameter is of type GSS_C_NT_EXPORT_NAME, in which case the returned - internal name will be an MN for the mechanism that exported the name. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - input_name_buffer buffer, octet-string, read - buffer containing contiguous string name to convert - - input_name_type Object ID, read, optional - Object ID specifying type of printable - name. Applications may specify either - GSS_C_NO_OID to use a mechanism-specific - default printable syntax, or an OID recognized - by the GSS-API implementation to name a - specific namespace. - - output_name gss_name_t, modify - returned name in internal form. Storage - associated with this name must be freed - by the application after use with a call - to gss_release_name(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAMETYPE The input_name_type was unrecognized - - GSS_S_BAD_NAME The input_name parameter could not be interpreted - as a name of the specified type - - GSS_S_BAD_MECH The input name-type was GSS_C_NT_EXPORT_NAME, - but the mechanism contained within the - input-name is not supported - - - - - - - - -Wray Standards Track [Page 53] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.17. gss_import_sec_context - - OM_uint32 gss_import_sec_context ( - OM_uint32 *minor_status, - const gss_buffer_t interprocess_token, - gss_ctx_id_t *context_handle) - - Purpose: - - Allows a process to import a security context established by another - process. A given interprocess token may be imported only once. See - gss_export_sec_context. 
-
- Parameters:
-
- minor_status Integer, modify
- Mechanism specific status code
-
- interprocess_token buffer, opaque, modify
- token received from exporting process
-
- context_handle gss_ctx_id_t, modify
- context handle of newly reactivated context.
- Resources associated with this context handle
- must be released by the application after use
- with a call to gss_delete_sec_context().
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion.
-
- GSS_S_NO_CONTEXT The token did not contain a valid context
- reference.
-
- GSS_S_DEFECTIVE_TOKEN The token was invalid.
-
- GSS_S_UNAVAILABLE The operation is unavailable.
-
- GSS_S_UNAUTHORIZED Local policy prevents the import of this context
- by the current process.
-
-5.18. gss_indicate_mechs
-
- OM_uint32 gss_indicate_mechs (
- OM_uint32 *minor_status,
- gss_OID_set *mech_set)
-
-
-
-
-
-Wray Standards Track [Page 54]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Purpose:
-
- Allows an application to determine which underlying security
- mechanisms are available.
-
- Parameters:
-
- minor_status Integer, modify
- Mechanism specific status code.
-
- mech_set set of Object IDs, modify
- set of implementation-supported mechanisms.
- The returned gss_OID_set value will be a
- dynamically-allocated OID set, that should
- be released by the caller after use with a
- call to gss_release_oid_set().
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
-5.19.
gss_init_sec_context - - OM_uint32 gss_init_sec_context ( - OM_uint32 *minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t *context_handle,\ - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec ) - - Purpose: - - Initiates the establishment of a security context between the - application and a remote peer. Initially, the input_token parameter - should be specified either as GSS_C_NO_BUFFER, or as a pointer to a - gss_buffer_desc object whose length field contains the value zero. - The routine may return a output_token which should be transferred to - the peer application, where the peer application will present it to - gss_accept_sec_context. If no token need be sent, - gss_init_sec_context will indicate this by setting the length field - - - -Wray Standards Track [Page 55] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - of the output_token argument to zero. To complete the context - establishment, one or more reply tokens may be required from the peer - application; if so, gss_init_sec_context will return a status - containing the supplementary information bit GSS_S_CONTINUE_NEEDED. - In this case, gss_init_sec_context should be called again when the - reply token is received from the peer application, passing the reply - token to gss_init_sec_context via the input_token parameters. - - Portable applications should be constructed to use the token length - and return status to determine whether a token needs to be sent or - waited for. Thus a typical portable caller should always invoke - gss_init_sec_context within a loop: - - int context_established = 0; - gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; - ... 
- input_token->length = 0;
-
- while (!context_established) {
- maj_stat = gss_init_sec_context(&min_stat,
- cred_hdl,
- &context_hdl,
- target_name,
- desired_mech,
- desired_services,
- desired_time,
- input_bindings,
- input_token,
- &actual_mech,
- output_token,
- &actual_services,
- &actual_time);
- if (GSS_ERROR(maj_stat)) {
- report_error(maj_stat, min_stat);
- };
-
- if (output_token->length != 0) {
- send_token_to_peer(output_token);
- gss_release_buffer(&min_stat, output_token)
- };
- if (GSS_ERROR(maj_stat)) {
-
- if (context_hdl != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&min_stat,
- &context_hdl,
- GSS_C_NO_BUFFER);
- break;
- };
-
-
-
-Wray Standards Track [Page 56]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- if (maj_stat & GSS_S_CONTINUE_NEEDED) {
- receive_token_from_peer(input_token);
- } else {
- context_established = 1;
- };
- };
-
- Whenever the routine returns a major status that includes the value
- GSS_S_CONTINUE_NEEDED, the context is not fully established and the
- following restrictions apply to the output parameters:
-
- The value returned via the time_rec parameter is undefined Unless
- the accompanying ret_flags parameter contains the bit
- GSS_C_PROT_READY_FLAG, indicating that per-message services may be
- applied in advance of a successful completion status, the value
- returned via the actual_mech_type parameter is undefined until the
- routine returns a major status value of GSS_S_COMPLETE.
-
- The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
- GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
- GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
- ret_flags parameter should contain the values that the
- implementation expects would be valid if context establishment
- were to succeed.
In particular, if the application has requested - a service such as delegation or anonymous authentication via the - req_flags argument, and such a service is unavailable from the - underlying mechanism, gss_init_sec_context should generate a token - that will not provide the service, and indicate via the ret_flags - argument that the service will not be supported. The application - may choose to abort the context establishment by calling - gss_delete_sec_context (if it cannot continue in the absence of - the service), or it may choose to transmit the token and continue - context establishment (if the service was merely desired but not - mandatory). - - The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits - within ret_flags should indicate the actual state at the time - gss_init_sec_context returns, whether or not the context is fully - established. - - GSS-API implementations that support per-message protection are - encouraged to set the GSS_C_PROT_READY_FLAG in the final ret_flags - returned to a caller (i.e. when accompanied by a GSS_S_COMPLETE - status code). However, applications should not rely on this - behavior as the flag was not defined in Version 1 of the GSS-API. - Instead, applications should determine what per-message services - are available after a successful context establishment according - to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values. - - - -Wray Standards Track [Page 57] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - All other bits within the ret_flags argument should be set to - zero. - - If the initial call of gss_init_sec_context() fails, the - implementation should not create a context object, and should leave - the value of the context_handle parameter set to GSS_C_NO_CONTEXT to - indicate this. 
In the event of a failure on a subsequent call, the - implementation is permitted to delete the "half-built" security - context (in which case it should set the context_handle parameter to - GSS_C_NO_CONTEXT), but the preferred behavior is to leave the - security context untouched for the application to delete (using - gss_delete_sec_context). - - During context establishment, the informational status bits - GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and - GSS-API mechanisms should always return them in association with a - routine error of GSS_S_FAILURE. This requirement for pairing did not - exist in version 1 of the GSS-API specification, so applications that - wish to run over version 1 implementations must special-case these - codes. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - initiator_cred_handle gss_cred_id_t, read, optional - handle for credentials claimed. Supply - GSS_C_NO_CREDENTIAL to act as a default - initiator principal. If no default - initiator is defined, the function will - return GSS_S_NO_CRED. - - context_handle gss_ctx_id_t, read/modify - context handle for new context. Supply - GSS_C_NO_CONTEXT for first call; use value - returned by first call in continuation calls. - Resources associated with this context-handle - must be released by the application after use - with a call to gss_delete_sec_context(). - - target_name gss_name_t, read - Name of target - - mech_type OID, read, optional - Object ID of desired mechanism. Supply - GSS_C_NO_OID to obtain an implementation - specific default - - - -Wray Standards Track [Page 58] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - req_flags bit-mask, read - Contains various independent flags, each of - which requests that the context support a - specific service option. 
Symbolic - names are provided for each flag, and the - symbolic names corresponding to the required - flags should be logically-ORed - together to form the bit-mask value. The - flags are: - - GSS_C_DELEG_FLAG - True - Delegate credentials to remote peer - False - Don't delegate - - GSS_C_MUTUAL_FLAG - True - Request that remote peer - authenticate itself - False - Authenticate self to remote peer - only - - GSS_C_REPLAY_FLAG - True - Enable replay detection for - messages protected with gss_wrap - or gss_get_mic - False - Don't attempt to detect - replayed messages - - GSS_C_SEQUENCE_FLAG - True - Enable detection of out-of-sequence - protected messages - False - Don't attempt to detect - out-of-sequence messages - - GSS_C_CONF_FLAG - True - Request that confidentiality service - be made available (via gss_wrap) - False - No per-message confidentiality service - is required. - - GSS_C_INTEG_FLAG - True - Request that integrity service be - made available (via gss_wrap or - gss_get_mic) - False - No per-message integrity service - is required. - - - - - - -Wray Standards Track [Page 59] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_C_ANON_FLAG - True - Do not reveal the initiator's - identity to the acceptor. - False - Authenticate normally. - - time_req Integer, read, optional - Desired number of seconds for which context - should remain valid. Supply 0 to request a - default validity period. - - input_chan_bindings channel bindings, read, optional - Application-specified bindings. Allows - application to securely bind channel - identification information to the security - context. Specify GSS_C_NO_CHANNEL_BINDINGS - if channel bindings are not used. - - input_token buffer, opaque, read, optional (see text) - Token received from peer application. - Supply GSS_C_NO_BUFFER, or a pointer to - a buffer containing the value GSS_C_EMPTY_BUFFER - on initial call. - - actual_mech_type OID, modify, optional - Actual mechanism used. 
The OID returned via - this parameter will be a pointer to static - storage that should be treated as read-only; - In particular the application should not attempt - to free it. Specify NULL if not required. - - output_token buffer, opaque, modify - token to be sent to peer application. If - the length field of the returned buffer is - zero, no token need be sent to the peer - application. Storage associated with this - buffer must be freed by the application - after use with a call to gss_release_buffer(). - - ret_flags bit-mask, modify, optional - Contains various independent flags, each of which - indicates that the context supports a specific - service option. Specify NULL if not - required. Symbolic names are provided - for each flag, and the symbolic names - corresponding to the required flags should be - logically-ANDed with the ret_flags value to test - whether a given option is supported by the - context. The flags are: - - - -Wray Standards Track [Page 60] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_C_DELEG_FLAG - True - Credentials were delegated to - the remote peer - False - No credentials were delegated - - GSS_C_MUTUAL_FLAG - True - The remote peer has authenticated - itself. - False - Remote peer has not authenticated - itself. - - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will - not be detected - - GSS_C_CONF_FLAG - True - Confidentiality service may be - invoked by calling gss_wrap routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or gss_wrap - routines. - False - Per-message integrity service - unavailable. 
- - GSS_C_ANON_FLAG - True - The initiator's identity has not been - revealed, and will not be revealed if - any emitted token is passed to the - acceptor. - False - The initiator's identity has been or - will be authenticated normally. - - GSS_C_PROT_READY_FLAG - - - -Wray Standards Track [Page 61] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available for - use if the accompanying major status - return value is either GSS_S_COMPLETE or - GSS_S_CONTINUE_NEEDED. - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the accompanying major status - return value is GSS_S_COMPLETE. - - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferable. - - All other bits should be set to zero. - - time_rec Integer, modify, optional - number of seconds for which the context - will remain valid. If the implementation does - not support context expiration, the value - GSS_C_INDEFINITE will be returned. Specify - NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTINUE_NEEDED Indicates that a token from the peer - application is required to complete the - context, and that gss_init_sec_context - must be called again with that token. - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed - on the input_token failed - - GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks - performed on the credential failed. - - GSS_S_NO_CRED The supplied credentials were not valid for - context initiation, or the credential handle - did not reference any credentials. 
-
- GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
-
-
-
-Wray Standards Track [Page 62]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- GSS_S_BAD_BINDINGS The input_token contains different channel
- bindings to those specified via the
- input_chan_bindings parameter
-
- GSS_S_BAD_SIG The input_token contains an invalid MIC, or a MIC
- that could not be verified
-
- GSS_S_OLD_TOKEN The input_token was too old. This is a fatal
- error during context establishment
-
- GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate
- of a token already processed. This is a
- fatal error during context establishment.
-
- GSS_S_NO_CONTEXT Indicates that the supplied context handle did
- not refer to a valid context
-
- GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
- invalid or unsupported type of name
-
- GSS_S_BAD_NAME The provided target_name parameter was ill-formed.
-
- GSS_S_BAD_MECH The specified mechanism is not supported by the
- provided credential, or is unrecognized by the
- implementation.
-
-5.20. gss_inquire_context
-
- OM_uint32 gss_inquire_context (
- OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- gss_name_t *src_name,
- gss_name_t *targ_name,
- OM_uint32 *lifetime_rec,
- gss_OID *mech_type,
- OM_uint32 *ctx_flags,
- int *locally_initiated,
- int *open )
-
- Purpose:
-
- Obtains information about a security context. The caller must
- already have obtained a handle that refers to the context, although
- the context need not be fully established.
-
-
-
-
-
-
-
-Wray Standards Track [Page 63]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- Parameters:
-
- minor_status Integer, modify
- Mechanism specific status code
-
- context_handle gss_ctx_id_t, read
- A handle that refers to the security context.
-
- src_name gss_name_t, modify, optional
- The name of the context initiator.
- If the context was established using anonymous
- authentication, and if the application invoking
- gss_inquire_context is the context acceptor,
- an anonymous name will be returned. Storage
- associated with this name must be freed by the
- application after use with a call to
- gss_release_name(). Specify NULL if not
- required.
-
- targ_name gss_name_t, modify, optional
- The name of the context acceptor.
- Storage associated with this name must be
- freed by the application after use with a call
- to gss_release_name(). If the context acceptor
- did not authenticate itself, and if the initiator
- did not specify a target name in its call to
- gss_init_sec_context(), the value GSS_C_NO_NAME
- will be returned. Specify NULL if not required.
-
- lifetime_rec Integer, modify, optional
- The number of seconds for which the context
- will remain valid. If the context has
- expired, this parameter will be set to zero.
- If the implementation does not support
- context expiration, the value
- GSS_C_INDEFINITE will be returned. Specify
- NULL if not required.
-
- mech_type gss_OID, modify, optional
- The security mechanism providing the
- context. The returned OID will be a
- pointer to static storage that should
- be treated as read-only by the application;
- in particular the application should not
- attempt to free it. Specify NULL if not
- required.
-
-
-
-
-
-Wray Standards Track [Page 64]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- ctx_flags bit-mask, modify, optional
- Contains various independent flags, each of
- which indicates that the context supports
- (or is expected to support, if ctx_open is
- false) a specific service option. If not
- needed, specify NULL. Symbolic names are
- provided for each flag, and the symbolic names
- corresponding to the required flags
- should be logically-ANDed with the ret_flags
- value to test whether a given option is
- supported by the context.
The flags are: - - GSS_C_DELEG_FLAG - True - Credentials were delegated from - the initiator to the acceptor. - False - No credentials were delegated - - GSS_C_MUTUAL_FLAG - True - The acceptor was authenticated - to the initiator - False - The acceptor did not authenticate - itself. - - GSS_C_REPLAY_FLAG - True - replay of protected messages - will be detected - False - replayed messages will not be - detected - - GSS_C_SEQUENCE_FLAG - True - out-of-sequence protected - messages will be detected - False - out-of-sequence messages will not - be detected - - GSS_C_CONF_FLAG - True - Confidentiality service may be invoked - by calling gss_wrap routine - False - No confidentiality service (via - gss_wrap) available. gss_wrap will - provide message encapsulation, - data-origin authentication and - integrity services only. - - GSS_C_INTEG_FLAG - True - Integrity service may be invoked by - calling either gss_get_mic or gss_wrap - routines. - - - -Wray Standards Track [Page 65] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - False - Per-message integrity service - unavailable. - - GSS_C_ANON_FLAG - True - The initiator's identity will not - be revealed to the acceptor. - The src_name parameter (if - requested) contains an anonymous - internal name. - False - The initiator has been - authenticated normally. - - GSS_C_PROT_READY_FLAG - True - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - for use. - False - Protection services (as specified - by the states of the GSS_C_CONF_FLAG - and GSS_C_INTEG_FLAG) are available - only if the context is fully - established (i.e. if the open parameter - is non-zero). - - GSS_C_TRANS_FLAG - True - The resultant security context may - be transferred to other processes via - a call to gss_export_sec_context(). - False - The security context is not - transferable. - - locally_initiated Boolean, modify - Non-zero if the invoking application is the - context initiator. 
- Specify NULL if not required.
-
- open Boolean, modify
- Non-zero if the context is fully established;
- Zero if a context-establishment token
- is expected from the peer application.
- Specify NULL if not required.
-
- Function value: GSS status code
-
- GSS_S_COMPLETE Successful completion
-
- GSS_S_NO_CONTEXT The referenced context could not be accessed.
-
-
-
-
-Wray Standards Track [Page 66]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
-5.21. gss_inquire_cred
-
- OM_uint32 gss_inquire_cred (
- OM_uint32 *minor_status,
- const gss_cred_id_t cred_handle,
- gss_name_t *name,
- OM_uint32 *lifetime,
- gss_cred_usage_t *cred_usage,
- gss_OID_set *mechanisms )
-
- Purpose:
-
- Obtains information about a credential.
-
- Parameters:
-
- minor_status Integer, modify
- Mechanism specific status code
-
- cred_handle gss_cred_id_t, read
- A handle that refers to the target credential.
- Specify GSS_C_NO_CREDENTIAL to inquire about
- the default initiator principal.
-
- name gss_name_t, modify, optional
- The name whose identity the credential asserts.
- Storage associated with this name should be freed
- by the application after use with a call to
- gss_release_name(). Specify NULL if not required.
-
- lifetime Integer, modify, optional
- The number of seconds for which the credential
- will remain valid. If the credential has
- expired, this parameter will be set to zero.
- If the implementation does not support
- credential expiration, the value
- GSS_C_INDEFINITE will be returned. Specify
- NULL if not required.
-
- cred_usage gss_cred_usage_t, modify, optional
- How the credential may be used. One of the
- following:
- GSS_C_INITIATE
- GSS_C_ACCEPT
- GSS_C_BOTH
- Specify NULL if not required.
-
-
-
-
-
-Wray Standards Track [Page 67]
-
-RFC 2744 GSS-API V2: C-bindings January 2000
-
-
- mechanisms gss_OID_set, modify, optional
- Set of mechanisms supported by the credential.
- Storage associated with this OID set must be - freed by the application after use with a call - to gss_release_oid_set(). Specify NULL if not - required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid. - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. - If the lifetime parameter was not passed as NULL, - it will be set to 0. - -5.22. gss_inquire_cred_by_mech - - OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 *minor_status, - const gss_cred_id_t cred_handle, - const gss_OID mech_type, - gss_name_t *name, - OM_uint32 *initiator_lifetime, - OM_uint32 *acceptor_lifetime, - gss_cred_usage_t *cred_usage ) - - Purpose: - - Obtains per-mechanism information about a credential. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - cred_handle gss_cred_id_t, read - A handle that refers to the target credential. - Specify GSS_C_NO_CREDENTIAL to inquire about - the default initiator principal. - - mech_type gss_OID, read - The mechanism for which information should be - returned. - - - - -Wray Standards Track [Page 68] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - name gss_name_t, modify, optional - The name whose identity the credential asserts. - Storage associated with this name must be - freed by the application after use with a call - to gss_release_name(). Specify NULL if not - required. - - initiator_lifetime Integer, modify, optional - The number of seconds for which the credential - will remain capable of initiating security contexts - under the specified mechanism. If the credential - can no longer be used to initiate contexts, or if - the credential usage for this mechanism is - GSS_C_ACCEPT, this parameter will be set to zero. 
- If the implementation does not support expiration - of initiator credentials, the value - GSS_C_INDEFINITE will be returned. Specify NULL - if not required. - - acceptor_lifetime Integer, modify, optional - The number of seconds for which the credential - will remain capable of accepting security contexts - under the specified mechanism. If the credential - can no longer be used to accept contexts, or if - the credential usage for this mechanism is - GSS_C_INITIATE, this parameter will be set to zero. - - If the implementation does not support expiration - of acceptor credentials, the value GSS_C_INDEFINITE - will be returned. Specify NULL if not required. - - cred_usage gss_cred_usage_t, modify, optional - How the credential may be used with the specified - mechanism. One of the following: - GSS_C_INITIATE - GSS_C_ACCEPT - GSS_C_BOTH - Specify NULL if not required. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED The referenced credentials could not be accessed. - - GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid. - - - - - -Wray Standards Track [Page 69] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired. - If the lifetime parameter was not passed as NULL, - it will be set to 0. - -5.23. gss_inquire_mechs_for_name - - OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 *minor_status, - const gss_name_t input_name, - gss_OID_set *mech_types ) - - Purpose: - - Returns the set of mechanisms supported by the GSS-API implementation - that may be able to process the specified name. - - Each mechanism returned will recognize at least one element within - the name. It is permissible for this routine to be implemented - within a mechanism-independent GSS-API layer, using the type - information contained within the presented name, and based on - registration information provided by individual mechanism - implementations. 
This means that the returned mech_types set may - indicate that a particular mechanism will understand the name when in - fact it would refuse to accept the name as input to - gss_canonicalize_name, gss_init_sec_context, gss_acquire_cred or - gss_add_cred (due to some property of the specific name, as opposed - to the name type). Thus this routine should be used only as a pre- - filter for a call to a subsequent mechanism-specific routine. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - input_name gss_name_t, read - The name to which the inquiry relates. - - mech_types gss_OID_set, modify - Set of mechanisms that may support the - specified name. The returned OID set - must be freed by the caller after use - with a call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The input_name parameter was ill-formed. - - - -Wray Standards Track [Page 70] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_BAD_NAMETYPE The input_name parameter contained an invalid or - unsupported type of name - -5.24. gss_inquire_names_for_mech - - OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 *minor_status, - const gss_OID mechanism, - gss_OID_set *name_types) - - Purpose: - - Returns the set of nametypes supported by the specified mechanism. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - mechanism gss_OID, read - The mechanism to be interrogated. - - name_types gss_OID_set, modify - Set of name-types supported by the specified - mechanism. The returned OID set must be - freed by the application after use with a - call to gss_release_oid_set(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.25. 
gss_process_context_token - - OM_uint32 gss_process_context_token ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t token_buffer) - - Purpose: - - Provides a way to pass an asynchronous token to the security service. - Most context-level tokens are emitted and processed synchronously by - gss_init_sec_context and gss_accept_sec_context, and the application - is informed as to whether further tokens are expected by the - GSS_C_CONTINUE_NEEDED major status bit. Occasionally, a mechanism - may need to emit a context-level token at a point when the peer - entity is not expecting a token. For example, the initiator's final - - - -Wray Standards Track [Page 71] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - call to gss_init_sec_context may emit a token and return a status of - GSS_S_COMPLETE, but the acceptor's call to gss_accept_sec_context may - fail. The acceptor's mechanism may wish to send a token containing - an error indication to the initiator, but the initiator is not - expecting a token at this point, believing that the context is fully - established. Gss_process_context_token provides a way to pass such a - token to the mechanism at any time. - - Parameters: - - minor_status Integer, modify - Implementation specific status code. - - context_handle gss_ctx_id_t, read - context handle of context on which token is to - be processed - - token_buffer buffer, opaque, read - token to process - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed - on the token failed - - GSS_S_NO_CONTEXT The context_handle did not refer to a valid context - -5.26. gss_release_buffer - - OM_uint32 gss_release_buffer ( - OM_uint32 *minor_status, - gss_buffer_t buffer) - - Purpose: - - Free storage associated with a buffer. The storage must have been - allocated by a GSS-API routine. 
In addition to freeing the - associated storage, the routine will zero the length field in the - descriptor to which the buffer parameter refers, and implementations - are encouraged to additionally set the pointer field in the - descriptor to NULL. Any buffer object returned by a GSS-API routine - may be passed to gss_release_buffer (even if there is no storage - associated with the buffer). - - - - - - -Wray Standards Track [Page 72] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - buffer buffer, modify - The storage associated with the buffer will be - deleted. The gss_buffer_desc object will not - be freed, but its length field will be zeroed. - - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.27. gss_release_cred - - OM_uint32 gss_release_cred ( - OM_uint32 *minor_status, - gss_cred_id_t *cred_handle) - - Purpose: - - Informs GSS-API that the specified credential handle is no longer - required by the application, and frees associated resources. - Implementations are encouraged to set the cred_handle to - GSS_C_NO_CREDENTIAL on successful completion of this call. - - Parameters: - - cred_handle gss_cred_id_t, modify, optional - Opaque handle identifying credential - to be released. If GSS_C_NO_CREDENTIAL - is supplied, the routine will complete - successfully, but will do nothing. - - minor_status Integer, modify - Mechanism specific status code. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CRED Credentials could not be accessed. - - - - - - - -Wray Standards Track [Page 73] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.28. gss_release_name - - OM_uint32 gss_release_name ( - OM_uint32 *minor_status, - gss_name_t *name) - - Purpose: - - Free GSSAPI-allocated storage associated with an internal-form name. 
- Implementations are encouraged to set the name to GSS_C_NO_NAME on - successful completion of this call. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - name gss_name_t, modify - The name to be deleted - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_BAD_NAME The name parameter did not contain a valid name - -5.29. gss_release_oid_set - - OM_uint32 gss_release_oid_set ( - OM_uint32 *minor_status, - gss_OID_set *set) - - Purpose: - - Free storage associated with a GSSAPI-generated gss_OID_set object. - The set parameter must refer to an OID-set that was returned from a - GSS-API routine. gss_release_oid_set() will free the storage - associated with each individual member OID, the OID set's elements - array, and the gss_OID_set_desc. - - Implementations are encouraged to set the gss_OID_set parameter to - GSS_C_NO_OID_SET on successful completion of this routine. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - - - -Wray Standards Track [Page 74] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - set Set of Object IDs, modify - The storage associated with the gss_OID_set - will be deleted. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - -5.30. gss_test_oid_set_member - - OM_uint32 gss_test_oid_set_member ( - OM_uint32 *minor_status, - const gss_OID member, - const gss_OID_set set, - int *present) - - Purpose: - - Interrogate an Object Identifier set to determine whether a specified - Object Identifier is a member. This routine is intended to be used - with OID sets returned by gss_indicate_mechs(), gss_acquire_cred(), - and gss_inquire_cred(), but will also work with user-generated sets. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - member Object ID, read - The object identifier whose presence - is to be tested. - - set Set of Object ID, read - The Object Identifier set. 
- - present Boolean, modify - non-zero if the specified OID is a member - of the set, zero if not. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - - - - - - - - -Wray Standards Track [Page 75] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.31. gss_unwrap - - OM_uint32 gss_unwrap ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - gss_qop_t *qop_state) - - Purpose: - - Converts a message previously protected by gss_wrap back to a usable - form, verifying the embedded MIC. The conf_state parameter indicates - whether the message was encrypted; the qop_state parameter indicates - the strength of protection that was used to provide the - confidentiality and integrity services. - - Since some application-level protocols may wish to use tokens emitted - by gss_wrap() to provide "secure framing", implementations must - support the wrapping and unwrapping of zero-length messages. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context on which the message - arrived - - input_message_buffer buffer, opaque, read - protected message - - output_message_buffer buffer, opaque, modify - Buffer to receive unwrapped message. - Storage associated with this buffer must - be freed by the application after use use - with a call to gss_release_buffer(). - - conf_state boolean, modify, optional - Non-zero - Confidentiality and integrity - protection were used - Zero - Integrity service only was used - Specify NULL if not required - - - - - - -Wray Standards Track [Page 76] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - qop_state gss_qop_t, modify, optional - Quality of protection provided. 
- Specify NULL if not required - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The MIC was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct - MIC for the message, but it had already been - processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct MIC - for the message, but it is too old to check for - duplication. - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; a later token has already been - received. - - GSS_S_GAP_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; an earlier expected token has not yet - been received. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify - a valid context - -5.32. gss_verify_mic - - OM_uint32 gss_verify_mic ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t *qop_state) - - - - - - - - -Wray Standards Track [Page 77] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Purpose: - - Verifies that a cryptographic MIC, contained in the token parameter, - fits the supplied message. The qop_state parameter allows a message - recipient to determine the strength of protection that was applied to - the message. - - Since some application-level protocols may wish to use tokens emitted - by gss_wrap() to provide "secure framing", implementations must - support the calculation and verification of MICs over zero-length - messages. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. 
- - context_handle gss_ctx_id_t, read - Identifies the context on which the message - arrived - - message_buffer buffer, opaque, read - Message to be verified - - token_buffer buffer, opaque, read - Token associated with message - - qop_state gss_qop_t, modify, optional - quality of protection gained from MIC - Specify NULL if not required - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_DEFECTIVE_TOKEN The token failed consistency checks - - GSS_S_BAD_SIG The MIC was incorrect - - GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct - MIC for the message, but it had already been - processed - - GSS_S_OLD_TOKEN The token was valid, and contained a correct MIC - for the message, but it is too old to check for - duplication. - - - - - -Wray Standards Track [Page 78] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; a later token has already been received. - - GSS_S_GAP_TOKEN The token was valid, and contained a correct MIC - for the message, but has been verified out of - sequence; an earlier expected token has not yet - been received. - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - -5.33. gss_wrap - - OM_uint32 gss_wrap ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req - const gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer ) - - Purpose: - - Attaches a cryptographic MIC and optionally encrypts the specified - input_message. The output_message contains both the MIC and the - message. The qop_req parameter allows a choice between several - cryptographic algorithms, if supported by the chosen mechanism. 
- - Since some application-level protocols may wish to use tokens emitted - by gss_wrap() to provide "secure framing", implementations must - support the wrapping of zero-length messages. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code. - - context_handle gss_ctx_id_t, read - Identifies the context on which the message - will be sent - - - - - - - -Wray Standards Track [Page 79] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - conf_req_flag boolean, read - Non-zero - Both confidentiality and integrity - services are requested - Zero - Only integrity service is requested - - qop_req gss_qop_t, read, optional - Specifies required quality of protection. A - mechanism-specific default may be requested by - setting qop_req to GSS_C_QOP_DEFAULT. If an - unsupported protection strength is requested, - gss_wrap will return a major_status of - GSS_S_BAD_QOP. - - input_message_buffer buffer, opaque, read - Message to be protected - - conf_state boolean, modify, optional - Non-zero - Confidentiality, data origin - authentication and integrity - services have been applied - Zero - Integrity and data origin services only - has been applied. - Specify NULL if not required - - output_message_buffer buffer, opaque, modify - Buffer to receive protected message. - Storage associated with this message must - be freed by the application after use with - a call to gss_release_buffer(). - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_CONTEXT_EXPIRED The context has already expired - - GSS_S_NO_CONTEXT The context_handle parameter did not identify a - valid context - - GSS_S_BAD_QOP The specified QOP is not supported by the - mechanism. - - - - - - - - - - -Wray Standards Track [Page 80] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -5.34. 
gss_wrap_size_limit - - OM_uint32 gss_wrap_size_limit ( - OM_uint32 *minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 *max_input_size) - - Purpose: - - Allows an application to determine the maximum message size that, if - presented to gss_wrap with the same conf_req_flag and qop_req - parameters, will result in an output token containing no more than - req_output_size bytes. - - This call is intended for use by applications that communicate over - protocols that impose a maximum message size. It enables the - application to fragment messages prior to applying protection. - - GSS-API implementations are recommended but not required to detect - invalid QOP values when gss_wrap_size_limit() is called. This routine - guarantees only a maximum message size, not the availability of - specific QOP values for message protection. - - Successful completion of this call does not guarantee that gss_wrap - will be able to protect a message of length max_input_size bytes, - since this ability may depend on the availability of system resources - at the time that gss_wrap is called. However, if the implementation - itself imposes an upper limit on the length of messages that may be - processed by gss_wrap, the implementation should not return a value - via max_input_bytes that is greater than this length. - - Parameters: - - minor_status Integer, modify - Mechanism specific status code - - context_handle gss_ctx_id_t, read - A handle that refers to the security over - which the messages will be sent. - - conf_req_flag Boolean, read - Indicates whether gss_wrap will be asked - to apply confidentiality protection in - - - - - -Wray Standards Track [Page 81] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - addition to integrity protection. See - the routine description for gss_wrap - for more details. 
- - qop_req gss_qop_t, read - Indicates the level of protection that - gss_wrap will be asked to provide. See - the routine description for gss_wrap for - more details. - - req_output_size Integer, read - The desired maximum size for tokens emitted - by gss_wrap. - - max_input_size Integer, modify - The maximum input message size that may - be presented to gss_wrap in order to - guarantee that the emitted token shall - be no larger than req_output_size bytes. - - Function value: GSS status code - - GSS_S_COMPLETE Successful completion - - GSS_S_NO_CONTEXT The referenced context could not be accessed. - - GSS_S_CONTEXT_EXPIRED The context has expired. - - GSS_S_BAD_QOP The specified QOP is not supported by the - mechanism. - -6. Security Considerations - - This document specifies a service interface for security facilities - and services; as such, security considerations appear throughout the - specification. Nonetheless, it is appropriate to summarize certain - specific points relevant to GSS-API implementors and calling - applications. Usage of the GSS-API interface does not in itself - provide security services or assurance; instead, these attributes are - dependent on the underlying mechanism(s) which support a GSS-API - implementation. Callers must be attentive to the requests made to - GSS-API calls and to the status indicators returned by GSS-API, as - these specify the security service characteristics which GSS-API will - provide. When the interprocess context transfer facility is used, - appropriate local controls should be applied to constrain access to - interprocess tokens and to the sensitive data which they contain. - - - - - -Wray Standards Track [Page 82] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - Appendix A. GSS-API C header file gssapi.h - - C-language GSS-API implementations should include a copy of the - following header-file. - - #ifndef GSSAPI_H_ - #define GSSAPI_H_ - - - - /* - * First, include stddef.h to get size_t defined. 
- */ - #include - - /* - * If the platform supports the xom.h header file, it should be - * included here. - */ - #include - - - /* - * Now define the three implementation-dependent types. - */ - typedef gss_ctx_id_t; - typedef gss_cred_id_t; - typedef gss_name_t; - - /* - * The following type must be defined as the smallest natural - * unsigned integer supported by the platform that has at least - * 32 bits of precision. - */ - typedef gss_uint32; - - - #ifdef OM_STRING - /* - * We have included the xom.h header file. Verify that OM_uint32 - * is defined correctly. - */ - - #if sizeof(gss_uint32) != sizeof(OM_uint32) - #error Incompatible definition of OM_uint32 from xom.h - #endif - - typedef OM_object_identifier gss_OID_desc, *gss_OID; - - - -Wray Standards Track [Page 83] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - #else - - /* - * We can't use X/Open definitions, so roll our own. - */ - - typedef gss_uint32 OM_uint32; - - typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; - } gss_OID_desc, *gss_OID; - - #endif - - typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; - } gss_OID_set_desc, *gss_OID_set; - - typedef struct gss_buffer_desc_struct { - size_t length; - void *value; - } gss_buffer_desc, *gss_buffer_t; - - typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - - /* - * For now, define a QOP-type as an OM_uint32 - */ - typedef OM_uint32 gss_qop_t; - - typedef int gss_cred_usage_t; - - /* - * Flag bits for context-level services. 
- */ - - - - - - - - -Wray Standards Track [Page 84] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - #define GSS_C_DELEG_FLAG 1 - #define GSS_C_MUTUAL_FLAG 2 - #define GSS_C_REPLAY_FLAG 4 - #define GSS_C_SEQUENCE_FLAG 8 - #define GSS_C_CONF_FLAG 16 - #define GSS_C_INTEG_FLAG 32 - #define GSS_C_ANON_FLAG 64 - #define GSS_C_PROT_READY_FLAG 128 - #define GSS_C_TRANS_FLAG 256 - - /* - * Credential usage options - */ - #define GSS_C_BOTH 0 - #define GSS_C_INITIATE 1 - #define GSS_C_ACCEPT 2 - - /* - * Status code types for gss_display_status - */ - #define GSS_C_GSS_CODE 1 - #define GSS_C_MECH_CODE 2 - - /* - * The constant definitions for channel-bindings address families - */ - #define GSS_C_AF_UNSPEC 0 - #define GSS_C_AF_LOCAL 1 - #define GSS_C_AF_INET 2 - #define GSS_C_AF_IMPLINK 3 - #define GSS_C_AF_PUP 4 - #define GSS_C_AF_CHAOS 5 - #define GSS_C_AF_NS 6 - #define GSS_C_AF_NBS 7 - #define GSS_C_AF_ECMA 8 - #define GSS_C_AF_DATAKIT 9 - #define GSS_C_AF_CCITT 10 - #define GSS_C_AF_SNA 11 - #define GSS_C_AF_DECnet 12 - #define GSS_C_AF_DLI 13 - #define GSS_C_AF_LAT 14 - #define GSS_C_AF_HYLINK 15 - #define GSS_C_AF_APPLETALK 16 - #define GSS_C_AF_BSC 17 - #define GSS_C_AF_DSS 18 - #define GSS_C_AF_OSI 19 - #define GSS_C_AF_X25 21 - - - - -Wray Standards Track [Page 85] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - #define GSS_C_AF_NULLADDR 255 - - /* - * Various Null values - */ - #define GSS_C_NO_NAME ((gss_name_t) 0) - #define GSS_C_NO_BUFFER ((gss_buffer_t) 0) - #define GSS_C_NO_OID ((gss_OID) 0) - #define GSS_C_NO_OID_SET ((gss_OID_set) 0) - #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) - #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) - #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) - #define GSS_C_EMPTY_BUFFER {0, NULL} - - /* - * Some alternate names for a couple of the above - * values. These are defined for V1 compatibility. 
- */ - #define GSS_C_NULL_OID GSS_C_NO_OID - #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET - - /* - * Define the default Quality of Protection for per-message - * services. Note that an implementation that offers multiple - * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero - * (as done here) to mean "default protection", or to a specific - * explicit QOP value. However, a value of 0 should always be - * interpreted by a GSS-API implementation as a request for the - * default protection level. - */ - #define GSS_C_QOP_DEFAULT 0 - - /* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ - #define GSS_C_INDEFINITE 0xfffffffful - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - - - -Wray Standards Track [Page 86] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - */ - extern gss_OID GSS_C_NT_USER_NAME; - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. 
- */ - extern gss_OID GSS_C_NT_MACHINE_UID_NAME; - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. - * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_STRING_UID_NAME; - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ - extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; - - - - -Wray Standards Track [Page 87] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. 
- */ - extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_ANONYMOUS; - - - /* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ - extern gss_OID GSS_C_NT_EXPORT_NAME; - - - /* Major status codes */ - - #define GSS_S_COMPLETE 0 - - /* - * Some "helper" definitions to make the status code macros obvious. - */ - #define GSS_C_CALLING_ERROR_OFFSET 24 - #define GSS_C_ROUTINE_ERROR_OFFSET 16 - - - -Wray Standards Track [Page 88] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - #define GSS_C_SUPPLEMENTARY_OFFSET 0 - #define GSS_C_CALLING_ERROR_MASK 0377ul - #define GSS_C_ROUTINE_ERROR_MASK 0377ul - #define GSS_C_SUPPLEMENTARY_MASK 0177777ul - - /* - * The macros that test status codes for error conditions. - * Note that the GSS_ERROR() macro has changed slightly from - * the V1 GSS-API so that it now evaluates its argument - * only once. 
- */ - #define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) - #define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) - #define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) - #define GSS_ERROR(x) \ - (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ - (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) - - /* - * Now the actual status code definitions - */ - - /* - * Calling errors: - - */ - #define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) - #define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - - /* - * Routine errors: - */ - #define GSS_S_BAD_MECH (1ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAME (2ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_NAMETYPE (3ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_BINDINGS (4ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_STATUS (5ul << - - - -Wray Standards Track [Page 89] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_SIG (6ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_MIC GSS_S_BAD_SIG - #define GSS_S_NO_CRED (7ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NO_CONTEXT (8ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_TOKEN (9ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CREDENTIALS_EXPIRED (11ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_CONTEXT_EXPIRED (12ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_FAILURE (13ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_BAD_QOP (14ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_UNAUTHORIZED (15ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_UNAVAILABLE (16ul << - 
GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_DUPLICATE_ELEMENT (17ul << - GSS_C_ROUTINE_ERROR_OFFSET) - #define GSS_S_NAME_NOT_MN (18ul << - GSS_C_ROUTINE_ERROR_OFFSET) - - /* - * Supplementary info bits: - */ - #define GSS_S_CONTINUE_NEEDED \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) - #define GSS_S_DUPLICATE_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) - #define GSS_S_OLD_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) - #define GSS_S_UNSEQ_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) - #define GSS_S_GAP_TOKEN \ - (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - - /* - * Finally, function prototypes for the GSS-API routines. - */ - - - - - -Wray Standards Track [Page 90] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_acquire_cred - (OM_uint32 , /* minor_status */ - const gss_name_t, /* desired_name */ - OM_uint32, /* time_req */ - const gss_OID_set, /* desired_mechs */ - gss_cred_usage_t, /* cred_usage */ - gss_cred_id_t , /* output_cred_handle */ - gss_OID_set , /* actual_mechs */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_release_cred - (OM_uint32 , /* minor_status */ - gss_cred_id_t * /* cred_handle */ - ); - - OM_uint32 gss_init_sec_context - (OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* initiator_cred_handle */ - gss_ctx_id_t , /* context_handle */ - const gss_name_t, /* target_name */ - const gss_OID, /* mech_type */ - OM_uint32, /* req_flags */ - OM_uint32, /* time_req */ - const gss_channel_bindings_t, - /* input_chan_bindings */ - const gss_buffer_t, /* input_token */ - gss_OID , /* actual_mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32 , /* ret_flags */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_accept_sec_context - (OM_uint32 , /* minor_status */ - gss_ctx_id_t , /* context_handle */ - const gss_cred_id_t, /* acceptor_cred_handle */ - const gss_buffer_t, /* input_token_buffer */ - const gss_channel_bindings_t, - /* input_chan_bindings */ - gss_name_t , /* src_name */ - gss_OID 
, /* mech_type */ - gss_buffer_t, /* output_token */ - OM_uint32 , /* ret_flags */ - OM_uint32 , /* time_rec */ - gss_cred_id_t * /* delegated_cred_handle */ - ); - - - - -Wray Standards Track [Page 91] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_process_context_token - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t /* token_buffer */ - ); - - OM_uint32 gss_delete_sec_context - (OM_uint32 , /* minor_status */ - gss_ctx_id_t , /* context_handle */ - gss_buffer_t /* output_token */ - ); - - OM_uint32 gss_context_time - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - OM_uint32 * /* time_rec */ - ); - - OM_uint32 gss_get_mic - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - gss_qop_t, /* qop_req */ - const gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - - OM_uint32 gss_verify_mic - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t, /* message_buffer */ - const gss_buffer_t, /* token_buffer */ - gss_qop_t * /* qop_state */ - ); - - OM_uint32 gss_wrap - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - gss_qop_t, /* qop_req */ - const gss_buffer_t, /* input_message_buffer */ - int , /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - - - - - - - -Wray Standards Track [Page 92] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_unwrap - (OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - const gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int , /* conf_state */ - gss_qop_t * /* qop_state */ - ); - - - - OM_uint32 gss_display_status - (OM_uint32 , /* minor_status */ - OM_uint32, /* status_value */ - int, /* status_type */ - const gss_OID, /* mech_type */ - OM_uint32 , /* message_context */ - gss_buffer_t /* 
status_string */ - ); - - OM_uint32 gss_indicate_mechs - (OM_uint32 , /* minor_status */ - gss_OID_set * /* mech_set */ - ); - - OM_uint32 gss_compare_name - (OM_uint32 , /* minor_status */ - const gss_name_t, /* name1 */ - const gss_name_t, /* name2 */ - int * /* name_equal */ - ); - - OM_uint32 gss_display_name - (OM_uint32 , /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t, /* output_name_buffer */ - gss_OID * /* output_name_type */ - ); - - OM_uint32 gss_import_name - (OM_uint32 , /* minor_status */ - const gss_buffer_t, /* input_name_buffer */ - const gss_OID, /* input_name_type */ - gss_name_t * /* output_name */ - ); - - - - - - -Wray Standards Track [Page 93] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_export_name - (OM_uint32, /* minor_status */ - const gss_name_t, /* input_name */ - gss_buffer_t /* exported_name */ - ); - - OM_uint32 gss_release_name - (OM_uint32 *, /* minor_status */ - gss_name_t * /* input_name */ - ); - - OM_uint32 gss_release_buffer - (OM_uint32 , /* minor_status */ - gss_buffer_t /* buffer */ - ); - - OM_uint32 gss_release_oid_set - (OM_uint32 , /* minor_status */ - gss_OID_set * /* set */ - ); - - OM_uint32 gss_inquire_cred - (OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* cred_handle */ - gss_name_t , /* name */ - OM_uint32 , /* lifetime */ - gss_cred_usage_t , /* cred_usage */ - gss_OID_set * /* mechanisms */ - ); - - OM_uint32 gss_inquire_context ( - OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - gss_name_t , /* src_name */ - gss_name_t , /* targ_name */ - OM_uint32 , /* lifetime_rec */ - gss_OID , /* mech_type */ - OM_uint32 , /* ctx_flags */ - int , /* locally_initiated */ - int * /* open */ - ); - - - - - - - - - - -Wray Standards Track [Page 94] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_wrap_size_limit ( - OM_uint32 , /* minor_status */ - const gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - 
gss_qop_t, /* qop_req */ - OM_uint32, /* req_output_size */ - OM_uint32 * /* max_input_size */ - ); - - OM_uint32 gss_add_cred ( - OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* input_cred_handle */ - const gss_name_t, /* desired_name */ - const gss_OID, /* desired_mech */ - gss_cred_usage_t, /* cred_usage */ - OM_uint32, /* initiator_time_req */ - OM_uint32, /* acceptor_time_req */ - gss_cred_id_t , /* output_cred_handle */ - gss_OID_set , /* actual_mechs */ - OM_uint32 , /* initiator_time_rec */ - OM_uint32 * /* acceptor_time_rec */ - ); - - OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 , /* minor_status */ - const gss_cred_id_t, /* cred_handle */ - const gss_OID, /* mech_type */ - gss_name_t , /* name */ - OM_uint32 , /* initiator_lifetime */ - OM_uint32 , /* acceptor_lifetime */ - gss_cred_usage_t * /* cred_usage */ - ); - - OM_uint32 gss_export_sec_context ( - OM_uint32 , /* minor_status */ - gss_ctx_id_t , /* context_handle */ - gss_buffer_t /* interprocess_token */ - ); - - OM_uint32 gss_import_sec_context ( - OM_uint32 , /* minor_status */ - const gss_buffer_t, /* interprocess_token */ - gss_ctx_id_t * /* context_handle */ - ); - - - - - - - -Wray Standards Track [Page 95] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - OM_uint32 gss_create_empty_oid_set ( - OM_uint32 , /* minor_status */ - gss_OID_set * /* oid_set */ - ); - - OM_uint32 gss_add_oid_set_member ( - OM_uint32 , /* minor_status */ - const gss_OID, /* member_oid */ - gss_OID_set * /* oid_set */ - ); - - OM_uint32 gss_test_oid_set_member ( - OM_uint32 , /* minor_status */ - const gss_OID, /* member */ - const gss_OID_set, /* set */ - int * /* present */ - ); - - OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 , /* minor_status */ - const gss_OID, /* mechanism */ - gss_OID_set * /* name_types */ - ); - - OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 , /* minor_status */ - const gss_name_t, /* input_name */ - gss_OID_set * /* mech_types */ - ); - - OM_uint32 
gss_canonicalize_name ( - OM_uint32 , /* minor_status */ - const gss_name_t, /* input_name */ - const gss_OID, /* mech_type */ - gss_name_t * /* output_name */ - ); - - OM_uint32 gss_duplicate_name ( - OM_uint32 , /* minor_status */ - const gss_name_t, /* src_name */ - gss_name_t * /* dest_name */ - ); - - /* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - * provided by GSS-API V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - - - -Wray Standards Track [Page 96] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - * (as opposed to #defines) should be provided, both to allow - * GSS-API V1 applications to link against GSS-API V2 - implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. - */ - - OM_uint32 gss_sign - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* qop_req */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t /* message_token */ - ); - - - OM_uint32 gss_verify - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* message_buffer */ - gss_buffer_t, /* token_buffer */ - int * /* qop_state */ - ); - - OM_uint32 gss_seal - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - int, /* conf_req_flag */ - int, /* qop_req */ - gss_buffer_t, /* input_message_buffer */ - int , /* conf_state */ - gss_buffer_t /* output_message_buffer */ - ); - - - OM_uint32 gss_unseal - (OM_uint32 , /* minor_status */ - gss_ctx_id_t, /* context_handle */ - gss_buffer_t, /* input_message_buffer */ - gss_buffer_t, /* output_message_buffer */ - int , /* conf_state */ - int * /* qop_state */ - ); - - #endif /* GSSAPI_H_ */ - - - - - - -Wray Standards Track [Page 97] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -Appendix B. 
Additional constraints for application binary portability - - The purpose of this C-bindings document is to encourage source-level - portability of applications across GSS-API implementations on - different platforms and atop different mechanisms. Additional goals - that have not been explicitly addressed by this document are link- - time and run-time portability. - - Link-time portability provides the ability to compile an application - against one implementation of GSS-API, and then link it against a - different implementation on the same platform. It is a stricter - requirement than source-level portability. - - Run-time portability differs from link-time portability only on those - platforms that implement dynamically loadable GSS-API - implementations, but do not offer load-time symbol resolution. On - such platforms, run-time portability is a stricter requirement than - link-time portability, and will typically include the precise - placement of the various GSS-API routines within library entrypoint - vectors. - - Individual platforms will impose their own rules that must be - followed to achieve link-time (and run-time, if different) - portability. In order to ensure either form of binary portability, - an ABI specification must be written for GSS-API implementations on - that platform. However, it is recognized that there are some issues - that are likely to be common to all such ABI specifications. This - appendix is intended to be a repository for such common issues, and - contains some suggestions that individual ABI specifications may - choose to reference. Since machine architectures vary greatly, it may - not be possible or desirable to follow these suggestions on all - platforms. - -B.1. Pointers - - While ANSI-C provides a single pointer type for each declared type, - plus a single (void *) type, some platforms (notably those using - segmented memory architectures) augment this with various modified - pointer types (e.g. 
far pointers, near pointers). These language - bindings assume ANSI-C, and thus do not address such non-standard - implementations. GSS-API implementations for such platforms must - choose an appropriate memory model, and should use it consistently - throughout. For example, if a memory model is chosen that requires - the use of far pointers when passing routine parameters, then far - pointers should also be used within the structures defined by GSS- - API. - - - - - -Wray Standards Track [Page 98] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -B.2. Internal structure alignment - - GSS-API defines several data-structures containing differently-sized - fields. An ABI specification should include a detailed description - of how the fields of such structures are aligned, and if there is any - internal padding in these data structures. The use of compiler - defaults for the platform is recommended. - -B.3. Handle types - - The C bindings specify that the gss_cred_id_t and gss_ctx_id_t types - should be implemented as either pointer or arithmetic types, and that - if pointer types are used, care should be taken to ensure that two - handles may be compared with the == operator. Note that ANSI-C does - not guarantee that two pointer values may be compared with the == - operator unless either the two pointers point to members of a single - array, or at least one of the pointers contains a NULL value. - - For binary portability, additional constraints are required. The - following is an attempt at defining platform-independent constraints. - - The size of the handle type must be the same as sizeof(void *), using - the appropriate memory model. - - The == operator for the chosen type must be a simple bit-wise - comparison. 
That is, for two in-memory handle objects h1 and h2, the - boolean value of the expression - - (h1 == h2) - - should always be the same as the boolean value of the expression - - (memcmp(&h1, &h2, sizeof(h1)) == 0) - - The actual use of the type (void *) for handle types is discouraged, - not for binary portability reasons, but since it effectively disables - much of the compile-time type-checking that the compiler can - otherwise perform, and is therefore not "programmer-friendly". If a - pointer implementation is desired, and if the platform's - implementation of pointers permits, the handles should be implemented - as pointers to distinct implementation-defined types. - -B.4. The gss_name_t type - - The gss_name_t type, representing the internal name object, should be - implemented as a pointer type. The use of the (void *) type is - discouraged as it does not allow the compiler to perform strong - type-checking. However, the pointer type chosen should be of the - - - -Wray Standards Track [Page 99] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - - same size as the (void *) type. Provided this rule is obeyed, ABI - specifications need not further constrain the implementation of - gss_name_t objects. - -B.5. The int and size_t types - - Some platforms may support differently sized implementations of the - "int" and "size_t" types, perhaps chosen through compiler switches, - and perhaps dependent on memory model. An ABI specification for such - a platform should include required implementations for these types. - It is recommended that the default implementation (for the chosen - memory model, if appropriate) is chosen. - -B.6. Procedure-calling conventions - - Some platforms support a variety of different binary conventions for - calling procedures. 
Such conventions cover things like the format of - the stack frame, the order in which the routine parameters are pushed - onto the stack, whether or not a parameter count is pushed onto the - stack, whether some argument(s) or return values are to be passed in - registers, and whether the called routine or the caller is - responsible for removing the stack frame on return. For such - platforms, an ABI specification should specify which calling - convention is to be used for GSS-API implementations. - -References - - [GSSAPI] Linn, J., "Generic Security Service Application Program - Interface Version 2, Update 1", RFC 2743, January 2000. - - [XOM] OSI Object Management API Specification, Version 2.0 t", - X.400 API Association & X/Open Company Limited, August - 24, 1990 Specification of datatypes and routines for - manipulating information objects. - -Author's Address - - John Wray - Iris Associates - 5 Technology Park Drive, - Westford, MA 01886 - USA - - Phone: +1-978-392-6689 - EMail: John_Wray@Iris.com - - - - - - -Wray Standards Track [Page 100] - -RFC 2744 GSS-API V2: C-bindings January 2000 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2000). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. 
However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Wray Standards Track [Page 101] - diff --git a/crypto/heimdal/include/Makefile b/crypto/heimdal/include/Makefile deleted file mode 100644 index 16745f4a6890..000000000000 --- a/crypto/heimdal/include/Makefile +++ /dev/null 
@@ -1,736 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# include/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.32 2002/05/24 15:36:21 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -DHOST=\"$(CANONICAL_HOST)\" - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - 
-#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -SUBDIRS = kadm5 - -noinst_PROGRAMS = bits -CHECK_LOCAL = - -include_HEADERS = krb5-types.h - -CLEANFILES = \ - asn1.h \ - asn1_err.h \ - base64.h \ - com_err.h \ - com_right.h \ - der.h \ - des.h \ - editline.h \ - err.h \ - getarg.h \ - glob.h \ - gssapi.h \ - hdb.h \ - hdb_asn1.h \ - hdb_err.h \ - heim_err.h \ - kafs.h \ - krb5-protos.h \ - krb5-private.h \ - krb5-types.h \ - krb5.h \ - krb5_err.h \ - md4.h \ - md5.h \ - rc4.h \ - otp.h \ - parse_time.h \ - parse_units.h \ - resolve.h \ - roken-common.h \ - roken.h \ - sha.h \ - sl.h \ - xdbm.h - -subdir = include -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = config.h -CONFIG_CLEAN_FILES = -noinst_PROGRAMS = bits$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -bits_SOURCES = bits.c -bits_OBJECTS = bits.$(OBJEXT) -bits_LDADD = $(LDADD) -bits_DEPENDENCIES = -bits_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I. 
-CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = bits.c -HEADERS = $(include_HEADERS) - - -RECURSIVE_TARGETS = info-recursive dvi-recursive install-info-recursive \ - uninstall-info-recursive all-recursive install-data-recursive \ - install-exec-recursive installdirs-recursive install-recursive \ - uninstall-recursive check-recursive installcheck-recursive -DIST_COMMON = $(include_HEADERS) Makefile.am Makefile.in config.h.in -DIST_SUBDIRS = $(SUBDIRS) -SOURCES = bits.c - -all: config.h - $(MAKE) $(AM_MAKEFLAGS) all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign include/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -config.h: stamp-h1 - @if test ! 
-f $@; then \ - rm -f stamp-h1; \ - $(MAKE) stamp-h1; \ - else :; fi - -stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status - @rm -f stamp-h1 - cd $(top_builddir) && $(SHELL) ./config.status include/config.h - -$(srcdir)/config.h.in: $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && $(AUTOHEADER) - touch $(srcdir)/config.h.in - -distclean-hdr: - -rm -f config.h stamp-h1 - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -bits$(EXEEXT): $(bits_OBJECTS) $(bits_DEPENDENCIES) - @rm -f bits$(EXEEXT) - $(LINK) $(bits_LDFLAGS) $(bits_OBJECTS) $(bits_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. 
-# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d $(distdir)/$$subdir \ - || mkdir $(distdir)/$$subdir \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" \ - distdir=../$(distdir)/$$subdir \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile $(PROGRAMS) $(HEADERS) config.h all-local -installdirs: installdirs-recursive -installdirs-am: - $(mkinstalldirs) $(DESTDIR)$(includedir) - -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - 
-maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-recursive - -distclean-am: clean-am distclean-compile distclean-generic distclean-hdr \ - distclean-libtool distclean-tags - -dvi: dvi-recursive - -dvi-am: - -info: info-recursive - -info-am: - -install-data-am: install-data-local install-includeHEADERS - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) GTAGS all all-am all-local check check-am \ - check-local clean clean-generic clean-libtool \ - clean-noinstPROGRAMS clean-recursive distclean \ - distclean-compile distclean-generic distclean-hdr \ - distclean-libtool distclean-recursive distclean-tags distdir \ - dvi dvi-am dvi-recursive info info-am info-recursive install \ - install-am install-data install-data-am install-data-local \ - install-data-recursive install-exec install-exec-am \ - install-exec-recursive install-includeHEADERS install-info \ - install-info-am install-info-recursive install-man \ - install-recursive install-strip installcheck installcheck-am \ - installdirs installdirs-am installdirs-recursive \ - maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool mostlyclean-recursive \ - tags tags-recursive uninstall uninstall-am \ - uninstall-includeHEADERS 
uninstall-info-am \ - uninstall-info-recursive uninstall-recursive - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - 
done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -krb5-types.h: bits$(EXEEXT) - ./bits$(EXEEXT) krb5-types.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/include/base64.h b/crypto/heimdal/include/base64.h deleted file mode 100644 index 5ad1e3b18ea9..000000000000 --- a/crypto/heimdal/include/base64.h +++ /dev/null 
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
-
-#ifndef _BASE64_H_
-#define _BASE64_H_
-
-int base64_encode(const void *data, int size, char **str);
-int base64_decode(const char *str, void *data);
-
-#endif
diff --git a/crypto/heimdal/include/bits b/crypto/heimdal/include/bits
deleted file mode 100755
index 8ac06d01b41b..000000000000
Binary files a/crypto/heimdal/include/bits and /dev/null differ
diff --git a/crypto/heimdal/include/config.h b/crypto/heimdal/include/config.h
deleted file mode 100644
index 857270b01987..000000000000
--- a/crypto/heimdal/include/config.h
+++ /dev/null
@@ -1,1399 +0,0 @@ -/* include/config.h. Generated by configure. */ -/* include/config.h.in. Generated from configure.in by autoheader. */ - -#ifndef RCSID -#define RCSID(msg) \ -static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } -#endif - -/* Maximum values on all known systems */ -#define MaxHostNameLen (64+4) -#define MaxPathLen (1024+4) - - - -/* Define if you want authentication support in telnet. */ -#define AUTHENTICATION 1 - -/* path to bin */ -#define BINDIR "/usr/heimdal/bin" - -/* Define if realloc(NULL) doesn't work. */ -/* #undef BROKEN_REALLOC */ - -/* Define if you want support for DCE/DFS PAG's. */ -/* #undef DCE */ - -/* Define if you want to use DES encryption in telnet. */ -#define DES_ENCRYPTION 1 - -/* Define this to enable diagnostics in telnet. */ -#define DIAGNOSTICS 1 - -/* Define if you want encryption support in telnet. */ -#define ENCRYPTION 1 - -/* define if sys/param.h defines the endiness */ -#define ENDIANESS_IN_SYS_PARAM_H 1 - -/* Define this if you want support for broken ENV_{VAR,VAL} telnets. */ -/* #undef ENV_HACK */ - -/* define if prototype of gethostbyaddr is compatible with struct hostent - *gethostbyaddr(const void *, size_t, int) */ -/* #undef GETHOSTBYADDR_PROTO_COMPATIBLE */ - -/* define if prototype of gethostbyname is compatible with struct hostent - *gethostbyname(const char *) */ -#define GETHOSTBYNAME_PROTO_COMPATIBLE 1 - -/* define if prototype of getservbyname is compatible with struct servent - *getservbyname(const char *, const char *) */ -#define GETSERVBYNAME_PROTO_COMPATIBLE 1 - -/* define if prototype of getsockname is compatible with int getsockname(int, - struct sockaddr*, socklen_t*) */ -#define GETSOCKNAME_PROTO_COMPATIBLE 1 - -/* Define if you have the `altzone' variable. */ -/* #undef HAVE_ALTZONE */ - -/* define if your system declares altzone */ -/* #undef HAVE_ALTZONE_DECLARATION */ - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_ARPA_FTP_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ARPA_INET_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ARPA_NAMESER_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ARPA_TELNET_H 1 - -/* Define to 1 if you have the `asnprintf' function. */ -/* #undef HAVE_ASNPRINTF */ - -/* Define to 1 if you have the `asprintf' function. */ -#define HAVE_ASPRINTF 1 - -/* Define to 1 if you have the `atexit' function. */ -#define HAVE_ATEXIT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_BIND_BITYPES_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_BSDSETJMP_H */ - -/* Define to 1 if you have the `bswap16' function. */ -/* #undef HAVE_BSWAP16 */ - -/* Define to 1 if you have the `bswap32' function. */ -/* #undef HAVE_BSWAP32 */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_CAPABILITY_H */ - -/* Define to 1 if you have the `cap_set_proc' function. */ -/* #undef HAVE_CAP_SET_PROC */ - -/* Define to 1 if you have the `cgetent' function. */ -#define HAVE_CGETENT 1 - -/* Define if you have the function `chown'. */ -#define HAVE_CHOWN 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_CONFIG_H */ - -/* Define if you have the function `copyhostent'. */ -/* #undef HAVE_COPYHOSTENT */ - -/* Define to 1 if you have the `crypt' function. */ -#define HAVE_CRYPT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_CRYPT_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_CURSES_H 1 - -/* Define if you have the function `daemon'. */ -#define HAVE_DAEMON 1 - -/* define if you have a berkeley db1/2 library */ -#define HAVE_DB1 1 - -/* define if you have a berkeley db3/4 library */ -/* #undef HAVE_DB3 */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_DB3_DB_H */ - -/* Define to 1 if you have the header file. 
*/ -/* #undef HAVE_DB4_DB_H */ - -/* Define to 1 if you have the `dbm_firstkey' function. */ -#define HAVE_DBM_FIRSTKEY 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_DBM_H */ - -/* Define to 1 if you have the `dbopen' function. */ -#define HAVE_DBOPEN 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_DB_185_H */ - -/* Define to 1 if you have the `db_create' function. */ -/* #undef HAVE_DB_CREATE */ - -/* Define to 1 if you have the header file. */ -#define HAVE_DB_H 1 - -/* define if you have ndbm compat in db */ -/* #undef HAVE_DB_NDBM */ - -/* Define to 1 if you have the header file. */ -#define HAVE_DIRENT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_DLFCN_H 1 - -/* Define to 1 if you have the `dlopen' function. */ -#define HAVE_DLOPEN 1 - -/* Define to 1 if you have the `dn_expand' function. */ -#define HAVE_DN_EXPAND 1 - -/* Define if you have the function `ecalloc'. */ -/* #undef HAVE_ECALLOC */ - -/* Define to 1 if you have the `el_init' function. */ -#define HAVE_EL_INIT 1 - -/* Define if you have the function `emalloc'. */ -/* #undef HAVE_EMALLOC */ - -/* define if your system declares environ */ -/* #undef HAVE_ENVIRON_DECLARATION */ - -/* Define if you have the function `erealloc'. */ -/* #undef HAVE_EREALLOC */ - -/* Define if you have the function `err'. */ -#define HAVE_ERR 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ERRNO_H 1 - -/* Define if you have the function `errx'. */ -#define HAVE_ERRX 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_ERR_H 1 - -/* Define if you have the function `estrdup'. */ -/* #undef HAVE_ESTRDUP */ - -/* Define if you have the function `fchown'. */ -#define HAVE_FCHOWN 1 - -/* Define to 1 if you have the `fcntl' function. */ -#define HAVE_FCNTL 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_FCNTL_H 1 - -/* Define if you have the function `flock'. 
*/ -#define HAVE_FLOCK 1 - -/* Define if you have the function `fnmatch'. */ -#define HAVE_FNMATCH 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_FNMATCH_H 1 - -/* Define if el_init takes four arguments. */ -#define HAVE_FOUR_VALUED_EL_INIT 1 - -/* define if krb_put_int takes four arguments. */ -/* #undef HAVE_FOUR_VALUED_KRB_PUT_INT */ - -/* Define to 1 if you have the `freeaddrinfo' function. */ -#define HAVE_FREEADDRINFO 1 - -/* Define if you have the function `freehostent'. */ -#define HAVE_FREEHOSTENT 1 - -/* Define to 1 if you have the `gai_strerror' function. */ -#define HAVE_GAI_STRERROR 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_GDBM_NDBM_H */ - -/* Define to 1 if you have the `getaddrinfo' function. */ -#define HAVE_GETADDRINFO 1 - -/* Define to 1 if you have the `getconfattr' function. */ -/* #undef HAVE_GETCONFATTR */ - -/* Define if you have the function `getcwd'. */ -#define HAVE_GETCWD 1 - -/* Define if you have the function `getdtablesize'. */ -#define HAVE_GETDTABLESIZE 1 - -/* Define if you have the function `getegid'. */ -#define HAVE_GETEGID 1 - -/* Define if you have the function `geteuid'. */ -#define HAVE_GETEUID 1 - -/* Define if you have the function `getgid'. */ -#define HAVE_GETGID 1 - -/* Define to 1 if you have the `gethostbyname' function. */ -#define HAVE_GETHOSTBYNAME 1 - -/* Define to 1 if you have the `gethostbyname2' function. */ -#define HAVE_GETHOSTBYNAME2 1 - -/* Define if you have the function `gethostname'. */ -#define HAVE_GETHOSTNAME 1 - -/* Define if you have the function `getifaddrs'. */ -#define HAVE_GETIFADDRS 1 - -/* Define if you have the function `getipnodebyaddr'. */ -#define HAVE_GETIPNODEBYADDR 1 - -/* Define if you have the function `getipnodebyname'. */ -#define HAVE_GETIPNODEBYNAME 1 - -/* Define to 1 if you have the `getlogin' function. */ -#define HAVE_GETLOGIN 1 - -/* Define if you have a working getmsg. 
*/ -/* #undef HAVE_GETMSG */ - -/* Define to 1 if you have the `getnameinfo' function. */ -#define HAVE_GETNAMEINFO 1 - -/* Define if you have the function `getopt'. */ -#define HAVE_GETOPT 1 - -/* Define to 1 if you have the `getprogname' function. */ -#define HAVE_GETPROGNAME 1 - -/* Define to 1 if you have the `getpwnam_r' function. */ -/* #undef HAVE_GETPWNAM_R */ - -/* Define to 1 if you have the `getrlimit' function. */ -#define HAVE_GETRLIMIT 1 - -/* Define to 1 if you have the `getsockopt' function. */ -#define HAVE_GETSOCKOPT 1 - -/* Define to 1 if you have the `getspnam' function. */ -/* #undef HAVE_GETSPNAM */ - -/* Define if you have the function `gettimeofday'. */ -#define HAVE_GETTIMEOFDAY 1 - -/* Define to 1 if you have the `getudbnam' function. */ -/* #undef HAVE_GETUDBNAM */ - -/* Define if you have the function `getuid'. */ -#define HAVE_GETUID 1 - -/* Define if you have the function `getusershell'. */ -#define HAVE_GETUSERSHELL 1 - -/* define if you have a glob() that groks GLOB_BRACE, GLOB_NOCHECK, - GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT */ -#define HAVE_GLOB 1 - -/* Define to 1 if you have the `grantpt' function. */ -/* #undef HAVE_GRANTPT */ - -/* Define to 1 if you have the header file. */ -#define HAVE_GRP_H 1 - -/* Define to 1 if you have the `hstrerror' function. */ -#define HAVE_HSTRERROR 1 - -/* Define if you have the `h_errlist' variable. */ -#define HAVE_H_ERRLIST 1 - -/* define if your system declares h_errlist */ -/* #undef HAVE_H_ERRLIST_DECLARATION */ - -/* Define if you have the `h_errno' variable. */ -#define HAVE_H_ERRNO 1 - -/* define if your system declares h_errno */ -#define HAVE_H_ERRNO_DECLARATION 1 - -/* Define if you have the `h_nerr' variable. */ -#define HAVE_H_NERR 1 - -/* define if your system declares h_nerr */ -/* #undef HAVE_H_NERR_DECLARATION */ - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_IFADDRS_H 1 - -/* Define if you have the in6addr_loopback variable */ -#define HAVE_IN6ADDR_LOOPBACK 1 - -/* define */ -#define HAVE_INET_ATON 1 - -/* define */ -#define HAVE_INET_NTOP 1 - -/* define */ -#define HAVE_INET_PTON 1 - -/* Define if you have the function `initgroups'. */ -#define HAVE_INITGROUPS 1 - -/* Define to 1 if you have the `initstate' function. */ -#define HAVE_INITSTATE 1 - -/* Define if you have the function `innetgr'. */ -#define HAVE_INNETGR 1 - -/* Define to 1 if the system has the type `int16_t'. */ -#define HAVE_INT16_T 1 - -/* Define to 1 if the system has the type `int32_t'. */ -#define HAVE_INT32_T 1 - -/* Define to 1 if the system has the type `int64_t'. */ -#define HAVE_INT64_T 1 - -/* Define to 1 if the system has the type `int8_t'. */ -#define HAVE_INT8_T 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_INTTYPES_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_IO_H */ - -/* Define if you have IPv6. */ -#define HAVE_IPV6 1 - -/* Define if you have the function `iruserok'. */ -#define HAVE_IRUSEROK 1 - -/* Define to 1 if you have the `issetugid' function. */ -#define HAVE_ISSETUGID 1 - -/* Define to 1 if you have the `krb_disable_debug' function. */ -/* #undef HAVE_KRB_DISABLE_DEBUG */ - -/* Define to 1 if you have the `krb_enable_debug' function. */ -/* #undef HAVE_KRB_ENABLE_DEBUG */ - -/* Define to 1 if you have the `krb_get_kdc_time_diff' function. */ -/* #undef HAVE_KRB_GET_KDC_TIME_DIFF */ - -/* Define to 1 if you have the `krb_get_our_ip_for_realm' function. */ -/* #undef HAVE_KRB_GET_OUR_IP_FOR_REALM */ - -/* Define to 1 if you have the `krb_kdctimeofday' function. */ -/* #undef HAVE_KRB_KDCTIMEOFDAY */ - -/* Define to 1 if you have the header file. */ -#define HAVE_LIBUTIL_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_LIMITS_H 1 - -/* Define to 1 if you have the `loadquery' function. 
*/ -/* #undef HAVE_LOADQUERY */ - -/* Define if you have the function `localtime_r'. */ -#define HAVE_LOCALTIME_R 1 - -/* Define to 1 if you have the `logout' function. */ -#define HAVE_LOGOUT 1 - -/* Define to 1 if you have the `logwtmp' function. */ -#define HAVE_LOGWTMP 1 - -/* Define to 1 if the system has the type `long long'. */ -#define HAVE_LONG_LONG 1 - -/* Define if you have the function `lstat'. */ -#define HAVE_LSTAT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_MAILLOCK_H */ - -/* Define if you have the function `memmove'. */ -#define HAVE_MEMMOVE 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_MEMORY_H 1 - -/* Define if you have the function `mkstemp'. */ -#define HAVE_MKSTEMP 1 - -/* Define to 1 if you have the `mktime' function. */ -#define HAVE_MKTIME 1 - -/* define if you have a ndbm library */ -#define HAVE_NDBM 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NDBM_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETDB_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINET6_IN6_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET6_IN6_VAR_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINET_IN6_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINET_IN6_MACHTYPES_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET_IN_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET_IN_SYSTM_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET_IP_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_NETINET_TCP_H 1 - -/* Define if you want to use Netinfo instead of krb5.conf. */ -/* #undef HAVE_NETINFO */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINFO_NI_H */ - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_NET_IF_H 1 - -/* Define if NDBM really is DB (creates files *.db) */ -#define HAVE_NEW_DB 1 - -/* Define to 1 if you have the `on_exit' function. */ -/* #undef HAVE_ON_EXIT */ - -/* Define to 1 if you have the `openpty' function. */ -#define HAVE_OPENPTY 1 - -/* define to use openssl's libcrypto */ -#define HAVE_OPENSSL 1 - -/* define if your system declares optarg */ -#define HAVE_OPTARG_DECLARATION 1 - -/* define if your system declares opterr */ -#define HAVE_OPTERR_DECLARATION 1 - -/* define if your system declares optind */ -#define HAVE_OPTIND_DECLARATION 1 - -/* define if your system declares optopt */ -#define HAVE_OPTOPT_DECLARATION 1 - -/* Define to enable basic OSF C2 support. */ -/* #undef HAVE_OSFC2 */ - -/* Define to 1 if you have the header file. */ -#define HAVE_PATHS_H 1 - -/* Define to 1 if you have the `pidfile' function. */ -/* #undef HAVE_PIDFILE */ - -/* Define to 1 if you have the header file. */ -#define HAVE_PTHREAD_H 1 - -/* Define to 1 if you have the `ptsname' function. */ -/* #undef HAVE_PTSNAME */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_PTY_H */ - -/* Define if you have the function `putenv'. */ -#define HAVE_PUTENV 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_PWD_H 1 - -/* Define to 1 if you have the `rand' function. */ -#define HAVE_RAND 1 - -/* Define to 1 if you have the `random' function. */ -#define HAVE_RANDOM 1 - -/* Define if you have the function `rcmd'. */ -#define HAVE_RCMD 1 - -/* Define if you have a readline compatible library. */ -#define HAVE_READLINE 1 - -/* Define if you have the function `readv'. */ -#define HAVE_READV 1 - -/* Define if you have the function `recvmsg'. */ -#define HAVE_RECVMSG 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_RESOLV_H 1 - -/* Define to 1 if you have the `res_search' function. */ -#define HAVE_RES_SEARCH 1 - -/* Define to 1 if you have the `revoke' function. 
*/ -#define HAVE_REVOKE 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_RPCSVC_YPCLNT_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SAC_H */ - -/* Define to 1 if the system has the type `sa_family_t'. */ -#define HAVE_SA_FAMILY_T 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SECURITY_PAM_MODULES_H 1 - -/* Define to 1 if you have the `select' function. */ -#define HAVE_SELECT 1 - -/* Define if you have the function `sendmsg'. */ -#define HAVE_SENDMSG 1 - -/* Define if you have the function `setegid'. */ -#define HAVE_SETEGID 1 - -/* Define if you have the function `setenv'. */ -#define HAVE_SETENV 1 - -/* Define if you have the function `seteuid'. */ -#define HAVE_SETEUID 1 - -/* Define to 1 if you have the `setitimer' function. */ -#define HAVE_SETITIMER 1 - -/* Define to 1 if you have the `setlim' function. */ -/* #undef HAVE_SETLIM */ - -/* Define to 1 if you have the `setlogin' function. */ -#define HAVE_SETLOGIN 1 - -/* Define to 1 if you have the `setpcred' function. */ -/* #undef HAVE_SETPCRED */ - -/* Define to 1 if you have the `setpgid' function. */ -#define HAVE_SETPGID 1 - -/* Define to 1 if you have the `setproctitle' function. */ -#define HAVE_SETPROCTITLE 1 - -/* Define to 1 if you have the `setprogname' function. */ -#define HAVE_SETPROGNAME 1 - -/* Define to 1 if you have the `setregid' function. */ -#define HAVE_SETREGID 1 - -/* Define to 1 if you have the `setresgid' function. */ -#define HAVE_SETRESGID 1 - -/* Define to 1 if you have the `setresuid' function. */ -#define HAVE_SETRESUID 1 - -/* Define to 1 if you have the `setreuid' function. */ -#define HAVE_SETREUID 1 - -/* Define to 1 if you have the `setsid' function. */ -#define HAVE_SETSID 1 - -/* Define to 1 if you have the `setsockopt' function. */ -#define HAVE_SETSOCKOPT 1 - -/* Define to 1 if you have the `setstate' function. */ -#define HAVE_SETSTATE 1 - -/* Define to 1 if you have the `setutent' function. 
*/ -/* #undef HAVE_SETUTENT */ - -/* Define to 1 if you have the `sgi_getcapabilitybyname' function. */ -/* #undef HAVE_SGI_GETCAPABILITYBYNAME */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SGTTY_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SHADOW_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SIAD_H */ - -/* Define to 1 if you have the `sigaction' function. */ -#define HAVE_SIGACTION 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SIGNAL_H 1 - -/* define if you have a working snprintf */ -#define HAVE_SNPRINTF 1 - -/* Define to 1 if you have the `socket' function. */ -#define HAVE_SOCKET 1 - -/* Define to 1 if the system has the type `socklen_t'. */ -#define HAVE_SOCKLEN_T 1 - -/* Define to 1 if the system has the type `ssize_t'. */ -#define HAVE_SSIZE_T 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_STANDARDS_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_STDINT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STDLIB_H 1 - -/* Define if you have the function `strcasecmp'. */ -#define HAVE_STRCASECMP 1 - -/* Define if you have the function `strdup'. */ -#define HAVE_STRDUP 1 - -/* Define if you have the function `strerror'. */ -#define HAVE_STRERROR 1 - -/* Define if you have the function `strftime'. */ -#define HAVE_STRFTIME 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STRINGS_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STRING_H 1 - -/* Define if you have the function `strlcat'. */ -#define HAVE_STRLCAT 1 - -/* Define if you have the function `strlcpy'. */ -#define HAVE_STRLCPY 1 - -/* Define if you have the function `strlwr'. */ -/* #undef HAVE_STRLWR */ - -/* Define if you have the function `strncasecmp'. */ -#define HAVE_STRNCASECMP 1 - -/* Define if you have the function `strndup'. */ -/* #undef HAVE_STRNDUP */ - -/* Define if you have the function `strnlen'. 
*/ -/* #undef HAVE_STRNLEN */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_STROPTS_H */ - -/* Define if you have the function `strptime'. */ -#define HAVE_STRPTIME 1 - -/* Define if you have the function `strsep'. */ -#define HAVE_STRSEP 1 - -/* Define if you have the function `strsep_copy'. */ -/* #undef HAVE_STRSEP_COPY */ - -/* Define to 1 if you have the `strstr' function. */ -#define HAVE_STRSTR 1 - -/* Define to 1 if you have the `strsvis' function. */ -/* #undef HAVE_STRSVIS */ - -/* Define if you have the function `strtok_r'. */ -#define HAVE_STRTOK_R 1 - -/* Define to 1 if the system has the type `struct addrinfo'. */ -#define HAVE_STRUCT_ADDRINFO 1 - -/* Define to 1 if the system has the type `struct ifaddrs'. */ -#define HAVE_STRUCT_IFADDRS 1 - -/* Define to 1 if the system has the type `struct iovec'. */ -#define HAVE_STRUCT_IOVEC 1 - -/* Define to 1 if the system has the type `struct msghdr'. */ -#define HAVE_STRUCT_MSGHDR 1 - -/* Define to 1 if the system has the type `struct sockaddr'. */ -#define HAVE_STRUCT_SOCKADDR 1 - -/* Define if struct sockaddr has field sa_len. */ -#define HAVE_STRUCT_SOCKADDR_SA_LEN 1 - -/* Define to 1 if the system has the type `struct sockaddr_storage'. */ -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 - -/* define if you have struct spwd */ -/* #undef HAVE_STRUCT_SPWD */ - -/* Define if struct tm has field tm_gmtoff. */ -#define HAVE_STRUCT_TM_TM_GMTOFF 1 - -/* Define if struct tm has field tm_zone. */ -#define HAVE_STRUCT_TM_TM_ZONE 1 - -/* Define if struct utmpx has field ut_exit. */ -/* #undef HAVE_STRUCT_UTMPX_UT_EXIT */ - -/* Define if struct utmpx has field ut_syslen. */ -/* #undef HAVE_STRUCT_UTMPX_UT_SYSLEN */ - -/* Define if struct utmp has field ut_addr. */ -/* #undef HAVE_STRUCT_UTMP_UT_ADDR */ - -/* Define if struct utmp has field ut_host. */ -/* #undef HAVE_STRUCT_UTMP_UT_HOST */ - -/* Define if struct utmp has field ut_id. 
*/ -/* #undef HAVE_STRUCT_UTMP_UT_ID */ - -/* Define if struct utmp has field ut_pid. */ -/* #undef HAVE_STRUCT_UTMP_UT_PID */ - -/* Define if struct utmp has field ut_type. */ -/* #undef HAVE_STRUCT_UTMP_UT_TYPE */ - -/* Define if struct utmp has field ut_user. */ -/* #undef HAVE_STRUCT_UTMP_UT_USER */ - -/* define if struct winsize is declared in sys/termios.h */ -#define HAVE_STRUCT_WINSIZE 1 - -/* Define to 1 if you have the `strunvis' function. */ -#define HAVE_STRUNVIS 1 - -/* Define if you have the function `strupr'. */ -/* #undef HAVE_STRUPR */ - -/* Define to 1 if you have the `strvis' function. */ -#define HAVE_STRVIS 1 - -/* Define to 1 if you have the `strvisx' function. */ -#define HAVE_STRVISX 1 - -/* Define to 1 if you have the `svis' function. */ -/* #undef HAVE_SVIS */ - -/* Define if you have the function `swab'. */ -#define HAVE_SWAB 1 - -/* Define to 1 if you have the `sysconf' function. */ -#define HAVE_SYSCONF 1 - -/* Define to 1 if you have the `sysctl' function. */ -#define HAVE_SYSCTL 1 - -/* Define to 1 if you have the `syslog' function. */ -#define HAVE_SYSLOG 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYSLOG_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_BITYPES_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_BSWAP_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_CAPABILITY_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_CATEGORY_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_FILE_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_FILIO_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_IOCCOM_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_IOCTL_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_PARAM_H 1 - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_SYS_PROC_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_PTYIO_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_PTYVAR_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_PTY_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_RESOURCE_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SELECT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SOCKET_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SOCKIO_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_STAT_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STREAM_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STROPTS_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STRTTY_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_STR_TTY_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SYSCALL_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_SYSCTL_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_TERMIO_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TIMEB_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TIMES_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TIME_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TTY_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TYPES_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_UIO_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_UN_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_UTSNAME_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_WAIT_H 1 - -/* Define to 1 if you have the header file. 
*/ -#define HAVE_TERMCAP_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_TERMIOS_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_TERMIO_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_TERM_H 1 - -/* Define to 1 if you have the `tgetent' function. */ -#define HAVE_TGETENT 1 - -/* Define to 1 if you have the `timegm' function. */ -#define HAVE_TIMEGM 1 - -/* Define if you have the `timezone' variable. */ -#define HAVE_TIMEZONE 1 - -/* define if your system declares timezone */ -#define HAVE_TIMEZONE_DECLARATION 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_TIME_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_TMPDIR_H */ - -/* Define to 1 if you have the `ttyname' function. */ -#define HAVE_TTYNAME 1 - -/* Define to 1 if you have the `ttyslot' function. */ -#define HAVE_TTYSLOT 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_UDB_H */ - -/* Define to 1 if the system has the type `uint16_t'. */ -#define HAVE_UINT16_T 1 - -/* Define to 1 if the system has the type `uint32_t'. */ -#define HAVE_UINT32_T 1 - -/* Define to 1 if the system has the type `uint64_t'. */ -#define HAVE_UINT64_T 1 - -/* Define to 1 if the system has the type `uint8_t'. */ -#define HAVE_UINT8_T 1 - -/* Define to 1 if you have the `umask' function. */ -#define HAVE_UMASK 1 - -/* Define to 1 if you have the `uname' function. */ -#define HAVE_UNAME 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_UNISTD_H 1 - -/* Define to 1 if you have the `unlockpt' function. */ -/* #undef HAVE_UNLOCKPT */ - -/* Define if you have the function `unsetenv'. */ -#define HAVE_UNSETENV 1 - -/* Define to 1 if you have the `unvis' function. */ -#define HAVE_UNVIS 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_USERCONF_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_USERSEC_H */ - -/* Define to 1 if you have the header file. 
*/ -/* #undef HAVE_UTIL_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_UTMPX_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_UTMP_H 1 - -/* Define to 1 if the system has the type `u_int16_t'. */ -#define HAVE_U_INT16_T 1 - -/* Define to 1 if the system has the type `u_int32_t'. */ -#define HAVE_U_INT32_T 1 - -/* Define to 1 if the system has the type `u_int64_t'. */ -#define HAVE_U_INT64_T 1 - -/* Define to 1 if the system has the type `u_int8_t'. */ -#define HAVE_U_INT8_T 1 - -/* Define to 1 if you have the `vasnprintf' function. */ -/* #undef HAVE_VASNPRINTF */ - -/* Define to 1 if you have the `vasprintf' function. */ -#define HAVE_VASPRINTF 1 - -/* Define if you have the function `verr'. */ -#define HAVE_VERR 1 - -/* Define if you have the function `verrx'. */ -#define HAVE_VERRX 1 - -/* Define to 1 if you have the `vhangup' function. */ -/* #undef HAVE_VHANGUP */ - -/* Define to 1 if you have the `vis' function. */ -#define HAVE_VIS 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_VIS_H 1 - -/* define if you have a working vsnprintf */ -#define HAVE_VSNPRINTF 1 - -/* Define if you have the function `vsyslog'. */ -#define HAVE_VSYSLOG 1 - -/* Define if you have the function `vwarn'. */ -#define HAVE_VWARN 1 - -/* Define if you have the function `vwarnx'. */ -#define HAVE_VWARNX 1 - -/* Define if you have the function `warn'. */ -#define HAVE_WARN 1 - -/* Define if you have the function `warnx'. */ -#define HAVE_WARNX 1 - -/* Define if you have the function `writev'. */ -#define HAVE_WRITEV 1 - -/* define if struct winsize has ws_xpixel */ -#define HAVE_WS_XPIXEL 1 - -/* define if struct winsize has ws_ypixel */ -#define HAVE_WS_YPIXEL 1 - -/* Define to 1 if you have the `XauFileName' function. */ -#define HAVE_XAUFILENAME 1 - -/* Define to 1 if you have the `XauReadAuth' function. */ -#define HAVE_XAUREADAUTH 1 - -/* Define to 1 if you have the `XauWriteAuth' function. 
*/ -#define HAVE_XAUWRITEAUTH 1 - -/* Define to 1 if you have the `yp_get_default_domain' function. */ -#define HAVE_YP_GET_DEFAULT_DOMAIN 1 - -/* Define to 1 if you have the `_getpty' function. */ -/* #undef HAVE__GETPTY */ - -/* Define if you have the `_res' variable. */ -#define HAVE__RES 1 - -/* define if your system declares _res */ -#define HAVE__RES_DECLARATION 1 - -/* Define to 1 if you have the `_scrsize' function. */ -/* #undef HAVE__SCRSIZE */ - -/* define if your compiler has __attribute__ */ -#define HAVE___ATTRIBUTE__ 1 - -/* Define if you have the `__progname' variable. */ -#define HAVE___PROGNAME 1 - -/* define if your system declares __progname */ -/* #undef HAVE___PROGNAME_DECLARATION */ - -/* Define if you have the hesiod package. */ -/* #undef HESIOD */ - -/* Define if you are running IRIX 4. */ -/* #undef IRIX4 */ - -/* Define if you have the krb4 package. */ -/* #undef KRB4 */ - -/* Enable Kerberos 5 support in applications. */ -#define KRB5 1 - -/* Define if krb_mk_req takes const char * */ -/* #undef KRB_MK_REQ_CONST */ - -/* This is the krb4 sendauth version. 
*/ -/* #undef KRB_SENDAUTH_VERS */ - -/* Define to zero if your krb.h doesn't */ -/* #undef KRB_VERIFY_NOT_SECURE */ - -/* Define to one if your krb.h doesn't */ -/* #undef KRB_VERIFY_SECURE */ - -/* Define to two if your krb.h doesn't */ -/* #undef KRB_VERIFY_SECURE_FAIL */ - -/* path to lib */ -#define LIBDIR "/usr/heimdal/lib" - -/* path to libexec */ -#define LIBEXECDIR "/usr/heimdal/libexec" - -/* path to localstate */ -#define LOCALSTATEDIR "/var/heimdal" - -/* define if the system is missing a prototype for asnprintf() */ -#define NEED_ASNPRINTF_PROTO 1 - -/* define if the system is missing a prototype for asprintf() */ -/* #undef NEED_ASPRINTF_PROTO */ - -/* define if the system is missing a prototype for crypt() */ -/* #undef NEED_CRYPT_PROTO */ - -/* define if the system is missing a prototype for gethostname() */ -/* #undef NEED_GETHOSTNAME_PROTO */ - -/* define if the system is missing a prototype for getusershell() */ -/* #undef NEED_GETUSERSHELL_PROTO */ - -/* define if the system is missing a prototype for glob() */ -/* #undef NEED_GLOB_PROTO */ - -/* define if the system is missing a prototype for hstrerror() */ -/* #undef NEED_HSTRERROR_PROTO */ - -/* define if the system is missing a prototype for inet_aton() */ -/* #undef NEED_INET_ATON_PROTO */ - -/* define if the system is missing a prototype for mkstemp() */ -/* #undef NEED_MKSTEMP_PROTO */ - -/* define if the system is missing a prototype for setenv() */ -/* #undef NEED_SETENV_PROTO */ - -/* define if the system is missing a prototype for snprintf() */ -/* #undef NEED_SNPRINTF_PROTO */ - -/* define if the system is missing a prototype for strndup() */ -#define NEED_STRNDUP_PROTO 1 - -/* define if the system is missing a prototype for strsep() */ -/* #undef NEED_STRSEP_PROTO */ - -/* define if the system is missing a prototype for strsvis() */ -#define NEED_STRSVIS_PROTO 1 - -/* define if the system is missing a prototype for strtok_r() */ -/* #undef NEED_STRTOK_R_PROTO */ - -/* define if the 
system is missing a prototype for strunvis() */ -/* #undef NEED_STRUNVIS_PROTO */ - -/* define if the system is missing a prototype for strvisx() */ -/* #undef NEED_STRVISX_PROTO */ - -/* define if the system is missing a prototype for strvis() */ -/* #undef NEED_STRVIS_PROTO */ - -/* define if the system is missing a prototype for svis() */ -#define NEED_SVIS_PROTO 1 - -/* define if the system is missing a prototype for unsetenv() */ -/* #undef NEED_UNSETENV_PROTO */ - -/* define if the system is missing a prototype for unvis() */ -/* #undef NEED_UNVIS_PROTO */ - -/* define if the system is missing a prototype for vasnprintf() */ -#define NEED_VASNPRINTF_PROTO 1 - -/* define if the system is missing a prototype for vasprintf() */ -/* #undef NEED_VASPRINTF_PROTO */ - -/* define if the system is missing a prototype for vis() */ -/* #undef NEED_VIS_PROTO */ - -/* define if the system is missing a prototype for vsnprintf() */ -/* #undef NEED_VSNPRINTF_PROTO */ - -/* Define this to enable old environment option in telnet. */ -#define OLD_ENVIRON 1 - -/* Define if you have the openldap package. */ -/* #undef OPENLDAP */ - -/* define if prototype of openlog is compatible with void openlog(const char - *, int, int) */ -#define OPENLOG_PROTO_COMPATIBLE 1 - -/* Define if you want OTP support in applications. */ -#define OTP 1 - -/* Name of package */ -#define PACKAGE "heimdal" - -/* Define to the address where bug reports for this package should be sent. */ -#define PACKAGE_BUGREPORT "heimdal-bugs@pdc.kth.se" - -/* Define to the full name of this package. */ -#define PACKAGE_NAME "Heimdal" - -/* Define to the full name and version of this package. */ -#define PACKAGE_STRING "Heimdal 0.4f" - -/* Define to the one symbol short name of this package. */ -#define PACKAGE_TARNAME "heimdal" - -/* Define to the version of this package. */ -#define PACKAGE_VERSION "0.4f" - -/* Define if getlogin has POSIX flavour (and not BSD). 
*/ -/* #undef POSIX_GETLOGIN */ - -/* Define if getpwnam_r has POSIX flavour. */ -/* #undef POSIX_GETPWNAM_R */ - -/* Define if you have the readline package. */ -/* #undef READLINE */ - -/* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE void - -/* path to sbin */ -#define SBINDIR "/usr/heimdal/sbin" - -/* Define to 1 if you have the ANSI C header files. */ -#define STDC_HEADERS 1 - -/* Define if you have streams ptys. */ -/* #undef STREAMSPTY */ - -/* path to sysconf */ -#define SYSCONFDIR "/etc" - -/* Define to what version of SunOS you are running. */ -/* #undef SunOS */ - -/* Define to 1 if you can safely include both and . */ -#define TIME_WITH_SYS_TIME 1 - -/* Define to 1 if your declares `struct tm'. */ -/* #undef TM_IN_SYS_TIME */ - -/* Version number of package */ -#define VERSION "0.4f" - -/* Define if signal handlers return void. */ -#define VOID_RETSIGTYPE 1 - -/* define if target is big endian */ -/* #undef WORDS_BIGENDIAN */ - -/* Define to 1 if the X Window System is missing or not being used. */ -/* #undef X_DISPLAY_MISSING */ - -/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a - `char[]'. */ -#define YYTEXT_POINTER 1 - -/* Define to enable extensions on glibc-based systems such as Linux. */ -#define _GNU_SOURCE 1 - -/* Define to empty if `const' does not conform to ANSI C. */ -/* #undef const */ - -/* Define to `int' if doesn't define. */ -/* #undef gid_t */ - -/* Define as `__inline' if that's what the C compiler calls it, or to nothing - if it is not supported. */ -/* #undef inline */ - -/* Define this to what the type mode_t should be. */ -/* #undef mode_t */ - -/* Define to `long' if does not define. */ -/* #undef off_t */ - -/* Define to `int' if does not define. */ -/* #undef pid_t */ - -/* Define this to what the type sig_atomic_t should be. */ -/* #undef sig_atomic_t */ - -/* Define to `unsigned' if does not define. 
*/ -/* #undef size_t */ - -/* Define to `int' if doesn't define. */ -/* #undef uid_t */ - - -#if defined(ENCRYPTION) && !defined(AUTHENTICATION) -#define AUTHENTICATION 1 -#endif - -/* Set this to the default system lead string for telnetd - * can contain %-escapes: %s=sysname, %m=machine, %r=os-release - * %v=os-version, %t=tty, %h=hostname, %d=date and time - */ -/* #undef USE_IM */ - -/* Used with login -p */ -/* #undef LOGIN_ARGS */ - -/* set this to a sensible login */ -#ifndef LOGIN_PATH -#define LOGIN_PATH BINDIR "/login" -#endif - - -#ifdef ROKEN_RENAME -#include "roken_rename.h" -#endif - -#ifdef VOID_RETSIGTYPE -#define SIGRETURN(x) return -#else -#define SIGRETURN(x) return (RETSIGTYPE)(x) -#endif - -#ifdef BROKEN_REALLOC -#define realloc(X, Y) isoc_realloc((X), (Y)) -#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y)) -#endif - -#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4) -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S)) -#else -#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S)) -#endif - - -#ifndef HAVE_KRB_KDCTIMEOFDAY -#define krb_kdctimeofday(X) gettimeofday((X), NULL) -#endif - -#ifndef HAVE_KRB_GET_KDC_TIME_DIFF -#define krb_get_kdc_time_diff() (0) -#endif - - -#if ENDIANESS_IN_SYS_PARAM_H -# include -# include -# if BYTE_ORDER == BIG_ENDIAN -# define WORDS_BIGENDIAN 1 -# endif -#endif - - -#if _AIX -#define _ALL_SOURCE -/* XXX this is gross, but kills about a gazillion warnings */ -struct ether_addr; -struct sockaddr; -struct sockaddr_dl; -struct sockaddr_in; -#endif - - -/* IRIX 4 braindamage */ -#if IRIX == 4 && !defined(__STDC__) -#define __STDC__ 0 -#endif - diff --git a/crypto/heimdal/include/fnmatch.h b/crypto/heimdal/include/fnmatch.h deleted file mode 100644 index 95c91d600b64..000000000000 --- a/crypto/heimdal/include/fnmatch.h +++ /dev/null 
@@ -1,49 +0,0 @@
-/* $NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $ */
-
-/*-
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)fnmatch.h 8.1 (Berkeley) 6/2/93
- */
-
-#ifndef _FNMATCH_H_
-#define _FNMATCH_H_
-
-#define FNM_NOMATCH 1 /* Match failed. */
-
-#define FNM_NOESCAPE 0x01 /* Disable backslash escaping. */
-#define FNM_PATHNAME 0x02 /* Slash must be matched by slash. */
-#define FNM_PERIOD 0x04 /* Period must be matched by period. */
-
-int fnmatch (const char *, const char *, int);
-
-#endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal/include/getarg.h b/crypto/heimdal/include/getarg.h
deleted file mode 100644
index c68b66a1d0b9..000000000000
--- a/crypto/heimdal/include/getarg.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: getarg.h,v 1.12 2002/04/18 08:50:08 joda Exp $ */
-
-#ifndef __GETARG_H__
-#define __GETARG_H__
-
-#include
-
-struct getargs{
- const char *long_name;
- char short_name;
- enum { arg_integer,
- arg_string,
- arg_flag,
- arg_negative_flag,
- arg_strings,
- arg_double,
- arg_collect,
- arg_counter
- } type;
- void *value;
- const char *help;
- const char *arg_help;
-};
-
-enum {
- ARG_ERR_NO_MATCH = 1,
- ARG_ERR_BAD_ARG,
- ARG_ERR_NO_ARG
-};
-
-typedef struct getarg_strings {
- int num_strings;
- char **strings;
-} getarg_strings;
-
-typedef int (*getarg_collect_func)(int short_opt,
- int argc,
- char **argv,
- int *goptind,
- int *goptarg,
- void *data);
-
-typedef struct getarg_collect_info {
- getarg_collect_func func;
- void *data;
-} getarg_collect_info;
-
-int getarg(struct getargs *args, size_t num_args,
- int argc, char **argv, int *goptind);
-
-void arg_printusage (struct getargs *args,
- size_t num_args,
- const char *progname,
- const char *extra_string);
-
-void free_getarg_strings (getarg_strings *);
-
-#endif /* __GETARG_H__ */
diff --git a/crypto/heimdal/include/kadm5/Makefile b/crypto/heimdal/include/kadm5/Makefile
deleted file mode 100644
index 30517e4ccbe7..000000000000
--- a/crypto/heimdal/include/kadm5/Makefile
+++ /dev/null
@@ -1,485 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# include/kadm5/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -CLEANFILES = admin.h kadm5_err.h private.h -subdir = include/kadm5 -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = -DIST_COMMON = Makefile.am Makefile.in -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign include/kadm5/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -tags: TAGS -TAGS: - -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile all-local - -installdirs: - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-man install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool uninstall \ - uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - 
foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo 
"$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/include/krb5-types.h b/crypto/heimdal/include/krb5-types.h deleted file mode 100644 index 652ae3f7b5a8..000000000000 --- a/crypto/heimdal/include/krb5-types.h +++ /dev/null @@ -1,16 +0,0 @@ -/* krb5-types.h -- this file was generated for i386-unknown-freebsd5.0 by - $Id: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $ */ - -#ifndef __krb5_types_h__ -#define __krb5_types_h__ - -#include -#include -#include - - -typedef socklen_t krb5_socklen_t; -#include -typedef ssize_t krb5_ssize_t; - -#endif /* __krb5_types_h__ */ diff --git a/crypto/heimdal/include/parse_bytes.h b/crypto/heimdal/include/parse_bytes.h deleted file mode 100644 index d7e759da5ea0..000000000000 --- a/crypto/heimdal/include/parse_bytes.h +++ /dev/null 
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: parse_bytes.h,v 1.3 2001/09/04 09:56:00 assar Exp $ */
-
-#ifndef __PARSE_BYTES_H__
-#define __PARSE_BYTES_H__
-
-int
-parse_bytes (const char *s, const char *def_unit);
-
-int
-unparse_bytes (int t, char *s, size_t len);
-
-int
-unparse_bytes_short (int t, char *s, size_t len);
-
-#endif /* __PARSE_BYTES_H__ */
diff --git a/crypto/heimdal/include/parse_time.h b/crypto/heimdal/include/parse_time.h
deleted file mode 100644
index 55de505dbba3..000000000000
--- a/crypto/heimdal/include/parse_time.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: parse_time.h,v 1.4 1999/12/02 16:58:51 joda Exp $ */
-
-#ifndef __PARSE_TIME_H__
-#define __PARSE_TIME_H__
-
-int
-parse_time (const char *s, const char *def_unit);
-
-size_t
-unparse_time (int t, char *s, size_t len);
-
-size_t
-unparse_time_approx (int t, char *s, size_t len);
-
-void
-print_time_table (FILE *f);
-
-#endif /* __PARSE_TIME_H__ */
diff --git a/crypto/heimdal/include/parse_units.h b/crypto/heimdal/include/parse_units.h
deleted file mode 100644
index 29c57796c49a..000000000000
--- a/crypto/heimdal/include/parse_units.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: parse_units.h,v 1.7 2001/09/04 09:56:00 assar Exp $ */
-
-#ifndef __PARSE_UNITS_H__
-#define __PARSE_UNITS_H__
-
-#include
-#include
-
-struct units {
- const char *name;
- unsigned mult;
-};
-
-typedef struct units units;
-
-int
-parse_units (const char *s, const struct units *units,
- const char *def_unit);
-
-void
-print_units_table (const struct units *units, FILE *f);
-
-int
-parse_flags (const char *s, const struct units *units,
- int orig);
-
-int
-unparse_units (int num, const struct units *units, char *s, size_t len);
-
-int
-unparse_units_approx (int num, const struct units *units, char *s,
- size_t len);
-
-int
-unparse_flags (int num, const struct units *units, char *s, size_t len);
-
-void
-print_flags_table (const struct units *units, FILE *f);
-
-#endif /* __PARSE_UNITS_H__ */
diff --git a/crypto/heimdal/include/resolve.h b/crypto/heimdal/include/resolve.h
deleted file mode 100644
index cb25b7ab44e9..000000000000
--- a/crypto/heimdal/include/resolve.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: resolve.h,v 1.15 2002/08/26 13:30:16 assar Exp $ */
-
-#ifndef __RESOLVE_H__
-#define __RESOLVE_H__
-
-/* We use these, but they are not always present in */
-
-#ifndef T_TXT
-#define T_TXT 16
-#endif
-#ifndef T_AFSDB
-#define T_AFSDB 18
-#endif
-#ifndef T_SIG
-#define T_SIG 24
-#endif
-#ifndef T_KEY
-#define T_KEY 25
-#endif
-#ifndef T_AAAA
-#define T_AAAA 28
-#endif
-#ifndef T_SRV
-#define T_SRV 33
-#endif
-#ifndef T_NAPTR
-#define T_NAPTR 35
-#endif
-#ifndef T_CERT
-#define T_CERT 37
-#endif
-
-#define dns_query rk_dns_query
-#define mx_record rk_mx_record
-#define srv_record rk_srv_record
-#define key_record rk_key_record
-#define sig_record rk_sig_record
-#define cert_record rk_cert_record
-#define resource_record rk_resource_record
-#define dns_reply rk_dns_reply
-
-#define dns_lookup rk_dns_lookup
-#define dns_free_data rk_dns_free_data
-#define dns_string_to_type rk_dns_string_to_type
-#define dns_type_to_string rk_dns_type_to_string
-#define dns_srv_order rk_dns_srv_order
-
-struct dns_query{
- char *domain;
- unsigned type;
- unsigned class;
-};
-
-struct mx_record{
- unsigned preference;
- char domain[1];
-};
-
-struct srv_record{
- unsigned priority;
- unsigned weight;
- unsigned port;
- char target[1];
-};
-
-struct key_record {
- unsigned flags;
- unsigned protocol;
- unsigned algorithm;
- size_t key_len;
- u_char key_data[1];
-};
-
-struct sig_record {
- unsigned type;
- unsigned algorithm;
- unsigned labels;
- unsigned orig_ttl;
- unsigned sig_expiration;
- unsigned sig_inception;
- unsigned key_tag;
- char *signer;
- unsigned sig_len;
- char sig_data[1]; /* also includes signer */
-};
-
-struct cert_record {
- unsigned type;
- unsigned tag;
- unsigned algorithm;
- size_t cert_len;
- u_char cert_data[1];
-};
-
-struct resource_record{
- char *domain;
- unsigned type;
- unsigned class;
- unsigned ttl;
- unsigned size;
- union {
- void *data;
- struct mx_record *mx;
- struct mx_record *afsdb; /* mx and afsdb are identical */
- struct srv_record *srv;
- struct in_addr *a;
- char *txt;
- struct key_record *key;
- struct cert_record *cert;
- struct sig_record *sig;
- }u;
- struct resource_record *next;
-};
-
-#ifndef T_A /* XXX if isn't included */
-typedef int HEADER; /* will never be used */
-#endif
-
-struct dns_reply{
- HEADER h;
- struct dns_query q;
- struct resource_record *head;
-};
-
-
-struct dns_reply* dns_lookup(const char *, const char *);
-void dns_free_data(struct dns_reply *);
-int dns_string_to_type(const char *name);
-const char *dns_type_to_string(int type);
-void dns_srv_order(struct dns_reply*);
-
-#endif /* __RESOLVE_H__ */
diff --git a/crypto/heimdal/include/roken-common.h b/crypto/heimdal/include/roken-common.h
deleted file mode 100644
index 2e604ac893e1..000000000000
--- a/crypto/heimdal/include/roken-common.h
+++ /dev/null
@@ -1,338 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: roken-common.h,v 1.49 2002/08/20 11:55:04 joda Exp $ */
-
-#ifndef __ROKEN_COMMON_H__
-#define __ROKEN_COMMON_H__
-
-#ifdef __cplusplus
-#define ROKEN_CPP_START extern "C" {
-#define ROKEN_CPP_END }
-#else
-#define ROKEN_CPP_START
-#define ROKEN_CPP_END
-#endif
-
-#ifndef INADDR_NONE
-#define INADDR_NONE 0xffffffff
-#endif
-
-#ifndef INADDR_LOOPBACK
-#define INADDR_LOOPBACK 0x7f000001
-#endif
-
-#ifndef SOMAXCONN
-#define SOMAXCONN 5
-#endif
-
-#ifndef STDIN_FILENO
-#define STDIN_FILENO 0
-#endif
-
-#ifndef STDOUT_FILENO
-#define STDOUT_FILENO 1
-#endif
-
-#ifndef STDERR_FILENO
-#define STDERR_FILENO 2
-#endif
-
-#ifndef max
-#define max(a,b) (((a)>(b))?(a):(b))
-#endif
-
-#ifndef min
-#define min(a,b) (((a)<(b))?(a):(b))
-#endif
-
-#ifndef TRUE
-#define TRUE 1
-#endif
-
-#ifndef FALSE
-#define FALSE 0
-#endif
-
-#ifndef LOG_DAEMON
-#define openlog(id,option,facility) openlog((id),(option))
-#define LOG_DAEMON 0
-#endif
-#ifndef LOG_ODELAY
-#define LOG_ODELAY 0
-#endif
-#ifndef LOG_NDELAY
-#define LOG_NDELAY 0x08
-#endif
-#ifndef LOG_CONS
-#define LOG_CONS 0
-#endif
-#ifndef LOG_AUTH
-#define LOG_AUTH 0
-#endif
-#ifndef LOG_AUTHPRIV
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
-#ifndef F_OK
-#define F_OK 0
-#endif
-
-#ifndef O_ACCMODE
-#define O_ACCMODE 003
-#endif
-
-#ifndef _PATH_DEV
-#define _PATH_DEV "/dev/"
-#endif
-
-#ifndef _PATH_DEVNULL
-#define _PATH_DEVNULL "/dev/null"
-#endif
-
-#ifndef _PATH_HEQUIV
-#define _PATH_HEQUIV "/etc/hosts.equiv"
-#endif
-
-#ifndef _PATH_VARRUN
-#define _PATH_VARRUN "/var/run/"
-#endif
-
-#ifndef _PATH_BSHELL
-#define _PATH_BSHELL "/bin/sh"
-#endif
-
-#ifndef MAXPATHLEN
-#define MAXPATHLEN (1024+4)
-#endif
-
-#ifndef SIG_ERR
-#define SIG_ERR ((RETSIGTYPE (*)(int))-1)
-#endif
-
-/*
- * error code for getipnodeby{name,addr}
- */
-
-#ifndef HOST_NOT_FOUND
-#define HOST_NOT_FOUND 1
-#endif
-
-#ifndef TRY_AGAIN
-#define TRY_AGAIN 2
-#endif
-
-#ifndef NO_RECOVERY
-#define NO_RECOVERY 3
-#endif
-
-#ifndef NO_DATA
-#define NO_DATA 4
-#endif
-
-#ifndef NO_ADDRESS
-#define NO_ADDRESS NO_DATA
-#endif
-
-/*
- * error code for getaddrinfo
- */
-
-#ifndef EAI_NOERROR
-#define EAI_NOERROR 0 /* no error */
-#endif
-
-#ifndef EAI_ADDRFAMILY
-
-#define EAI_ADDRFAMILY 1 /* address family for nodename not supported */
-#define EAI_AGAIN 2 /* temporary failure in name resolution */
-#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
-#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
-#define EAI_FAMILY 5 /* ai_family not supported */
-#define EAI_MEMORY 6 /* memory allocation failure */
-#define EAI_NODATA 7 /* no address associated with nodename */
-#define EAI_NONAME 8 /* nodename nor servname provided, or not known */
-#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
-#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
-#define EAI_SYSTEM 11 /* system error returned in errno */
-
-#endif /* EAI_ADDRFAMILY */
-
-/* flags for getaddrinfo() */
-
-#ifndef AI_PASSIVE
-#define AI_PASSIVE 0x01
-#define AI_CANONNAME 0x02
-#endif /* AI_PASSIVE */
-
-#ifndef AI_NUMERICHOST
-#define AI_NUMERICHOST 0x04
-#endif
-
-/* flags for getnameinfo() */
-
-#ifndef NI_DGRAM
-#define NI_DGRAM 0x01
-#define NI_NAMEREQD 0x02
-#define NI_NOFQDN 0x04
-#define NI_NUMERICHOST 0x08
-#define NI_NUMERICSERV 0x10
-#endif
-
-/*
- * constants for getnameinfo
- */
-
-#ifndef NI_MAXHOST
-#define NI_MAXHOST 1025
-#define NI_MAXSERV 32
-#endif
-
-/*
- * constants for inet_ntop
- */
-
-#ifndef INET_ADDRSTRLEN
-#define INET_ADDRSTRLEN 16
-#endif
-
-#ifndef INET6_ADDRSTRLEN
-#define INET6_ADDRSTRLEN 46
-#endif
-
-/*
- * for shutdown(2)
- */
-
-#ifndef SHUT_RD
-#define SHUT_RD 0
-#endif
-
-#ifndef SHUT_WR
-#define SHUT_WR 1
-#endif
-
-#ifndef SHUT_RDWR
-#define SHUT_RDWR 2
-#endif
-
-#ifndef HAVE___ATTRIBUTE__
-#define __attribute__(x)
-#endif
-
-ROKEN_CPP_START
-
-#if IRIX != 4 /* fix for compiler bug */
-#ifdef RETSIGTYPE
-typedef RETSIGTYPE (*SigAction)(int);
-SigAction signal(int iSig, SigAction pAction); /* BSD compatible */
-#endif
-#endif
-
-int ROKEN_LIB_FUNCTION simple_execve(const char*, char*const[], char*const[]);
-int ROKEN_LIB_FUNCTION simple_execvp(const char*, char *const[]);
-int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...);
-int ROKEN_LIB_FUNCTION simple_execle(const char*, ...);
-int ROKEN_LIB_FUNCTION simple_execl(const char *file, ...);
-
-int ROKEN_LIB_FUNCTION wait_for_process(pid_t);
-int ROKEN_LIB_FUNCTION pipe_execv(FILE**, FILE**, FILE**, const char*, ...);
-
-void ROKEN_LIB_FUNCTION print_version(const char *);
-
-ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes);
-ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes);
-
-struct hostent;
-
-const char *
-hostent_find_fqdn (const struct hostent *he);
-
-void
-esetenv(const char *var, const char *val, int rewrite);
-
-void
-socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port);
-
-size_t
-socket_addr_size (const struct sockaddr *sa);
-
-void
-socket_set_any (struct sockaddr *sa, int af);
-
-size_t
-socket_sockaddr_size (const struct sockaddr *sa);
-
-void *
-socket_get_address (struct sockaddr *sa);
-
-int
-socket_get_port (const struct sockaddr *sa);
-
-void
-socket_set_port (struct sockaddr *sa, int port);
-
-void
-socket_set_portrange (int sock, int restr, int af);
-
-void
-socket_set_debug (int sock);
-
-void
-socket_set_tos (int sock, int tos);
-
-void
-socket_set_reuseaddr (int sock, int val);
-
-char **
-vstrcollect(va_list *ap);
-
-char **
-strcollect(char *first, ...);
-
-void timevalfix(struct timeval *t1);
-void timevaladd(struct timeval *t1, const struct timeval *t2);
-void timevalsub(struct timeval *t1, const struct timeval *t2);
-
-char *pid_file_write (const char *progname);
-void pid_file_delete (char **);
-
-int
-read_environment(const char *file, char ***env);
-
-void warnerr(int doerrno, const char *fmt, va_list ap)
- __attribute__ ((format (printf, 2, 0)));
-
-ROKEN_CPP_END
-
-#endif /* __ROKEN_COMMON_H__ */
diff --git a/crypto/heimdal/include/roken.h b/crypto/heimdal/include/roken.h
deleted file mode 100644
index 4be5be54f06b..000000000000
--- a/crypto/heimdal/include/roken.h
+++ /dev/null
@@ -1,244 +0,0 @@ -/* This is an OS dependent, generated file */ - - -#ifndef __ROKEN_H__ -#define __ROKEN_H__ - -/* -*- C -*- */ -/* - * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: roken.h.in,v 1.169 2002/08/26 21:43:38 assar Exp $ */ - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - - -#define ROKEN_LIB_FUNCTION - - -#include - -ROKEN_CPP_START - - - - - - - - - - -int asnprintf (char **ret, size_t max_sz, const char *format, ...) - __attribute__ ((format (printf, 3, 4))); - -int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap) - __attribute__((format (printf, 3, 0))); - - -char * strndup(const char *old, size_t sz); - -char * strlwr(char *); - -size_t strnlen(const char*, size_t); - - -ssize_t strsep_copy(const char**, const char*, char*, size_t); - - - - -char * strupr(char *); - - - - - - - - - - - -#include -struct passwd *k_getpwnam (const char *user); -struct passwd *k_getpwuid (uid_t uid); - -const char *get_default_username (void); - - - - - - - - - - - - - - - - - - -void pidfile (const char*); - -unsigned int bswap32(unsigned int); - -unsigned short bswap16(unsigned short); - - -time_t tm2time (struct tm tm, int local); - -int unix_verify_user(char *user, char *password); - -int roken_concat (char *s, size_t len, ...); - -size_t roken_mconcat (char **s, size_t max_len, ...); - -int roken_vconcat (char *s, size_t len, va_list args); - -size_t roken_vmconcat (char **s, size_t max_len, va_list args); - -ssize_t net_write (int fd, const void *buf, size_t nbytes); - -ssize_t net_read (int fd, void *buf, size_t nbytes); - -int issuid(void); - - -int get_window_size(int fd, struct winsize *); - - - -extern const char *__progname; - -extern char **environ; - - - - -struct hostent * -copyhostent (const struct hostent *h); - - - - - - - - -int -getnameinfo_verified(const struct sockaddr *sa, socklen_t salen, - char *host, size_t hostlen, - char *serv, size_t servlen, - int flags); 
- -int roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); -int roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **); - - - -void *emalloc (size_t); -void *ecalloc(size_t num, size_t sz); -void *erealloc (void *, size_t); -char *estrdup (const char *); - -/* - * kludges and such - */ - -int roken_gethostby_setup(const char*, const char*); -struct hostent* roken_gethostbyname(const char*); -struct hostent* roken_gethostbyaddr(const void*, size_t, int); - -#define roken_getservbyname(x,y) getservbyname(x,y) - -#define roken_openlog(a,b,c) openlog(a,b,c) - -#define roken_getsockname(a,b,c) getsockname(a,b,c) - - - -void mini_inetd_addrinfo (struct addrinfo*); -void mini_inetd (int port); - -void set_progname(char *argv0); -const char *get_progname(void); - - -int -strsvis(char *dst, const char *src, int flag, const char *extra); - - - - -char * -svis(char *dst, int c, int flag, int nextc, const char *extra); - - - -ROKEN_CPP_END -#define ROKEN_VERSION 0.4f - -#endif /* __ROKEN_H__ */ diff --git a/crypto/heimdal/include/rtbl.h b/crypto/heimdal/include/rtbl.h deleted file mode 100644 index 16496a7fd205..000000000000 --- a/crypto/heimdal/include/rtbl.h +++ /dev/null 
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __rtbl_h__
-#define __rtbl_h__
-
-struct rtbl_data;
-typedef struct rtbl_data *rtbl_t;
-
-#define RTBL_ALIGN_LEFT 0
-#define RTBL_ALIGN_RIGHT 1
-
-rtbl_t rtbl_create (void);
-
-void rtbl_destroy (rtbl_t);
-
-int rtbl_set_prefix (rtbl_t, const char*);
-
-int rtbl_set_column_prefix (rtbl_t, const char*, const char*);
-
-int rtbl_add_column (rtbl_t, const char*, unsigned int);
-
-int rtbl_add_column_entry (rtbl_t, const char*, const char*);
-
-int rtbl_format (rtbl_t, FILE*);
-
-#endif /* __rtbl_h__ */
diff --git a/crypto/heimdal/include/stamp-h.in b/crypto/heimdal/include/stamp-h.in
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/crypto/heimdal/include/stamp-h1 b/crypto/heimdal/include/stamp-h1
deleted file mode 100644
index b330768e9bf6..000000000000
--- a/crypto/heimdal/include/stamp-h1
+++ /dev/null
@@ -1 +0,0 @@
-timestamp for include/config.h
diff --git a/crypto/heimdal/include/xdbm.h b/crypto/heimdal/include/xdbm.h
deleted file mode 100644
index 6e65217625fc..000000000000
--- a/crypto/heimdal/include/xdbm.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: xdbm.h,v 1.15 2002/05/17 16:02:22 joda Exp $ */
-
-/* Generic *dbm include file */
-
-#ifndef __XDBM_H__
-#define __XDBM_H__
-
-#if HAVE_DB_NDBM
-#define DB_DBM_HSEARCH 1
-#include
-#elif HAVE_NDBM
-#if defined(HAVE_GDBM_NDBM_H)
-#include
-#elif defined(HAVE_NDBM_H)
-#include
-#endif
-#endif /* HAVE_NDBM */
-
-#endif /* __XDBM_H__ */
diff --git a/crypto/heimdal/kadmin/Makefile b/crypto/heimdal/kadmin/Makefile
deleted file mode 100644
index 735c5f760694..000000000000
--- a/crypto/heimdal/kadmin/Makefile
+++ /dev/null
@@ -1,784 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# kadmin/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.34 2001/08/28 08:31:26 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) 
- -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -sbin_PROGRAMS = kadmin - -libexec_PROGRAMS = kadmind - -man_MANS = kadmin.8 kadmind.8 - -noinst_PROGRAMS = add_random_users - -kadmin_SOURCES = \ - ank.c \ - cpw.c \ - del.c \ - del_enctype.c \ - dump.c \ - ext.c \ - get.c \ - init.c \ - kadmin.c \ - load.c \ - mod.c \ - rename.c \ - util.c \ - random_password.c \ - kadmin_locl.h - - -#KRB4LIB = $(LIB_krb4) -#version4_c = version4.c - -kadmind_SOURCES = \ - kadmind.c \ - server.c \ - kadmin_locl.h \ - $(version4_c) \ - kadm_conn.c - - -EXTRA_kadmind_SOURCES = version4.c - -add_random_users_SOURCES = add-random-users.c - -LDADD_common = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - - -kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(LDADD_common) \ - $(LIB_pidfile) \ - $(LIB_dlopen) - - -kadmin_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/sl/libsl.la \ - $(LIB_readline) \ - $(LDADD_common) \ - $(LIB_dlopen) - - -add_random_users_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(LDADD_common) \ - $(LIB_dlopen) - -subdir = kadmin -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -libexec_PROGRAMS = kadmind$(EXEEXT) -noinst_PROGRAMS = add_random_users$(EXEEXT) -sbin_PROGRAMS = kadmin$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS) - -am_add_random_users_OBJECTS = add-random-users.$(OBJEXT) -add_random_users_OBJECTS = 
$(am_add_random_users_OBJECTS) -add_random_users_DEPENDENCIES = \ - $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -add_random_users_LDFLAGS = -am_kadmin_OBJECTS = ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \ - del_enctype.$(OBJEXT) dump.$(OBJEXT) ext.$(OBJEXT) \ - get.$(OBJEXT) init.$(OBJEXT) kadmin.$(OBJEXT) load.$(OBJEXT) \ - mod.$(OBJEXT) rename.$(OBJEXT) util.$(OBJEXT) \ - random_password.$(OBJEXT) -kadmin_OBJECTS = $(am_kadmin_OBJECTS) -kadmin_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/sl/libsl.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kadmin_LDFLAGS = -#am__objects_1 = version4.$(OBJEXT) -am_kadmind_OBJECTS = kadmind.$(OBJEXT) server.$(OBJEXT) $(am__objects_1) \ - kadm_conn.$(OBJEXT) -kadmind_OBJECTS = $(am_kadmind_OBJECTS) -#kadmind_DEPENDENCIES = \ -# $(top_builddir)/lib/kadm5/libkadm5srv.la \ -# $(top_builddir)/lib/hdb/libhdb.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -kadmind_DEPENDENCIES = \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kadmind_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) \ - $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign kadmin/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 
's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(sbindir) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \ - rm -f $(DESTDIR)$(sbindir)/$$f; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -add_random_users$(EXEEXT): $(add_random_users_OBJECTS) $(add_random_users_DEPENDENCIES) - @rm -f add_random_users$(EXEEXT) - $(LINK) $(add_random_users_LDFLAGS) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS) -kadmin$(EXEEXT): $(kadmin_OBJECTS) $(kadmin_DEPENDENCIES) - @rm -f kadmin$(EXEEXT) - $(LINK) $(kadmin_LDFLAGS) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS) -kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES) - @rm -f kadmind$(EXEEXT) - 
$(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) 
$(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir) $(DESTDIR)$(man8dir) - -install: install-am 
-install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \ - uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS clean-sbinPROGRAMS distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info 
install-info-am \ - install-libexecPROGRAMS install-man install-man8 \ - install-sbinPROGRAMS install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \ - uninstall-man8 uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - 
$(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: 
diff --git a/crypto/heimdal/kadmin/kadmin.cat8 b/crypto/heimdal/kadmin/kadmin.cat8
deleted file mode 100644
index 215553393033..000000000000
--- a/crypto/heimdal/kadmin/kadmin.cat8
+++ /dev/null
@@ -1,121 +0,0 @@ -KADMIN(8) NetBSD System Manager's Manual KADMIN(8) - -NNAAMMEE - kkaaddmmiinn - Kerberos administration utility - -SSYYNNOOPPSSIISS - kkaaddmmiinn [--pp _s_t_r_i_n_g | ----pprriinncciippaall==_s_t_r_i_n_g] [--KK _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] [--cc - _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] [--rr _r_e_a_l_m | - ----rreeaallmm==_r_e_a_l_m] [--aa _h_o_s_t | ----aaddmmiinn--sseerrvveerr==_h_o_s_t] [--ss _p_o_r_t _n_u_m_b_e_r | - ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r] [--ll | ----llooccaall] [--hh | ----hheellpp] [--vv | ----vveerrssiioonn] - [_c_o_m_m_a_n_d] - -DDEESSCCRRIIPPTTIIOONN - The kkaaddmmiinn program is used to make modification to the Kerberos database, - either remotely via the kadmind(8) daemon, or locally (with the --ll op- - tion). - - Supported options: - - --pp _s_t_r_i_n_g, ----pprriinncciippaall==_s_t_r_i_n_g - principal to authenticate as - - --KK _s_t_r_i_n_g, ----kkeeyyttaabb==_s_t_r_i_n_g - keytab for authentication pricipal - - --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e - location of config file - - --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e - location of master key file - - --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m - realm to use - - --aa _h_o_s_t, ----aaddmmiinn--sseerrvveerr==_h_o_s_t - server to contact - - --ss _p_o_r_t _n_u_m_b_e_r, ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r - port to use - - --ll, ----llooccaall - local admin mode - - If no _c_o_m_m_a_n_d is given on the command line, kkaaddmmiinn will prompt for com- - mands to process. 
Commands include: - - aadddd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g | - ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e] - [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e] [----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s] - [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] _p_r_i_n_c_i_p_a_l_._._. - - creates a new principal - - ppaasssswwdd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g | - ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._. - - changes the password of an existing principal - - ddeelleettee _p_r_i_n_c_i_p_a_l_._._. - - removes a principal - - ddeell__eennccttyyppee _p_r_i_n_c_i_p_a_l _e_n_c_t_y_p_e_s_._._. - - removes some enctypes from a principal, this can be useful - the service belonging to the principal is known to not handle - certain enctypes - - eexxtt__kkeeyyttaabb [--kk _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._. - - creates a keytab with the keys of the specified principals - - ggeett [--ll | ----lloonngg] [--ss | ----sshhoorrtt] [--tt | ----tteerrssee] _e_x_p_r_e_s_s_i_o_n_._._. 
- - lists the principals that match the expressions (which are - shell glob like), long format gives more information, and - terse just prints the names - - rreennaammee _f_r_o_m _t_o - - renames a principal - - mmooddiiffyy [--aa _a_t_t_r_i_b_u_t_e_s | ----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s] - [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e] [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e] - [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] - [----kkvvnnoo==_n_u_m_b_e_r] _p_r_i_n_c_i_p_a_l - - modifies certain attributes of a principal - - pprriivviilleeggeess - - lists the operations you are allowd to perform - - When running in local mode, the following commands can also be used. - - dduummpp [--dd | ----ddeeccrryypptt] [_d_u_m_p_-_f_i_l_e] - - writes the database in ``human readable'' form to the speci- - fied file, or standard out - - iinniitt [----rreeaallmm--mmaaxx--ttiicckkeett--lliiffee==_s_t_r_i_n_g] - [----rreeaallmm--mmaaxx--rreenneewwaabbllee--lliiffee==_s_t_r_i_n_g] _r_e_a_l_m - - initialises the Kerberos database with entries for a new - realm, it's possible to have more than one realm served by - one server - - llooaadd _f_i_l_e - - reads a previously dumped database, and re-creates that - database from scratch - - mmeerrggee _f_i_l_e - - similar to lliisstt but just modifies the database with the en- - tries in the dump file - -SSEEEE AALLSSOO - kadmind(8), kdc(8) - - HEIMDAL September 10, 2000 2 diff --git a/crypto/heimdal/kadmin/kadmind.cat8 b/crypto/heimdal/kadmin/kadmind.cat8 deleted file mode 100644 index b7172bcaab82..000000000000 --- a/crypto/heimdal/kadmin/kadmind.cat8 +++ /dev/null 
@@ -1,93 +0,0 @@ -KADMIND(8) NetBSD System Manager's Manual KADMIND(8) - -NNAAMMEE - kkaaddmmiinndd - server for administrative access to kerberos database - -SSYYNNOOPPSSIISS - kkaaddmmiinndd [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] - [----kkeeyyttaabb==_k_e_y_t_a_b] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--dd | ----ddeebbuugg] [--pp _p_o_r_t | - ----ppoorrttss==_p_o_r_t] [----nnoo--kkeerrbbeerrooss44] - -DDEESSCCRRIIPPTTIIOONN - kkaaddmmiinndd listens for requests for changes to the Kerberos database and - performs these, subject to permissions. When starting, if stdin is a - socket it assumes that it has been started by inetd(8), otherwise it be- - haves as a daemon, forking processes for each new connection. The ----ddeebbuugg - option causes kkaaddmmiinndd to accept exactly one connection, which is useful - for debugging. - - If built with krb4 support, it implements both the Heimdal Kerberos 5 ad- - ministrative protocol and the Kerberos 4 protocol. Password changes via - the Kerberos 4 protocol are also performed by kkaaddmmiinndd, but the - kpasswdd(8) daemon is responsible for the Kerberos 5 password changing - protocol (used by kpasswd(1)) - - This daemon should only be run on ther master server, and not on any - slaves. - - Principals are always allowed to change their own password and list their - own principal. Apart from that, doing any operation requires permission - explicitly added in the ACL file _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l. The format of - this file is: - - _p_r_i_n_c_i_p_a_l _r_i_g_h_t_s [_p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n] - - Where rights is any (comma separated) combination of: - ++oo change-password or cpw - ++oo list - ++oo delete - ++oo modify - ++oo add - ++oo get - ++oo all - - And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to operations on - principals that match the glob-style pattern. 
- - Supported options: - - --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e - location of config file - - --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e - location of master key file - - ----kkeeyyttaabb==_k_e_y_t_a_b - what keytab to use - - --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m - realm to use - - --dd, ----ddeebbuugg - enable debugging - - --pp _p_o_r_t, ----ppoorrttss==_p_o_r_t - ports to listen to. By default, if run as a daemon, it listen to - ports 749, and 751 (if Kerberos 4 support is built and enabled), - but you can add any number of ports with this option. The port - string is a whitespace separated list of port specifications, - with the special string ``+'' representing the default set of - ports. - - ----nnoo--kkeerrbbeerrooss44 - make kkaaddmmiinndd ignore Kerberos 4 kadmin requests. - -FFIILLEESS - _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l - -EEXXAAMMPPLLEESS - This will cause kkaaddmmiinndd to listen to port 4711 in addition to any com- - piled in defaults: - - kkaaddmmiinndd----ppoorrttss="+ 4711" & - - This acl file will grant Joe all rights, and allow Mallory to view and - add host principals. - - joe/admin@EXAMPLE.COM all - mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM - -SSEEEE AALLSSOO - kpasswd(1), kadmin(8), kdc(8), kpasswdd(8) - - HEIMDAL March 5, 2002 2 diff --git a/crypto/heimdal/kdc/Makefile b/crypto/heimdal/kdc/Makefile deleted file mode 100644 index 7bb233f7f9bc..000000000000 --- a/crypto/heimdal/kdc/Makefile +++ /dev/null 
@@ -1,803 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# kdc/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.43 2001/08/28 08:31:27 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = string2key - -sbin_PROGRAMS = kstash - -libexec_PROGRAMS = hprop hpropd kdc - -man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8 - -hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h -hpropd_SOURCES = hpropd.c hprop.h - -kstash_SOURCES = kstash.c headers.h - -string2key_SOURCES = string2key.c headers.h - -#krb4_sources = 524.c kerberos4.c kaserver.c rx.h -krb4_sources = - -kdc_SOURCES = \ - config.c \ - connect.c \ - kdc_locl.h \ - kerberos5.c \ - log.c \ - main.c \ - misc.c \ - $(krb4_sources) - - -hprop_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - - -hpropd_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - - -LDADD = $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - - -kdc_LDADD = $(LDADD) $(LIB_pidfile) -subdir = kdc -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = string2key$(EXEEXT) -libexec_PROGRAMS = hprop$(EXEEXT) hpropd$(EXEEXT) kdc$(EXEEXT) -sbin_PROGRAMS = kstash$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(sbin_PROGRAMS) - -am_hprop_OBJECTS = hprop.$(OBJEXT) mit_dump.$(OBJEXT) v4_dump.$(OBJEXT) -hprop_OBJECTS = $(am_hprop_OBJECTS) -hprop_DEPENDENCIES = 
$(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -hprop_LDFLAGS = -am_hpropd_OBJECTS = hpropd.$(OBJEXT) -hpropd_OBJECTS = $(am_hpropd_OBJECTS) -hpropd_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -hpropd_LDFLAGS = -#am__objects_1 = 524.$(OBJEXT) kerberos4.$(OBJEXT) \ -# kaserver.$(OBJEXT) -am__objects_1 = -am_kdc_OBJECTS = config.$(OBJEXT) connect.$(OBJEXT) kerberos5.$(OBJEXT) \ - log.$(OBJEXT) main.$(OBJEXT) misc.$(OBJEXT) $(am__objects_1) -kdc_OBJECTS = $(am_kdc_OBJECTS) -kdc_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kdc_LDFLAGS = -am_kstash_OBJECTS = kstash.$(OBJEXT) -kstash_OBJECTS = $(am_kstash_OBJECTS) -kstash_LDADD = $(LDADD) -kstash_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kstash_LDFLAGS = -am_string2key_OBJECTS = string2key.$(OBJEXT) -string2key_OBJECTS = $(am_string2key_OBJECTS) -string2key_LDADD = $(LDADD) -string2key_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -string2key_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) \ - $(kstash_SOURCES) $(string2key_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES) $(string2key_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign kdc/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f 
$(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(sbindir) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in 
$$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \ - rm -f $(DESTDIR)$(sbindir)/$$f; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES) - @rm -f hprop$(EXEEXT) - $(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS) -hpropd$(EXEEXT): $(hpropd_OBJECTS) $(hpropd_DEPENDENCIES) - @rm -f hpropd$(EXEEXT) - $(LINK) $(hpropd_LDFLAGS) $(hpropd_OBJECTS) $(hpropd_LDADD) $(LIBS) -kdc$(EXEEXT): $(kdc_OBJECTS) $(kdc_DEPENDENCIES) - @rm -f kdc$(EXEEXT) - $(LINK) $(kdc_LDFLAGS) $(kdc_OBJECTS) $(kdc_LDADD) $(LIBS) -kstash$(EXEEXT): $(kstash_OBJECTS) $(kstash_DEPENDENCIES) - @rm -f kstash$(EXEEXT) - $(LINK) $(kstash_LDFLAGS) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS) -string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES) - @rm -f string2key$(EXEEXT) - $(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 
's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \ - install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-data-local install-exec \ - install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man8 \ - install-sbinPROGRAMS install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \ - uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - 
echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo 
"$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/kdc/hprop-common.c b/crypto/heimdal/kdc/hprop-common.c deleted file mode 100644 index 660725f68883..000000000000 --- a/crypto/heimdal/kdc/hprop-common.c +++ /dev/null 
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hprop.h"
-
-RCSID("$Id: hprop-common.c,v 1.7 1999/12/02 17:04:59 joda Exp $");
-
-krb5_error_code
-send_priv(krb5_context context, krb5_auth_context ac,
- krb5_data *data, int fd)
-{
- krb5_data packet;
- krb5_error_code ret;
-
- ret = krb5_mk_priv (context,
- ac,
- data,
- &packet,
- NULL);
- if (ret)
- return ret;
-
- ret = krb5_write_message (context, &fd, &packet);
- krb5_data_free(&packet);
- return ret;
-}
-
-krb5_error_code
-recv_priv(krb5_context context, krb5_auth_context ac, int fd, krb5_data *out)
-{
- krb5_error_code ret;
- krb5_data data;
-
- ret = krb5_read_message (context, &fd, &data);
- if (ret)
- return ret;
-
- ret = krb5_rd_priv(context, ac, &data, out, NULL);
- krb5_data_free (&data);
- return ret;
-}
-
-krb5_error_code
-send_clear(krb5_context context, int fd, krb5_data data)
-{
- return krb5_write_message (context, &fd, &data);
-}
-
-krb5_error_code
-recv_clear(krb5_context context, int fd, krb5_data *out)
-{
- return krb5_read_message (context, &fd, out);
-}
diff --git a/crypto/heimdal/kdc/hprop.cat8 b/crypto/heimdal/kdc/hprop.cat8
deleted file mode 100644
index 0ac37e242053..000000000000
--- a/crypto/heimdal/kdc/hprop.cat8
+++ /dev/null
@@ -1,98 +0,0 @@ -HPROP(8) NetBSD System Manager's Manual HPROP(8) - -NNAAMMEE - hhpprroopp - propagate the KDC database - -SSYYNNOOPPSSIISS - hhpprroopp [--mm _f_i_l_e | ----mmaasstteerr--kkeeyy==_f_i_l_e] [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] - [----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r] [--rr _s_t_r_i_n_g | - ----vv44--rreeaallmm==_s_t_r_i_n_g] [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--SS | ----kkaassppeecciiaallss] [--kk _k_e_y_t_a_b - | ----kkeeyyttaabb==_k_e_y_t_a_b] [--RR _s_t_r_i_n_g | ----vv55--rreeaallmm==_s_t_r_i_n_g] [--DD | ----ddeeccrryypptt] [--EE | - ----eennccrryypptt] [--nn | ----ssttddoouutt] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh | ----hheellpp] - [_h_o_s_t[:_p_o_r_t]] _._._. - -DDEESSCCRRIIPPTTIIOONN - hhpprroopp takes a principal database in a specified format and converts it - into a stream of Heimdal database records. This stream can either be - written to standard out, or (more commonly) be propagated to a hpropd(8) - server running on a different machine. - - If propagating, it connects to all _h_o_s_t_s specified on the command by - opening a TCP connection to port 754 (service hprop) and sends the - database in encrypted form. - - Supported options: - - --mm _f_i_l_e, ----mmaasstteerr--kkeeyy==_f_i_l_e - Where to find the master key to encrypt or decrypt keys with. - - --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e - The database to be propagated. - - ----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r - Specifies the type of the source database. Alternatives include: - - heimdal a Heimdal database - mit-dump a MIT Kerberos 5 dump file - krb4-db a Kerberos 4 database - krb4-dump a Kerberos 4 dump file - kaserver an AFS kaserver database - - --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b - The keytab to use for fetching the key to be used for authenti- - cating to the propagation daemon(s). 
The key _k_a_d_m_i_n_/_h_p_r_o_p is used - from this keytab. The default is to fetch the key from the KDC - database. - - --RR _s_t_r_i_n_g, ----vv55--rreeaallmm==_s_t_r_i_n_g - Local realm override. - - --DD, ----ddeeccrryypptt - The encryption keys in the database can either be in clear, or - encrypted with a master key. This option transmits the database - with unencrypted keys. - - --EE, ----eennccrryypptt - This option transmits the database with encrypted keys. - - --nn, ----ssttddoouutt - Dump the database on stdout, in a format that can be fed to - hpropd. - - The following options are only valid if hhpprroopp is compiled with support - for Kerberos 4 (kaserver). - - --rr _s_t_r_i_n_g, ----vv44--rreeaallmm==_s_t_r_i_n_g - v4 realm to use - - --cc _c_e_l_l, ----cceellll==_c_e_l_l - The AFS cell name, used if reading a kaserver database. - - --SS, ----kkaassppeecciiaallss - Also dump the principals marked as special in the kaserver - database. - - --44, ----vv44--ddbb - Deprecated, identical to `--source=krb4-db'. - - --KK, ----kkaa--ddbb - Deprecated, identical to `--source=kaserver'. - -EEXXAAMMPPLLEESS - The following will propagate a database to another machine (which should - run hpropd(8):) - - $ hprop slave-1 slave-2 - - Copy a Kerberos 4 database to a Kerberos 5 slave: - - $ hprop --source=krb4-db -E krb5-slave - - Convert a Kerberos 4 dump-file for use with a Heimdal KDC: - - $ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump --master-key=/.k | hpropd -n - -SSEEEE AALLSSOO - hpropd(8) - - HEIMDAL June 19, 2000 2 diff --git a/crypto/heimdal/kdc/hpropd.cat8 b/crypto/heimdal/kdc/hpropd.cat8 deleted file mode 100644 index e72b4da337a3..000000000000 --- a/crypto/heimdal/kdc/hpropd.cat8 +++ /dev/null 
@@ -1,42 +0,0 @@ -HPROPD(8) NetBSD System Manager's Manual HPROPD(8) - -NNAAMMEE - hhpprrooppdd - receive a propagated database - -SSYYNNOOPPSSIISS - hhpprrooppdd [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] [--nn | ----ssttddiinn] [----pprriinntt] [--ii | - ----nnoo--iinneettdd] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--44 | ----vv44dduummpp] - -DDEESSCCRRIIPPTTIIOONN - hhpprrooppdd receives databases sent by hhpprroopp. and writes it as a local - database. - - By default, hhpprrooppdd expects to be started from iinneettdd if stdin is a socket - and expects to receive the dumped database over stdin otherwise. If the - database is sent over the network, it is authenticated and encrypted. - Only connections from kkaaddmmiinn/hhpprroopp are accepted. - - Options supported: - - --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e - database - - --nn, ----ssttddiinn - read from stdin - - ----pprriinntt - print dump to stdout - - --ii, ----nnoo--iinneettdd - Not started from inetd - - --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b - keytab to use for authentication - - --44, ----vv44dduummpp - create v4 type DB - -SSEEEE AALLSSOO - hprop(8) - - HEIMDAL August 27, 1997 1 diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8 deleted file mode 100644 index 4d83d59973da..000000000000 --- a/crypto/heimdal/kdc/kdc.cat8 +++ /dev/null 
@@ -1,126 +0,0 @@ -KDC(8) NetBSD System Manager's Manual KDC(8) - -NNAAMMEE - kkddcc - Kerberos 5 server - -SSYYNNOOPPSSIISS - kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh] - [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g] - [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g | - ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s] - -DDEESSCCRRIIPPTTIIOONN - kkddcc serves requests for tickets. When it starts, it first checks the - flags passed, any options that are not specified with a command line flag - is taken from a config file, or from a default compiled-in value. - - Options supported: - - --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e - Specifies the location of the config file, the default is - _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be - specified in the config file. - - --pp, ----nnoo--rreeqquuiirree--pprreeaauutthh - Turn off the requirement for pre-autentication in the initial AS- - REQ for all principals. The use of pre-authentication makes it - more difficult to do offline password attacks. You might want to - turn it off if you have clients that doesn't do pre-authentica- - tion. Since the version 4 protocol doesn't support any pre-au- - thentication, so serving version 4 clients is just about the same - as not requiring pre-athentication. The default is to require - pre-authentication. Adding the require-preauth per principal is a - more flexible way of handling this. - - ----mmaaxx--rreeqquueesstt==_s_i_z_e - Gives an upper limit on the size of the requests that the kdc is - willing to handle. - - --HH, ----eennaabbllee--hhttttpp - Makes the kdc listen on port 80 and handle requests encapsulated - in HTTP. 
- - --KK, ----nnoo--kkaasseerrvveerr - Disables kaserver emulation (in case it's compiled in). - - --rr _r_e_a_l_m, ----vv44--rreeaallmm==_r_e_a_l_m - What realm this server should act as when dealing with version 4 - requests. The database can contain any number of realms, but - since the version 4 protocol doesn't contain a realm for the - server, it must be explicitly specified. The default is whatever - is returned by kkrrbb__ggeett__llrreeaallmm(). This option is only availabe if - the KDC has been compiled with version 4 support. - - --PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g - Specifies the set of ports the KDC should listen on. It is given - as a white-space separated list of services or port numbers. - - ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s - The list of addresses to listen for requests on. By default, the - kdc will listen on all the locally configured addresses. If only - a subset is desired, or the automatic detection fails, this op- - tion might be used. - - All activities , are logged to one or more destinations, see - krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc. - -CCOONNFFIIGGUURRAATTIIOONN FFIILLEE - The configuration file has the same syntax as krb5.conf(5), but will be - read before _/_e_t_c_/_k_r_b_5_._c_o_n_f, so it may override settings found there. Op- - tions specific to the KDC only are found in the ``[kdc]'' section. All - the command-line options can preferably be added in the configuration - file. The only difference is the pre-authentication flag, that has to be - specified as: - - require-preauth = no - - (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo). - - And there are some configuration options which do not have command-line - equivalents: - - check-ticket-addresses = _b_o_o_l_e_a_n - Check the addresses in the ticket when processing TGS re- - quests. The default is FALSE. 
- - allow-null-ticket-addresses = _b_o_o_l_e_a_n - Permit tickets with no addresses. This option is only rele- - vant when check-ticket-addresses is TRUE. - - allow-anonymous = _b_o_o_l_e_a_n - Permit anonymous tickets with no addresses. - - encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n - Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE - code. The Heimdal clients allow both. - - kdc_warn_pwexpire = _t_i_m_e - How long before password/principal expiration the KDC should - start sending out warning messages. - - An example of a config file: - - [kdc] - require-preauth = no - v4-realm = FOO.SE - key-file = /key-file - -BBUUGGSS - If the machine running the KDC has new addresses added to it, the KDC - will have to be restarted to listen to them. The reason it doesn't just - listen to wildcarded (like INADDR_ANY) addresses, is that the replies has - to come from the same address they were sent to, and most OS:es doesn't - pass this information to the application. If your normal mode of opera- - tion require that you add and remove addresses, the best option is proba- - bly to listen to a wildcarded TCP socket, and make sure your clients use - TCP to connect. For instance, this will listen to IPv4 TCP port 88 only: - - kdc --addresses=0.0.0.0 --ports="88/tcp" - - There should be a way to specify protocol, port, and address triplets, - not just addresses and protocol, port tuples. - -SSEEEE AALLSSOO - kinit(1), krb5.conf(5) - - HEIMDAL August 22, 2002 2 diff --git a/crypto/heimdal/kdc/kerberos4.h b/crypto/heimdal/kdc/kerberos4.h deleted file mode 100644 index 5bf3c2bc5502..000000000000 --- a/crypto/heimdal/kdc/kerberos4.h +++ /dev/null 
@@ -1,43 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: kerberos4.h,v 1.2 1999/12/02 17:04:59 joda Exp $ */
-
-#ifndef __KERBEROS4_H__
-#define __KERBEROS4_H__
-
-hdb_entry* db_fetch4(const char *name,
- const char *instance,
- const char *realm);
-
-#endif /* __KERBEROS4_H__ */
diff --git a/crypto/heimdal/kdc/kstash.cat8 b/crypto/heimdal/kdc/kstash.cat8 deleted file mode 100644 index 266648edc607..000000000000 --- a/crypto/heimdal/kdc/kstash.cat8 +++ /dev/null @@ -1,33 +0,0 @@ -KSTASH(8) NetBSD System Manager's Manual KSTASH(8) - -NNAAMMEE - kkssttaasshh - store the KDC master password in a file - -SSYYNNOOPPSSIISS - kkssttaasshh [--ee _s_t_r_i_n_g | ----eennccttyyppee==_s_t_r_i_n_g] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] - [----ccoonnvveerrtt--ffiillee] [----mmaasstteerr--kkeeyy--ffdd==_f_d] [--hh | ----hheellpp] [----vveerrssiioonn] - -DDEESSCCRRIIPPTTIIOONN - kkssttaasshh reads the Kerberos master key and stores it in a file that will be - used by the KDC. - - Supported options: - - --ee _s_t_r_i_n_g, ----eennccttyyppee==_s_t_r_i_n_g - the encryption type to use, defaults to DES3-CBC-SHA1 - - --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e - the name of the master key file - - ----ccoonnvveerrtt--ffiillee - don't ask for a new master key, just read an old master key file, - and write it back in the new keyfile format - - ----mmaasstteerr--kkeeyy--ffdd==_f_d - filedescriptor to read passphrase from, if not specified the - passphrase will be read from the terminal - -SSEEEE AALLSSOO - kdc(8) - - HEIMDAL September 1, 2000 1 diff --git a/crypto/heimdal/kdc/string2key.cat8 b/crypto/heimdal/kdc/string2key.cat8 deleted file mode 100644 index 60a819e4d474..000000000000 --- a/crypto/heimdal/kdc/string2key.cat8 +++ /dev/null 
@@ -1,41 +0,0 @@ -STRING2KEY(8) NetBSD System Manager's Manual STRING2KEY(8) - -NNAAMMEE - ssttrriinngg22kkeeyy - map a password into a key - -SSYYNNOOPPSSIISS - ssttrriinngg22kkeeyy [--55 | ----vveerrssiioonn55] [--44 | ----vveerrssiioonn44] [--aa | ----aaffss] [--cc _c_e_l_l | - ----cceellll==_c_e_l_l] [--ww _p_a_s_s_w_o_r_d | ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--pp _p_r_i_n_c_i_p_a_l | - ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--kk _s_t_r_i_n_g | ----kkeeyyttyyppee==_s_t_r_i_n_g] _p_a_s_s_w_o_r_d - -DDEESSCCRRIIPPTTIIOONN - ssttrriinngg22kkeeyy performs the string-to-key function. This is useful when you - want to handle the raw key instead of the password. Supported options: - - --55, ----vveerrssiioonn55 - Output Kerberos v5 string-to-key - - --44, ----vveerrssiioonn44 - Output Kerberos v4 string-to-key - - --aa, ----aaffss - Output AFS string-to-key - - --cc _c_e_l_l, ----cceellll==_c_e_l_l - AFS cell to use - - --ww _p_a_s_s_w_o_r_d, ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d - Password to use - - --pp _p_r_i_n_c_i_p_a_l, ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l - Kerberos v5 principal to use - - --kk _s_t_r_i_n_g, ----kkeeyyttyyppee==_s_t_r_i_n_g - Keytype - - ----vveerrssiioonn - print version - - ----hheellpp - - HEIMDAL March 4, 2000 1 diff --git a/crypto/heimdal/kpasswd/Makefile b/crypto/heimdal/kpasswd/Makefile deleted file mode 100644 index 828ed5b10100..000000000000 --- a/crypto/heimdal/kpasswd/Makefile +++ /dev/null 
@@ -1,764 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# kpasswd/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.16 2001/08/28 08:31:29 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -man_MANS = kpasswd.1 kpasswdd.8 - -bin_PROGRAMS = kpasswd - -kpasswd_SOURCES = kpasswd.c kpasswd_locl.h - -libexec_PROGRAMS = kpasswdd - -noinst_PROGRAMS = kpasswd-generator - -kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h - -kpasswdd_LDADD = \ - $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(LDADD) \ - $(LIB_pidfile) \ - $(LIB_dlopen) \ - $(DBLIB) - - -LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -subdir = kpasswd -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = kpasswd$(EXEEXT) -libexec_PROGRAMS = kpasswdd$(EXEEXT) -noinst_PROGRAMS = kpasswd-generator$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(noinst_PROGRAMS) - -am_kpasswd_OBJECTS = kpasswd.$(OBJEXT) -kpasswd_OBJECTS = $(am_kpasswd_OBJECTS) -kpasswd_LDADD = $(LDADD) -kpasswd_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kpasswd_LDFLAGS = -kpasswd_generator_SOURCES = kpasswd-generator.c -kpasswd_generator_OBJECTS = kpasswd-generator.$(OBJEXT) -kpasswd_generator_LDADD = $(LDADD) -kpasswd_generator_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kpasswd_generator_LDFLAGS = -am_kpasswdd_OBJECTS = kpasswdd.$(OBJEXT) -kpasswdd_OBJECTS = $(am_kpasswdd_OBJECTS) -kpasswdd_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kpasswdd_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c \ - $(kpasswdd_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c $(kpasswdd_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign kpasswd/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; 
\ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -kpasswd$(EXEEXT): $(kpasswd_OBJECTS) $(kpasswd_DEPENDENCIES) - @rm -f kpasswd$(EXEEXT) - $(LINK) $(kpasswd_LDFLAGS) $(kpasswd_OBJECTS) $(kpasswd_LDADD) $(LIBS) -kpasswd-generator$(EXEEXT): $(kpasswd_generator_OBJECTS) $(kpasswd_generator_DEPENDENCIES) - @rm -f kpasswd-generator$(EXEEXT) - $(LINK) $(kpasswd_generator_LDFLAGS) $(kpasswd_generator_OBJECTS) $(kpasswd_generator_LDADD) $(LIBS) -kpasswdd$(EXEEXT): $(kpasswdd_OBJECTS) $(kpasswdd_DEPENDENCIES) - @rm -f kpasswdd$(EXEEXT) - $(LINK) $(kpasswdd_LDFLAGS) $(kpasswdd_OBJECTS) $(kpasswdd_LDADD) $(LIBS) - 
-mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) 
$(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - 
here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man1dir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man - -uninstall-man: uninstall-man1 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-data-local install-exec \ - install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man1 install-man8 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \ - uninstall-man1 uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to 
install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/kpasswd/kpasswd.cat1 b/crypto/heimdal/kpasswd/kpasswd.cat1 deleted file mode 100644 index e76e9cc85ed9..000000000000 --- a/crypto/heimdal/kpasswd/kpasswd.cat1 +++ /dev/null @@ -1,19 +0,0 @@ -KPASSWD(1) NetBSD Reference Manual KPASSWD(1) - -NNAAMMEE - kkppaasssswwdd - Kerberos 5 password changing program - -SSYYNNOOPPSSIISS - kkppaasssswwdd [_p_r_i_n_c_i_p_a_l] - -DDEESSCCRRIIPPTTIIOONN - kkppaasssswwdd is the client for changing passwords. - -DDIIAAGGNNOOSSTTIICCSS - If the password quality check fails or some other error occurs, an expla- - nation is printed. - -SSEEEE AALLSSOO - kpasswdd(8) - - HEIMDAL August 27, 1997 1 
diff --git a/crypto/heimdal/kpasswd/kpasswdd.cat8 b/crypto/heimdal/kpasswd/kpasswdd.cat8 deleted file mode 100644 index 3330b8e3eba8..000000000000 --- a/crypto/heimdal/kpasswd/kpasswdd.cat8 +++ /dev/null 
@@ -1,53 +0,0 @@ -KPASSWDD(8) NetBSD System Manager's Manual KPASSWDD(8) - -NNAAMMEE - kkppaasssswwdddd - Kerberos 5 password changing server - -SSYYNNOOPPSSIISS - kkppaasssswwdddd [----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y] [----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n] [--kk _k_s_p_e_c - | ----kkeeyyttaabb==_k_s_p_e_c] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--pp _s_t_r_i_n_g | ----ppoorrtt==_s_t_r_i_n_g] - [----vveerrssiioonn] [----hheellpp] - -DDEESSCCRRIIPPTTIIOONN - kkppaasssswwdddd serves request for password changes. It listens on UDP port 464 - (service kpasswd) and processes requests when they arrive. It changes the - database directly and should thus only run on the master KDC. - - Supported options: - - ----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y - If your system has support for dynamic loading of shared li- - braries, you can use an external function to check password qual- - ity. This option specifies which library to load. - - ----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n - This is the function to call in the loaded library. The function - should look like this: - - _c_o_n_s_t _c_h_a_r _* ppaasssswwdd__cchheecckk(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l - _p_r_i_n_c_i_p_a_l, _k_r_b_5___d_a_t_a _*_p_a_s_s_w_o_r_d) - - _c_o_n_t_e_x_t is an initialized context; _p_r_i_n_c_i_p_a_l is the one who tries - to change passwords, and _p_a_s_s_w_o_r_d is the new password. Note that - the password (in _p_a_s_s_w_o_r_d_-_>_d_a_t_a) is not zero terminated. - - --kk _k_s_p_e_c, ----kkeeyyttaabb==_k_s_p_e_c - keytab to get authentication key from - - --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m - default realm - - --pp _s_t_r_i_n_g, ----ppoorrtt==_s_t_r_i_n_g - port to listen on (default service kpasswd - 464). - -DDIIAAGGNNOOSSTTIICCSS - If an error occurs, the error message is returned to the user and/or - logged to syslog. - -BBUUGGSS - The default password quality checks are too basic. 
- -SSEEEE AALLSSOO - kpasswd(1), kdc(8) - - HEIMDAL April 19, 1999 1 diff --git a/crypto/heimdal/kuser/Makefile b/crypto/heimdal/kuser/Makefile deleted file mode 100644 index 1a120d2c6af6..000000000000 --- a/crypto/heimdal/kuser/Makefile +++ /dev/null 
@@ -1,734 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# kuser/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.30 2001/09/02 17:12:23 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1 - -bin_PROGRAMS = kinit klist kdestroy kgetcred - -noinst_PROGRAMS = kverify kdecode_ticket generate-requests - -kinit_LDADD = \ - $(LIB_kafs) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - - -kdestroy_LDADD = $(kinit_LDADD) - -klist_LDADD = $(kinit_LDADD) - -LDADD = \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -subdir = kuser -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = kinit$(EXEEXT) klist$(EXEEXT) kdestroy$(EXEEXT) \ - kgetcred$(EXEEXT) -noinst_PROGRAMS = kverify$(EXEEXT) kdecode_ticket$(EXEEXT) \ - generate-requests$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) - -generate_requests_SOURCES = generate-requests.c -generate_requests_OBJECTS = generate-requests.$(OBJEXT) -generate_requests_LDADD = $(LDADD) -generate_requests_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -generate_requests_LDFLAGS = -kdecode_ticket_SOURCES = kdecode_ticket.c -kdecode_ticket_OBJECTS = kdecode_ticket.$(OBJEXT) -kdecode_ticket_LDADD = $(LDADD) -kdecode_ticket_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kdecode_ticket_LDFLAGS = -kdestroy_SOURCES = kdestroy.c -kdestroy_OBJECTS = kdestroy.$(OBJEXT) -#kdestroy_DEPENDENCIES = $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -kdestroy_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la 
-kdestroy_LDFLAGS = -kgetcred_SOURCES = kgetcred.c -kgetcred_OBJECTS = kgetcred.$(OBJEXT) -kgetcred_LDADD = $(LDADD) -kgetcred_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kgetcred_LDFLAGS = -kinit_SOURCES = kinit.c -kinit_OBJECTS = kinit.$(OBJEXT) -#kinit_DEPENDENCIES = $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -kinit_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kinit_LDFLAGS = -klist_SOURCES = klist.c -klist_OBJECTS = klist.$(OBJEXT) -#klist_DEPENDENCIES = $(top_builddir)/lib/kafs/libkafs.la \ -# $(top_builddir)/lib/krb5/libkrb5.la \ -# $(top_builddir)/lib/asn1/libasn1.la -klist_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -klist_LDFLAGS = -kverify_SOURCES = kverify.c -kverify_OBJECTS = kverify.$(OBJEXT) -kverify_LDADD = $(LDADD) -kverify_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kverify_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c \ - kgetcred.c kinit.c klist.c kverify.c -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c kgetcred.c kinit.c klist.c kverify.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign kuser/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f 
$(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -generate-requests$(EXEEXT): $(generate_requests_OBJECTS) $(generate_requests_DEPENDENCIES) - @rm -f generate-requests$(EXEEXT) - $(LINK) $(generate_requests_LDFLAGS) $(generate_requests_OBJECTS) $(generate_requests_LDADD) $(LIBS) -kdecode_ticket$(EXEEXT): $(kdecode_ticket_OBJECTS) $(kdecode_ticket_DEPENDENCIES) - @rm -f kdecode_ticket$(EXEEXT) - $(LINK) $(kdecode_ticket_LDFLAGS) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS) -kdestroy$(EXEEXT): $(kdestroy_OBJECTS) $(kdestroy_DEPENDENCIES) - @rm -f kdestroy$(EXEEXT) - $(LINK) $(kdestroy_LDFLAGS) $(kdestroy_OBJECTS) $(kdestroy_LDADD) $(LIBS) -kgetcred$(EXEEXT): $(kgetcred_OBJECTS) $(kgetcred_DEPENDENCIES) - @rm -f kgetcred$(EXEEXT) - $(LINK) $(kgetcred_LDFLAGS) $(kgetcred_OBJECTS) $(kgetcred_LDADD) $(LIBS) -kinit$(EXEEXT): $(kinit_OBJECTS) $(kinit_DEPENDENCIES) - @rm -f kinit$(EXEEXT) - $(LINK) $(kinit_LDFLAGS) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS) -klist$(EXEEXT): $(klist_OBJECTS) $(klist_DEPENDENCIES) - @rm -f klist$(EXEEXT) - $(LINK) $(klist_LDFLAGS) $(klist_OBJECTS) $(klist_LDADD) $(LIBS) -kverify$(EXEEXT): $(kverify_OBJECTS) $(kverify_DEPENDENCIES) - @rm -f kverify$(EXEEXT) - $(LINK) $(kverify_LDFLAGS) $(kverify_OBJECTS) $(kverify_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - 
-distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f 
"$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - 
-distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libtool \ - clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-data-local install-exec \ - install-exec-am install-info install-info-am install-man \ - install-man1 install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am uninstall-man \ - uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* 
Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i 
> $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -# make sure install-exec-hook doesn't have any commands in Makefile.am.common -install-exec-hook: - (cd $(DESTDIR)$(bindir) && rm -f kauth && $(LN_S) kinit kauth) -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/kuser/kdestroy.cat1 b/crypto/heimdal/kuser/kdestroy.cat1 deleted file mode 100644 index 8f7247b68589..000000000000 --- a/crypto/heimdal/kuser/kdestroy.cat1 +++ /dev/null 
@@ -1,29 +0,0 @@ -KDESTROY(1) NetBSD Reference Manual KDESTROY(1) - -NNAAMMEE - kkddeessttrrooyy - destroy the current ticket file - -SSYYNNOOPPSSIISS - kkddeessttrrooyy [--cc _c_a_c_h_e_f_i_l_e] [----ccaacchhee==_c_a_c_h_e_f_i_l_e] [----nnoo--uunnlloogg] [----nnoo--ddeelleettee--vv44] - [----vveerrssiioonn] [----hheellpp] - -DDEESSCCRRIIPPTTIIOONN - kkddeessttrrooyy remove the current set of tickets. - - Supported options: - - --cc _c_a_c_h_e_f_i_l_e - - --ccaacchhee==_c_a_c_h_e_f_i_l_e - The cache file to remove. - - ----nnoo--uunnlloogg - Do not remove AFS tokens. - - ----nnoo--ddeelleettee--vv44 - Do not remove v4 tickets. - -SSEEEE AALLSSOO - kinit(1), klist(1) - - HEIMDAL August 27, 1997 1 diff --git a/crypto/heimdal/kuser/kgetcred.cat1 b/crypto/heimdal/kuser/kgetcred.cat1 deleted file mode 100644 index f01ed61cc6d4..000000000000 --- a/crypto/heimdal/kuser/kgetcred.cat1 +++ /dev/null @@ -1,26 +0,0 @@ -KGETCRED(1) NetBSD Reference Manual KGETCRED(1) - -NNAAMMEE - kkggeettccrreedd - get a ticket for a particular service - -SSYYNNOOPPSSIISS - kkggeettccrreedd [--ee _e_n_c_t_y_p_e | ----eennccttyyppee==_e_n_c_t_y_p_e] [----vveerrssiioonn] [----hheellpp] _s_e_r_v_i_c_e - -DDEESSCCRRIIPPTTIIOONN - kkggeettccrreedd obtains a ticket for a service. Usually tickets for services - are obtained automatically when needed but sometimes for some odd reason - you want to obtain a particular ticket or of a special type. - - Supported options: - - --ee _e_n_c_t_y_p_e, ----eennccttyyppee==_e_n_c_t_y_p_e - encryption type to use - - ----vveerrssiioonn - - ----hheellpp - -SSEEEE AALLSSOO - kinit(1), klist(1) - - HEIMDAL May 14, 1999 1 diff --git a/crypto/heimdal/kuser/kinit.cat1 b/crypto/heimdal/kuser/kinit.cat1 deleted file mode 100644 index c71feb236f60..000000000000 --- a/crypto/heimdal/kuser/kinit.cat1 +++ /dev/null 
@@ -1,127 +0,0 @@ -KINIT(1) NetBSD Reference Manual KINIT(1) - -NNAAMMEE - kkiinniitt kkaauutthh - acquire initial tickets - -SSYYNNOOPPSSIISS - kkiinniitt [--44 | ----552244iinniitt] [--99 | ----552244ccoonnvveerrtt] [----aaffsslloogg] [--cc _c_a_c_h_e_n_a_m_e | - ----ccaacchhee==_c_a_c_h_e_n_a_m_e] [--ff | ----ffoorrwwaarrddaabbllee] [--tt _k_e_y_t_a_b_n_a_m_e | - ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e] [--ll _t_i_m_e | ----lliiffeettiimmee==_t_i_m_e] [--pp | ----pprrooxxiiaabbllee] - [--RR | ----rreenneeww] [----rreenneewwaabbllee] [--rr _t_i_m_e | ----rreenneewwaabbllee--lliiffee==_t_i_m_e] [--SS - _p_r_i_n_c_i_p_a_l | ----sseerrvveerr==_p_r_i_n_c_i_p_a_l] [--ss _t_i_m_e | ----ssttaarrtt--ttiimmee==_t_i_m_e] [--kk | - ----uussee--kkeeyyttaabb] [--vv | ----vvaalliiddaattee] [--ee _e_n_c_t_y_p_e_s | ----eennccttyyppeess==_e_n_c_t_y_p_e_s] - [--aa _a_d_d_r_e_s_s_e_s | ----eexxttrraa--aaddddrreesssseess==_a_d_d_r_e_s_s_e_s] - [----ffccaacchhee--vveerrssiioonn==_i_n_t_e_g_e_r] [----nnoo--aaddddrreesssseess] [----aannoonnyymmoouuss] - [----vveerrssiioonn] [----hheellpp] [_p_r_i_n_c_i_p_a_l [_c_o_m_m_a_n_d]] - -DDEESSCCRRIIPPTTIIOONN - kkiinniitt is used to authenticate to the kerberos server as _p_r_i_n_c_i_p_a_l, or if - none is given, a system generated default (typically your login name at - the default realm), and acquire a ticket granting ticket that can later - be used to obtain tickets for other services. - - If you have compiled kkiinniitt with Kerberos 4 support and you have a Ker- - beros 4 server, kkiinniitt will detect this and get you Kerberos 4 tickets. - - Supported options: - - --cc _c_a_c_h_e_n_a_m_e ----ccaacchhee==_c_a_c_h_e_n_a_m_e - The credentials cache to put the acquired ticket in, if other - than default. - - --ff, ----ffoorrwwaarrddaabbllee - Get ticket that can be forwarded to another host. - - --tt _k_e_y_t_a_b_n_a_m_e, ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e - Don't ask for a password, but instead get the key from the speci- - fied keytab. 
- - --ll _t_i_m_e, ----lliiffeettiimmee==_t_i_m_e - Specifies the lifetime of the ticket. The argument can either be - in seconds, or a more human readable string like `1h'. - - --pp, ----pprrooxxiiaabbllee - Request tickets with the proxiable flag set. - - --RR, ----rreenneeww - Try to renew ticket. The ticket must have the `renewable' flag - set, and must not be expired. - - ----rreenneewwaabbllee - The same as ----rreenneewwaabbllee--lliiffee, with an infinite time. - - --rr _t_i_m_e, ----rreenneewwaabbllee--lliiffee==_t_i_m_e - The max renewable ticket life. - - --SS _p_r_i_n_c_i_p_a_l, ----sseerrvveerr==_p_r_i_n_c_i_p_a_l - Get a ticket for a service other than krbtgt/LOCAL.REALM. - - --ss _t_i_m_e, ----ssttaarrtt--ttiimmee==_t_i_m_e - Obtain a ticket that starts to be valid _t_i_m_e (which can really be - a generic time specification, like `1h') seconds into the future. - - --kk, ----uussee--kkeeyyttaabb - The same as ----kkeeyyttaabb, but with the default keytab name (normally - _F_I_L_E_:_/_e_t_c_/_k_r_b_5_._k_e_y_t_a_b). - - --vv, ----vvaalliiddaattee - Try to validate an invalid ticket. - - --ee, ----eennccttyyppeess==_e_n_c_t_y_p_e_s - Request tickets with this particular enctype. - - ----ffccaacchhee--vveerrssiioonn==_v_e_r_s_i_o_n - Create a credentials cache of version vveerrssiioonn. - - --aa, ----eexxttrraa--aaddddrreesssseess==_e_n_c_t_y_p_e_s - Adds a set of addresses that will, in addition to the systems lo- - cal addresses, be put in the ticket. This can be useful if all - addresses a client can use can't be automatically figured out. - One such example is if the client is behind a firewall. Also set- - table via libdefaults/extra_addresses in krb5.conf(5). - - ----nnoo--aaddddrreesssseess - Request a ticket with no addresses. - - ----aannoonnyymmoouuss - Request an anonymous ticket (which means that the ticket will be - issued to an anonymous principal, typically ``anonymous@REALM''). 
- - The following options are only available if kkiinniitt has been compiled with - support for Kerberos 4. - - --44, ----552244iinniitt - Try to convert the obtained Kerberos 5 krbtgt to a version 4 com- - patible ticket. It will store this ticket in the default Kerberos - 4 ticket file. - - --99, ----552244ccoonnvveerrtt - only convert ticket to version 4 - - ----aaffsslloogg - Gets AFS tickets, converts them to version 4 format, and stores - them in the kernel. Only useful if you have AFS. - - The _f_o_r_w_a_r_d_a_b_l_e, _p_r_o_x_i_a_b_l_e, _t_i_c_k_e_t___l_i_f_e, and _r_e_n_e_w_a_b_l_e___l_i_f_e options can - be set to a default value from the appdefaults section in krb5.conf, see - krb5_appdefault(3). - - If a _c_o_m_m_a_n_d is given, kkiinniitt will setup new credentials caches, and AFS - PAG, and then run the given command. When it finishes the credentials - will be removed. - -EENNVVIIRROONNMMEENNTT - KRB5CCNAME - Specifies the default credentials cache. - - KRB5_CONFIG - The file name of _k_r_b_5_._c_o_n_f , the default being _/_e_t_c_/_k_r_b_5_._c_o_n_f. - - KRBTKFILE - Specifies the Kerberos 4 ticket file to store version 4 tickets - in. - -SSEEEE AALLSSOO - kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5) - - HEIMDAL May 29, 1998 2 diff --git a/crypto/heimdal/kuser/klist.cat1 b/crypto/heimdal/kuser/klist.cat1 deleted file mode 100644 index 4a2b647005d7..000000000000 --- a/crypto/heimdal/kuser/klist.cat1 +++ /dev/null 
@@ -1,87 +0,0 @@ -KLIST(1) NetBSD Reference Manual KLIST(1) - -NNAAMMEE - kklliisstt - list Kerberos credentials - -SSYYNNOOPPSSIISS - kklliisstt [--cc _c_a_c_h_e | ----ccaacchhee==_c_a_c_h_e] [--ss | --tt | ----tteesstt] [--44 | ----vv44] [--TT | - ----ttookkeennss] [--55 | ----vv55] [--vv | ----vveerrbboossee] [--ff] [----vveerrssiioonn] [----hheellpp] - -DDEESSCCRRIIPPTTIIOONN - kklliisstt reads and displays the current tickets in the crential cache (also - known as the ticket file). - - Options supported: - - --cc _c_a_c_h_e, ----ccaacchhee==_c_a_c_h_e - credentials cache to list - - --ss, --tt, ----tteesstt - Test for there being an active and valid TGT for the local realm - of the user in the credential cache. - - --44, ----vv44 - display v4 tickets - - --TT, ----ttookkeennss - display AFS tokens - - --55, ----vv55 - display v5 cred cache (this is the default) - - --ff Include ticket flags in short form, each charcted stands for a - specific flag, as follows: - F forwardable - f forwarded - P proxiable - p proxied - D postdate-able - d postdated - R renewable - I initial - i invalid - A pre-authenticated - H hardware authenticated - - This information is also output with the ----vveerrbboossee option, but in - a more verbose way. - - --vv, ----vveerrbboossee - Verbose output. 
Include all possible information: - - Server - the princial the ticket is for - - Ticket etype - the encryption type use in the ticket, followed by - the key version of the ticket, if it is available - - Session key - the encryption type of the session key, if it's dif- - ferent from the encryption type of the ticket - - Auth time - the time the authentication exchange took place - - Start time - the time that this tickets is valid from (only print- - ed if it's different from the auth time) - - End time - when the ticket expires, if it has already expired - this is also noted - - Renew till - the maximum possible end time of any ticket derived - from this one - - Ticket flags - the flags set on the ticket - - Addresses - the set of addresses from which this ticket is valid - -SSEEEE AALLSSOO - kdestroy(1), kinit(1) - - HEIMDAL July 8, 2000 2 diff --git a/crypto/heimdal/lib/45/Makefile b/crypto/heimdal/lib/45/Makefile deleted file mode 100644 index 855d62e29b9f..000000000000 --- a/crypto/heimdal/lib/45/Makefile +++ /dev/null 
@@ -1,591 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/45/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -lib_LIBRARIES = - -EXTRA_LIBRARIES = lib45.a - -lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h -subdir = lib/45 -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LIBRARIES = $(lib_LIBRARIES) - -lib45_a_AR = $(AR) cru -lib45_a_LIBADD = -am_lib45_a_OBJECTS = get_ad_tkt.$(OBJEXT) mk_req.$(OBJEXT) -lib45_a_OBJECTS = $(am_lib45_a_OBJECTS) - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(lib45_a_SOURCES) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(lib45_a_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/45/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -AR = ar -libLIBRARIES_INSTALL = $(INSTALL_DATA) -install-libLIBRARIES: $(lib_LIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - 
f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(libLIBRARIES_INSTALL) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(libLIBRARIES_INSTALL) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - @$(POST_INSTALL) - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(RANLIB) $(DESTDIR)$(libdir)/$$p"; \ - $(RANLIB) $(DESTDIR)$(libdir)/$$p; \ - else :; fi; \ - done - -uninstall-libLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(libdir)/$$p"; \ - rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLIBRARIES: - -test -z "$(lib_LIBRARIES)" || rm -f $(lib_LIBRARIES) -lib45.a: $(lib45_a_OBJECTS) $(lib45_a_DEPENDENCIES) - -rm -f lib45.a - $(lib45_a_AR) lib45.a $(lib45_a_OBJECTS) $(lib45_a_LIBADD) - $(RANLIB) lib45.a - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test 
-z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LIBRARIES) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that 
may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLIBRARIES clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: install-libLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-libLIBRARIES - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLIBRARIES clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ - install-libLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am uninstall-libLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then 
file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) 
$(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/Makefile b/crypto/heimdal/lib/Makefile deleted file mode 100644 index 468d4f0d87d1..000000000000 --- a/crypto/heimdal/lib/Makefile +++ /dev/null 
@@ -1,612 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.22 2001/08/28 18:44:41 nectar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -#dir_45 = 45 -dir_otp = otp -#dir_dce = kdfs - -SUBDIRS = roken vers editline sl asn1 krb5 \ - kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce) - -subdir = lib -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = - -RECURSIVE_TARGETS = info-recursive dvi-recursive install-info-recursive \ - uninstall-info-recursive all-recursive install-data-recursive \ - install-exec-recursive installdirs-recursive install-recursive \ - uninstall-recursive check-recursive installcheck-recursive -DIST_COMMON = Makefile.am Makefile.in -DIST_SUBDIRS = roken vers editline sl asn1 \ - krb5 kafs hdb kadm5 gssapi auth 45 otp kdfs -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's 
subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d $(distdir)/$$subdir \ - || mkdir $(distdir)/$$subdir \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" \ - distdir=../$(distdir)/$$subdir \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: - -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special 
tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -info: info-recursive - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) GTAGS all all-am all-local check check-am \ - check-local clean clean-generic clean-libtool clean-recursive \ - distclean distclean-generic distclean-libtool \ - distclean-recursive distclean-tags distdir dvi dvi-am \ - dvi-recursive info info-am info-recursive install install-am \ - install-data install-data-am install-data-local \ - install-data-recursive install-exec install-exec-am \ - install-exec-recursive install-info install-info-am \ - install-info-recursive install-man install-recursive \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am installdirs-recursive maintainer-clean \ - maintainer-clean-generic maintainer-clean-recursive mostlyclean \ - mostlyclean-generic mostlyclean-libtool mostlyclean-recursive \ - tags tags-recursive uninstall uninstall-am uninstall-info-am \ - uninstall-info-recursive uninstall-recursive - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/asn1/Makefile b/crypto/heimdal/lib/asn1/Makefile deleted file mode 100644 index 6a57e6b64c34..000000000000 --- a/crypto/heimdal/lib/asn1/Makefile +++ /dev/null 
@@ -1,885 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/asn1/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.68 2002/03/10 23:41:33 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -YFLAGS = -d - -lib_LTLIBRARIES = libasn1.la -libasn1_la_LDFLAGS = -version-info 6:0:0 - -libasn1_la_LIBADD = -lcom_err - -BUILT_SOURCES = \ - $(gen_files:.x=.c) \ - asn1_err.h \ - asn1_err.c - - -gen_files = \ - asn1_APOptions.x \ - asn1_AP_REP.x \ - asn1_AP_REQ.x \ - asn1_AS_REP.x \ - asn1_AS_REQ.x \ - asn1_Authenticator.x \ - asn1_AuthorizationData.x \ - asn1_CKSUMTYPE.x \ - asn1_Checksum.x \ - asn1_ENCTYPE.x \ - asn1_ETYPE_INFO.x \ - asn1_ETYPE_INFO_ENTRY.x \ - asn1_EncAPRepPart.x \ - asn1_EncASRepPart.x \ - asn1_EncKDCRepPart.x \ - asn1_EncKrbCredPart.x \ - asn1_EncKrbPrivPart.x \ - asn1_EncTGSRepPart.x \ - asn1_EncTicketPart.x \ - asn1_EncryptedData.x \ - asn1_EncryptionKey.x \ - asn1_HostAddress.x \ - asn1_HostAddresses.x \ - asn1_KDCOptions.x \ - asn1_KDC_REP.x \ - asn1_KDC_REQ.x \ - asn1_KDC_REQ_BODY.x \ - asn1_KRB_CRED.x \ - asn1_KRB_ERROR.x \ - asn1_KRB_PRIV.x \ - asn1_KRB_SAFE.x \ - asn1_KRB_SAFE_BODY.x \ - asn1_KerberosTime.x \ - asn1_KrbCredInfo.x \ - asn1_LastReq.x \ - asn1_LR_TYPE.x \ - asn1_MESSAGE_TYPE.x \ - asn1_METHOD_DATA.x \ - asn1_NAME_TYPE.x \ - asn1_PADATA_TYPE.x \ - asn1_PA_DATA.x \ - asn1_PA_ENC_TS_ENC.x \ - asn1_Principal.x \ - asn1_PrincipalName.x \ - asn1_Realm.x \ - asn1_TGS_REP.x \ - asn1_TGS_REQ.x \ - asn1_Ticket.x \ - asn1_TicketFlags.x \ - asn1_TransitedEncoding.x \ - asn1_UNSIGNED.x - - -noinst_PROGRAMS = asn1_compile asn1_print -check_PROGRAMS = check-der -TESTS = check-der - -asn1_compile_SOURCES = \ - gen.c \ - gen_copy.c \ - gen_decode.c \ - gen_encode.c \ - gen_free.c \ - gen_glue.c \ - gen_length.c \ - hash.c \ - lex.l \ - main.c \ - parse.y \ - symbol.c - - -libasn1_la_SOURCES = \ - der_get.c \ - der_put.c \ - der_free.c \ - der_length.c \ - der_copy.c \ - timegm.c \ - 
$(BUILT_SOURCES) - - -asn1_compile_LDADD = \ - $(LIB_roken) $(LEXLIB) - - -check_der_LDADD = \ - libasn1.la \ - $(LIB_roken) - - -asn1_print_LDADD = $(check_der_LDADD) - -CLEANFILES = lex.c parse.c parse.h krb5_asn1.h $(BUILT_SOURCES) \ - $(gen_files) asn1_files - - -include_HEADERS = krb5_asn1.h asn1_err.h der.h - -EXTRA_DIST = asn1_err.et -subdir = lib/asn1 -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libasn1_la_DEPENDENCIES = -am__objects_1 = asn1_APOptions.lo asn1_AP_REP.lo asn1_AP_REQ.lo \ - asn1_AS_REP.lo asn1_AS_REQ.lo asn1_Authenticator.lo \ - asn1_AuthorizationData.lo asn1_CKSUMTYPE.lo asn1_Checksum.lo \ - asn1_ENCTYPE.lo asn1_ETYPE_INFO.lo asn1_ETYPE_INFO_ENTRY.lo \ - asn1_EncAPRepPart.lo asn1_EncASRepPart.lo asn1_EncKDCRepPart.lo \ - asn1_EncKrbCredPart.lo asn1_EncKrbPrivPart.lo \ - asn1_EncTGSRepPart.lo asn1_EncTicketPart.lo \ - asn1_EncryptedData.lo asn1_EncryptionKey.lo asn1_HostAddress.lo \ - asn1_HostAddresses.lo asn1_KDCOptions.lo asn1_KDC_REP.lo \ - asn1_KDC_REQ.lo asn1_KDC_REQ_BODY.lo asn1_KRB_CRED.lo \ - asn1_KRB_ERROR.lo asn1_KRB_PRIV.lo asn1_KRB_SAFE.lo \ - asn1_KRB_SAFE_BODY.lo asn1_KerberosTime.lo asn1_KrbCredInfo.lo \ - asn1_LastReq.lo asn1_LR_TYPE.lo asn1_MESSAGE_TYPE.lo \ - asn1_METHOD_DATA.lo asn1_NAME_TYPE.lo asn1_PADATA_TYPE.lo \ - asn1_PA_DATA.lo asn1_PA_ENC_TS_ENC.lo asn1_Principal.lo \ - asn1_PrincipalName.lo asn1_Realm.lo asn1_TGS_REP.lo \ - asn1_TGS_REQ.lo asn1_Ticket.lo asn1_TicketFlags.lo \ - asn1_TransitedEncoding.lo asn1_UNSIGNED.lo -am__objects_2 = $(am__objects_1) asn1_err.lo -am_libasn1_la_OBJECTS = der_get.lo der_put.lo der_free.lo der_length.lo \ - der_copy.lo timegm.lo $(am__objects_2) -libasn1_la_OBJECTS = $(am_libasn1_la_OBJECTS) -check_PROGRAMS = check-der$(EXEEXT) -noinst_PROGRAMS = asn1_compile$(EXEEXT) asn1_print$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -am_asn1_compile_OBJECTS = gen.$(OBJEXT) 
gen_copy.$(OBJEXT) \ - gen_decode.$(OBJEXT) gen_encode.$(OBJEXT) gen_free.$(OBJEXT) \ - gen_glue.$(OBJEXT) gen_length.$(OBJEXT) hash.$(OBJEXT) \ - lex.$(OBJEXT) main.$(OBJEXT) parse.$(OBJEXT) symbol.$(OBJEXT) -asn1_compile_OBJECTS = $(am_asn1_compile_OBJECTS) -asn1_compile_DEPENDENCIES = -asn1_compile_LDFLAGS = -asn1_print_SOURCES = asn1_print.c -asn1_print_OBJECTS = asn1_print.$(OBJEXT) -asn1_print_DEPENDENCIES = libasn1.la -asn1_print_LDFLAGS = -check_der_SOURCES = check-der.c -check_der_OBJECTS = check-der.$(OBJEXT) -check_der_DEPENDENCIES = libasn1.la -check_der_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS) -LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS) -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS) -DIST_SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) \ - asn1_print.c check-der.c -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) Makefile.am Makefile.in lex.c parse.c \ - parse.h -SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) asn1_print.c check-der.c - -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign 
lib/asn1/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libasn1.la: $(libasn1_la_OBJECTS) $(libasn1_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libasn1_la_LDFLAGS) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS) - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -parse.h: parse.c - @if test ! 
-f $@; then \ - rm -f parse.c; \ - $(MAKE) parse.c; \ - else :; fi -asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES) - @rm -f asn1_compile$(EXEEXT) - $(LINK) $(asn1_compile_LDFLAGS) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS) -asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES) - @rm -f asn1_print$(EXEEXT) - $(LINK) $(asn1_print_LDFLAGS) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS) -check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES) - @rm -f check-der$(EXEEXT) - $(LINK) $(check_der_LDFLAGS) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -.l.c: - $(LEXCOMPILE) `test -f $< || echo '$(srcdir)/'`$< - sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@ - rm -f $(LEX_OUTPUT_ROOT).c - -.y.c: - $(YACCCOMPILE) `test -f '$<' || echo '$(srcdir)/'`$< - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@ - rm -f y.tab.c - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - 
echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH - -check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; \ - srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ - if test -n "$$list"; then \ - for tst in $$list; do \ - if test -f ./$$tst; then dir=./; \ - elif test -f $$tst; then dir=; \ - else dir="$(srcdir)/"; fi; \ - if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xpass=`expr $$xpass + 1`; \ - failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ - ;; \ - *) \ - echo "PASS: $$tst"; \ - ;; \ - esac; \ - elif test $$? 
-ne 77; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ - ;; \ - *) \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - ;; \ - esac; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ - fi; \ - else \ - if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ - else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ - fi; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - else :; fi -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) - -install: install-am 
-install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." - -test -z "lex.cparse.hparse.c$(BUILT_SOURCES)" || rm -f lex.c parse.h parse.c $(BUILT_SOURCES) -clean: clean-am - -clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: GTAGS all all-am all-local check check-TESTS check-am \ - check-local clean clean-checkPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS \ - distclean distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am 
install-data install-data-am install-data-local \ - install-exec install-exec-am install-includeHEADERS \ - install-info install-info-am install-libLTLIBRARIES install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - tags uninstall uninstall-am uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ 
-.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(asn1_compile_OBJECTS): parse.h parse.c - -$(gen_files) krb5_asn1.h: asn1_files - -asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 - ./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 krb5_asn1 - -$(libasn1_la_OBJECTS): krb5_asn1.h 
asn1_err.h - -$(asn1_print_OBJECTS): krb5_asn1.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/asn1/libasn1.h b/crypto/heimdal/lib/asn1/libasn1.h deleted file mode 100644 index 8a4994a20c76..000000000000 --- a/crypto/heimdal/lib/asn1/libasn1.h +++ /dev/null 
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: libasn1.h,v 1.9 2001/04/18 13:10:24 joda Exp $ */
-
-#ifndef __LIBASN1_H__
-#define __LIBASN1_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include "krb5_asn1.h"
-#include "der.h"
-#include "asn1_err.h"
-#include
-
-#endif /* __LIBASN1_H__ */
diff --git a/crypto/heimdal/lib/auth/Makefile b/crypto/heimdal/lib/auth/Makefile
deleted file mode 100644
index ae87f3ea7abf..000000000000
--- a/crypto/heimdal/lib/auth/Makefile
+++ /dev/null
@@ -1,605 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/auth/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -SUBDIRS = -DIST_SUBDIRS = afskauthlib pam sia -subdir = lib/auth -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = - -RECURSIVE_TARGETS = info-recursive dvi-recursive install-info-recursive \ - uninstall-info-recursive all-recursive install-data-recursive \ - install-exec-recursive installdirs-recursive install-recursive \ - uninstall-recursive check-recursive installcheck-recursive -DIST_COMMON = ChangeLog Makefile.am Makefile.in -all: all-recursive - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/auth/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. 
-# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @set fnord $$MAKEFLAGS; amf=$$2; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \ - fi; \ - done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d $(distdir)/$$subdir \ - || mkdir $(distdir)/$$subdir \ - || exit 1; \ - (cd $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" \ - distdir=../$(distdir)/$$subdir \ - distdir) \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-recursive -all-am: Makefile all-local -installdirs: installdirs-recursive -installdirs-am: - -install: install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-recursive -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special 
tools to rebuild." -clean: clean-recursive - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-recursive - -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags - -dvi: dvi-recursive - -dvi-am: - -info: info-recursive - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-recursive - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-recursive - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-recursive - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-info-am - -uninstall-info: uninstall-info-recursive - -.PHONY: $(RECURSIVE_TARGETS) GTAGS all all-am all-local check check-am \ - check-local clean clean-generic clean-libtool clean-recursive \ - distclean distclean-generic distclean-libtool \ - distclean-recursive distclean-tags distdir dvi dvi-am \ - dvi-recursive info info-am info-recursive install install-am \ - install-data install-data-am install-data-local \ - install-data-recursive install-exec install-exec-am \ - install-exec-recursive install-info install-info-am \ - install-info-recursive install-man install-recursive \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am installdirs-recursive maintainer-clean \ - maintainer-clean-generic maintainer-clean-recursive mostlyclean \ - mostlyclean-generic mostlyclean-libtool mostlyclean-recursive \ - tags tags-recursive uninstall uninstall-am uninstall-info-am \ - uninstall-info-recursive uninstall-recursive - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile b/crypto/heimdal/lib/auth/afskauthlib/Makefile deleted file mode 100644 index 4158ca545d39..000000000000 --- a/crypto/heimdal/lib/auth/afskauthlib/Makefile +++ /dev/null 
@@ -1,542 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/auth/afskauthlib/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.6 2001/07/15 04:21:07 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -DEFS = -DHAVE_CONFIG_H - -foodir = $(libdir) -foo_DATA = afskauthlib.so - -SRCS = verify.c -OBJS = verify.o - -CLEANFILES = $(foo_DATA) $(OBJS) so_locations - -#KAFS = $(top_builddir)/lib/kafs/libkafs.la - -L = \ - $(KAFS) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/roken/libroken.la \ - -lc - -#L = \ -# $(KAFS) \ -# $(LIB_krb4) \ -# $(LIB_des) \ -# $(top_builddir)/lib/roken/libroken.la \ -# -lc - -subdir = lib/auth/afskauthlib -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = -DATA = $(foo_DATA) - -DIST_COMMON = Makefile.am Makefile.in -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/auth/afskauthlib/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: 
-fooDATA_INSTALL = $(INSTALL_DATA) -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(foodir) - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f"; \ - $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(foodir)/$$f"; \ - rm -f $(DESTDIR)$(foodir)/$$f; \ - done -tags: TAGS -TAGS: - -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(DATA) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(foodir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" 
\ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-fooDATA - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-fooDATA uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-fooDATA install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool uninstall uninstall-am uninstall-fooDATA \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: 
$(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -afskauthlib.so: $(OBJS) - $(LINK) -shared $(OBJS) $(L) - -.c.o: - $(COMPILE) -c $< - -$(OBJS): $(top_builddir)/include/config.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/auth/pam/Makefile b/crypto/heimdal/lib/auth/pam/Makefile deleted file mode 100644 index 210653d88f0c..000000000000 --- a/crypto/heimdal/lib/auth/pam/Makefile +++ /dev/null 
@@ -1,555 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/auth/pam/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.4 2002/05/19 18:43:44 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = - -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -DEFS = -DHAVE_CONFIG_H - -#KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a -#KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so - -#L = \ -# $(KAFS) \ -# $(top_builddir)/lib/krb/.libs/libkrb.a \ -# $(LIB_des_a) \ -# $(top_builddir)/lib/roken/.libs/libroken.a \ -# -lc - - -#L_shared = \ -# $(KAFS_S) \ -# $(top_builddir)/lib/krb/.libs/libkrb.so \ -# $(LIB_des_so) \ -# $(top_builddir)/lib/roken/.libs/libroken.so \ -# $(LIB_getpwnam_r) \ -# -lc - - -#MOD = pam_krb4.so - -EXTRA_DIST = pam.conf.add - -foodir = $(libdir) -foo_DATA = $(MOD) - -LDFLAGS = - -OBJS = pam.o - -CLEANFILES = $(MOD) $(OBJS) -subdir = lib/auth/pam -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = -DATA = $(foo_DATA) - -DIST_COMMON = Makefile.am Makefile.in -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/auth/pam/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - 
-mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -fooDATA_INSTALL = $(INSTALL_DATA) -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(foodir) - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f"; \ - $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(foodir)/$$f"; \ - rm -f $(DESTDIR)$(foodir)/$$f; \ - done -tags: TAGS -TAGS: - -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(DATA) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(foodir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) 
install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-fooDATA - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-fooDATA uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-fooDATA install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool uninstall uninstall-am uninstall-fooDATA \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo 
"* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) 
$(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -pam_krb4.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \ - echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \ - $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \ - elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \ - echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \ - $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \ - else \ - echo "missing libraries"; exit 1; \ - fi - -.c.o: - $(COMPILE) -c $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/auth/sia/Makefile b/crypto/heimdal/lib/auth/sia/Makefile deleted file mode 100644 index 6bf959fa0ad1..000000000000 --- a/crypto/heimdal/lib/auth/sia/Makefile +++ /dev/null 
@@ -1,598 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/auth/sia/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.14 2001/09/18 13:04:15 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = - -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs $(WFLAGS_NOIMPLICITINT) -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -DEFS = -DHAVE_CONFIG_H - -#KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a -#KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so - -L = \ - $(KAFS) \ - $(top_builddir)/lib/krb5/.libs/libkrb5.a \ - $(top_builddir)/lib/asn1/.libs/libasn1.a \ - $(LIB_krb4) \ - $(LIB_des_a) \ - $(LIB_com_err_a) \ - $(top_builddir)/lib/roken/.libs/libroken.a \ - $(LIB_getpwnam_r) \ - -lc - -#L = \ -# $(KAFS) \ -# $(top_builddir)/lib/kadm/.libs/libkadm.a \ -# $(top_builddir)/lib/krb/.libs/libkrb.a \ -# $(LIB_des_a) \ -# $(top_builddir)/lib/com_err/.libs/libcom_err.a \ -# $(top_builddir)/lib/roken/.libs/libroken.a \ -# $(LIB_getpwnam_r) \ -# -lc - - -L_shared = \ - $(KAFS_S) \ - $(top_builddir)/lib/krb5/.libs/libkrb5.so \ - $(top_builddir)/lib/asn1/.libs/libasn1.so \ - $(LIB_krb4) \ - $(LIB_des_so) \ - $(LIB_com_err_so) \ - $(top_builddir)/lib/roken/.libs/libroken.so \ - $(LIB_getpwnam_r) \ - -lc - -#L_shared = \ -# $(KAFS_S) \ -# $(top_builddir)/lib/kadm/.libs/libkadm.so \ -# $(top_builddir)/lib/krb/.libs/libkrb.so \ -# $(LIB_des_so) \ -# $(top_builddir)/lib/com_err/.libs/libcom_err.so \ -# $(top_builddir)/lib/roken/.libs/libroken.so \ -# $(LIB_getpwnam_r) \ -# -lc - - -MOD = libsia_krb5.so -#MOD = libsia_krb4.so - -EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \ - krb5_matrix.conf krb5+c2_matrix.conf security.patch - - -foodir = $(libdir) -foo_DATA = $(MOD) - -LDFLAGS = -rpath $(libdir) -Wl,-hidden -Wl,-exported_symbol -Wl,siad_\* - -OBJS = sia.o posix_getpw.o - -CLEANFILES = $(MOD) $(OBJS) so_locations -subdir = lib/auth/sia -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -depcomp = -am__depfiles_maybe = -CFLAGS = 
-DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = -DATA = $(foo_DATA) - -DIST_COMMON = Makefile.am Makefile.in -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/auth/sia/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -fooDATA_INSTALL = $(INSTALL_DATA) -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(foodir) - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f"; \ - $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(foodir)/$$f"; \ - rm -f $(DESTDIR)$(foodir)/$$f; \ - done -tags: TAGS -TAGS: - -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(DATA) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(foodir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-fooDATA - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-fooDATA uninstall-info-am - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-fooDATA install-info \ - install-info-am install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool uninstall uninstall-am uninstall-fooDATA \ - uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: 
install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for 
i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -libsia_krb5.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`; \ - elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \ - else \ - echo "missing libraries"; exit 1; \ - fi - ostrip -x $@ - -libsia_krb4.so: $(OBJS) - @if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`; \ - elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \ - echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \ - $(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \ - else \ - echo "missing libraries"; exit 1; \ - fi - ostrip -x $@ - -.c.o: - $(COMPILE) -c $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: 
diff --git a/crypto/heimdal/lib/com_err/Makefile b/crypto/heimdal/lib/com_err/Makefile
deleted file mode 100644
index 6d9d5cde0451..000000000000
--- a/crypto/heimdal/lib/com_err/Makefile
+++ /dev/null
@@ -1,703 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/com_err/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.27 2002/03/10 23:52:41 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -YFLAGS = -d - -lib_LTLIBRARIES = libcom_err.la -libcom_err_la_LDFLAGS = -version-info 2:1:1 - -bin_PROGRAMS = compile_et - -include_HEADERS = com_err.h com_right.h - -compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l - -libcom_err_la_SOURCES = error.c com_err.c roken_rename.h - -CLEANFILES = lex.c parse.c parse.h - -compile_et_LDADD = \ - $(LIB_roken) \ - $(LEXLIB) - -subdir = lib/com_err -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libcom_err_la_LIBADD = -am_libcom_err_la_OBJECTS = error.lo com_err.lo -libcom_err_la_OBJECTS = $(am_libcom_err_la_OBJECTS) -bin_PROGRAMS = compile_et$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_compile_et_OBJECTS = compile_et.$(OBJEXT) parse.$(OBJEXT) \ - lex.$(OBJEXT) -compile_et_OBJECTS = $(am_compile_et_OBJECTS) -compile_et_DEPENDENCIES = -compile_et_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS) -LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS) -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS) -DIST_SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES) -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in \ - lex.c parse.c parse.h -SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/com_err/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - 
@list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libcom_err.la: $(libcom_err_la_OBJECTS) $(libcom_err_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libcom_err_la_LDFLAGS) $(libcom_err_la_OBJECTS) $(libcom_err_la_LIBADD) $(LIBS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -parse.h: parse.c - @if test ! 
-f $@; then \ - rm -f parse.c; \ - $(MAKE) parse.c; \ - else :; fi -compile_et$(EXEEXT): $(compile_et_OBJECTS) $(compile_et_DEPENDENCIES) - @rm -f compile_et$(EXEEXT) - $(LINK) $(compile_et_LDFLAGS) $(compile_et_OBJECTS) $(compile_et_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -.l.c: - $(LEXCOMPILE) `test -f $< || echo '$(srcdir)/'`$< - sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@ - rm -f $(LEX_OUTPUT_ROOT).c - -.y.c: - $(YACCCOMPILE) `test -f '$<' || echo '$(srcdir)/'`$< - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@ - rm -f y.tab.c - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ 
- done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -install-binPROGRAMS: install-libLTLIBRARIES - - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
- -test -z "parse.hparse.clex.c" || rm -f parse.h parse.c lex.c -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS - -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am info \ - info-am install install-am install-binPROGRAMS install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - 
-install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > 
$(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(compile_et_OBJECTS): parse.h parse.c ## XXX broken automake 1.4s -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/des/rc4.h b/crypto/heimdal/lib/des/rc4.h deleted file mode 100644 index 15441f60198d..000000000000 --- a/crypto/heimdal/lib/des/rc4.h +++ /dev/null 
@@ -1,76 +0,0 @@
-/* crypto/rc4/rc4.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* $Id: rc4.h,v 1.2 1999/10/21 12:58:31 joda Exp $ */
-
-#ifndef HEADER_RC4_H
-#define HEADER_RC4_H
-
-typedef unsigned int RC4_INT;
-
-typedef struct rc4_key_st {
- RC4_INT x,y;
- RC4_INT data[256];
-} RC4_KEY;
-
-
-void RC4_set_key(RC4_KEY *key, int len, unsigned char *data);
-void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
- unsigned char *outdata);
-
-#endif
diff --git a/crypto/heimdal/lib/des/rc4_enc.c b/crypto/heimdal/lib/des/rc4_enc.c
deleted file mode 100644
index 6b1686f569b9..000000000000
--- a/crypto/heimdal/lib/des/rc4_enc.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/* crypto/rc4/rc4_enc.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-#include "rc4.h"
-
-RCSID("$Id: rc4_enc.c,v 1.2 1999/10/21 12:58:43 joda Exp $");
-
-/* RC4 as implemented from a posting from
- * Newsgroups: sci.crypt
- * From: sterndark@netcom.com (David Sterndark)
- * Subject: RC4 Algorithm revealed.
- * Message-ID:
- * Date: Wed, 14 Sep 1994 06:35:31 GMT
- */
-
-void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
- unsigned char *outdata)
- {
- register RC4_INT *d;
- register RC4_INT x,y,tx,ty;
- int i;
-
- x=key->x;
- y=key->y;
- d=key->data;
-
-#define LOOP(in,out) \
- x=((x+1)&0xff); \
- tx=d[x]; \
- y=(tx+y)&0xff; \
- d[x]=ty=d[y]; \
- d[y]=tx; \
- (out) = d[(tx+ty)&0xff]^ (in);
-
-#ifndef RC4_INDEX
-#define RC4_LOOP(a,b,i) LOOP(*((a)++),*((b)++))
-#else
-#define RC4_LOOP(a,b,i) LOOP(a[i],b[i])
-#endif
-
- i=(int)(len>>3L);
- if (i)
- {
- for (;;)
- {
- RC4_LOOP(indata,outdata,0);
- RC4_LOOP(indata,outdata,1);
- RC4_LOOP(indata,outdata,2);
- RC4_LOOP(indata,outdata,3);
- RC4_LOOP(indata,outdata,4);
- RC4_LOOP(indata,outdata,5);
- RC4_LOOP(indata,outdata,6);
- RC4_LOOP(indata,outdata,7);
-#ifdef RC4_INDEX
- indata+=8;
- outdata+=8;
-#endif
- if (--i == 0) break;
- }
- }
- i=(int)len&0x07;
- if (i)
- {
- for (;;)
- {
- RC4_LOOP(indata,outdata,0); if (--i == 0) break;
- RC4_LOOP(indata,outdata,1); if (--i == 0) break;
- RC4_LOOP(indata,outdata,2); if (--i == 0) break;
- RC4_LOOP(indata,outdata,3); if (--i == 0) break;
- RC4_LOOP(indata,outdata,4); if (--i == 0) break;
- RC4_LOOP(indata,outdata,5); if (--i == 0) break;
- RC4_LOOP(indata,outdata,6); if (--i == 0) break;
- }
- }
- key->x=x;
- key->y=y;
- }
diff --git a/crypto/heimdal/lib/des/rc4_skey.c b/crypto/heimdal/lib/des/rc4_skey.c
deleted file mode 100644
index f5bce4683f37..000000000000
--- a/crypto/heimdal/lib/des/rc4_skey.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* crypto/rc4/rc4_skey.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "des_locl.h"
-#include "rc4.h"
-
-RCSID("$Id: rc4_skey.c,v 1.2 1999/10/21 12:58:52 joda Exp $");
-
-/* RC4 as implemented from a posting from
- * Newsgroups: sci.crypt
- * From: sterndark@netcom.com (David Sterndark)
- * Subject: RC4 Algorithm revealed.
- * Message-ID:
- * Date: Wed, 14 Sep 1994 06:35:31 GMT
- */
-
-void RC4_set_key(RC4_KEY *key, int len, register unsigned char *data)
- {
- register RC4_INT tmp;
- register int id1,id2;
- register RC4_INT *d;
- unsigned int i;
-
- d= &(key->data[0]);
- for (i=0; i<256; i++)
- d[i]=i;
- key->x = 0;
- key->y = 0;
- id1=id2=0;
-
-#define SK_LOOP(n) { \
- tmp=d[(n)]; \
- id2 = (data[id1] + tmp + id2) & 0xff; \
- if (++id1 == len) id1=0; \
- d[(n)]=d[id2]; \
- d[id2]=tmp; }
-
- for (i=0; i < 256; i+=4)
- {
- SK_LOOP(i+0);
- SK_LOOP(i+1);
- SK_LOOP(i+2);
- SK_LOOP(i+3);
- }
- }
-
diff --git a/crypto/heimdal/lib/des/rc4test.c b/crypto/heimdal/lib/des/rc4test.c
deleted file mode 100644
index 5abf8cff3073..000000000000
--- a/crypto/heimdal/lib/des/rc4test.c
+++ /dev/null
@@ -1,201 +0,0 @@ -/* crypto/rc4/rc4test.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include -#include -#include - -#ifdef NO_RC4 -int main(int argc, char *argv[]) -{ - printf("No RC4 support\n"); - return(0); -} -#else -#include - -unsigned char keys[7][30]={ - {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}, - {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}, - {8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {4,0xef,0x01,0x23,0x45}, - {8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}, - {4,0xef,0x01,0x23,0x45}, - }; - -unsigned char data_len[7]={8,8,8,20,28,10}; -unsigned char data[7][30]={ - {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0xff}, - {0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0, - 0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0, - 0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0, - 0x12,0x34,0x56,0x78,0xff}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff}, - {0}, - }; - -unsigned char output[7][30]={ - {0x75,0xb7,0x87,0x80,0x99,0xe0,0xc5,0x96,0x00}, - {0x74,0x94,0xc2,0xe7,0x10,0x4b,0x08,0x79,0x00}, - {0xde,0x18,0x89,0x41,0xa3,0x37,0x5d,0x3a,0x00}, - {0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf, - 0xbd,0x61,0x5a,0x11,0x62,0xe1,0xc7,0xba, - 0x36,0xb6,0x78,0x58,0x00}, - {0x66,0xa0,0x94,0x9f,0x8a,0xf7,0xd6,0x89, - 0x1f,0x7f,0x83,0x2b,0xa8,0x33,0xc0,0x0c, - 0x89,0x2e,0xbe,0x30,0x14,0x3c,0xe2,0x87, - 0x40,0x01,0x1e,0xcf,0x00}, - {0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,0xbd,0x61,0x00}, - {0}, - }; - -int main(int argc, char *argv[]) - { - int i,err=0; - int j; - unsigned char *p; - RC4_KEY key; - unsigned char buf[512],obuf[512]; - - for (i=0; i<512; i++) buf[i]=0x01; - - for (i=0; i<6; i++) - { - RC4_set_key(&key,keys[i][0],&(keys[i][1])); - memset(obuf,0x00,sizeof(obuf)); - RC4(&key,data_len[i],&(data[i][0]),obuf); - if (memcmp(obuf,output[i],data_len[i]+1) != 0) - { - printf("error calculating RC4\n"); - printf("output:"); - for (j=0; j - - * 
testit.c: make it use getarg so that it can handle --help and - --version (and thus make check can pass) - -2001-09-13 Assar Westerlund - - * editline.c: rename STATUS -> el_STATUS to avoid conflict with - STATUS in arpa/nameser.h - -2000-11-15 Assar Westerlund - - * Makefile.am: make libeditline and libel_compat into libtool - libraries but always make them static - -2000-03-01 Assar Westerlund - - * edit_compat.c (readline): be more liberal in what we accept from - el_gets. if count == 0 -> interpret it as EOF. also copy the - string first and then cut of the newline, it's cleaner - -1999-12-23 Assar Westerlund - - * editline.c (TTYinfo): add fallback if we fail to find "le" in - termcap. - -1999-08-06 Assar Westerlund - - * editline.c (TTYinfo): copy backspace string to avoid referencing - into a local variable. - -1999-08-04 Assar Westerlund - - * Makefile.am: don't run testit in `make check' - -1999-04-11 Assar Westerlund - - * Makefile.am: don't run testit as a check - -Sat Apr 10 23:01:18 1999 Johan Danielsson - - * complete.c (rl_complete_filename): return if there were no - matches - -Thu Apr 8 15:08:25 1999 Johan Danielsson - - * Makefile.in: snprintf - - * roken_rename.h: add snprintf, asprintf - - * Makefile.am: build testit - - * complete.c: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros; - (rl_complete): call rl_list_possib instead of doing the same - - * editline.h: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros - - * editline.c: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros - - * sysunix.c: add some whitespace - -Thu Mar 18 11:22:55 1999 Johan Danielsson - - * Makefile.am: include Makefile.am.common - -Tue Mar 16 17:10:34 1999 Johan Danielsson - - * editline.c: remove protos for read/write - -Sat Mar 13 22:23:22 1999 Assar Westerlund - - * : add - -Sun Nov 22 10:40:28 1998 Assar Westerlund - - * Makefile.in (WFLAGS): set - -Tue Sep 29 02:09:15 1998 Assar Westerlund - - * Makefile.in (LIB_DEPS): add LIB_tgetent - -Thu Jul 2 15:10:08 1998 Johan 
Danielsson - - * edit_compat.c: support for newer libedit - -Tue Jun 30 17:18:09 1998 Assar Westerlund - - * Makefile.in (distclean): don't remove roken_rename.h - -Fri May 29 19:03:38 1998 Assar Westerlund - - * Makefile.in (strdup.c): remove dependency - -Mon May 25 05:25:16 1998 Assar Westerlund - - * Makefile.in (clean): try to remove shared library debris - -Sun Apr 19 09:53:46 1998 Assar Westerlund - - * Makefile.in: add symlink magic for linux - -Sat Feb 7 07:24:30 1998 Assar Westerlund - - * editline.h: add prototypes - -Tue Feb 3 10:24:22 1998 Johan Danielsson - - * editline.c: If read returns EINTR, try again. diff --git a/crypto/heimdal/lib/editline/Makefile b/crypto/heimdal/lib/editline/Makefile deleted file mode 100644 index 793c7e6b27e4..000000000000 --- a/crypto/heimdal/lib/editline/Makefile +++ /dev/null 
@@ -1,730 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/editline/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.13 2002/08/13 13:48:15 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(ROKEN_RENAME) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -ES = snprintf.c strdup.c - -man_MANS = editline.3 - -lib_LTLIBRARIES = libeditline.la -noinst_LTLIBRARIES = libel_compat.la -#noinst_LTLIBRARIES = - -noinst_PROGRAMS = testit - -CHECK_LOCAL = - -testit_LDADD = \ - libeditline.la \ - $(LIB_tgetent) \ - $(LIB_roken) - - -include_HEADERS = editline.h - -libeditline_la_SOURCES = \ - complete.c \ - editline.c \ - sysunix.c \ - editline.h \ - roken_rename.h \ - unix.h \ - $(EXTRA_SOURCE) - - -libeditline_la_LDFLAGS = -static - -EXTRA_SOURCE = $(ES) - -libel_compat_la_SOURCES = edit_compat.c - -libel_compat_la_LDFLAGS = -static - -EXTRA_DIST = $(man_MANS) -subdir = lib/editline -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) - -libeditline_la_LIBADD = -am__objects_1 = snprintf.lo strdup.lo -am__objects_2 = $(am__objects_1) -am_libeditline_la_OBJECTS = complete.lo editline.lo sysunix.lo \ - $(am__objects_2) -libeditline_la_OBJECTS = $(am_libeditline_la_OBJECTS) -libel_compat_la_LIBADD = -am_libel_compat_la_OBJECTS = edit_compat.lo -libel_compat_la_OBJECTS = $(am_libel_compat_la_OBJECTS) -noinst_PROGRAMS = testit$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -testit_SOURCES = testit.c -testit_OBJECTS = testit.$(OBJEXT) -testit_DEPENDENCIES = libeditline.la -testit_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) \ - testit.c -MANS = $(man_MANS) -HEADERS = $(include_HEADERS) - -DIST_COMMON = README $(include_HEADERS) ChangeLog Makefile.am \ - Makefile.in -SOURCES = $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) testit.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/editline/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f 
$(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libeditline.la: $(libeditline_la_OBJECTS) $(libeditline_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libeditline_la_LDFLAGS) $(libeditline_la_OBJECTS) $(libeditline_la_LIBADD) $(LIBS) -libel_compat.la: $(libel_compat_la_OBJECTS) $(libel_compat_la_DEPENDENCIES) - $(LINK) $(libel_compat_la_LDFLAGS) $(libel_compat_la_OBJECTS) $(libel_compat_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -testit$(EXEEXT): $(testit_OBJECTS) $(testit_DEPENDENCIES) - @rm -f testit$(EXEEXT) - $(LINK) $(testit_LDFLAGS) $(testit_OBJECTS) $(testit_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man3dir = $(mandir)/man3 -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man3dir) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in 
$$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \ - rm -f $(DESTDIR)$(man3dir)/$$inst; \ - done -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f 
"$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(man3dir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am 
-install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstLTLIBRARIES clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS install-man - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstLTLIBRARIES clean-noinstPROGRAMS distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-includeHEADERS \ - 
install-info install-info-am install-libLTLIBRARIES install-man \ - install-man3 install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-man3 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > 
$@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strdup.c: - $(LN_S) $(srcdir)/../roken/strdup.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: 
diff --git a/crypto/heimdal/lib/editline/Makefile.am b/crypto/heimdal/lib/editline/Makefile.am
deleted file mode 100644
index 5500d2664f8d..000000000000
--- a/crypto/heimdal/lib/editline/Makefile.am
+++ /dev/null
@@ -1,53 +0,0 @@
-# $Id: Makefile.am,v 1.13 2002/08/13 13:48:15 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-if do_roken_rename
-ES = snprintf.c strdup.c
-endif
-
-INCLUDES += $(ROKEN_RENAME)
-
-man_MANS = editline.3
-
-lib_LTLIBRARIES = libeditline.la
-if el_compat
-noinst_LTLIBRARIES = libel_compat.la
-else
-noinst_LTLIBRARIES =
-endif
-
-noinst_PROGRAMS = testit
-
-CHECK_LOCAL =
-
-testit_LDADD = \
- libeditline.la \
- $(LIB_tgetent) \
- $(LIB_roken)
-
-include_HEADERS = editline.h
-
-libeditline_la_SOURCES = \
- complete.c \
- editline.c \
- sysunix.c \
- editline.h \
- roken_rename.h \
- unix.h \
- $(EXTRA_SOURCE)
-
-libeditline_la_LDFLAGS = -static
-
-EXTRA_SOURCE = $(ES)
-
-libel_compat_la_SOURCES = edit_compat.c
-
-libel_compat_la_LDFLAGS = -static
-
-EXTRA_DIST = $(man_MANS)
-
-snprintf.c:
- $(LN_S) $(srcdir)/../roken/snprintf.c .
-strdup.c:
- $(LN_S) $(srcdir)/../roken/strdup.c .
diff --git a/crypto/heimdal/lib/editline/Makefile.in b/crypto/heimdal/lib/editline/Makefile.in
deleted file mode 100644
index 84b2d180513c..000000000000
--- a/crypto/heimdal/lib/editline/Makefile.in
+++ /dev/null
@@ -1,730 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.13 2002/08/13 13:48:15 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = 
@VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(ROKEN_RENAME) - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ 
$(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -@do_roken_rename_TRUE@ES = snprintf.c strdup.c - -man_MANS = editline.3 - -lib_LTLIBRARIES = libeditline.la -@el_compat_TRUE@noinst_LTLIBRARIES = libel_compat.la -@el_compat_FALSE@noinst_LTLIBRARIES = - -noinst_PROGRAMS = testit - -CHECK_LOCAL = - -testit_LDADD = \ - libeditline.la \ - $(LIB_tgetent) \ - $(LIB_roken) - - -include_HEADERS = editline.h - -libeditline_la_SOURCES = \ - complete.c \ - editline.c \ - sysunix.c \ - editline.h \ - roken_rename.h \ - unix.h \ - $(EXTRA_SOURCE) - - -libeditline_la_LDFLAGS = -static - -EXTRA_SOURCE = $(ES) - -libel_compat_la_SOURCES = edit_compat.c - -libel_compat_la_LDFLAGS = -static - -EXTRA_DIST = $(man_MANS) -subdir = lib/editline -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) - -libeditline_la_LIBADD = -@do_roken_rename_TRUE@am__objects_1 = snprintf.lo strdup.lo -am__objects_2 = $(am__objects_1) -am_libeditline_la_OBJECTS = complete.lo editline.lo sysunix.lo \ - $(am__objects_2) -libeditline_la_OBJECTS = $(am_libeditline_la_OBJECTS) -libel_compat_la_LIBADD = -am_libel_compat_la_OBJECTS = edit_compat.lo -libel_compat_la_OBJECTS = $(am_libel_compat_la_OBJECTS) -noinst_PROGRAMS = testit$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -testit_SOURCES = testit.c -testit_OBJECTS = testit.$(OBJEXT) -testit_DEPENDENCIES = libeditline.la -testit_LDFLAGS = - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) \ - testit.c -MANS = $(man_MANS) -HEADERS = $(include_HEADERS) - -DIST_COMMON = README $(include_HEADERS) ChangeLog Makefile.am \ - Makefile.in -SOURCES = $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) testit.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/editline/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) 
--mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libeditline.la: $(libeditline_la_OBJECTS) $(libeditline_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libeditline_la_LDFLAGS) $(libeditline_la_OBJECTS) $(libeditline_la_LIBADD) $(LIBS) -libel_compat.la: $(libel_compat_la_OBJECTS) $(libel_compat_la_DEPENDENCIES) - $(LINK) $(libel_compat_la_LDFLAGS) $(libel_compat_la_OBJECTS) $(libel_compat_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -testit$(EXEEXT): $(testit_OBJECTS) $(testit_DEPENDENCIES) - @rm -f testit$(EXEEXT) - $(LINK) $(testit_LDFLAGS) $(testit_OBJECTS) $(testit_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man3dir = $(mandir)/man3 -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man3dir) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) 
$(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \ - rm -f $(DESTDIR)$(man3dir)/$$inst; \ - done -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for 
i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(man3dir) $(DESTDIR)$(includedir) - -install: install-am 
-install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstLTLIBRARIES clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS install-man - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstLTLIBRARIES clean-noinstPROGRAMS distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am 
install-includeHEADERS \ - install-info install-info-am install-libLTLIBRARIES install-man \ - install-man3 install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-man3 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ 
-.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strdup.c: - $(LN_S) $(srcdir)/../roken/strdup.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: 
diff --git a/crypto/heimdal/lib/editline/README b/crypto/heimdal/lib/editline/README
deleted file mode 100644
index 829db995b8bb..000000000000
--- a/crypto/heimdal/lib/editline/README
+++ /dev/null
@@ -1,45 +0,0 @@
-$Revision: 1.1 $
-
-This is a line-editing library. It can be linked into almost any
-program to provide command-line editing and recall.
-
-It is call-compatible with the FSF readline library, but it is a
-fraction of the size (and offers fewer features). It does not use
-standard I/O. It is distributed under a "C News-like" copyright.
-
-Configuration is done in the Makefile. Type "make testit" to get
-a small slow shell for testing.
-
-An earlier version was distributed with Byron's rc. Principal
-changes over that version include:
- Faster.
- Is eight-bit clean (thanks to brendan@cs.widener.edu)
- Written in K&R C, but ANSI compliant (gcc all warnings)
- Propagates EOF properly; rc trip test now passes
- Doesn't need or use or provide memmove.
- More robust
- Calling sequence changed to be compatible with readline.
- Test program, new manpage, better configuration
- More system-independant; includes Unix and OS-9 support.
-
-Enjoy,
- Rich $alz
-
-
- Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
-
- This software is not subject to any license of the American Telephone
- and Telegraph Company or of the Regents of the University of California.
-
- Permission is granted to anyone to use this software for any purpose on
- any computer system, and to alter it and redistribute it freely, subject
- to the following restrictions:
- 1. The authors are not responsible for the consequences of use of this
- software, no matter how awful, even if they arise from flaws in it.
- 2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits must appear in the documentation.
- 3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits must appear in the documentation.
- 4. This notice may not be removed or altered.
diff --git a/crypto/heimdal/lib/editline/complete.c b/crypto/heimdal/lib/editline/complete.c
deleted file mode 100644
index d2a311d25e99..000000000000
--- a/crypto/heimdal/lib/editline/complete.c
+++ /dev/null
@@ -1,243 +0,0 @@
-/* Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
- *
- * This software is not subject to any license of the American Telephone
- * and Telegraph Company or of the Regents of the University of California.
- *
- * Permission is granted to anyone to use this software for any purpose on
- * any computer system, and to alter it and redistribute it freely, subject
- * to the following restrictions:
- * 1. The authors are not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits must appear in the documentation.
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits must appear in the documentation.
- * 4. This notice may not be removed or altered.
- */
-
-/*
-** History and file completion functions for editline library.
-*/
-#include
-#include "editline.h"
-
-RCSID("$Id: complete.c,v 1.5 1999/04/10 21:01:16 joda Exp $");
-
-/*
-** strcmp-like sorting predicate for qsort.
-*/
-static int
-compare(const void *p1, const void *p2)
-{
- const char **v1;
- const char **v2;
-
- v1 = (const char **)p1;
- v2 = (const char **)p2;
- return strcmp(*v1, *v2);
-}
-
-/*
-** Fill in *avp with an array of names that match file, up to its length.
-** Ignore . and .. .
-*/
-static int
-FindMatches(char *dir, char *file, char ***avp)
-{
- char **av;
- char **new;
- char *p;
- DIR *dp;
- DIRENTRY *ep;
- size_t ac;
- size_t len;
-
- if ((dp = opendir(dir)) == NULL)
- return 0;
-
- av = NULL;
- ac = 0;
- len = strlen(file);
- while ((ep = readdir(dp)) != NULL) {
- p = ep->d_name;
- if (p[0] == '.' && (p[1] == '\0' || (p[1] == '.' && p[2] == '\0')))
- continue;
- if (len && strncmp(p, file, len) != 0)
- continue;
-
- if ((ac % MEM_INC) == 0) {
- if ((new = malloc(sizeof(char*) * (ac + MEM_INC))) == NULL)
- break;
- if (ac) {
- memcpy(new, av, ac * sizeof (char **));
- free(av);
- }
- *avp = av = new;
- }
-
- if ((av[ac] = strdup(p)) == NULL) {
- if (ac == 0)
- free(av);
- break;
- }
- ac++;
- }
-
- /* Clean up and return. */
- (void)closedir(dp);
- if (ac)
- qsort(av, ac, sizeof (char **), compare);
- return ac;
-}
-
-/*
-** Split a pathname into allocated directory and trailing filename parts.
-*/
-static int SplitPath(char *path, char **dirpart, char **filepart)
-{
- static char DOT[] = ".";
- char *dpart;
- char *fpart;
-
- if ((fpart = strrchr(path, '/')) == NULL) {
- if ((dpart = strdup(DOT)) == NULL)
- return -1;
- if ((fpart = strdup(path)) == NULL) {
- free(dpart);
- return -1;
- }
- }
- else {
- if ((dpart = strdup(path)) == NULL)
- return -1;
- dpart[fpart - path] = '\0';
- if ((fpart = strdup(++fpart)) == NULL) {
- free(dpart);
- return -1;
- }
- }
- *dirpart = dpart;
- *filepart = fpart;
- return 0;
-}
-
-/*
-** Attempt to complete the pathname, returning an allocated copy.
-** Fill in *unique if we completed it, or set it to 0 if ambiguous.
-*/
-
-static char *
-rl_complete_filename(char *pathname, int *unique)
-{
- char **av;
- char *new;
- char *p;
- size_t ac;
- size_t end;
- size_t i;
- size_t j;
- size_t len;
- char *s;
-
- ac = rl_list_possib(pathname, &av);
- if(ac == 0)
- return NULL;
-
- s = strrchr(pathname, '/');
- if(s == NULL)
- len = strlen(pathname);
- else
- len = strlen(s + 1);
-
- p = NULL;
- if (ac == 1) {
- /* Exactly one match -- finish it off. */
- *unique = 1;
- j = strlen(av[0]) - len + 2;
- if ((p = malloc(j + 1)) != NULL) {
- memcpy(p, av[0] + len, j);
- asprintf(&new, "%s%s", pathname, p);
- if(new != NULL) {
- rl_add_slash(new, p);
- free(new);
- }
- }
- }
- else {
- *unique = 0;
- if (len) {
- /* Find largest matching substring. */
- for (i = len, end = strlen(av[0]); i < end; i++)
- for (j = 1; j < ac; j++)
- if (av[0][i] != av[j][i])
- goto breakout;
- breakout:
- if (i > len) {
- j = i - len + 1;
- if ((p = malloc(j)) != NULL) {
- memcpy(p, av[0] + len, j);
- p[j - 1] = '\0';
- }
- }
- }
- }
-
- /* Clean up and return. */
- for (i = 0; i < ac; i++)
- free(av[i]);
- free(av);
- return p;
-}
-
-static rl_complete_func_t complete_func = rl_complete_filename;
-
-char *
-rl_complete(char *pathname, int *unique)
-{
- return (*complete_func)(pathname, unique);
-}
-
-rl_complete_func_t
-rl_set_complete_func(rl_complete_func_t func)
-{
- rl_complete_func_t old = complete_func;
- complete_func = func;
- return old;
-}
-
-
-/*
-** Return all possible completions.
-*/
-static int
-rl_list_possib_filename(char *pathname, char ***avp)
-{
- char *dir;
- char *file;
- int ac;
-
- if (SplitPath(pathname, &dir, &file) < 0)
- return 0;
- ac = FindMatches(dir, file, avp);
- free(dir);
- free(file);
- return ac;
-}
-
-static rl_list_possib_func_t list_possib_func = rl_list_possib_filename;
-
-int
-rl_list_possib(char *pathname, char ***avp)
-{
- return (*list_possib_func)(pathname, avp);
-}
-
-rl_list_possib_func_t
-rl_set_list_possib_func(rl_list_possib_func_t func)
-{
- rl_list_possib_func_t old = list_possib_func;
- list_possib_func = func;
- return old;
-}
diff --git a/crypto/heimdal/lib/editline/edit_compat.c b/crypto/heimdal/lib/editline/edit_compat.c
deleted file mode 100644
index e0f4962802d2..000000000000
--- a/crypto/heimdal/lib/editline/edit_compat.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-#include
-
-#include "edit_compat.h"
-
-RCSID("$Id: edit_compat.c,v 1.9 2001/08/29 00:24:33 assar Exp $");
-
-void
-rl_reset_terminal(char *p)
-{
-}
-
-void
-rl_initialize(void)
-{
-}
-
-static const char *pr;
-static const char* ret_prompt(EditLine *e)
-{
- return pr;
-}
-
-static History *h;
-
-#ifdef H_SETSIZE
-#define EL_INIT_FOUR 1
-#else
-#ifdef H_SETMAXSIZE
-/* backwards compatibility */
-#define H_SETSIZE H_SETMAXSIZE
-#endif
-#endif
-
-char *
-readline(const char* prompt)
-{
- static EditLine *e;
-#ifdef H_SETSIZE
- HistEvent ev;
-#endif
- int count;
- const char *str;
-
- if(e == NULL){
-#ifdef EL_INIT_FOUR
- e = el_init("", stdin, stdout, stderr);
-#else
- e = el_init("", stdin, stdout);
-#endif
- el_set(e, EL_PROMPT, ret_prompt);
- h = history_init();
-#ifdef H_SETSIZE
- history(h, &ev, H_SETSIZE, 25);
-#else
- history(h, H_EVENT, 25);
-#endif
- el_set(e, EL_HIST, history, h);
- el_set(e, EL_EDITOR, "emacs"); /* XXX? */
- }
- pr = prompt ? prompt : "";
- str = el_gets(e, &count);
- if (str && count > 0) {
- char *ret = strdup (str);
-
- if (ret == NULL)
- return NULL;
-
- if (ret[strlen(ret) - 1] == '\n')
- ret[strlen(ret) - 1] = '\0';
- return ret;
- }
- return NULL;
-}
-
-void
-add_history(char *p)
-{
-#ifdef H_SETSIZE
- HistEvent ev;
- history(h, &ev, H_ENTER, p);
-#else
- history(h, H_ENTER, p);
-#endif
-}
diff --git a/crypto/heimdal/lib/editline/edit_compat.h b/crypto/heimdal/lib/editline/edit_compat.h
deleted file mode 100644
index c0c40fe98358..000000000000
--- a/crypto/heimdal/lib/editline/edit_compat.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: edit_compat.h,v 1.1 2001/08/29 00:24:33 assar Exp $ */
-
-#ifndef _EDIT_COMPAT_H
-#define _EDIT_COMPAT_H
-
-void rl_reset_terminal(char *p);
-void rl_initialize(void);
-char *readline(const char *prompt);
-void add_history(char *p);
-
-#endif /* _EDIT_COMPAT_H */
diff --git a/crypto/heimdal/lib/editline/editline.3 b/crypto/heimdal/lib/editline/editline.3
deleted file mode 100644
index 6e30a09d918f..000000000000
--- a/crypto/heimdal/lib/editline/editline.3
+++ /dev/null
@@ -1,175 +0,0 @@
-.\" $Revision: 1.2 $
-.TH EDITLINE 3
-.SH NAME
-editline \- command-line editing library with history
-.SH SYNOPSIS
-.nf
-.B "char *"
-.B "readline(prompt)"
-.B " char *prompt;"
-
-.B "void"
-.B "add_history(line)"
-.B " char *line;"
-.fi
-.SH DESCRIPTION
-.I Editline
-is a library that provides an line-editing interface with text recall.
-It is intended to be compatible with the
-.I readline
-library provided by the Free Software Foundation, but much smaller.
-The bulk of this manual page describes the user interface.
-.PP
-The
-.I readline
-routine returns a line of text with the trailing newline removed.
-The data is returned in a buffer allocated with
-.IR malloc (3),
-so the space should be released with
-.IR free (3)
-when the calling program is done with it.
-Before accepting input from the user, the specified
-.I prompt
-is displayed on the terminal.
-.PP
-The
-.I add_history
-routine makes a copy of the specified
-.I line
-and adds it to the internal history list.
-.SS "User Interface"
-A program that uses this library provides a simple emacs-like editing
-interface to its users.
-A line may be edited before it is sent to the calling program by typing either
-control characters or escape sequences.
-A control character, shown as a caret followed by a letter, is typed by
-holding down the ``control'' key while the letter is typed.
-For example, ``^A'' is a control-A.
-An escape sequence is entered by typing the ``escape'' key followed by one or
-more characters.
-The escape key is abbreviated as ``ESC.''
-Note that unlike control keys, case matters in escape sequences; ``ESC\ F''
-is not the same as ``ESC\ f''.
-.PP
-An editing command may be typed anywhere on the line, not just at the
-beginning.
-In addition, a return may also be typed anywhere on the line, not just at
-the end.
-.PP
-Most editing commands may be given a repeat count,
-.IR n ,
-where
-.I n
-is a number.
-To enter a repeat count, type the escape key, the number, and then
-the command to execute.
-For example, ``ESC\ 4\ ^f'' moves forward four characters.
-If a command may be given a repeat count then the text ``[n]'' is given at the
-end of its description.
-.PP
-The following control characters are accepted:
-.RS
-.nf
-.ta \w'ESC DEL 'u
-^A Move to the beginning of the line
-^B Move left (backwards) [n]
-^D Delete character [n]
-^E Move to end of line
-^F Move right (forwards) [n]
-^G Ring the bell
-^H Delete character before cursor (backspace key) [n]
-^I Complete filename (tab key); see below
-^J Done with line (return key)
-^K Kill to end of line (or column [n])
-^L Redisplay line
-^M Done with line (alternate return key)
-^N Get next line from history [n]
-^P Get previous line from history [n]
-^R Search backward (forward if [n]) through history for text;
-\& must start line if text begins with an uparrow
-^T Transpose characters
-^V Insert next character, even if it is an edit command
-^W Wipe to the mark
-^X^X Exchange current location and mark
-^Y Yank back last killed text
-^[ Start an escape sequence (escape key)
-^]c Move forward to next character ``c''
-^? Delete character before cursor (delete key) [n]
-.fi
-.RE
-.PP
-The following escape sequences are provided.
-.RS
-.nf
-.ta \w'ESC DEL 'u
-ESC\ ^H Delete previous word (backspace key) [n]
-ESC\ DEL Delete previous word (delete key) [n]
-ESC\ SP Set the mark (space key); see ^X^X and ^Y above
-ESC\ \. Get the last (or [n]'th) word from previous line
-ESC\ ?
 Show possible completions; see below
-ESC\ < Move to start of history
-ESC\ > Move to end of history
-ESC\ b Move backward a word [n]
-ESC\ d Delete word under cursor [n]
-ESC\ f Move forward a word [n]
-ESC\ l Make word lowercase [n]
-ESC\ u Make word uppercase [n]
-ESC\ y Yank back last killed text
-ESC\ v Show library version
-ESC\ w Make area up to mark yankable
-ESC\ nn Set repeat count to the number nn
-ESC\ C Read from environment variable ``_C_'', where C is
-\& an uppercase letter
-.fi
-.RE
-.PP
-The
-.I editline
-library has a small macro facility.
-If you type the escape key followed by an uppercase letter,
-.IR C ,
-then the contents of the environment variable
-.I _C_
-are read in as if you had typed them at the keyboard.
-For example, if the variable
-.I _L_
-contains the following:
-.RS
-^A^Kecho '^V^[[H^V^[[2J'^M
-.RE
-Then typing ``ESC L'' will move to the beginning of the line, kill the
-entire line, enter the echo command needed to clear the terminal (if your
-terminal is like a VT-100), and send the line back to the shell.
-.PP
-The
-.I editline
-library also does filename completion.
-Suppose the root directory has the following files in it:
-.RS
-.nf
-.ta \w'core 'u
-bin vmunix
-core vmunix.old
-.fi
-.RE
-If you type ``rm\ /v'' and then the tab key.
-.I Editline
-will then finish off as much of the name as possible by adding ``munix''.
-Because the name is not unique, it will then beep.
-If you type the escape key and a question mark, it will display the
-two choices.
-If you then type a period and a tab, the library will finish off the filename
-for you:
-.RS
-.nf
-.RI "rm /v[TAB]" munix .TAB old
-.fi
-.RE
-The tab key is shown by ``[TAB]'' and the automatically-entered text
-is shown in italics.
-.SH "BUGS AND LIMITATIONS"
-Cannot handle lines more than 80 columns.
-.SH AUTHORS
-Simmule R. Turner
-and Rich $alz .
-Original manual page by DaviD W. Sanderson .
diff --git a/crypto/heimdal/lib/editline/editline.c b/crypto/heimdal/lib/editline/editline.c
deleted file mode 100644
index 24fa8464a9a1..000000000000
--- a/crypto/heimdal/lib/editline/editline.c
+++ /dev/null
@@ -1,1376 +0,0 @@ -/* Copyright 1992 Simmule Turner and Rich Salz. All rights reserved. - * - * This software is not subject to any license of the American Telephone - * and Telegraph Company or of the Regents of the University of California. - * - * Permission is granted to anyone to use this software for any purpose on - * any computer system, and to alter it and redistribute it freely, subject - * to the following restrictions: - * 1. The authors are not responsible for the consequences of use of this - * software, no matter how awful, even if they arise from flaws in it. - * 2. The origin of this software must not be misrepresented, either by - * explicit claim or by omission. Since few users ever read sources, - * credits must appear in the documentation. - * 3. Altered versions must be plainly marked as such, and must not be - * misrepresented as being the original software. Since few users - * ever read sources, credits must appear in the documentation. - * 4. This notice may not be removed or altered. - */ - -/* -** Main editing routines for editline library. -*/ -#include -#include "editline.h" -#include -#include - -RCSID("$Id: editline.c,v 1.10 2001/09/13 01:19:54 assar Exp $"); - -/* -** Manifest constants. -*/ -#define SCREEN_WIDTH 80 -#define SCREEN_ROWS 24 -#define NO_ARG (-1) -#define DEL 127 -#define CTL(x) ((x) & 0x1F) -#define ISCTL(x) ((x) && (x) < ' ') -#define UNCTL(x) ((x) + 64) -#define META(x) ((x) | 0x80) -#define ISMETA(x) ((x) & 0x80) -#define UNMETA(x) ((x) & 0x7F) -#if !defined(HIST_SIZE) -#define HIST_SIZE 20 -#endif /* !defined(HIST_SIZE) */ - -/* -** Command status codes. -*/ -typedef enum _el_STATUS { - CSdone, CSeof, CSmove, CSdispatch, CSstay -} el_STATUS; - -/* -** The type of case-changing to perform. -*/ -typedef enum _CASE { - TOupper, TOlower -} CASE; - -/* -** Key to command mapping. -*/ -typedef struct _KEYMAP { - unsigned char Key; - el_STATUS (*Function)(); -} KEYMAP; - -/* -** Command history structure. 
-*/ -typedef struct _HISTORY { - int Size; - int Pos; - unsigned char *Lines[HIST_SIZE]; -} HISTORY; - -/* -** Globals. -*/ -int rl_eof; -int rl_erase; -int rl_intr; -int rl_kill; - -static unsigned char NIL[] = ""; -static const unsigned char *Input = NIL; -static unsigned char *Line; -static const char *Prompt; -static unsigned char *Yanked; -static char *Screen; -static char NEWLINE[]= CRLF; -static HISTORY H; -int rl_quit; -static int Repeat; -static int End; -static int Mark; -static int OldPoint; -static int Point; -static int PushBack; -static int Pushed; -static KEYMAP Map[33]; -static KEYMAP MetaMap[16]; -static size_t Length; -static size_t ScreenCount; -static size_t ScreenSize; -static char *backspace; -static int TTYwidth; -static int TTYrows; - -/* Display print 8-bit chars as `M-x' or as the actual 8-bit char? */ -int rl_meta_chars = 1; - -/* -** Declarations. -*/ -static unsigned char *editinput(void); -char *tgetstr(const char*, char**); -int tgetent(char*, const char*); -int tgetnum(const char*); - -/* -** TTY input/output functions. 
-*/ - -static void -TTYflush() -{ - if (ScreenCount) { - write(1, Screen, ScreenCount); - ScreenCount = 0; - } -} - -static void -TTYput(unsigned char c) -{ - Screen[ScreenCount] = c; - if (++ScreenCount >= ScreenSize - 1) { - ScreenSize += SCREEN_INC; - Screen = realloc(Screen, ScreenSize); - } -} - -static void -TTYputs(const char *p) -{ - while (*p) - TTYput(*p++); -} - -static void -TTYshow(unsigned char c) -{ - if (c == DEL) { - TTYput('^'); - TTYput('?'); - } - else if (ISCTL(c)) { - TTYput('^'); - TTYput(UNCTL(c)); - } - else if (rl_meta_chars && ISMETA(c)) { - TTYput('M'); - TTYput('-'); - TTYput(UNMETA(c)); - } - else - TTYput(c); -} - -static void -TTYstring(unsigned char *p) -{ - while (*p) - TTYshow(*p++); -} - -static int -TTYget() -{ - char c; - int e; - - TTYflush(); - if (Pushed) { - Pushed = 0; - return PushBack; - } - if (*Input) - return *Input++; - do { - e = read(0, &c, 1); - } while(e < 0 && errno == EINTR); - if(e == 1) - return c; - return EOF; -} - -static void -TTYback(void) -{ - if (backspace) - TTYputs(backspace); - else - TTYput('\b'); -} - -static void -TTYbackn(int n) -{ - while (--n >= 0) - TTYback(); -} - -static void -TTYinfo() -{ - static int init; - char *term; - char buff[2048]; - char *bp; - char *tmp; -#if defined(TIOCGWINSZ) - struct winsize W; -#endif /* defined(TIOCGWINSZ) */ - - if (init) { -#if defined(TIOCGWINSZ) - /* Perhaps we got resized. 
*/ - if (ioctl(0, TIOCGWINSZ, &W) >= 0 - && W.ws_col > 0 && W.ws_row > 0) { - TTYwidth = (int)W.ws_col; - TTYrows = (int)W.ws_row; - } -#endif /* defined(TIOCGWINSZ) */ - return; - } - init++; - - TTYwidth = TTYrows = 0; - bp = &buff[0]; - if ((term = getenv("TERM")) == NULL) - term = "dumb"; - if (tgetent(buff, term) < 0) { - TTYwidth = SCREEN_WIDTH; - TTYrows = SCREEN_ROWS; - return; - } - tmp = tgetstr("le", &bp); - if (tmp != NULL) - backspace = strdup(tmp); - else - backspace = "\b"; - TTYwidth = tgetnum("co"); - TTYrows = tgetnum("li"); - -#if defined(TIOCGWINSZ) - if (ioctl(0, TIOCGWINSZ, &W) >= 0) { - TTYwidth = (int)W.ws_col; - TTYrows = (int)W.ws_row; - } -#endif /* defined(TIOCGWINSZ) */ - - if (TTYwidth <= 0 || TTYrows <= 0) { - TTYwidth = SCREEN_WIDTH; - TTYrows = SCREEN_ROWS; - } -} - - -/* -** Print an array of words in columns. -*/ -static void -columns(int ac, unsigned char **av) -{ - unsigned char *p; - int i; - int j; - int k; - int len; - int skip; - int longest; - int cols; - - /* Find longest name, determine column count from that. 
*/ - for (longest = 0, i = 0; i < ac; i++) - if ((j = strlen((char *)av[i])) > longest) - longest = j; - cols = TTYwidth / (longest + 3); - - TTYputs(NEWLINE); - for (skip = ac / cols + 1, i = 0; i < skip; i++) { - for (j = i; j < ac; j += skip) { - for (p = av[j], len = strlen((char *)p), k = len; --k >= 0; p++) - TTYput(*p); - if (j + skip < ac) - while (++len < longest + 3) - TTYput(' '); - } - TTYputs(NEWLINE); - } -} - -static void -reposition() -{ - int i; - unsigned char *p; - - TTYput('\r'); - TTYputs(Prompt); - for (i = Point, p = Line; --i >= 0; p++) - TTYshow(*p); -} - -static void -left(el_STATUS Change) -{ - TTYback(); - if (Point) { - if (ISCTL(Line[Point - 1])) - TTYback(); - else if (rl_meta_chars && ISMETA(Line[Point - 1])) { - TTYback(); - TTYback(); - } - } - if (Change == CSmove) - Point--; -} - -static void -right(el_STATUS Change) -{ - TTYshow(Line[Point]); - if (Change == CSmove) - Point++; -} - -static el_STATUS -ring_bell() -{ - TTYput('\07'); - TTYflush(); - return CSstay; -} - -static el_STATUS -do_macro(unsigned char c) -{ - unsigned char name[4]; - - name[0] = '_'; - name[1] = c; - name[2] = '_'; - name[3] = '\0'; - - if ((Input = (unsigned char *)getenv((char *)name)) == NULL) { - Input = NIL; - return ring_bell(); - } - return CSstay; -} - -static el_STATUS -do_forward(el_STATUS move) -{ - int i; - unsigned char *p; - - i = 0; - do { - p = &Line[Point]; - for ( ; Point < End && (*p == ' ' || !isalnum(*p)); Point++, p++) - if (move == CSmove) - right(CSstay); - - for (; Point < End && isalnum(*p); Point++, p++) - if (move == CSmove) - right(CSstay); - - if (Point == End) - break; - } while (++i < Repeat); - - return CSstay; -} - -static el_STATUS -do_case(CASE type) -{ - int i; - int end; - int count; - unsigned char *p; - - do_forward(CSstay); - if (OldPoint != Point) { - if ((count = Point - OldPoint) < 0) - count = -count; - Point = OldPoint; - if ((end = Point + count) > End) - end = End; - for (i = Point, p = &Line[i]; i < end; 
i++, p++) { - if (type == TOupper) { - if (islower(*p)) - *p = toupper(*p); - } - else if (isupper(*p)) - *p = tolower(*p); - right(CSmove); - } - } - return CSstay; -} - -static el_STATUS -case_down_word() -{ - return do_case(TOlower); -} - -static el_STATUS -case_up_word() -{ - return do_case(TOupper); -} - -static void -ceol() -{ - int extras; - int i; - unsigned char *p; - - for (extras = 0, i = Point, p = &Line[i]; i <= End; i++, p++) { - TTYput(' '); - if (ISCTL(*p)) { - TTYput(' '); - extras++; - } - else if (rl_meta_chars && ISMETA(*p)) { - TTYput(' '); - TTYput(' '); - extras += 2; - } - } - - for (i += extras; i > Point; i--) - TTYback(); -} - -static void -clear_line() -{ - Point = -strlen(Prompt); - TTYput('\r'); - ceol(); - Point = 0; - End = 0; - Line[0] = '\0'; -} - -static el_STATUS -insert_string(unsigned char *p) -{ - size_t len; - int i; - unsigned char *new; - unsigned char *q; - - len = strlen((char *)p); - if (End + len >= Length) { - if ((new = malloc(sizeof(unsigned char) * (Length + len + MEM_INC))) == NULL) - return CSstay; - if (Length) { - memcpy(new, Line, Length); - free(Line); - } - Line = new; - Length += len + MEM_INC; - } - - for (q = &Line[Point], i = End - Point; --i >= 0; ) - q[len + i] = q[i]; - memcpy(&Line[Point], p, len); - End += len; - Line[End] = '\0'; - TTYstring(&Line[Point]); - Point += len; - - return Point == End ? CSstay : CSmove; -} - - -static unsigned char * -next_hist() -{ - return H.Pos >= H.Size - 1 ? NULL : H.Lines[++H.Pos]; -} - -static unsigned char * -prev_hist() -{ - return H.Pos == 0 ? 
NULL : H.Lines[--H.Pos]; -} - -static el_STATUS -do_insert_hist(unsigned char *p) -{ - if (p == NULL) - return ring_bell(); - Point = 0; - reposition(); - ceol(); - End = 0; - return insert_string(p); -} - -static el_STATUS -do_hist(unsigned char *(*move)()) -{ - unsigned char *p; - int i; - - i = 0; - do { - if ((p = (*move)()) == NULL) - return ring_bell(); - } while (++i < Repeat); - return do_insert_hist(p); -} - -static el_STATUS -h_next() -{ - return do_hist(next_hist); -} - -static el_STATUS -h_prev() -{ - return do_hist(prev_hist); -} - -static el_STATUS -h_first() -{ - return do_insert_hist(H.Lines[H.Pos = 0]); -} - -static el_STATUS -h_last() -{ - return do_insert_hist(H.Lines[H.Pos = H.Size - 1]); -} - -/* -** Return zero if pat appears as a substring in text. -*/ -static int -substrcmp(char *text, char *pat, int len) -{ - unsigned char c; - - if ((c = *pat) == '\0') - return *text == '\0'; - for ( ; *text; text++) - if (*text == c && strncmp(text, pat, len) == 0) - return 0; - return 1; -} - -static unsigned char * -search_hist(unsigned char *search, unsigned char *(*move)()) -{ - static unsigned char *old_search; - int len; - int pos; - int (*match)(); - char *pat; - - /* Save or get remembered search pattern. */ - if (search && *search) { - if (old_search) - free(old_search); - old_search = (unsigned char *)strdup((char *)search); - } - else { - if (old_search == NULL || *old_search == '\0') - return NULL; - search = old_search; - } - - /* Set up pattern-finder. 
*/ - if (*search == '^') { - match = strncmp; - pat = (char *)(search + 1); - } - else { - match = substrcmp; - pat = (char *)search; - } - len = strlen(pat); - - for (pos = H.Pos; (*move)() != NULL; ) - if ((*match)((char *)H.Lines[H.Pos], pat, len) == 0) - return H.Lines[H.Pos]; - H.Pos = pos; - return NULL; -} - -static el_STATUS -h_search() -{ - static int Searching; - const char *old_prompt; - unsigned char *(*move)(); - unsigned char *p; - - if (Searching) - return ring_bell(); - Searching = 1; - - clear_line(); - old_prompt = Prompt; - Prompt = "Search: "; - TTYputs(Prompt); - move = Repeat == NO_ARG ? prev_hist : next_hist; - p = search_hist(editinput(), move); - clear_line(); - Prompt = old_prompt; - TTYputs(Prompt); - - Searching = 0; - return do_insert_hist(p); -} - -static el_STATUS -fd_char() -{ - int i; - - i = 0; - do { - if (Point >= End) - break; - right(CSmove); - } while (++i < Repeat); - return CSstay; -} - -static void -save_yank(int begin, int i) -{ - if (Yanked) { - free(Yanked); - Yanked = NULL; - } - - if (i < 1) - return; - - if ((Yanked = malloc(sizeof(unsigned char) * (i + 1))) != NULL) { - memcpy(Yanked, &Line[begin], i); - Yanked[i+1] = '\0'; - } -} - -static el_STATUS -delete_string(int count) -{ - int i; - unsigned char *p; - - if (count <= 0 || End == Point) - return ring_bell(); - - if (count == 1 && Point == End - 1) { - /* Optimize common case of delete at end of line. 
*/ - End--; - p = &Line[Point]; - i = 1; - TTYput(' '); - if (ISCTL(*p)) { - i = 2; - TTYput(' '); - } - else if (rl_meta_chars && ISMETA(*p)) { - i = 3; - TTYput(' '); - TTYput(' '); - } - TTYbackn(i); - *p = '\0'; - return CSmove; - } - if (Point + count > End && (count = End - Point) <= 0) - return CSstay; - - if (count > 1) - save_yank(Point, count); - - for (p = &Line[Point], i = End - (Point + count) + 1; --i >= 0; p++) - p[0] = p[count]; - ceol(); - End -= count; - TTYstring(&Line[Point]); - return CSmove; -} - -static el_STATUS -bk_char() -{ - int i; - - i = 0; - do { - if (Point == 0) - break; - left(CSmove); - } while (++i < Repeat); - - return CSstay; -} - -static el_STATUS -bk_del_char() -{ - int i; - - i = 0; - do { - if (Point == 0) - break; - left(CSmove); - } while (++i < Repeat); - - return delete_string(i); -} - -static el_STATUS -redisplay() -{ - TTYputs(NEWLINE); - TTYputs(Prompt); - TTYstring(Line); - return CSmove; -} - -static el_STATUS -kill_line() -{ - int i; - - if (Repeat != NO_ARG) { - if (Repeat < Point) { - i = Point; - Point = Repeat; - reposition(); - delete_string(i - Point); - } - else if (Repeat > Point) { - right(CSmove); - delete_string(Repeat - Point - 1); - } - return CSmove; - } - - save_yank(Point, End - Point); - Line[Point] = '\0'; - ceol(); - End = Point; - return CSstay; -} - -static el_STATUS -insert_char(int c) -{ - el_STATUS s; - unsigned char buff[2]; - unsigned char *p; - unsigned char *q; - int i; - - if (Repeat == NO_ARG || Repeat < 2) { - buff[0] = c; - buff[1] = '\0'; - return insert_string(buff); - } - - if ((p = malloc(Repeat + 1)) == NULL) - return CSstay; - for (i = Repeat, q = p; --i >= 0; ) - *q++ = c; - *q = '\0'; - Repeat = 0; - s = insert_string(p); - free(p); - return s; -} - -static el_STATUS -meta() -{ - unsigned int c; - KEYMAP *kp; - - if ((c = TTYget()) == EOF) - return CSeof; - /* Also include VT-100 arrows. 
*/ - if (c == '[' || c == 'O') - switch (c = TTYget()) { - default: return ring_bell(); - case EOF: return CSeof; - case 'A': return h_prev(); - case 'B': return h_next(); - case 'C': return fd_char(); - case 'D': return bk_char(); - } - - if (isdigit(c)) { - for (Repeat = c - '0'; (c = TTYget()) != EOF && isdigit(c); ) - Repeat = Repeat * 10 + c - '0'; - Pushed = 1; - PushBack = c; - return CSstay; - } - - if (isupper(c)) - return do_macro(c); - for (OldPoint = Point, kp = MetaMap; kp->Function; kp++) - if (kp->Key == c) - return (*kp->Function)(); - - return ring_bell(); -} - -static el_STATUS -emacs(unsigned int c) -{ - el_STATUS s; - KEYMAP *kp; - - if (ISMETA(c)) { - Pushed = 1; - PushBack = UNMETA(c); - return meta(); - } - for (kp = Map; kp->Function; kp++) - if (kp->Key == c) - break; - s = kp->Function ? (*kp->Function)() : insert_char((int)c); - if (!Pushed) - /* No pushback means no repeat count; hacky, but true. */ - Repeat = NO_ARG; - return s; -} - -static el_STATUS -TTYspecial(unsigned int c) -{ - if (ISMETA(c)) - return CSdispatch; - - if (c == rl_erase || c == DEL) - return bk_del_char(); - if (c == rl_kill) { - if (Point != 0) { - Point = 0; - reposition(); - } - Repeat = NO_ARG; - return kill_line(); - } - if (c == rl_intr || c == rl_quit) { - Point = End = 0; - Line[0] = '\0'; - return redisplay(); - } - if (c == rl_eof && Point == 0 && End == 0) - return CSeof; - - return CSdispatch; -} - -static unsigned char * -editinput() -{ - unsigned int c; - - Repeat = NO_ARG; - OldPoint = Point = Mark = End = 0; - Line[0] = '\0'; - - while ((c = TTYget()) != EOF) - switch (TTYspecial(c)) { - case CSdone: - return Line; - case CSeof: - return NULL; - case CSmove: - reposition(); - break; - case CSdispatch: - switch (emacs(c)) { - case CSdone: - return Line; - case CSeof: - return NULL; - case CSmove: - reposition(); - break; - case CSdispatch: - case CSstay: - break; - } - break; - case CSstay: - break; - } - return NULL; -} - -static void 
-hist_add(unsigned char *p) -{ - int i; - - if ((p = (unsigned char *)strdup((char *)p)) == NULL) - return; - if (H.Size < HIST_SIZE) - H.Lines[H.Size++] = p; - else { - free(H.Lines[0]); - for (i = 0; i < HIST_SIZE - 1; i++) - H.Lines[i] = H.Lines[i + 1]; - H.Lines[i] = p; - } - H.Pos = H.Size - 1; -} - -/* -** For compatibility with FSF readline. -*/ -/* ARGSUSED0 */ -void -rl_reset_terminal(char *p) -{ -} - -void -rl_initialize(void) -{ -} - -char * -readline(const char* prompt) -{ - unsigned char *line; - - if (Line == NULL) { - Length = MEM_INC; - if ((Line = malloc(Length)) == NULL) - return NULL; - } - - TTYinfo(); - rl_ttyset(0); - hist_add(NIL); - ScreenSize = SCREEN_INC; - Screen = malloc(ScreenSize); - Prompt = prompt ? prompt : (char *)NIL; - TTYputs(Prompt); - if ((line = editinput()) != NULL) { - line = (unsigned char *)strdup((char *)line); - TTYputs(NEWLINE); - TTYflush(); - } - rl_ttyset(1); - free(Screen); - free(H.Lines[--H.Size]); - return (char *)line; -} - -void -add_history(char *p) -{ - if (p == NULL || *p == '\0') - return; - -#if defined(UNIQUE_HISTORY) - if (H.Pos && strcmp(p, H.Lines[H.Pos - 1]) == 0) - return; -#endif /* defined(UNIQUE_HISTORY) */ - hist_add((unsigned char *)p); -} - - -static el_STATUS -beg_line() -{ - if (Point) { - Point = 0; - return CSmove; - } - return CSstay; -} - -static el_STATUS -del_char() -{ - return delete_string(Repeat == NO_ARG ? 1 : Repeat); -} - -static el_STATUS -end_line() -{ - if (Point != End) { - Point = End; - return CSmove; - } - return CSstay; -} - -/* -** Move back to the beginning of the current word and return an -** allocated copy of it. 
-*/ -static unsigned char * -find_word() -{ - static char SEPS[] = "#;&|^$=`'{}()<>\n\t "; - unsigned char *p; - unsigned char *new; - size_t len; - - for (p = &Line[Point]; p > Line && strchr(SEPS, (char)p[-1]) == NULL; p--) - continue; - len = Point - (p - Line) + 1; - if ((new = malloc(len)) == NULL) - return NULL; - memcpy(new, p, len); - new[len - 1] = '\0'; - return new; -} - -static el_STATUS -c_complete() -{ - unsigned char *p; - unsigned char *word; - int unique; - el_STATUS s; - - word = find_word(); - p = (unsigned char *)rl_complete((char *)word, &unique); - if (word) - free(word); - if (p && *p) { - s = insert_string(p); - if (!unique) - ring_bell(); - free(p); - return s; - } - return ring_bell(); -} - -static el_STATUS -c_possible() -{ - unsigned char **av; - unsigned char *word; - int ac; - - word = find_word(); - ac = rl_list_possib((char *)word, (char ***)&av); - if (word) - free(word); - if (ac) { - columns(ac, av); - while (--ac >= 0) - free(av[ac]); - free(av); - return CSmove; - } - return ring_bell(); -} - -static el_STATUS -accept_line() -{ - Line[End] = '\0'; - return CSdone; -} - -static el_STATUS -transpose() -{ - unsigned char c; - - if (Point) { - if (Point == End) - left(CSmove); - c = Line[Point - 1]; - left(CSstay); - Line[Point - 1] = Line[Point]; - TTYshow(Line[Point - 1]); - Line[Point++] = c; - TTYshow(c); - } - return CSstay; -} - -static el_STATUS -quote() -{ - unsigned int c; - - return (c = TTYget()) == EOF ? CSeof : insert_char((int)c); -} - -static el_STATUS -wipe() -{ - int i; - - if (Mark > End) - return ring_bell(); - - if (Point > Mark) { - i = Point; - Point = Mark; - Mark = i; - reposition(); - } - - return delete_string(Mark - Point); -} - -static el_STATUS -mk_set() -{ - Mark = Point; - return CSstay; -} - -static el_STATUS -exchange() -{ - unsigned int c; - - if ((c = TTYget()) != CTL('X')) - return c == EOF ? 
CSeof : ring_bell(); - - if ((c = Mark) <= End) { - Mark = Point; - Point = c; - return CSmove; - } - return CSstay; -} - -static el_STATUS -yank() -{ - if (Yanked && *Yanked) - return insert_string(Yanked); - return CSstay; -} - -static el_STATUS -copy_region() -{ - if (Mark > End) - return ring_bell(); - - if (Point > Mark) - save_yank(Mark, Point - Mark); - else - save_yank(Point, Mark - Point); - - return CSstay; -} - -static el_STATUS -move_to_char() -{ - unsigned int c; - int i; - unsigned char *p; - - if ((c = TTYget()) == EOF) - return CSeof; - for (i = Point + 1, p = &Line[i]; i < End; i++, p++) - if (*p == c) { - Point = i; - return CSmove; - } - return CSstay; -} - -static el_STATUS -fd_word() -{ - return do_forward(CSmove); -} - -static el_STATUS -fd_kill_word() -{ - int i; - - do_forward(CSstay); - if (OldPoint != Point) { - i = Point - OldPoint; - Point = OldPoint; - return delete_string(i); - } - return CSstay; -} - -static el_STATUS -bk_word() -{ - int i; - unsigned char *p; - - i = 0; - do { - for (p = &Line[Point]; p > Line && !isalnum(p[-1]); p--) - left(CSmove); - - for (; p > Line && p[-1] != ' ' && isalnum(p[-1]); p--) - left(CSmove); - - if (Point == 0) - break; - } while (++i < Repeat); - - return CSstay; -} - -static el_STATUS -bk_kill_word() -{ - bk_word(); - if (OldPoint != Point) - return delete_string(OldPoint - Point); - return CSstay; -} - -static int -argify(unsigned char *line, unsigned char ***avp) -{ - unsigned char *c; - unsigned char **p; - unsigned char **new; - int ac; - int i; - - i = MEM_INC; - if ((*avp = p = malloc(sizeof(unsigned char*) * i))== NULL) - return 0; - - for (c = line; isspace(*c); c++) - continue; - if (*c == '\n' || *c == '\0') - return 0; - - for (ac = 0, p[ac++] = c; *c && *c != '\n'; ) { - if (isspace(*c)) { - *c++ = '\0'; - if (*c && *c != '\n') { - if (ac + 1 == i) { - new = malloc(sizeof(unsigned char*) * (i + MEM_INC)); - if (new == NULL) { - p[ac] = NULL; - return ac; - } - memcpy(new, p, i * sizeof 
(char **)); - i += MEM_INC; - free(p); - *avp = p = new; - } - p[ac++] = c; - } - } - else - c++; - } - *c = '\0'; - p[ac] = NULL; - return ac; -} - -static el_STATUS -last_argument() -{ - unsigned char **av; - unsigned char *p; - el_STATUS s; - int ac; - - if (H.Size == 1 || (p = H.Lines[H.Size - 2]) == NULL) - return ring_bell(); - - if ((p = (unsigned char *)strdup((char *)p)) == NULL) - return CSstay; - ac = argify(p, &av); - - if (Repeat != NO_ARG) - s = Repeat < ac ? insert_string(av[Repeat]) : ring_bell(); - else - s = ac ? insert_string(av[ac - 1]) : CSstay; - - if (ac) - free(av); - free(p); - return s; -} - -static KEYMAP Map[33] = { - { CTL('@'), ring_bell }, - { CTL('A'), beg_line }, - { CTL('B'), bk_char }, - { CTL('D'), del_char }, - { CTL('E'), end_line }, - { CTL('F'), fd_char }, - { CTL('G'), ring_bell }, - { CTL('H'), bk_del_char }, - { CTL('I'), c_complete }, - { CTL('J'), accept_line }, - { CTL('K'), kill_line }, - { CTL('L'), redisplay }, - { CTL('M'), accept_line }, - { CTL('N'), h_next }, - { CTL('O'), ring_bell }, - { CTL('P'), h_prev }, - { CTL('Q'), ring_bell }, - { CTL('R'), h_search }, - { CTL('S'), ring_bell }, - { CTL('T'), transpose }, - { CTL('U'), ring_bell }, - { CTL('V'), quote }, - { CTL('W'), wipe }, - { CTL('X'), exchange }, - { CTL('Y'), yank }, - { CTL('Z'), ring_bell }, - { CTL('['), meta }, - { CTL(']'), move_to_char }, - { CTL('^'), ring_bell }, - { CTL('_'), ring_bell }, - { 0, NULL } -}; - -static KEYMAP MetaMap[16]= { - { CTL('H'), bk_kill_word }, - { DEL, bk_kill_word }, - { ' ', mk_set }, - { '.', last_argument }, - { '<', h_first }, - { '>', h_last }, - { '?', c_possible }, - { 'b', bk_word }, - { 'd', fd_kill_word }, - { 'f', fd_word }, - { 'l', case_down_word }, - { 'u', case_up_word }, - { 'y', yank }, - { 'w', copy_region }, - { 0, NULL } -}; diff --git a/crypto/heimdal/lib/editline/editline.cat3 b/crypto/heimdal/lib/editline/editline.cat3 deleted file mode 100644 index 93f02f7887e4..000000000000 
--- a/crypto/heimdal/lib/editline/editline.cat3
+++ /dev/null
@@ -1,141 +0,0 @@ -EDITLINE(3) EDITLINE(3) - - - -NNAAMMEE - editline - command-line editing library with history - -SSYYNNOOPPSSIISS - cchhaarr ** - rreeaaddlliinnee((pprroommpptt)) - cchhaarr **pprroommpptt;; - - vvooiidd - aadddd__hhiissttoorryy((lliinnee)) - cchhaarr **lliinnee;; - -DDEESSCCRRIIPPTTIIOONN - _E_d_i_t_l_i_n_e is a library that provides an line-editing inter- - face with text recall. It is intended to be compatible - with the _r_e_a_d_l_i_n_e library provided by the Free Software - Foundation, but much smaller. The bulk of this manual - page describes the user interface. - - The _r_e_a_d_l_i_n_e routine returns a line of text with the - trailing newline removed. The data is returned in a - buffer allocated with _m_a_l_l_o_c(3), so the space should be - released with _f_r_e_e(3) when the calling program is done - with it. Before accepting input from the user, the speci- - fied _p_r_o_m_p_t is displayed on the terminal. - - The _a_d_d___h_i_s_t_o_r_y routine makes a copy of the specified _l_i_n_e - and adds it to the internal history list. - - UUsseerr IInntteerrffaaccee - A program that uses this library provides a simple emacs- - like editing interface to its users. A line may be edited - before it is sent to the calling program by typing either - control characters or escape sequences. A control charac- - ter, shown as a caret followed by a letter, is typed by - holding down the ``control'' key while the letter is - typed. For example, ``^A'' is a control-A. An escape - sequence is entered by typing the ``escape'' key followed - by one or more characters. The escape key is abbreviated - as ``ESC.'' Note that unlike control keys, case matters - in escape sequences; ``ESC F'' is not the same as - ``ESC f''. - - An editing command may be typed anywhere on the line, not - just at the beginning. In addition, a return may also be - typed anywhere on the line, not just at the end. 
- - Most editing commands may be given a repeat count, _n, - where _n is a number. To enter a repeat count, type the - escape key, the number, and then the command to execute. - For example, ``ESC 4 ^f'' moves forward four characters. - If a command may be given a repeat count then the text - ``[n]'' is given at the end of its description. - - The following control characters are accepted: - ^A Move to the beginning of the line - ^B Move left (backwards) [n] - ^D Delete character [n] - ^E Move to end of line - ^F Move right (forwards) [n] - ^G Ring the bell - ^H Delete character before cursor (backspace key) [n] - ^I Complete filename (tab key); see below - ^J Done with line (return key) - ^K Kill to end of line (or column [n]) - ^L Redisplay line - ^M Done with line (alternate return key) - ^N Get next line from history [n] - ^P Get previous line from history [n] - ^R Search backward (forward if [n]) through history for text; - must start line if text begins with an uparrow - ^T Transpose characters - ^V Insert next character, even if it is an edit command - ^W Wipe to the mark - ^X^X Exchange current location and mark - ^Y Yank back last killed text - ^[ Start an escape sequence (escape key) - ^]c Move forward to next character ``c'' - ^? Delete character before cursor (delete key) [n] - - The following escape sequences are provided. - ESC ^H Delete previous word (backspace key) [n] - ESC DEL Delete previous word (delete key) [n] - ESC SP Set the mark (space key); see ^X^X and ^Y above - ESC . Get the last (or [n]'th) word from previous line - ESC ? 
Show possible completions; see below - ESC < Move to start of history - ESC > Move to end of history - ESC b Move backward a word [n] - ESC d Delete word under cursor [n] - ESC f Move forward a word [n] - ESC l Make word lowercase [n] - ESC u Make word uppercase [n] - ESC y Yank back last killed text - ESC v Show library version - ESC w Make area up to mark yankable - ESC nn Set repeat count to the number nn - ESC C Read from environment variable ``_C_'', where C is - an uppercase letter - - The _e_d_i_t_l_i_n_e library has a small macro facility. If you - type the escape key followed by an uppercase letter, _C, - then the contents of the environment variable ___C__ are read - in as if you had typed them at the keyboard. For example, - if the variable ___L__ contains the following: - ^A^Kecho '^V^[[H^V^[[2J'^M - Then typing ``ESC L'' will move to the beginning of the - line, kill the entire line, enter the echo command needed - to clear the terminal (if your terminal is like a VT-100), - and send the line back to the shell. - - The _e_d_i_t_l_i_n_e library also does filename completion. Sup- - pose the root directory has the following files in it: - bin vmunix - core vmunix.old - If you type ``rm /v'' and then the tab key. _E_d_i_t_l_i_n_e will - then finish off as much of the name as possible by adding - ``munix''. Because the name is not unique, it will then - beep. If you type the escape key and a question mark, it - will display the two choices. If you then type a period - and a tab, the library will finish off the filename for - you: - rm /v[TAB]_m_u_n_i_x.TAB_o_l_d - The tab key is shown by ``[TAB]'' and the automatically- - entered text is shown in italics. - -BBUUGGSS AANNDD LLIIMMIITTAATTIIOONNSS - Cannot handle lines more than 80 columns. - -AAUUTTHHOORRSS - Simmule R. Turner and - Rich $alz . Original manual page by DaviD - W. Sanderson . - - - - EDITLINE(3) 
diff --git a/crypto/heimdal/lib/editline/editline.h b/crypto/heimdal/lib/editline/editline.h
deleted file mode 100644
index a948ddc5c5dc..000000000000
--- a/crypto/heimdal/lib/editline/editline.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/* $Revision: 1.4 $
-**
-** Internal header file for editline library.
-*/
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-
-#define CRLF "\r\n"
-
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include
-#endif
-
-#ifdef HAVE_DIRENT_H
-#include
-typedef struct dirent DIRENTRY;
-#else
-#include
-typedef struct direct DIRENTRY;
-#endif
-
-#include
-
-#if !defined(S_ISDIR)
-#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
-#endif /* !defined(S_ISDIR) */
-
-typedef unsigned char CHAR;
-
-#define MEM_INC 64
-#define SCREEN_INC 256
-
-/*
-** Variables and routines internal to this package.
-*/
-extern int rl_eof;
-extern int rl_erase;
-extern int rl_intr;
-extern int rl_kill;
-extern int rl_quit;
-
-typedef char* (*rl_complete_func_t)(char*, int*);
-
-typedef int (*rl_list_possib_func_t)(char*, char***);
-
-void add_history (char*);
-char* readline (const char* prompt);
-void rl_add_slash (char*, char*);
-char* rl_complete (char*, int*);
-void rl_initialize (void);
-int rl_list_possib (char*, char***);
-void rl_reset_terminal (char*);
-void rl_ttyset (int);
-rl_complete_func_t rl_set_complete_func (rl_complete_func_t);
-rl_list_possib_func_t rl_set_list_possib_func (rl_list_possib_func_t);
-
diff --git a/crypto/heimdal/lib/editline/roken_rename.h b/crypto/heimdal/lib/editline/roken_rename.h
deleted file mode 100644
index 9ea278d22f2e..000000000000
--- a/crypto/heimdal/lib/editline/roken_rename.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: roken_rename.h,v 1.4 1999/12/02 16:58:39 joda Exp $ */
-
-#ifndef __roken_rename_h__
-#define __roken_rename_h__
-
-#ifndef HAVE_STRDUP
-#define strdup _editline_strdup
-#endif
-#ifndef HAVE_SNPRINTF
-#define snprintf _editline_snprintf
-#endif
-#ifndef HAVE_VSNPRINTF
-#define vsnprintf _editline_vsnprintf
-#endif
-#ifndef HAVE_ASPRINTF
-#define asprintf _editline_asprintf
-#endif
-#ifndef HAVE_ASNPRINTF
-#define asnprintf _editline_asnprintf
-#endif
-#ifndef HAVE_VASPRINTF
-#define vasprintf _editline_vasprintf
-#endif
-#ifndef HAVE_VASNPRINTF
-#define vasnprintf _editline_vasnprintf
-#endif
-
-#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/editline/sysunix.c b/crypto/heimdal/lib/editline/sysunix.c
deleted file mode 100644
index bcd6def6ca03..000000000000
--- a/crypto/heimdal/lib/editline/sysunix.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/* Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
- *
- * This software is not subject to any license of the American Telephone
- * and Telegraph Company or of the Regents of the University of California.
- *
- * Permission is granted to anyone to use this software for any purpose on
- * any computer system, and to alter it and redistribute it freely, subject
- * to the following restrictions:
- * 1. The authors are not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits must appear in the documentation.
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits must appear in the documentation.
- * 4. This notice may not be removed or altered.
- */
-
-/*
-** Unix system-dependant routines for editline library.
-*/
-#include
-#include "editline.h"
-
-#ifdef HAVE_TERMIOS_H
-#include
-#else
-#include
-#endif
-
-RCSID("$Id: sysunix.c,v 1.4 1999/04/08 13:08:24 joda Exp $");
-
-#ifdef HAVE_TERMIOS_H
-
-void
-rl_ttyset(int Reset)
-{
- static struct termios old;
- struct termios new;
-
- if (Reset == 0) {
- tcgetattr(0, &old);
- rl_erase = old.c_cc[VERASE];
- rl_kill = old.c_cc[VKILL];
- rl_eof = old.c_cc[VEOF];
- rl_intr = old.c_cc[VINTR];
- rl_quit = old.c_cc[VQUIT];
-
- new = old;
- new.c_cc[VINTR] = -1;
- new.c_cc[VQUIT] = -1;
- new.c_lflag &= ~(ECHO | ICANON);
- new.c_iflag &= ~(ISTRIP | INPCK);
- new.c_cc[VMIN] = 1;
- new.c_cc[VTIME] = 0;
- tcsetattr(0, TCSANOW, &new);
- }
- else
- tcsetattr(0, TCSANOW, &old);
-}
-
-#else /* !HAVE_TERMIOS_H */
-
-void
-rl_ttyset(int Reset)
-{
- static struct sgttyb old;
- struct sgttyb new;
-
- if (Reset == 0) {
- ioctl(0, TIOCGETP, &old);
- rl_erase = old.sg_erase;
- rl_kill = old.sg_kill;
- new = old;
- new.sg_flags &= ~(ECHO | ICANON);
- new.sg_flags &= ~(ISTRIP | INPCK);
- ioctl(0, TIOCSETP, &new);
- } else {
- ioctl(0, TIOCSETP, &old);
- }
-}
-#endif /* HAVE_TERMIOS_H */
-
-void
-rl_add_slash(char *path, char *p)
-{
- struct stat Sb;
-
- if (stat(path, &Sb) >= 0)
- strcat(p, S_ISDIR(Sb.st_mode) ? "/" : " ");
-}
diff --git a/crypto/heimdal/lib/editline/testit.c b/crypto/heimdal/lib/editline/testit.c
deleted file mode 100644
index c8ab847a7b07..000000000000
--- a/crypto/heimdal/lib/editline/testit.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/* $Revision: 1.3 $
-**
-** A "micro-shell" to test editline library.
-** If given any arguments, commands aren't executed.
-*/
-#if defined(HAVE_CONFIG_H)
-#include
-#endif
-#include
-#include
-#ifdef HAVE_ERRNO_H
-#include
-#endif
-#include
-
-#include "editline.h"
-
-static int n_flag = 0;
-static int version_flag = 0;
-static int help_flag = 0;
-
-static struct getargs args[] = {
- {"dry-run", 'n', arg_flag, &n_flag,
- "do not run commands", NULL },
- {"version", 0, arg_flag, &version_flag,
- "print version", NULL },
- {"help", 0, arg_flag, &help_flag,
- NULL, NULL }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "");
- exit (ret);
-}
-
-int
-main(int argc, char **argv)
-{
- char *p;
- int optind = 0;
-
- setprogname (argv[0]);
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
- while ((p = readline("testit> ")) != NULL) {
- (void)printf("\t\t\t|%s|\n", p);
- if (!n_flag) {
- if (strncmp(p, "cd ", 3) == 0) {
- if (chdir(&p[3]) < 0)
- perror(&p[3]);
- } else if (system(p) != 0) {
- perror(p);
- }
- }
- add_history(p);
- free(p);
- }
- exit(0);
- /* NOTREACHED */
-}
diff --git a/crypto/heimdal/lib/editline/unix.h b/crypto/heimdal/lib/editline/unix.h
deleted file mode 100644
index fe6beedcec2b..000000000000
--- a/crypto/heimdal/lib/editline/unix.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* $Revision: 1.1 $
-**
-** Editline system header file for Unix.
-*/
-
-#define CRLF "\r\n"
-#define FORWARD STATIC
-
-#include
-#include
-
-#if defined(USE_DIRENT)
-#include
-typedef struct dirent DIRENTRY;
-#else
-#include
-typedef struct direct DIRENTRY;
-#endif /* defined(USE_DIRENT) */
-
-#if !defined(S_ISDIR)
-#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
-#endif /* !defined(S_ISDIR) */
diff --git a/crypto/heimdal/lib/gssapi/Makefile b/crypto/heimdal/lib/gssapi/Makefile
deleted file mode 100644
index c8533372ddf6..000000000000
--- a/crypto/heimdal/lib/gssapi/Makefile
+++ /dev/null
@@ -1,659 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/gssapi/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.38 2002/03/22 12:16:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 3:5:2 -libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la - -include_HEADERS = gssapi.h - -libgssapi_la_SOURCES = \ - 8003.c \ - accept_sec_context.c \ - acquire_cred.c \ - add_oid_set_member.c \ - canonicalize_name.c \ - compare_name.c \ - context_time.c \ - copy_ccache.c \ - create_emtpy_oid_set.c \ - decapsulate.c \ - delete_sec_context.c \ - display_name.c \ - display_status.c \ - duplicate_name.c \ - encapsulate.c \ - export_sec_context.c \ - export_name.c \ - external.c \ - get_mic.c \ - gssapi.h \ - gssapi_locl.h \ - import_name.c \ - import_sec_context.c \ - indicate_mechs.c \ - init.c \ - init_sec_context.c \ - inquire_context.c \ - inquire_cred.c \ - release_buffer.c \ - release_cred.c \ - release_name.c \ - release_oid_set.c \ - test_oid_set_member.c \ - unwrap.c \ - v1.c \ - verify_mic.c \ - wrap.c \ - address_to_krb5addr.c - -subdir = lib/gssapi -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libgssapi_la_DEPENDENCIES = ../krb5/libkrb5.la ../asn1/libasn1.la \ - ../roken/libroken.la -am_libgssapi_la_OBJECTS = 8003.lo accept_sec_context.lo acquire_cred.lo \ - add_oid_set_member.lo canonicalize_name.lo compare_name.lo \ - context_time.lo copy_ccache.lo create_emtpy_oid_set.lo \ - decapsulate.lo delete_sec_context.lo display_name.lo \ - display_status.lo duplicate_name.lo encapsulate.lo \ - export_sec_context.lo export_name.lo external.lo get_mic.lo \ - import_name.lo import_sec_context.lo indicate_mechs.lo init.lo \ - init_sec_context.lo 
inquire_context.lo inquire_cred.lo \ - release_buffer.lo release_cred.lo release_name.lo \ - release_oid_set.lo test_oid_set_member.lo unwrap.lo v1.lo \ - verify_mic.lo wrap.lo address_to_krb5addr.lo -libgssapi_la_OBJECTS = $(am_libgssapi_la_OBJECTS) - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libgssapi_la_SOURCES) -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in -SOURCES = $(libgssapi_la_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/gssapi/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - 
@list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libgssapi_la_LDFLAGS) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; 
then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: 
uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLTLIBRARIES clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-includeHEADERS \ - install-info install-info-am install-libLTLIBRARIES install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile 
mostlyclean-generic mostlyclean-libtool \ - tags uninstall uninstall-am uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) 
$(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/hdb/Makefile b/crypto/heimdal/lib/hdb/Makefile deleted file mode 100644 index b1c2f969fc97..000000000000 --- a/crypto/heimdal/lib/hdb/Makefile +++ /dev/null 
@@ -1,686 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/hdb/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.53 2002/08/19 16:17:16 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_des) $(INCLUDE_openldap) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - 
-NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \ - asn1_Salt.c hdb_err.c hdb_err.h asn1_GENERATION.c - - -foo = asn1_Key.x asn1_GENERATION.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x - -CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files - -noinst_PROGRAMS = convert_db -LDADD = libhdb.la \ - $(LIB_openldap) \ - ../krb5/libkrb5.la \ - ../asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) - - -lib_LTLIBRARIES = libhdb.la -libhdb_la_LDFLAGS = -version-info 7:5:0 - -libhdb_la_SOURCES = \ - common.c \ - db.c \ - db3.c \ - hdb-ldap.c \ - hdb.c \ - keytab.c \ - mkey.c \ - ndbm.c \ - print.c \ - $(BUILT_SOURCES) - - -include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h - -libhdb_la_LIBADD = ../krb5/libkrb5.la ../asn1/libasn1.la ../roken/libroken.la $(LIB_openldap) $(DBLIB) $(LIB_NDBM) -subdir = lib/hdb -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libhdb_la_DEPENDENCIES = ../krb5/libkrb5.la ../asn1/libasn1.la \ - ../roken/libroken.la -am__objects_1 = asn1_Key.lo asn1_Event.lo asn1_HDBFlags.lo \ - asn1_hdb_entry.lo asn1_Salt.lo hdb_err.lo asn1_GENERATION.lo -am_libhdb_la_OBJECTS = common.lo db.lo db3.lo hdb-ldap.lo hdb.lo \ - keytab.lo mkey.lo ndbm.lo print.lo $(am__objects_1) -libhdb_la_OBJECTS = $(am_libhdb_la_OBJECTS) -noinst_PROGRAMS = convert_db$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -convert_db_SOURCES = convert_db.c -convert_db_OBJECTS = convert_db.$(OBJEXT) -convert_db_LDADD = $(LDADD) -convert_db_DEPENDENCIES = libhdb.la ../krb5/libkrb5.la \ - ../asn1/libasn1.la -convert_db_LDFLAGS = - 
-DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libhdb_la_SOURCES) convert_db.c -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) Makefile.am Makefile.in -SOURCES = $(libhdb_la_SOURCES) convert_db.c - -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/hdb/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f 
$(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libhdb.la: $(libhdb_la_OBJECTS) $(libhdb_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libhdb_la_LDFLAGS) $(libhdb_la_OBJECTS) $(libhdb_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -convert_db$(EXEEXT): $(convert_db_OBJECTS) $(convert_db_DEPENDENCIES) - @rm -f convert_db$(EXEEXT) - $(LINK) $(convert_db_LDFLAGS) $(convert_db_OBJECTS) $(convert_db_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) 
$(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
- -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) 
$(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i 
in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h - -$(srcdir)/hdb-protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h - -$(srcdir)/hdb-private.h: - cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h - -$(foo) hdb_asn1.h: asn1_files - -asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 - ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1 - -$(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h - -$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h - -# to help stupid solaris make - -hdb_err.h: hdb_err.et -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/hdb/libasn1.h b/crypto/heimdal/lib/hdb/libasn1.h deleted file mode 100644 index ef02d7c7e7ae..000000000000 --- a/crypto/heimdal/lib/hdb/libasn1.h +++ /dev/null 
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 1997, 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: libasn1.h,v 1.5 2001/04/18 16:21:33 joda Exp $ */
-
-#ifndef __LIBASN1_H__
-#define __LIBASN1_H__
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include "hdb_asn1.h"
-#include
-#include
-
-#endif /* __LIBASN1_H__ */
diff --git a/crypto/heimdal/lib/kadm5/Makefile b/crypto/heimdal/lib/kadm5/Makefile
deleted file mode 100644
index e0503c952937..000000000000
--- a/crypto/heimdal/lib/kadm5/Makefile
+++ /dev/null
@@ -1,880 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/kadm5/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.51 2002/08/16 20:57:09 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la -libkadm5srv_la_LDFLAGS = -version-info 7:5:0 -libkadm5clnt_la_LDFLAGS = -version-info 6:3:2 -sbin_PROGRAMS = dump_log replay_log truncate_log - -libkadm5srv_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la -libkadm5clnt_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la - -libexec_PROGRAMS = ipropd-master ipropd-slave - -kadm5includedir = $(includedir)/kadm5 -buildkadm5include = $(buildinclude)/kadm5 - -kadm5include_HEADERS = kadm5_err.h admin.h private.h \ - kadm5-protos.h kadm5-private.h - - -SOURCES_client = \ - admin.h \ - chpass_c.c \ - common_glue.c \ - create_c.c \ - delete_c.c \ - destroy_c.c \ - flush_c.c \ - free.c \ - get_c.c \ - get_princs_c.c \ - init_c.c \ - kadm5_err.c \ - kadm5_locl.h \ - marshall.c \ - modify_c.c \ - private.h \ - privs_c.c \ - randkey_c.c \ - rename_c.c \ - send_recv.c - - -SOURCES_server = \ - acl.c \ - admin.h \ - bump_pw_expire.c \ - chpass_s.c \ - common_glue.c \ - context_s.c \ - create_s.c \ - delete_s.c \ - destroy_s.c \ - ent_setup.c \ - error.c \ - flush_s.c \ - free.c \ - get_princs_s.c \ - get_s.c \ - init_s.c \ - kadm5_err.c \ - kadm5_locl.h \ - keys.c \ - log.c \ - marshall.c \ - modify_s.c \ - private.h \ - privs_s.c \ - randkey_s.c \ - rename_s.c \ - set_keys.c \ - set_modifier.c \ - password_quality.c - - -libkadm5srv_la_SOURCES = $(SOURCES_server) server_glue.c -libkadm5clnt_la_SOURCES = $(SOURCES_client) client_glue.c - -dump_log_SOURCES = dump_log.c kadm5_locl.h - -replay_log_SOURCES = replay_log.c kadm5_locl.h - -ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h - -ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h - -truncate_log_SOURCES = truncate_log.c - 
-LDADD = \ - libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_des) \ - $(LIB_roken) \ - $(DBLIB) \ - $(LIB_dlopen) \ - $(LIB_pidfile) - - -CLEANFILES = kadm5_err.c kadm5_err.h - -proto_opts = -q -R '^(_|kadm5_c_|kadm5_s_|kadm5_log)' -P comment -subdir = lib/kadm5 -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libkadm5clnt_la_DEPENDENCIES = ../krb5/libkrb5.la ../hdb/libhdb.la \ - ../roken/libroken.la -am__objects_1 = chpass_c.lo common_glue.lo create_c.lo delete_c.lo \ - destroy_c.lo flush_c.lo free.lo get_c.lo get_princs_c.lo \ - init_c.lo kadm5_err.lo marshall.lo modify_c.lo privs_c.lo \ - randkey_c.lo rename_c.lo send_recv.lo -am_libkadm5clnt_la_OBJECTS = $(am__objects_1) client_glue.lo -libkadm5clnt_la_OBJECTS = $(am_libkadm5clnt_la_OBJECTS) -libkadm5srv_la_DEPENDENCIES = ../krb5/libkrb5.la ../hdb/libhdb.la \ - ../roken/libroken.la -am__objects_2 = acl.lo bump_pw_expire.lo chpass_s.lo common_glue.lo \ - context_s.lo create_s.lo delete_s.lo destroy_s.lo ent_setup.lo \ - error.lo flush_s.lo free.lo get_princs_s.lo get_s.lo init_s.lo \ - kadm5_err.lo keys.lo log.lo marshall.lo modify_s.lo privs_s.lo \ - randkey_s.lo rename_s.lo set_keys.lo set_modifier.lo \ - password_quality.lo -am_libkadm5srv_la_OBJECTS = $(am__objects_2) server_glue.lo -libkadm5srv_la_OBJECTS = $(am_libkadm5srv_la_OBJECTS) -libexec_PROGRAMS = ipropd-master$(EXEEXT) ipropd-slave$(EXEEXT) -sbin_PROGRAMS = dump_log$(EXEEXT) replay_log$(EXEEXT) \ - truncate_log$(EXEEXT) -PROGRAMS = $(libexec_PROGRAMS) $(sbin_PROGRAMS) - -am_dump_log_OBJECTS = dump_log.$(OBJEXT) -dump_log_OBJECTS = $(am_dump_log_OBJECTS) -dump_log_LDADD = $(LDADD) -dump_log_DEPENDENCIES = libkadm5srv.la $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - 
$(top_builddir)/lib/asn1/libasn1.la -dump_log_LDFLAGS = -am_ipropd_master_OBJECTS = ipropd_master.$(OBJEXT) -ipropd_master_OBJECTS = $(am_ipropd_master_OBJECTS) -ipropd_master_LDADD = $(LDADD) -ipropd_master_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -ipropd_master_LDFLAGS = -am_ipropd_slave_OBJECTS = ipropd_slave.$(OBJEXT) -ipropd_slave_OBJECTS = $(am_ipropd_slave_OBJECTS) -ipropd_slave_LDADD = $(LDADD) -ipropd_slave_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -ipropd_slave_LDFLAGS = -am_replay_log_OBJECTS = replay_log.$(OBJEXT) -replay_log_OBJECTS = $(am_replay_log_OBJECTS) -replay_log_LDADD = $(LDADD) -replay_log_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -replay_log_LDFLAGS = -am_truncate_log_OBJECTS = truncate_log.$(OBJEXT) -truncate_log_OBJECTS = $(am_truncate_log_OBJECTS) -truncate_log_LDADD = $(LDADD) -truncate_log_DEPENDENCIES = libkadm5srv.la \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -truncate_log_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - $(dump_log_SOURCES) $(ipropd_master_SOURCES) \ - $(ipropd_slave_SOURCES) $(replay_log_SOURCES) \ - $(truncate_log_SOURCES) -HEADERS = $(kadm5include_HEADERS) - -DIST_COMMON = $(kadm5include_HEADERS) ChangeLog Makefile.am Makefile.in -SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) $(dump_log_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) $(replay_log_SOURCES) $(truncate_log_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/kadm5/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - 
@list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libkadm5clnt.la: $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkadm5clnt_la_LDFLAGS) $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_LIBADD) $(LIBS) -libkadm5srv.la: $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkadm5srv_la_LDFLAGS) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done 
-sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(sbindir) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \ - rm -f $(DESTDIR)$(sbindir)/$$f; \ - done - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -dump_log$(EXEEXT): $(dump_log_OBJECTS) $(dump_log_DEPENDENCIES) - @rm -f dump_log$(EXEEXT) - $(LINK) $(dump_log_LDFLAGS) $(dump_log_OBJECTS) $(dump_log_LDADD) $(LIBS) -ipropd-master$(EXEEXT): $(ipropd_master_OBJECTS) $(ipropd_master_DEPENDENCIES) - @rm -f ipropd-master$(EXEEXT) - $(LINK) $(ipropd_master_LDFLAGS) $(ipropd_master_OBJECTS) $(ipropd_master_LDADD) $(LIBS) -ipropd-slave$(EXEEXT): $(ipropd_slave_OBJECTS) $(ipropd_slave_DEPENDENCIES) - @rm -f ipropd-slave$(EXEEXT) - $(LINK) $(ipropd_slave_LDFLAGS) $(ipropd_slave_OBJECTS) $(ipropd_slave_LDADD) $(LIBS) -replay_log$(EXEEXT): $(replay_log_OBJECTS) $(replay_log_DEPENDENCIES) - @rm -f replay_log$(EXEEXT) - $(LINK) $(replay_log_LDFLAGS) $(replay_log_OBJECTS) $(replay_log_LDADD) $(LIBS) -truncate_log$(EXEEXT): $(truncate_log_OBJECTS) $(truncate_log_DEPENDENCIES) - @rm -f truncate_log$(EXEEXT) - $(LINK) $(truncate_log_LDFLAGS) $(truncate_log_OBJECTS) $(truncate_log_LDADD) $(LIBS) - 
-mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -kadm5includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-kadm5includeHEADERS: $(kadm5include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(kadm5includedir) - @list='$(kadm5include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(kadm5includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(kadm5includedir)/$$f"; \ - $(kadm5includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(kadm5includedir)/$$f; \ - done - -uninstall-kadm5includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(kadm5include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(kadm5includedir)/$$f"; \ - rm -f $(DESTDIR)$(kadm5includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - 
here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir) $(DESTDIR)$(kadm5includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo 
"it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-kadm5includeHEADERS - -install-exec-am: install-libLTLIBRARIES install-libexecPROGRAMS \ - install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am uninstall-kadm5includeHEADERS \ - uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \ - uninstall-sbinPROGRAMS - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLTLIBRARIES clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-info install-info-am install-kadm5includeHEADERS \ - install-libLTLIBRARIES install-libexecPROGRAMS install-man \ - install-sbinPROGRAMS install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-info-am uninstall-kadm5includeHEADERS \ - uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \ - uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - 
x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; 
done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -install-build-headers:: $(kadm5include_HEADERS) - @foo='$(kadm5include_HEADERS)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildkadm5include)/$$f 2> /dev/null ; then \ - : ; else \ - echo "cp $$file $(buildkadm5include)/$$f";\ - cp $$file $(buildkadm5include)/$$f; \ - fi ; \ - done - -$(libkadm5srv_la_OBJECTS): kadm5_err.h - -client_glue.lo server_glue.lo: $(srcdir)/common_glue.c - -# to help stupid solaris make - -kadm5_err.h: kadm5_err.et - -$(libkadm5clnt_la_OBJECTS) $(libkadm5srv_la_OBJECTS): $(srcdir)/kadm5-protos.h $(srcdir)/kadm5-private.h -$(srcdir)/kadm5-protos.h: - cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \ - -o 
kadm5-protos.h \ - $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - || rm -f kadm5-protos.h - -$(srcdir)/kadm5-private.h: - cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \ - -p kadm5-private.h \ - $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \ - || rm -f kadm5-private.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/kafs/Makefile b/crypto/heimdal/lib/kafs/Makefile deleted file mode 100644 index d9b704278b9a..000000000000 --- a/crypto/heimdal/lib/kafs/Makefile +++ /dev/null 
@@ -1,760 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/kafs/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.37 2002/08/19 15:08:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(AFS_EXTRA_DEFS) $(ROKEN_RENAME) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff 
-mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -#AFSLIBS = libkafs.la -AFSLIBS = -#DEPLIB_krb4 = $(LIB_krb4) $(LIB_des) -DEPLIB_krb4 = - -#AFSL_EXP = -##AFSL_EXP = $(srcdir)/afsl.exp - -##AFS_EXTRA_LD = -e _nostart -###AFS_EXTRA_LD = -bnoentry - -###AIX_SRC = afslib.c -###AIX_SRC = dlfcn.c -##AIX_SRC = -#AIX_SRC = -###AFS_EXTRA_LIBS = -##AFS_EXTRA_LIBS = afslib.so -###AFS_EXTRA_DEFS = -DSTATIC_AFS -##AFS_EXTRA_DEFS = - -libkafs_la_LIBADD = ../krb5/libkrb5.la ../roken/libroken.la $(DEPLIB_krb4) -#libkafs_la_LIBADD = ../roken/libroken.la $(DEPLIB_krb4) - -lib_LTLIBRARIES = $(AFSLIBS) -libkafs_la_LDFLAGS = -version-info 3:4:3 -foodir = $(libdir) -foo_DATA = $(AFS_EXTRA_LIBS) - -# EXTRA_DATA = afslib.so -CLEANFILES = $(AFS_EXTRA_LIBS) $(ROKEN_SRCS) - -include_HEADERS = kafs.h - -afskrb5_c = afskrb5.c - -ROKEN_SRCS = resolve.c strtok_r.c strlcpy.c strsep.c - -libkafs_la_SOURCES = \ - afssys.c \ - afskrb.c \ - $(afskrb5_c) \ - common.c \ - $(AIX_SRC) \ - kafs_locl.h \ - afssysdefs.h \ - $(ROKEN_SRCS) - - - -#afslib_so_SOURCES = afslib.c -EXTRA_libkafs_la_SOURCES = afskrb5.c dlfcn.c afslib.c dlfcn.h - -EXTRA_DIST = README.dlfcn afsl.exp afslib.exp - -man_MANS = kafs.3 -subdir = lib/kafs -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libkafs_la_DEPENDENCIES = ../krb5/libkrb5.la \ - ../roken/libroken.la -#libkafs_la_DEPENDENCIES = ../roken/libroken.la -#libkafs_la_DEPENDENCIES = ../krb5/libkrb5.la \ -# ../roken/libroken.la -##libkafs_la_DEPENDENCIES = ../roken/libroken.la -am__objects_1 = afskrb5.lo -###am__objects_2 = afslib.lo -###am__objects_2 = \ -### dlfcn.lo -##am__objects_2 = -#am__objects_2 = -am__objects_3 = resolve.lo 
strtok_r.lo strlcpy.lo \ - strsep.lo -am_libkafs_la_OBJECTS = afssys.lo afskrb.lo $(am__objects_1) common.lo \ - $(am__objects_2) $(am__objects_3) -libkafs_la_OBJECTS = $(am_libkafs_la_OBJECTS) - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES) -MANS = $(man_MANS) -DATA = $(foo_DATA) - -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in -SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/kafs/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - 
@$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libkafs.la: $(libkafs_la_OBJECTS) $(libkafs_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkafs_la_LDFLAGS) $(libkafs_la_OBJECTS) $(libkafs_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man3dir = $(mandir)/man3 -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man3dir) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - 
@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \ - rm -f $(DESTDIR)$(man3dir)/$$inst; \ - done -fooDATA_INSTALL = $(INSTALL_DATA) -install-fooDATA: $(foo_DATA) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(foodir) - @list='$(foo_DATA)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f"; \ - $(fooDATA_INSTALL) $$d$$p $(DESTDIR)$(foodir)/$$f; \ - done - -uninstall-fooDATA: - @$(NORMAL_UNINSTALL) - @list='$(foo_DATA)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(foodir)/$$f"; \ - rm -f $(DESTDIR)$(foodir)/$$f; \ - done -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if 
test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. -distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(man3dir) $(DESTDIR)$(foodir) $(DESTDIR)$(includedir) - -install: install-am 
-install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-fooDATA \ - install-includeHEADERS install-man - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-fooDATA uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libLTLIBRARIES clean-libtool distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am 
install-fooDATA \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-man3 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-fooDATA uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \ - uninstall-man3 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > 
$@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -# AIX: this almost works with gcc, but somehow it fails to use the -# correct ld, use ld instead -afslib.so: afslib.o - ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc - 
-$(OBJECTS): ../../include/config.h - -resolve.c: - $(LN_S) $(srcdir)/../roken/resolve.c . - -strtok_r.c: - $(LN_S) $(srcdir)/../roken/strtok_r.c . - -strlcpy.c: - $(LN_S) $(srcdir)/../roken/strlcpy.c . - -strsep.c: - $(LN_S) $(srcdir)/../roken/strsep.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/kafs/kafs.cat3 b/crypto/heimdal/lib/kafs/kafs.cat3 deleted file mode 100644 index ecab780e25b5..000000000000 --- a/crypto/heimdal/lib/kafs/kafs.cat3 +++ /dev/null 
@@ -1,97 +0,0 @@ -KAFS(3) NetBSD Programmer's Manual KAFS(3) - -NNAAMMEE - kk__hhaassaaffss, kk__ppiiooccttll, kk__uunnlloogg, kk__sseettppaagg, kk__aaffss__cceellll__ooff__ffiillee, kkrrbb__aaffsslloogg, - kkrrbb__aaffsslloogg__uuiidd - AFS library - -LLIIBBRRAARRYY - AFS cache manager access library (libkafs, -lkafs) - -SSYYNNOOPPSSIISS - ##iinncclluuddee <> - - _i_n_t - kk__aaffss__cceellll__ooff__ffiillee(_c_o_n_s_t _c_h_a_r _*_p_a_t_h, _c_h_a_r _*_c_e_l_l, _i_n_t _l_e_n); - - _i_n_t - kk__hhaassaaffss(); - - _i_n_t - kk__ppiiooccttll(_c_h_a_r _*_a___p_a_t_h, _i_n_t _o___o_p_c_o_d_e, _s_t_r_u_c_t _V_i_c_e_I_o_c_t_l _*_a___p_a_r_a_m_s_P, - _i_n_t _a___f_o_l_l_o_w_S_y_m_l_i_n_k_s); - - _i_n_t - kk__sseettppaagg(); - - _i_n_t - kk__uunnlloogg(); - - _i_n_t - kkrrbb__aaffsslloogg(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m); - - _i_n_t - kkrrbb__aaffsslloogg__uuiidd(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m, _u_i_d___t _u_i_d); - -DDEESSCCRRIIPPTTIIOONN - kk__hhaassaaffss() initializes some library internal structures, and tests for - the presence of AFS in the kernel, none of the other functions should be - called before kk__hhaassaaffss() is called, or if it fails. - - kkrrbb__aaffsslloogg(), and kkrrbb__aaffsslloogg__uuiidd() obtains new tokens (and possibly tick- - ets) for the specified _c_e_l_l and _r_e_a_l_m. If _c_e_l_l is NULL, the local cell - is used. If _r_e_a_l_m is NULL, the function tries to guess what realm to use. - Unless you have some good knowledge of what cell or realm to use, you - should pass NULL. kkrrbb__aaffsslloogg() will use the real user-id for the ViceId - field in the token, kkrrbb__aaffsslloogg__uuiidd() will use _u_i_d. - - kk__aaffss__cceellll__ooff__ffiillee() will in _c_e_l_l return the cell of a specified file, no - more than _l_e_n characters is put in _c_e_l_l. - - kk__ppiiooccttll() does a ppiiooccttll() syscall with the specified arguments. This - function is equivalent to llppiiooccttll(). 
- - kk__sseettppaagg() initializes a new PAG. - - kk__uunnlloogg() removes destroys all tokens in the current PAG. - -RREETTUURRNN VVAALLUUEESS - kk__hhaassaaffss() returns 1 if AFS is present in the kernel, 0 otherwise. - kkrrbb__aaffsslloogg() and kkrrbb__aaffsslloogg__uuiidd() returns 0 on success, or a kerberos er- - ror number on failure. kk__aaffss__cceellll__ooff__ffiillee(), kk__ppiiooccttll(), kk__sseettppaagg(), and - kk__uunnlloogg() all return the value of the underlaying system call, 0 on suc- - cess. - -EENNVVIIRROONNMMEENNTT - The following environment variable affect the mode of operation of kkaaffss: - - AFS_SYSCALL Normally, kkaaffss will try to figure out the correct system - call(s) that are used by AFS by itself. If it does not man- - age to do that, or does it incorrectly, you can set this - variable to the system call number or list of system call - numbers that should be used. - -EEXXAAMMPPLLEESS - The following code from llooggiinn will obtain a new PAG and tokens for the - local cell and the cell of the users home directory. - - if (k_hasafs()) { - char cell[64]; - k_setpag(); - if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0) - krb_afslog(cell, NULL); - krb_afslog(NULL, NULL); - } - -EERRRROORRSS - If any of these functions (apart from kk__hhaassaaffss()) is called without AFS - beeing present in the kernel, the process will usually (depending on the - operating system) receive a SIGSYS signal. - -SSEEEE AALLSSOO - Transarc Corporation, "File Server/Cache Manager Interface", _A_F_S_-_3 - _P_r_o_g_r_a_m_m_e_r_'_s _R_e_f_e_r_e_n_c_e, 1991. - -BBUUGGSS - AFS_SYSCALL has no effect under AIX. - - KTH-KRB May 7, 1997 2 diff --git a/crypto/heimdal/lib/krb5/Makefile b/crypto/heimdal/lib/krb5/Makefile deleted file mode 100644 index 3bdc8a72c013..000000000000 --- a/crypto/heimdal/lib/krb5/Makefile +++ /dev/null 
@@ -1,1141 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/krb5/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.145 2002/08/29 04:02:24 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I../com_err -I$(srcdir)/../com_err - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - 
-NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = verify_krb5_conf - -noinst_PROGRAMS = dump_config test_get_addrs krbhst-test - -TESTS = \ - n-fold-test \ - string-to-key-test \ - derived-key-test \ - store-test \ - parse-name-test - - -check_PROGRAMS = $(TESTS) - -LDADD = libkrb5.la \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - - -libkrb5_la_LIBADD = \ - ../com_err/error.lo ../com_err/com_err.lo \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - - -lib_LTLIBRARIES = libkrb5.la - -ERR_FILES = krb5_err.c heim_err.c k524_err.c - -libkrb5_la_SOURCES = \ - acl.c \ - add_et_list.c \ - addr_families.c \ - aname_to_localname.c \ - appdefault.c \ - asn1_glue.c \ - auth_context.c \ - build_ap_req.c \ - build_auth.c \ - cache.c \ - changepw.c \ - codec.c \ - config_file.c \ - config_file_netinfo.c \ - convert_creds.c \ - constants.c \ - context.c \ - copy_host_realm.c \ - crc.c \ - creds.c \ - crypto.c \ - data.c \ - eai_to_heim_errno.c \ - error_string.c \ - expand_hostname.c \ - fcache.c \ - free.c \ - free_host_realm.c \ - generate_seq_number.c \ - generate_subkey.c \ - get_addrs.c \ - get_cred.c \ - get_default_principal.c \ - get_default_realm.c \ - get_for_creds.c \ - get_host_realm.c \ - get_in_tkt.c \ - get_in_tkt_pw.c \ - get_in_tkt_with_keytab.c \ - get_in_tkt_with_skey.c \ - get_port.c \ - init_creds.c \ - init_creds_pw.c \ - keyblock.c \ - keytab.c \ - keytab_any.c \ - keytab_file.c \ - keytab_memory.c \ - keytab_keyfile.c \ - keytab_krb4.c \ - krbhst.c \ - kuserok.c \ - log.c \ - mcache.c \ - misc.c \ - mk_error.c \ - mk_priv.c \ - mk_rep.c \ - mk_req.c \ - mk_req_ext.c \ - mk_safe.c \ - net_read.c \ - net_write.c \ - n-fold.c \ - padata.c \ - 
principal.c \ - prog_setup.c \ - prompter_posix.c \ - rd_cred.c \ - rd_error.c \ - rd_priv.c \ - rd_rep.c \ - rd_req.c \ - rd_safe.c \ - read_message.c \ - recvauth.c \ - replay.c \ - send_to_kdc.c \ - sendauth.c \ - set_default_realm.c \ - sock_principal.c \ - store.c \ - store-int.h \ - store_emem.c \ - store_fd.c \ - store_mem.c \ - ticket.c \ - time.c \ - transited.c \ - verify_init.c \ - verify_user.c \ - version.c \ - warn.c \ - write_message.c \ - $(ERR_FILES) - - -libkrb5_la_LDFLAGS = -version-info 18:3:1 - - -#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo -man_MANS = \ - kerberos.8 \ - krb5.3 \ - krb5.conf.5 \ - krb5_425_conv_principal.3 \ - krb5_appdefault.3 \ - krb5_auth_context.3 \ - krb5_build_principal.3 \ - krb5_config.3 \ - krb5_context.3 \ - krb5_create_checksum.3 \ - krb5_crypto_init.3 \ - krb5_encrypt.3 \ - krb5_free_addresses.3 \ - krb5_free_principal.3 \ - krb5_get_all_client_addrs.3 \ - krb5_get_krbhst.3 \ - krb5_init_context.3 \ - krb5_keytab.3 \ - krb5_krbhst_init.3 \ - krb5_openlog.3 \ - krb5_parse_name.3 \ - krb5_principal_get_realm.3 \ - krb5_sname_to_principal.3 \ - krb5_timeofday.3 \ - krb5_unparse_name.3 \ - krb5_verify_user.3 \ - krb5_warn.3 \ - verify_krb5_conf.8 - - -include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524_err.h - -CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h -subdir = lib/krb5 -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libkrb5_la_DEPENDENCIES = ../com_err/error.lo ../com_err/com_err.lo \ - $(top_builddir)/lib/asn1/libasn1.la -am__objects_1 = krb5_err.lo heim_err.lo k524_err.lo -am_libkrb5_la_OBJECTS = acl.lo add_et_list.lo addr_families.lo \ - aname_to_localname.lo appdefault.lo asn1_glue.lo \ - auth_context.lo build_ap_req.lo build_auth.lo cache.lo \ - changepw.lo codec.lo config_file.lo config_file_netinfo.lo \ - 
convert_creds.lo constants.lo context.lo copy_host_realm.lo \ - crc.lo creds.lo crypto.lo data.lo eai_to_heim_errno.lo \ - error_string.lo expand_hostname.lo fcache.lo free.lo \ - free_host_realm.lo generate_seq_number.lo generate_subkey.lo \ - get_addrs.lo get_cred.lo get_default_principal.lo \ - get_default_realm.lo get_for_creds.lo get_host_realm.lo \ - get_in_tkt.lo get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \ - get_in_tkt_with_skey.lo get_port.lo init_creds.lo \ - init_creds_pw.lo keyblock.lo keytab.lo keytab_any.lo \ - keytab_file.lo keytab_memory.lo keytab_keyfile.lo \ - keytab_krb4.lo krbhst.lo kuserok.lo log.lo mcache.lo misc.lo \ - mk_error.lo mk_priv.lo mk_rep.lo mk_req.lo mk_req_ext.lo \ - mk_safe.lo net_read.lo net_write.lo n-fold.lo padata.lo \ - principal.lo prog_setup.lo prompter_posix.lo rd_cred.lo \ - rd_error.lo rd_priv.lo rd_rep.lo rd_req.lo rd_safe.lo \ - read_message.lo recvauth.lo replay.lo send_to_kdc.lo \ - sendauth.lo set_default_realm.lo sock_principal.lo store.lo \ - store_emem.lo store_fd.lo store_mem.lo ticket.lo time.lo \ - transited.lo verify_init.lo verify_user.lo version.lo warn.lo \ - write_message.lo $(am__objects_1) -libkrb5_la_OBJECTS = $(am_libkrb5_la_OBJECTS) -bin_PROGRAMS = verify_krb5_conf$(EXEEXT) -check_PROGRAMS = n-fold-test$(EXEEXT) string-to-key-test$(EXEEXT) \ - derived-key-test$(EXEEXT) store-test$(EXEEXT) \ - parse-name-test$(EXEEXT) -noinst_PROGRAMS = dump_config$(EXEEXT) test_get_addrs$(EXEEXT) \ - krbhst-test$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) - -derived_key_test_SOURCES = derived-key-test.c -derived_key_test_OBJECTS = derived-key-test.$(OBJEXT) -derived_key_test_LDADD = $(LDADD) -derived_key_test_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -derived_key_test_LDFLAGS = -dump_config_SOURCES = dump_config.c -dump_config_OBJECTS = dump_config.$(OBJEXT) -dump_config_LDADD = $(LDADD) -dump_config_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la 
-dump_config_LDFLAGS = -krbhst_test_SOURCES = krbhst-test.c -krbhst_test_OBJECTS = krbhst-test.$(OBJEXT) -krbhst_test_LDADD = $(LDADD) -krbhst_test_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -krbhst_test_LDFLAGS = -n_fold_test_SOURCES = n-fold-test.c -n_fold_test_OBJECTS = n-fold-test.$(OBJEXT) -n_fold_test_LDADD = $(LDADD) -n_fold_test_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -n_fold_test_LDFLAGS = -parse_name_test_SOURCES = parse-name-test.c -parse_name_test_OBJECTS = parse-name-test.$(OBJEXT) -parse_name_test_LDADD = $(LDADD) -parse_name_test_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -parse_name_test_LDFLAGS = -store_test_SOURCES = store-test.c -store_test_OBJECTS = store-test.$(OBJEXT) -store_test_LDADD = $(LDADD) -store_test_DEPENDENCIES = libkrb5.la $(top_builddir)/lib/asn1/libasn1.la -store_test_LDFLAGS = -string_to_key_test_SOURCES = string-to-key-test.c -string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT) -string_to_key_test_LDADD = $(LDADD) -string_to_key_test_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -string_to_key_test_LDFLAGS = -test_get_addrs_SOURCES = test_get_addrs.c -test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT) -test_get_addrs_LDADD = $(LDADD) -test_get_addrs_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -test_get_addrs_LDFLAGS = -verify_krb5_conf_SOURCES = verify_krb5_conf.c -verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT) -verify_krb5_conf_LDADD = $(LDADD) -verify_krb5_conf_DEPENDENCIES = libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -verify_krb5_conf_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libkrb5_la_SOURCES) derived-key-test.c dump_config.c \ - krbhst-test.c n-fold-test.c parse-name-test.c store-test.c \ - string-to-key-test.c test_get_addrs.c verify_krb5_conf.c -MANS = $(man_MANS) -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) Makefile.am Makefile.in -SOURCES = $(libkrb5_la_SOURCES) derived-key-test.c dump_config.c krbhst-test.c n-fold-test.c parse-name-test.c store-test.c string-to-key-test.c test_get_addrs.c verify_krb5_conf.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/krb5/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - 
@list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkrb5_la_LDFLAGS) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo 
" rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -derived-key-test$(EXEEXT): $(derived_key_test_OBJECTS) $(derived_key_test_DEPENDENCIES) - @rm -f derived-key-test$(EXEEXT) - $(LINK) $(derived_key_test_LDFLAGS) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS) -dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES) - @rm -f dump_config$(EXEEXT) - $(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS) -krbhst-test$(EXEEXT): $(krbhst_test_OBJECTS) $(krbhst_test_DEPENDENCIES) - @rm -f krbhst-test$(EXEEXT) - $(LINK) $(krbhst_test_LDFLAGS) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS) -n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES) - @rm -f n-fold-test$(EXEEXT) - $(LINK) $(n_fold_test_LDFLAGS) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS) -parse-name-test$(EXEEXT): $(parse_name_test_OBJECTS) $(parse_name_test_DEPENDENCIES) - @rm -f parse-name-test$(EXEEXT) - $(LINK) $(parse_name_test_LDFLAGS) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS) -store-test$(EXEEXT): $(store_test_OBJECTS) $(store_test_DEPENDENCIES) - @rm -f store-test$(EXEEXT) - $(LINK) $(store_test_LDFLAGS) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS) -string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES) - @rm -f string-to-key-test$(EXEEXT) - $(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS) -test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES) - @rm -f test_get_addrs$(EXEEXT) - $(LINK) $(test_get_addrs_LDFLAGS) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS) -verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) - @rm -f verify_krb5_conf$(EXEEXT) - $(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f 
*.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man3dir = $(mandir)/man3 -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man3dir) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \ - rm -f $(DESTDIR)$(man3dir)/$$inst; \ - done - -man5dir = $(mandir)/man5 -install-man5: $(man5_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man5dir) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) 
list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \ - done -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \ - rm -f $(DESTDIR)$(man5dir)/$$inst; \ - done - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; 
\ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) 
$(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH - -check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; \ - srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ - if test -n "$$list"; then \ - for tst in $$list; do \ - if test -f ./$$tst; then dir=./; \ - elif test -f $$tst; then dir=; \ - else dir="$(srcdir)/"; fi; \ - if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xpass=`expr $$xpass + 1`; \ - failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ - ;; \ - *) \ - echo "PASS: $$tst"; \ - ;; \ - esac; \ - elif test $$? -ne 77; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ - ;; \ - *) \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - ;; \ - esac; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ - fi; \ - else \ - if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ - else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ - fi; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - else :; fi -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local -install-binPROGRAMS: install-libLTLIBRARIES - - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) $(DESTDIR)$(man3dir) $(DESTDIR)$(man5dir) $(DESTDIR)$(man8dir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS install-man - -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 install-man5 install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man - -uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-TESTS check-am \ - check-local clean clean-binPROGRAMS clean-checkPROGRAMS \ - clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-data-local install-exec \ - install-exec-am install-includeHEADERS install-info \ - install-info-am install-libLTLIBRARIES install-man install-man3 \ - install-man5 install-man8 install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \ - uninstall-man3 uninstall-man5 
uninstall-man8 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - 
bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h - -$(srcdir)/krb5-protos.h: $(ERR_FILES) - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h - -$(srcdir)/krb5-private.h: $(ERR_FILES) - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h - -$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h k524_err.h - -# to help stupid solaris make - -krb5_err.h: krb5_err.et - -heim_err.h: heim_err.et - -k524_err.h: k524_err.et -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/krb5/address.c b/crypto/heimdal/lib/krb5/address.c deleted file mode 100644 index 5dc756ae4122..000000000000 --- a/crypto/heimdal/lib/krb5/address.c +++ /dev/null 
@@ -1,203 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: address.c,v 1.15 2001/05/14 06:14:44 assar Exp $");
-
-#if 0
-/* This is the supposedly MIT-api version */
-
-krb5_boolean
-krb5_address_search(krb5_context context,
- const krb5_address *addr,
- krb5_address *const *addrlist)
-{
- krb5_address *a;
-
- while((a = *addrlist++))
- if (krb5_address_compare (context, addr, a))
- return TRUE;
- return FALSE;
-}
-#endif
-
-krb5_boolean
-krb5_address_search(krb5_context context,
- const krb5_address *addr,
- const krb5_addresses *addrlist)
-{
- int i;
-
- for (i = 0; i < addrlist->len; ++i)
- if (krb5_address_compare (context, addr, &addrlist->val[i]))
- return TRUE;
- return FALSE;
-}
-
-int
-krb5_address_order(krb5_context context,
- const krb5_address *addr1,
- const krb5_address *addr2)
-{
- return (addr1->addr_type - addr2->addr_type)
- || memcmp (addr1->address.data,
- addr2->address.data,
- addr1->address.length);
-}
-
-krb5_boolean
-krb5_address_compare(krb5_context context,
- const krb5_address *addr1,
- const krb5_address *addr2)
-{
- return krb5_address_order (context, addr1, addr2) == 0;
-}
-
-krb5_error_code
-krb5_copy_address(krb5_context context,
- const krb5_address *inaddr,
- krb5_address *outaddr)
-{
- copy_HostAddress(inaddr, outaddr);
- return 0;
-}
-
-krb5_error_code
-krb5_copy_addresses(krb5_context context,
- const krb5_addresses *inaddr,
- krb5_addresses *outaddr)
-{
- copy_HostAddresses(inaddr, outaddr);
- return 0;
-}
-
-krb5_error_code
-krb5_free_address(krb5_context context,
- krb5_address *address)
-{
- krb5_data_free (&address->address);
- return 0;
-}
-
-krb5_error_code
-krb5_free_addresses(krb5_context context,
- krb5_addresses *addresses)
-{
- free_HostAddresses(addresses);
- return 0;
-}
-
-krb5_error_code
-krb5_append_addresses(krb5_context context,
- krb5_addresses *dest,
- const krb5_addresses *source)
-{
- krb5_address *tmp;
- krb5_error_code ret;
- int i;
- if(source->len > 0) {
- tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
- if(tmp == NULL) {
- krb5_set_error_string(context, "realloc: out of memory");
- return ENOMEM;
- }
- dest->val = tmp;
- for(i = 0; i < source->len; i++) {
- /* skip duplicates */
- if(krb5_address_search(context, &source->val[i], dest))
- continue;
- ret = krb5_copy_address(context,
- &source->val[i],
- &dest->val[dest->len]);
- if(ret)
- return ret;
- dest->len++;
- }
- }
- return 0;
-}
-
-/*
- * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port)
- */
-
-krb5_error_code
-krb5_make_addrport (krb5_context context,
- krb5_address **res, const krb5_address *addr, int16_t port)
-{
- krb5_error_code ret;
- size_t len = addr->address.length + 2 + 4 * 4;
- u_char *p;
-
- *res = malloc (sizeof(**res));
- if (*res == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- (*res)->addr_type = KRB5_ADDRESS_ADDRPORT;
- ret = krb5_data_alloc (&(*res)->address, len);
- if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
- free (*res);
- return ret;
- }
- p = (*res)->address.data;
- *p++ = 0;
- *p++ = 0;
- *p++ = (addr->addr_type ) & 0xFF;
- *p++ = (addr->addr_type >> 8) & 0xFF;
-
- *p++ = (addr->address.length ) & 0xFF;
- *p++ = (addr->address.length >> 8) & 0xFF;
- *p++ = (addr->address.length >> 16) & 0xFF;
- *p++ = (addr->address.length >> 24) & 0xFF;
-
- memcpy (p, addr->address.data, addr->address.length);
- p += addr->address.length;
-
- *p++ = 0;
- *p++ = 0;
- *p++ = (KRB5_ADDRESS_IPPORT ) & 0xFF;
- *p++ = (KRB5_ADDRESS_IPPORT >> 8) & 0xFF;
-
- *p++ = (2 ) & 0xFF;
- *p++ = (2 >> 8) & 0xFF;
- *p++ = (2 >> 16) & 0xFF;
- *p++ = (2 >> 24) & 0xFF;
-
- memcpy (p, &port, 2);
- p += 2;
-
- return 0;
-}
diff --git a/crypto/heimdal/lib/otp/ChangeLog b/crypto/heimdal/lib/otp/ChangeLog
deleted file mode 100644
index b9d36eff6d6c..000000000000
--- a/crypto/heimdal/lib/otp/ChangeLog
+++ /dev/null
@@ -1,85 +0,0 @@
-2002-05-20 Johan Danielsson
-
- * otp_db.c: fix ndbm test
-
-2002-05-17 Johan Danielsson
-
- * Makefile.am: add hooks for ndbm_wrap
-
- * otp_db.c: use ndbm_wrap
-
-2001-07-12 Assar Westerlund
-
- * Makefile.am: add required library dependencies
-
-2001-01-30 Assar Westerlund
-
- * Makefile.am (libotp_la_LDFLAGS): bump version to 1:2:1
-
-2001-01-29 Assar Westerlund
-
- * otp_md.c: update to new md4/md5/sha API
-
-2000-12-11 Assar Westerlund
-
- * Makefile.am (INCLUDES): add krb4 includes here, which are
- somewhat bogusly used when linking against libdes supplied by krb4
-
-2000-07-25 Johan Danielsson
-
- * Makefile.am: bump version to 1:1:1
-
-2000-07-01 Assar Westerlund
-
- * const-ify
-
-2000-02-07 Assar Westerlund
-
- * Makefile.am: update version to 1:0:1
-
-2000-01-26 Assar Westerlund
-
- * otp_md.c: update to pseudo-standard APIs for md4,md5,sha.
- * otp_md.c: start using the pseudo-standard APIs for the hash
- functions
-
-1999-10-20 Assar Westerlund
-
- * Makefile.am: set version to 0:1:0
-
-Fri Mar 19 14:52:48 1999 Johan Danielsson
-
- * Makefile.am: add version-info
-
-Thu Mar 18 11:24:19 1999 Johan Danielsson
-
- * Makefile.am: include Makefile.am.common
-
-Sat Mar 13 22:27:10 1999 Assar Westerlund
-
- * otp_parse.c: unsigned-ify
-
-Sun Nov 22 10:44:16 1998 Assar Westerlund
-
- * Makefile.in (WFLAGS): set
-
-Mon May 25 05:27:07 1998 Assar Westerlund
-
- * Makefile.in (clean): try to remove shared library debris
-
-Sat May 23 20:54:28 1998 Assar Westerlund
-
- * Makefile.am: link with DBLIB
-
-Sun Apr 19 09:59:46 1998 Assar Westerlund
-
- * Makefile.in: add symlink magic for linux
-
-Sat Feb 7 07:27:18 1998 Assar Westerlund
-
- * otp_db.c (otp_put): make sure we don't overrun `buf'
-
-Sun Nov 9 07:14:59 1997 Assar Westerlund
-
- * otp_locl.h: use xdbm.h
-
diff --git a/crypto/heimdal/lib/otp/Makefile b/crypto/heimdal/lib/otp/Makefile
deleted file mode 100644
index d65608668f69..000000000000
--- a/crypto/heimdal/lib/otp/Makefile
+++ /dev/null
@@ -1,682 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/otp/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.22 2002/08/13 14:02:54 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) $(ROKEN_RENAME) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - 
-#LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -noinst_PROGRAMS = otptest - -check_PROGRAMS = otptest - -otptest_LDADD = libotp.la - -include_HEADERS = otp.h - -lib_LTLIBRARIES = libotp.la -libotp_la_LDFLAGS = -version-info 1:3:1 -libotp_la_LIBADD = $(LIB_des) $(LIB_roken) $(LIB_NDBM) - -#ndbm_wrap = ndbm_wrap.c ndbm_wrap.h -ndbm_wrap = - -libotp_la_SOURCES = \ - otp.c \ - otp_challenge.c \ - otp_db.c \ - otp_md.c \ - otp_parse.c \ - otp_print.c \ - otp_verify.c \ - otp_locl.h \ - otp_md.h \ - roken_rename.h \ - $(ndbm_wrap) \ - $(ROKEN_SRCS) - - -ROKEN_SRCS = snprintf.c strcasecmp.c strncasecmp.c strlwr.c -subdir = lib/otp -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libotp_la_DEPENDENCIES = -#am__objects_1 = ndbm_wrap.lo -am__objects_1 = -am__objects_2 = snprintf.lo strcasecmp.lo \ - strncasecmp.lo strlwr.lo -am_libotp_la_OBJECTS = otp.lo otp_challenge.lo otp_db.lo otp_md.lo \ - otp_parse.lo otp_print.lo otp_verify.lo $(am__objects_1) \ - $(am__objects_2) -libotp_la_OBJECTS = $(am_libotp_la_OBJECTS) -check_PROGRAMS = otptest$(EXEEXT) -noinst_PROGRAMS = otptest$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -otptest_SOURCES = otptest.c -otptest_OBJECTS = otptest.$(OBJEXT) -otptest_DEPENDENCIES = libotp.la -otptest_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libotp_la_SOURCES) otptest.c -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in -SOURCES = $(libotp_la_SOURCES) otptest.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/otp/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f 
$(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libotp.la: $(libotp_la_OBJECTS) $(libotp_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libotp_la_LDFLAGS) $(libotp_la_OBJECTS) $(libotp_la_LIBADD) $(LIBS) - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -otptest$(EXEEXT): $(otptest_OBJECTS) $(otptest_DEPENDENCIES) - @rm -f otptest$(EXEEXT) - $(LINK) $(otptest_LDFLAGS) $(otptest_OBJECTS) $(otptest_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags 
-ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - 
@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(libotp_la_OBJECTS): $(ndbm_wrap) - -ndbm_wrap.c: - $(LN_S) $(srcdir)/../roken/ndbm_wrap.c . -ndbm_wrap.h: - (echo '#define dbm_rename(X) __otp_ ## X'; cat $(srcdir)/../roken/ndbm_wrap.h) > ndbm_wrap.h - -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strcasecmp.c: - $(LN_S) $(srcdir)/../roken/strcasecmp.c . -strncasecmp.c: - $(LN_S) $(srcdir)/../roken/strncasecmp.c . -strlwr.c: - $(LN_S) $(srcdir)/../roken/strlwr.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/otp/Makefile.am b/crypto/heimdal/lib/otp/Makefile.am deleted file mode 100644 index 8e2425158195..000000000000 --- a/crypto/heimdal/lib/otp/Makefile.am +++ /dev/null 
@@ -1,58 +0,0 @@
-# $Id: Makefile.am,v 1.22 2002/08/13 14:02:54 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_des) $(ROKEN_RENAME)
-
-noinst_PROGRAMS = otptest
-
-check_PROGRAMS = otptest
-
-otptest_LDADD = libotp.la
-
-include_HEADERS = otp.h
-
-lib_LTLIBRARIES = libotp.la
-libotp_la_LDFLAGS = -version-info 1:3:1
-libotp_la_LIBADD = $(LIB_des) $(LIB_roken) $(LIB_NDBM)
-
-if HAVE_DB3
-ndbm_wrap = ndbm_wrap.c ndbm_wrap.h
-else
-ndbm_wrap =
-endif
-
-libotp_la_SOURCES = \
- otp.c \
- otp_challenge.c \
- otp_db.c \
- otp_md.c \
- otp_parse.c \
- otp_print.c \
- otp_verify.c \
- otp_locl.h \
- otp_md.h \
- roken_rename.h \
- $(ndbm_wrap) \
- $(ROKEN_SRCS)
-
-if do_roken_rename
-ROKEN_SRCS = snprintf.c strcasecmp.c strncasecmp.c strlwr.c
-endif
-
-$(libotp_la_OBJECTS): $(ndbm_wrap)
-
-ndbm_wrap.c:
- $(LN_S) $(srcdir)/../roken/ndbm_wrap.c .
-ndbm_wrap.h:
- (echo '#define dbm_rename(X) __otp_ ## X'; cat $(srcdir)/../roken/ndbm_wrap.h) > ndbm_wrap.h
-
-
-snprintf.c:
- $(LN_S) $(srcdir)/../roken/snprintf.c .
-strcasecmp.c:
- $(LN_S) $(srcdir)/../roken/strcasecmp.c .
-strncasecmp.c:
- $(LN_S) $(srcdir)/../roken/strncasecmp.c .
-strlwr.c:
- $(LN_S) $(srcdir)/../roken/strlwr.c .
diff --git a/crypto/heimdal/lib/otp/Makefile.in b/crypto/heimdal/lib/otp/Makefile.in
deleted file mode 100644
index 60278b51d92f..000000000000
--- a/crypto/heimdal/lib/otp/Makefile.in
+++ /dev/null
@@ -1,682 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.22 2002/08/13 14:02:54 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = 
@VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ -WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des) $(ROKEN_RENAME) - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ 
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -noinst_PROGRAMS = otptest - -check_PROGRAMS = otptest - -otptest_LDADD = libotp.la - -include_HEADERS = otp.h - -lib_LTLIBRARIES = libotp.la -libotp_la_LDFLAGS = -version-info 1:3:1 -libotp_la_LIBADD = $(LIB_des) $(LIB_roken) $(LIB_NDBM) - -@HAVE_DB3_TRUE@ndbm_wrap = ndbm_wrap.c ndbm_wrap.h -@HAVE_DB3_FALSE@ndbm_wrap = - -libotp_la_SOURCES = \ - otp.c \ - otp_challenge.c \ - otp_db.c \ - otp_md.c \ - otp_parse.c \ - otp_print.c \ - otp_verify.c \ - otp_locl.h \ - otp_md.h \ - roken_rename.h \ - $(ndbm_wrap) \ - $(ROKEN_SRCS) - - -@do_roken_rename_TRUE@ROKEN_SRCS = snprintf.c strcasecmp.c strncasecmp.c strlwr.c -subdir = lib/otp -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libotp_la_DEPENDENCIES = -@HAVE_DB3_TRUE@am__objects_1 = ndbm_wrap.lo -@HAVE_DB3_FALSE@am__objects_1 = -@do_roken_rename_TRUE@am__objects_2 = snprintf.lo strcasecmp.lo \ -@do_roken_rename_TRUE@ strncasecmp.lo strlwr.lo -am_libotp_la_OBJECTS = otp.lo otp_challenge.lo otp_db.lo otp_md.lo \ - otp_parse.lo otp_print.lo otp_verify.lo $(am__objects_1) \ - $(am__objects_2) -libotp_la_OBJECTS = $(am_libotp_la_OBJECTS) -check_PROGRAMS = otptest$(EXEEXT) -noinst_PROGRAMS = otptest$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -otptest_SOURCES = otptest.c -otptest_OBJECTS = otptest.$(OBJEXT) -otptest_DEPENDENCIES = libotp.la -otptest_LDFLAGS = - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = $(libotp_la_SOURCES) otptest.c -HEADERS = $(include_HEADERS) - -DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in -SOURCES = $(libotp_la_SOURCES) otptest.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/otp/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z 
"$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libotp.la: $(libotp_la_OBJECTS) $(libotp_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libotp_la_LDFLAGS) $(libotp_la_OBJECTS) $(libotp_la_LIBADD) $(LIBS) - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -otptest$(EXEEXT): $(otptest_OBJECTS) $(otptest_DEPENDENCIES) - @rm -f otptest$(EXEEXT) - $(LINK) $(otptest_LDFLAGS) $(otptest_OBJECTS) $(otptest_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f 
$(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - 
@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - 
case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(libotp_la_OBJECTS): $(ndbm_wrap) - -ndbm_wrap.c: - $(LN_S) $(srcdir)/../roken/ndbm_wrap.c . -ndbm_wrap.h: - (echo '#define dbm_rename(X) __otp_ ## X'; cat $(srcdir)/../roken/ndbm_wrap.h) > ndbm_wrap.h - -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strcasecmp.c: - $(LN_S) $(srcdir)/../roken/strcasecmp.c . -strncasecmp.c: - $(LN_S) $(srcdir)/../roken/strncasecmp.c . -strlwr.c: - $(LN_S) $(srcdir)/../roken/strlwr.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/otp/otp.c b/crypto/heimdal/lib/otp/otp.c deleted file mode 100644 index 746f3cb53a28..000000000000 --- a/crypto/heimdal/lib/otp/otp.c +++ /dev/null 
@@ -1,63 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp.c,v 1.8 2000/07/12 00:26:43 assar Exp $");
-#endif
-
-#include "otp_locl.h"
-#include "otp_md.h"
-
-static OtpAlgorithm algorithms[] = {
- {OTP_ALG_MD4, "md4", 16, otp_md4_hash, otp_md4_init, otp_md4_next},
- {OTP_ALG_MD5, "md5", 16, otp_md5_hash, otp_md5_init, otp_md5_next},
- {OTP_ALG_SHA, "sha", 20, otp_sha_hash, otp_sha_init, otp_sha_next}
-};
-
-OtpAlgorithm *
-otp_find_alg (char *name)
-{
- int i;
-
- for (i = 0; i < sizeof(algorithms)/sizeof(*algorithms); ++i)
- if (strcmp (name, algorithms[i].name) == 0)
- return &algorithms[i];
- return NULL;
-}
-
-char *
-otp_error (OtpContext *o)
-{
- return o->err;
-}
diff --git a/crypto/heimdal/lib/otp/otp.h b/crypto/heimdal/lib/otp/otp.h
deleted file mode 100644
index e813458f629f..000000000000
--- a/crypto/heimdal/lib/otp/otp.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp.h,v 1.19 2000/07/12 00:26:43 assar Exp $ */
-
-#ifndef _OTP_H
-#define _OTP_H
-
-#include
-#include
-
-enum {OTPKEYSIZE = 8};
-
-typedef unsigned char OtpKey[OTPKEYSIZE];
-
-#define OTP_MIN_PASSPHRASE 10
-#define OTP_MAX_PASSPHRASE 63
-
-#define OTP_USER_TIMEOUT 120
-#define OTP_DB_TIMEOUT 60
-
-#define OTP_HEXPREFIX "hex:"
-#define OTP_WORDPREFIX "word:"
-
-typedef enum { OTP_ALG_MD4, OTP_ALG_MD5, OTP_ALG_SHA } OtpAlgID;
-
-#define OTP_ALG_DEFAULT "md5"
-
-typedef struct {
- OtpAlgID id;
- char *name;
- int hashsize;
- int (*hash)(const char *s, size_t len, unsigned char *res);
- int (*init)(OtpKey key, const char *pwd, const char *seed);
- int (*next)(OtpKey key);
-} OtpAlgorithm;
-
-typedef struct {
- char *user;
- OtpAlgorithm *alg;
- unsigned n;
- char seed[17];
- OtpKey key;
- int challengep;
- time_t lock_time;
- char *err;
-} OtpContext;
-
-OtpAlgorithm *otp_find_alg (char *name);
-void otp_print_stddict (OtpKey key, char *str, size_t sz);
-void otp_print_hex (OtpKey key, char *str, size_t sz);
-void otp_print_stddict_extended (OtpKey key, char *str, size_t sz);
-void otp_print_hex_extended (OtpKey key, char *str, size_t sz);
-unsigned otp_checksum (OtpKey key);
-int otp_parse_hex (OtpKey key, const char *);
-int otp_parse_stddict (OtpKey key, const char *);
-int otp_parse_altdict (OtpKey key, const char *, OtpAlgorithm *);
-int otp_parse (OtpKey key, const char *, OtpAlgorithm *);
-int otp_challenge (OtpContext *ctx, char *user, char *str, size_t len);
-int otp_verify_user (OtpContext *ctx, const char *passwd);
-int otp_verify_user_1 (OtpContext *ctx, const char *passwd);
-char *otp_error (OtpContext *ctx);
-
-void *otp_db_open (void);
-void otp_db_close (void *);
-int otp_put (void *, OtpContext *ctx);
-int otp_get (void *, OtpContext *ctx);
-int otp_simple_get (void *, OtpContext *ctx);
-int otp_delete (void *, OtpContext *ctx);
-
-#endif /* _OTP_H */
diff --git a/crypto/heimdal/lib/otp/otp_challenge.c b/crypto/heimdal/lib/otp/otp_challenge.c
deleted file mode 100644
index 3507c4fe220f..000000000000
--- a/crypto/heimdal/lib/otp/otp_challenge.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_challenge.c,v 1.10 1999/12/02 16:58:44 joda Exp $");
-#endif
-
-#include "otp_locl.h"
-
-int
-otp_challenge (OtpContext *ctx, char *user, char *str, size_t len)
-{
- void *dbm;
- int ret;
-
- ctx->challengep = 0;
- ctx->err = NULL;
- ctx->user = malloc(strlen(user) + 1);
- if (ctx->user == NULL) {
- ctx->err = "Out of memory";
- return -1;
- }
- strcpy(ctx->user, user);
- dbm = otp_db_open ();
- if (dbm == NULL) {
- ctx->err = "Cannot open database";
- return -1;
- }
- ret = otp_get (dbm, ctx);
- otp_db_close (dbm);
- if (ret)
- return ret;
- snprintf (str, len,
- "[ otp-%s %u %s ]",
- ctx->alg->name, ctx->n-1, ctx->seed);
- ctx->challengep = 1;
- return 0;
-}
diff --git a/crypto/heimdal/lib/otp/otp_db.c b/crypto/heimdal/lib/otp/otp_db.c
deleted file mode 100644
index d6f71fe4a6a0..000000000000
--- a/crypto/heimdal/lib/otp/otp_db.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_db.c,v 1.19 2002/05/19 22:11:03 joda Exp $");
-#endif
-
-#include "otp_locl.h"
-
-#if !defined(HAVE_NDBM) && !defined(HAVE_DB_NDBM)
-#include "ndbm_wrap.h"
-#endif
-
-#define RETRIES 5
-
-void *
-otp_db_open (void)
-{
- int lock;
- int i;
- void *ret;
-
- for(i = 0; i < RETRIES; ++i) {
- struct stat statbuf;
-
- lock = open (OTP_DB_LOCK, O_WRONLY | O_CREAT | O_EXCL, 0666);
- if (lock >= 0) {
- close(lock);
- break;
- }
- if (stat (OTP_DB_LOCK, &statbuf) == 0) {
- if (time(NULL) - statbuf.st_mtime > OTP_DB_TIMEOUT)
- unlink (OTP_DB_LOCK);
- else
- sleep (1);
- }
- }
- if (i == RETRIES)
- return NULL;
- ret = dbm_open (OTP_DB, O_RDWR | O_CREAT, 0600);
- if (ret == NULL)
- unlink (OTP_DB_LOCK);
- return ret;
-}
-
-void
-otp_db_close (void *dbm)
-{
- dbm_close ((DBM *)dbm);
- unlink (OTP_DB_LOCK);
-}
-
-/*
- * Remove this entry from the database.
- * return 0 if ok.
- */
-
-int
-otp_delete (void *v, OtpContext *ctx)
-{
- DBM *dbm = (DBM *)v;
- datum key;
-
- key.dsize = strlen(ctx->user);
- key.dptr = ctx->user;
-
- return dbm_delete(dbm, key);
-}
-
-/*
- * Read this entry from the database and lock it if lockp.
- */
-
-static int
-otp_get_internal (void *v, OtpContext *ctx, int lockp)
-{
- DBM *dbm = (DBM *)v;
- datum dat, key;
- char *p;
- time_t now, then;
-
- key.dsize = strlen(ctx->user);
- key.dptr = ctx->user;
-
- dat = dbm_fetch (dbm, key);
- if (dat.dptr == NULL) {
- ctx->err = "Entry not found";
- return -1;
- }
- p = dat.dptr;
-
- memcpy (&then, p, sizeof(then));
- ctx->lock_time = then;
- if (lockp) {
- time(&now);
- if (then && now - then < OTP_USER_TIMEOUT) {
- ctx->err = "Entry locked";
- return -1;
- }
- memcpy (p, &now, sizeof(now));
- }
- p += sizeof(now);
- ctx->alg = otp_find_alg (p);
- if (ctx->alg == NULL) {
- ctx->err = "Bad algorithm";
- return -1;
- }
- p += strlen(p) + 1;
- {
- unsigned char *up = (unsigned char *)p;
- ctx->n = (up[0] << 24) | (up[1] << 16) | (up[2] << 8) | up[3];
- }
- p += 4;
- memcpy (ctx->key, p, OTPKEYSIZE);
- p += OTPKEYSIZE;
- strlcpy (ctx->seed, p, sizeof(ctx->seed));
- if (lockp)
- return dbm_store (dbm, key, dat, DBM_REPLACE);
- else
- return 0;
-}
-
-/*
- * Get and lock.
- */
-
-int
-otp_get (void *v, OtpContext *ctx)
-{
- return otp_get_internal (v, ctx, 1);
-}
-
-/*
- * Get and don't lock.
- */
-
-int
-otp_simple_get (void *v, OtpContext *ctx)
-{
- return otp_get_internal (v, ctx, 0);
-}
-
-/*
- * Write this entry to the database.
- */
-
-int
-otp_put (void *v, OtpContext *ctx)
-{
- DBM *dbm = (DBM *)v;
- datum dat, key;
- char buf[1024], *p;
- time_t zero = 0;
- size_t len, rem;
-
- key.dsize = strlen(ctx->user);
- key.dptr = ctx->user;
-
- p = buf;
- rem = sizeof(buf);
-
- if (rem < sizeof(zero))
- return -1;
- memcpy (p, &zero, sizeof(zero));
- p += sizeof(zero);
- rem -= sizeof(zero);
- len = strlen(ctx->alg->name) + 1;
-
- if (rem < len)
- return -1;
- strcpy (p, ctx->alg->name);
- p += len;
- rem -= len;
-
- if (rem < 4)
- return -1;
- {
- unsigned char *up = (unsigned char *)p;
- *up++ = (ctx->n >> 24) & 0xFF;
- *up++ = (ctx->n >> 16) & 0xFF;
- *up++ = (ctx->n >> 8) & 0xFF;
- *up++ = (ctx->n >> 0) & 0xFF;
- }
- p += 4;
- rem -= 4;
-
- if (rem < OTPKEYSIZE)
- return -1;
- memcpy (p, ctx->key, OTPKEYSIZE);
- p += OTPKEYSIZE;
- rem -= OTPKEYSIZE;
-
- len = strlen(ctx->seed) + 1;
- if (rem < len)
- return -1;
- strcpy (p, ctx->seed);
- p += len;
- rem -= len;
- dat.dptr = buf;
- dat.dsize = p - buf;
- return dbm_store (dbm, key, dat, DBM_REPLACE);
-}
diff --git a/crypto/heimdal/lib/otp/otp_locl.h b/crypto/heimdal/lib/otp/otp_locl.h
deleted file mode 100644
index 18c92845665c..000000000000
--- a/crypto/heimdal/lib/otp/otp_locl.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp_locl.h,v 1.12 2002/08/12 15:09:20 joda Exp $ */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include
-#endif
-#ifdef HAVE_PWD_H
-#include
-#endif
-#ifdef HAVE_FCNTL_H
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef HAVE_IO_H
-#include
-#endif
-
-#include
-
-#include
-
-#include
-
-#define OTPKEYS "/.otpkeys"
-
-#define OTP_DB SYSCONFDIR "/otp"
-#define OTP_DB_LOCK SYSCONFDIR "/otp-lock"
diff --git a/crypto/heimdal/lib/otp/otp_md.c b/crypto/heimdal/lib/otp/otp_md.c
deleted file mode 100644
index 3b491bda3635..000000000000
--- a/crypto/heimdal/lib/otp/otp_md.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_md.c,v 1.15 2001/08/22 20:30:32 assar Exp $");
-#endif
-#include "otp_locl.h"
-
-#include "otp_md.h"
-#ifdef HAVE_OPENSSL
-#include
-#include
-#include
-#else
-#include
-#include
-#include
-#endif
-
-/*
- * Compress len bytes from md into key
- */
-
-static void
-compressmd (OtpKey key, unsigned char *md, size_t len)
-{
- u_char *p = key;
-
- memset (p, 0, OTPKEYSIZE);
- while(len) {
- *p++ ^= *md++;
- *p++ ^= *md++;
- *p++ ^= *md++;
- *p++ ^= *md++;
- len -= 4;
- if (p == key + OTPKEYSIZE)
- p = key;
- }
-}
-
-static int
-otp_md_init (OtpKey key,
- const char *pwd,
- const char *seed,
- void (*init)(void *),
- void (*update)(void *, const void *, size_t),
- void (*final)(void *, void *),
- void *arg,
- unsigned char *res,
- size_t ressz)
-{
- char *p;
- int len;
-
- len = strlen(pwd) + strlen(seed);
- p = malloc (len + 1);
- if (p == NULL)
- return -1;
- strcpy (p, seed);
- strlwr (p);
- strcat (p, pwd);
- (*init)(arg);
- (*update)(arg, p, len);
- (*final)(res, arg);
- free (p);
- compressmd (key, res, ressz);
- return 0;
-}
-
-static int
-otp_md_next (OtpKey key,
- void (*init)(void *),
- void (*update)(void *, const void *, size_t),
- void (*final)(void *, void *),
- void *arg,
- unsigned char *res,
- size_t ressz)
-{
- (*init)(arg);
- (*update)(arg, key, OTPKEYSIZE);
- (*final)(res, arg);
- compressmd (key, res, ressz);
- return 0;
-}
-
-static int
-otp_md_hash (const char *data,
- size_t len,
- void (*init)(void *),
- void (*update)(void *, const void *, size_t),
- void (*final)(void *, void *),
- void *arg,
- unsigned char *res,
- size_t ressz)
-{
- (*init)(arg);
- (*update)(arg, data, len);
- (*final)(res, arg);
- return 0;
-}
-
-int
-otp_md4_init (OtpKey key, const char *pwd, const char *seed)
-{
- unsigned char res[16];
- MD4_CTX md4;
-
- return otp_md_init (key, pwd, seed,
- (void (*)(void *))MD4_Init,
- (void (*)(void *, const void *, size_t))MD4_Update,
- (void (*)(void *, void *))MD4_Final,
- &md4, res, sizeof(res));
-}
-
-int
-otp_md4_hash (const char *data,
- size_t len,
- unsigned char *res)
-{
- MD4_CTX md4;
-
- return otp_md_hash (data, len,
- (void (*)(void *))MD4_Init,
- (void (*)(void *, const void *, size_t))MD4_Update,
- (void (*)(void *, void *))MD4_Final,
- &md4, res, 16);
-}
-
-int
-otp_md4_next (OtpKey key)
-{
- unsigned char res[16];
- MD4_CTX md4;
-
- return otp_md_next (key,
- (void (*)(void *))MD4_Init,
- (void (*)(void *, const void *, size_t))MD4_Update,
- (void (*)(void *, void *))MD4_Final,
- &md4, res, sizeof(res));
-}
-
-
-int
-otp_md5_init (OtpKey key, const char *pwd, const char *seed)
-{
- unsigned char res[16];
- MD5_CTX md5;
-
- return otp_md_init (key, pwd, seed,
- (void (*)(void *))MD5_Init,
- (void (*)(void *, const void *, size_t))MD5_Update,
- (void (*)(void *, void *))MD5_Final,
- &md5, res, sizeof(res));
-}
-
-int
-otp_md5_hash (const char *data,
- size_t len,
- unsigned char *res)
-{
- MD5_CTX md5;
-
- return otp_md_hash (data, len,
- (void (*)(void *))MD5_Init,
- (void (*)(void *, const void *, size_t))MD5_Update,
- (void (*)(void *, void *))MD5_Final,
- &md5, res, 16);
-}
-
-int
-otp_md5_next (OtpKey key)
-{
- unsigned char res[16];
- MD5_CTX md5;
-
- return otp_md_next (key,
- (void (*)(void *))MD5_Init,
- (void (*)(void *, const void *, size_t))MD5_Update,
- (void (*)(void *, void *))MD5_Final,
- &md5, res, sizeof(res));
-}
-
-/*
- * For histerical reasons, in the OTP definition it's said that the
- * result from SHA must be stored in little-endian order. See
- * draft-ietf-otp-01.txt.
- */
-
-static void
-SHA1_Final_little_endian (void *res, SHA_CTX *m)
-{
- unsigned char tmp[20];
- unsigned char *p = res;
- int j;
-
- SHA1_Final (tmp, m);
- for (j = 0; j < 20; j += 4) {
- p[j] = tmp[j+3];
- p[j+1] = tmp[j+2];
- p[j+2] = tmp[j+1];
- p[j+3] = tmp[j];
- }
-}
-
-int
-otp_sha_init (OtpKey key, const char *pwd, const char *seed)
-{
- unsigned char res[20];
- SHA_CTX sha1;
-
- return otp_md_init (key, pwd, seed,
- (void (*)(void *))SHA1_Init,
- (void (*)(void *, const void *, size_t))SHA1_Update,
- (void (*)(void *, void *))SHA1_Final_little_endian,
- &sha1, res, sizeof(res));
-}
-
-int
-otp_sha_hash (const char *data,
- size_t len,
- unsigned char *res)
-{
- SHA_CTX sha1;
-
- return otp_md_hash (data, len,
- (void (*)(void *))SHA1_Init,
- (void (*)(void *, const void *, size_t))SHA1_Update,
- (void (*)(void *, void *))SHA1_Final_little_endian,
- &sha1, res, 20);
-}
-
-int
-otp_sha_next (OtpKey key)
-{
- unsigned char res[20];
- SHA_CTX sha1;
-
- return otp_md_next (key,
- (void (*)(void *))SHA1_Init,
- (void (*)(void *, const void *, size_t))SHA1_Update,
- (void (*)(void *, void *))SHA1_Final_little_endian,
- &sha1, res, sizeof(res));
-}
diff --git a/crypto/heimdal/lib/otp/otp_md.h b/crypto/heimdal/lib/otp/otp_md.h
deleted file mode 100644
index 5732606439ca..000000000000
--- a/crypto/heimdal/lib/otp/otp_md.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: otp_md.h,v 1.7 2000/07/12 00:26:44 assar Exp $ */
-
-int otp_md4_init (OtpKey key, const char *pwd, const char *seed);
-int otp_md4_hash (const char *, size_t, unsigned char *res);
-int otp_md4_next (OtpKey key);
-
-int otp_md5_init (OtpKey key, const char *pwd, const char *seed);
-int otp_md5_hash (const char *, size_t, unsigned char *res);
-int otp_md5_next (OtpKey key);
-
-int otp_sha_init (OtpKey key, const char *pwd, const char *seed);
-int otp_sha_hash (const char *, size_t, unsigned char *res);
-int otp_sha_next (OtpKey key);
diff --git a/crypto/heimdal/lib/otp/otp_parse.c b/crypto/heimdal/lib/otp/otp_parse.c
deleted file mode 100644
index cc69de50051b..000000000000
--- a/crypto/heimdal/lib/otp/otp_parse.c
+++ /dev/null
@@ -1,2515 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -RCSID("$Id: otp_parse.c,v 1.20 2000/07/01 13:58:38 assar Exp $"); -#endif - -#include "otp_locl.h" - -struct e { - char *s; - unsigned n; -}; - -extern const struct e inv_std_dict[2048]; - -static int -cmp(const void *a, const void *b) -{ - struct e *e1, *e2; - - e1 = (struct e *)a; - e2 = (struct e *)b; - return strcasecmp (e1->s, e2->s); -} - -static int -get_stdword (const char *s, void *v) -{ - struct e e, *r; - - e.s = (char *)s; - e.n = -1; - r = (struct e *) bsearch (&e, inv_std_dict, - sizeof(inv_std_dict)/sizeof(*inv_std_dict), - sizeof(*inv_std_dict), cmp); - if (r) - return r->n; - else - return -1; -} - -static void -compress (OtpKey key, unsigned wn[]) -{ - key[0] = wn[0] >> 3; - key[1] = ((wn[0] & 0x07) << 5) | (wn[1] >> 6); - key[2] = ((wn[1] & 0x3F) << 2) | (wn[2] >> 9); - key[3] = ((wn[2] >> 1) & 0xFF); - key[4] = ((wn[2] & 0x01) << 7) | (wn[3] >> 4); - key[5] = ((wn[3] & 0x0F) << 4) | (wn[4] >> 7); - key[6] = ((wn[4] & 0x7F) << 1) | (wn[5] >> 10); - key[7] = ((wn[5] >> 2) & 0xFF); -} - -static int -get_altword (const char *s, void *a) -{ - OtpAlgorithm *alg = (OtpAlgorithm *)a; - int ret; - unsigned char *res = malloc(alg->hashsize); - - if (res == NULL) - return -1; - alg->hash (s, strlen(s), res); - ret = (unsigned)(res[alg->hashsize - 1]) | - ((res[alg->hashsize - 2] & 0x03) << 8); - free (res); - return ret; -} - -static int -parse_words(unsigned wn[], - const char *str, - int (*convert)(const char *, void *), - void *arg) -{ - unsigned char *w, *wend, c; - int i; - int tmp; - - w = (unsigned char *)str; - for (i = 0; i < 6; ++i) { - while (isspace(*w)) - ++w; - wend = w; - while (isalpha (*wend)) - ++wend; - c = *wend; - *wend = '\0'; - tmp = (*convert)((char *)w, arg); - *wend = c; - w = wend; - if (tmp < 0) - return -1; - wn[i] = tmp; - } - return 0; -} - -static int -otp_parse_internal (OtpKey key, const char *str, - OtpAlgorithm *alg, - int (*convert)(const char *, void *)) -{ - unsigned 
wn[6]; - - if (parse_words (wn, str, convert, alg)) - return -1; - compress (key, wn); - if (otp_checksum (key) != (wn[5] & 0x03)) - return -1; - return 0; -} - -int -otp_parse_stddict (OtpKey key, const char *str) -{ - return otp_parse_internal (key, str, NULL, get_stdword); -} - -int -otp_parse_altdict (OtpKey key, const char *str, OtpAlgorithm *alg) -{ - return otp_parse_internal (key, str, alg, get_altword); -} - -int -otp_parse_hex (OtpKey key, const char *s) -{ - char buf[17], *b; - int is[8]; - int i; - - b = buf; - while (*s) { - if (strchr ("0123456789ABCDEFabcdef", *s)) { - if (b - buf >= 16) - return -1; - else - *b++ = tolower(*s); - } - s++; - } - *b = '\0'; - if (sscanf (buf, "%2x%2x%2x%2x%2x%2x%2x%2x", - &is[0], &is[1], &is[2], &is[3], &is[4], - &is[5], &is[6], &is[7]) != 8) - return -1; - for (i = 0; i < OTPKEYSIZE; ++i) - key[i] = is[i]; - return 0; -} - -int -otp_parse (OtpKey key, const char *s, OtpAlgorithm *alg) -{ - int ret; - int dohex = 1; - - if (strncmp (s, OTP_HEXPREFIX, strlen(OTP_HEXPREFIX)) == 0) - return otp_parse_hex (key, s + strlen(OTP_HEXPREFIX)); - if (strncmp (s, OTP_WORDPREFIX, strlen(OTP_WORDPREFIX)) == 0) { - s += strlen(OTP_WORDPREFIX); - dohex = 0; - } - - ret = otp_parse_stddict (key, s); - if (ret) - ret = otp_parse_altdict (key, s, alg); - if (ret && dohex) - ret = otp_parse_hex (key, s); - return ret; -} - -const char *const std_dict[2048] = -{ "A", "ABE", "ACE", "ACT", "AD", "ADA", "ADD", -"AGO", "AID", "AIM", "AIR", "ALL", "ALP", "AM", "AMY", -"AN", "ANA", "AND", "ANN", "ANT", "ANY", "APE", "APS", -"APT", "ARC", "ARE", "ARK", "ARM", "ART", "AS", "ASH", -"ASK", "AT", "ATE", "AUG", "AUK", "AVE", "AWE", "AWK", -"AWL", "AWN", "AX", "AYE", "BAD", "BAG", "BAH", "BAM", -"BAN", "BAR", "BAT", "BAY", "BE", "BED", "BEE", "BEG", -"BEN", "BET", "BEY", "BIB", "BID", "BIG", "BIN", "BIT", -"BOB", "BOG", "BON", "BOO", "BOP", "BOW", "BOY", "BUB", -"BUD", "BUG", "BUM", "BUN", "BUS", "BUT", "BUY", "BY", -"BYE", "CAB", "CAL", "CAM", 
"CAN", "CAP", "CAR", "CAT", -"CAW", "COD", "COG", "COL", "CON", "COO", "COP", "COT", -"COW", "COY", "CRY", "CUB", "CUE", "CUP", "CUR", "CUT", -"DAB", "DAD", "DAM", "DAN", "DAR", "DAY", "DEE", "DEL", -"DEN", "DES", "DEW", "DID", "DIE", "DIG", "DIN", "DIP", -"DO", "DOE", "DOG", "DON", "DOT", "DOW", "DRY", "DUB", -"DUD", "DUE", "DUG", "DUN", "EAR", "EAT", "ED", "EEL", -"EGG", "EGO", "ELI", "ELK", "ELM", "ELY", "EM", "END", -"EST", "ETC", "EVA", "EVE", "EWE", "EYE", "FAD", "FAN", -"FAR", "FAT", "FAY", "FED", "FEE", "FEW", "FIB", "FIG", -"FIN", "FIR", "FIT", "FLO", "FLY", "FOE", "FOG", "FOR", -"FRY", "FUM", "FUN", "FUR", "GAB", "GAD", "GAG", "GAL", -"GAM", "GAP", "GAS", "GAY", "GEE", "GEL", "GEM", "GET", -"GIG", "GIL", "GIN", "GO", "GOT", "GUM", "GUN", "GUS", -"GUT", "GUY", "GYM", "GYP", "HA", "HAD", "HAL", "HAM", -"HAN", "HAP", "HAS", "HAT", "HAW", "HAY", "HE", "HEM", -"HEN", "HER", "HEW", "HEY", "HI", "HID", "HIM", "HIP", -"HIS", "HIT", "HO", "HOB", "HOC", "HOE", "HOG", "HOP", -"HOT", "HOW", "HUB", "HUE", "HUG", "HUH", "HUM", "HUT", -"I", "ICY", "IDA", "IF", "IKE", "ILL", "INK", "INN", -"IO", "ION", "IQ", "IRA", "IRE", "IRK", "IS", "IT", -"ITS", "IVY", "JAB", "JAG", "JAM", "JAN", "JAR", "JAW", -"JAY", "JET", "JIG", "JIM", "JO", "JOB", "JOE", "JOG", -"JOT", "JOY", "JUG", "JUT", "KAY", "KEG", "KEN", "KEY", -"KID", "KIM", "KIN", "KIT", "LA", "LAB", "LAC", "LAD", -"LAG", "LAM", "LAP", "LAW", "LAY", "LEA", "LED", "LEE", -"LEG", "LEN", "LEO", "LET", "LEW", "LID", "LIE", "LIN", -"LIP", "LIT", "LO", "LOB", "LOG", "LOP", "LOS", "LOT", -"LOU", "LOW", "LOY", "LUG", "LYE", "MA", "MAC", "MAD", -"MAE", "MAN", "MAO", "MAP", "MAT", "MAW", "MAY", "ME", -"MEG", "MEL", "MEN", "MET", "MEW", "MID", "MIN", "MIT", -"MOB", "MOD", "MOE", "MOO", "MOP", "MOS", "MOT", "MOW", -"MUD", "MUG", "MUM", "MY", "NAB", "NAG", "NAN", "NAP", -"NAT", "NAY", "NE", "NED", "NEE", "NET", "NEW", "NIB", -"NIIL", "NIP", "NIT", "NO", "NOB", "NOD", "NON", "NOR", -"NOT", "NOV", "NOW", "NU", "NUN", "NUT", "O", "OAF", 
-"OAK", "OAR", "OAT", "ODD", "ODE", "OF", "OFF", "OFT", -"OH", "OIL", "OK", "OLD", "ON", "ONE", "OR", "ORB", -"ORE", "ORR", "OS", "OTT", "OUR", "OUT", "OVA", "OW", -"OWE", "OWL", "OWN", "OX", "PA", "PAD", "PAL", "PAM", -"PAN", "PAP", "PAR", "PAT", "PAW", "PAY", "PEA", "PEG", -"PEN", "PEP", "PER", "PET", "PEW", "PHI", "PI", "PIE", -"PIN", "PIT", "PLY", "PO", "POD", "POE", "POP", "POT", -"POW", "PRO", "PRY", "PUB", "PUG", "PUN", "PUP", "PUT", -"QUO", "RAG", "RAM", "RAN", "RAP", "RAT", "RAW", "RAY", -"REB", "RED", "REP", "RET", "RIB", "RID", "RIG", "RIM", -"RIO", "RIP", "ROB", "ROD", "ROE", "RON", "ROT", "ROW", -"ROY", "RUB", "RUE", "RUG", "RUM", "RUN", "RYE", "SAC", -"SAD", "SAG", "SAL", "SAM", "SAN", "SAP", "SAT", "SAW", -"SAY", "SEA", "SEC", "SEE", "SEN", "SET", "SEW", "SHE", -"SHY", "SIN", "SIP", "SIR", "SIS", "SIT", "SKI", "SKY", -"SLY", "SO", "SOB", "SOD", "SON", "SOP", "SOW", "SOY", -"SPA", "SPY", "SUB", "SUD", "SUE", "SUM", "SUN", "SUP", -"TAB", "TAD", "TAG", "TAN", "TAP", "TAR", "TEA", "TED", -"TEE", "TEN", "THE", "THY", "TIC", "TIE", "TIM", "TIN", -"TIP", "TO", "TOE", "TOG", "TOM", "TON", "TOO", "TOP", -"TOW", "TOY", "TRY", "TUB", "TUG", "TUM", "TUN", "TWO", -"UN", "UP", "US", "USE", "VAN", "VAT", "VET", "VIE", -"WAD", "WAG", "WAR", "WAS", "WAY", "WE", "WEB", "WED", -"WEE", "WET", "WHO", "WHY", "WIN", "WIT", "WOK", "WON", -"WOO", "WOW", "WRY", "WU", "YAM", "YAP", "YAW", "YE", -"YEA", "YES", "YET", "YOU", "ABED", "ABEL", "ABET", "ABLE", -"ABUT", "ACHE", "ACID", "ACME", "ACRE", "ACTA", "ACTS", "ADAM", -"ADDS", "ADEN", "AFAR", "AFRO", "AGEE", "AHEM", "AHOY", "AIDA", -"AIDE", "AIDS", "AIRY", "AJAR", "AKIN", "ALAN", "ALEC", "ALGA", -"ALIA", "ALLY", "ALMA", "ALOE", "ALSO", "ALTO", "ALUM", "ALVA", -"AMEN", "AMES", "AMID", "AMMO", "AMOK", "AMOS", "AMRA", "ANDY", -"ANEW", "ANNA", "ANNE", "ANTE", "ANTI", "AQUA", "ARAB", "ARCH", -"AREA", "ARGO", "ARID", "ARMY", "ARTS", "ARTY", "ASIA", "ASKS", -"ATOM", "AUNT", "AURA", "AUTO", "AVER", "AVID", "AVIS", "AVON", -"AVOW", 
"AWAY", "AWRY", "BABE", "BABY", "BACH", "BACK", "BADE", -"BAIL", "BAIT", "BAKE", "BALD", "BALE", "BALI", "BALK", "BALL", -"BALM", "BAND", "BANE", "BANG", "BANK", "BARB", "BARD", "BARE", -"BARK", "BARN", "BARR", "BASE", "BASH", "BASK", "BASS", "BATE", -"BATH", "BAWD", "BAWL", "BEAD", "BEAK", "BEAM", "BEAN", "BEAR", -"BEAT", "BEAU", "BECK", "BEEF", "BEEN", "BEER", "BEET", "BELA", -"BELL", "BELT", "BEND", "BENT", "BERG", "BERN", "BERT", "BESS", -"BEST", "BETA", "BETH", "BHOY", "BIAS", "BIDE", "BIEN", "BILE", -"BILK", "BILL", "BIND", "BING", "BIRD", "BITE", "BITS", "BLAB", -"BLAT", "BLED", "BLEW", "BLOB", "BLOC", "BLOT", "BLOW", "BLUE", -"BLUM", "BLUR", "BOAR", "BOAT", "BOCA", "BOCK", "BODE", "BODY", -"BOGY", "BOHR", "BOIL", "BOLD", "BOLO", "BOLT", "BOMB", "BONA", -"BOND", "BONE", "BONG", "BONN", "BONY", "BOOK", "BOOM", "BOON", -"BOOT", "BORE", "BORG", "BORN", "BOSE", "BOSS", "BOTH", "BOUT", -"BOWL", "BOYD", "BRAD", "BRAE", "BRAG", "BRAN", "BRAY", "BRED", -"BREW", "BRIG", "BRIM", "BROW", "BUCK", "BUDD", "BUFF", "BULB", -"BULK", "BULL", "BUNK", "BUNT", "BUOY", "BURG", "BURL", "BURN", -"BURR", "BURT", "BURY", "BUSH", "BUSS", "BUST", "BUSY", "BYTE", -"CADY", "CAFE", "CAGE", "CAIN", "CAKE", "CALF", "CALL", "CALM", -"CAME", "CANE", "CANT", "CARD", "CARE", "CARL", "CARR", "CART", -"CASE", "CASH", "CASK", "CAST", "CAVE", "CEIL", "CELL", "CENT", -"CERN", "CHAD", "CHAR", "CHAT", "CHAW", "CHEF", "CHEN", "CHEW", -"CHIC", "CHIN", "CHOU", "CHOW", "CHUB", "CHUG", "CHUM", "CITE", -"CITY", "CLAD", "CLAM", "CLAN", "CLAW", "CLAY", "CLOD", "CLOG", -"CLOT", "CLUB", "CLUE", "COAL", "COAT", "COCA", "COCK", "COCO", -"CODA", "CODE", "CODY", "COED", "COIL", "COIN", "COKE", "COLA", -"COLD", "COLT", "COMA", "COMB", "COME", "COOK", "COOL", "COON", -"COOT", "CORD", "CORE", "CORK", "CORN", "COST", "COVE", "COWL", -"CRAB", "CRAG", "CRAM", "CRAY", "CREW", "CRIB", "CROW", "CRUD", -"CUBA", "CUBE", "CUFF", "CULL", "CULT", "CUNY", "CURB", "CURD", -"CURE", "CURL", "CURT", "CUTS", "DADE", "DALE", "DAME", 
"DANA", -"DANE", "DANG", "DANK", "DARE", "DARK", "DARN", "DART", "DASH", -"DATA", "DATE", "DAVE", "DAVY", "DAWN", "DAYS", "DEAD", "DEAF", -"DEAL", "DEAN", "DEAR", "DEBT", "DECK", "DEED", "DEEM", "DEER", -"DEFT", "DEFY", "DELL", "DENT", "DENY", "DESK", "DIAL", "DICE", -"DIED", "DIET", "DIME", "DINE", "DING", "DINT", "DIRE", "DIRT", -"DISC", "DISH", "DISK", "DIVE", "DOCK", "DOES", "DOLE", "DOLL", -"DOLT", "DOME", "DONE", "DOOM", "DOOR", "DORA", "DOSE", "DOTE", -"DOUG", "DOUR", "DOVE", "DOWN", "DRAB", "DRAG", "DRAM", "DRAW", -"DREW", "DRUB", "DRUG", "DRUM", "DUAL", "DUCK", "DUCT", "DUEL", -"DUET", "DUKE", "DULL", "DUMB", "DUNE", "DUNK", "DUSK", "DUST", -"DUTY", "EACH", "EARL", "EARN", "EASE", "EAST", "EASY", "EBEN", -"ECHO", "EDDY", "EDEN", "EDGE", "EDGY", "EDIT", "EDNA", "EGAN", -"ELAN", "ELBA", "ELLA", "ELSE", "EMIL", "EMIT", "EMMA", "ENDS", -"ERIC", "EROS", "EVEN", "EVER", "EVIL", "EYED", "FACE", "FACT", -"FADE", "FAIL", "FAIN", "FAIR", "FAKE", "FALL", "FAME", "FANG", -"FARM", "FAST", "FATE", "FAWN", "FEAR", "FEAT", "FEED", "FEEL", -"FEET", "FELL", "FELT", "FEND", "FERN", "FEST", "FEUD", "FIEF", -"FIGS", "FILE", "FILL", "FILM", "FIND", "FINE", "FINK", "FIRE", -"FIRM", "FISH", "FISK", "FIST", "FITS", "FIVE", "FLAG", "FLAK", -"FLAM", "FLAT", "FLAW", "FLEA", "FLED", "FLEW", "FLIT", "FLOC", -"FLOG", "FLOW", "FLUB", "FLUE", "FOAL", "FOAM", "FOGY", "FOIL", -"FOLD", "FOLK", "FOND", "FONT", "FOOD", "FOOL", "FOOT", "FORD", -"FORE", "FORK", "FORM", "FORT", "FOSS", "FOUL", "FOUR", "FOWL", -"FRAU", "FRAY", "FRED", "FREE", "FRET", "FREY", "FROG", "FROM", -"FUEL", "FULL", "FUME", "FUND", "FUNK", "FURY", "FUSE", "FUSS", -"GAFF", "GAGE", "GAIL", "GAIN", "GAIT", "GALA", "GALE", "GALL", -"GALT", "GAME", "GANG", "GARB", "GARY", "GASH", "GATE", "GAUL", -"GAUR", "GAVE", "GAWK", "GEAR", "GELD", "GENE", "GENT", "GERM", -"GETS", "GIBE", "GIFT", "GILD", "GILL", "GILT", "GINA", "GIRD", -"GIRL", "GIST", "GIVE", "GLAD", "GLEE", "GLEN", "GLIB", "GLOB", -"GLOM", "GLOW", "GLUE", "GLUM", "GLUT", 
"GOAD", "GOAL", "GOAT",
-"GOER", "GOES", "GOLD", "GOLF", "GONE", "GONG", "GOOD", "GOOF",
-"GORE", "GORY", "GOSH", "GOUT", "GOWN", "GRAB", "GRAD", "GRAY",
-"GREG", "GREW", "GREY", "GRID", "GRIM", "GRIN", "GRIT", "GROW",
-"GRUB", "GULF", "GULL", "GUNK", "GURU", "GUSH", "GUST", "GWEN",
-"GWYN", "HAAG", "HAAS", "HACK", "HAIL", "HAIR", "HALE", "HALF",
-"HALL", "HALO", "HALT", "HAND", "HANG", "HANK", "HANS", "HARD",
-"HARK", "HARM", "HART", "HASH", "HAST", "HATE", "HATH", "HAUL",
-"HAVE", "HAWK", "HAYS", "HEAD", "HEAL", "HEAR", "HEAT", "HEBE",
-"HECK", "HEED", "HEEL", "HEFT", "HELD", "HELL", "HELM", "HERB",
-"HERD", "HERE", "HERO", "HERS", "HESS", "HEWN", "HICK", "HIDE",
-"HIGH", "HIKE", "HILL", "HILT", "HIND", "HINT", "HIRE", "HISS",
-"HIVE", "HOBO", "HOCK", "HOFF", "HOLD", "HOLE", "HOLM", "HOLT",
-"HOME", "HONE", "HONK", "HOOD", "HOOF", "HOOK", "HOOT", "HORN",
-"HOSE", "HOST", "HOUR", "HOVE", "HOWE", "HOWL", "HOYT", "HUCK",
-"HUED", "HUFF", "HUGE", "HUGH", "HUGO", "HULK", "HULL", "HUNK",
-"HUNT", "HURD", "HURL", "HURT", "HUSH", "HYDE", "HYMN", "IBIS",
-"ICON", "IDEA", "IDLE", "IFFY", "INCA", "INCH", "INTO", "IONS",
-"IOTA", "IOWA", "IRIS", "IRMA", "IRON", "ISLE", "ITCH", "ITEM",
-"IVAN", "JACK", "JADE", "JAIL", "JAKE", "JANE", "JAVA", "JEAN",
-"JEFF", "JERK", "JESS", "JEST", "JIBE", "JILL", "JILT", "JIVE",
-"JOAN", "JOBS", "JOCK", "JOEL", "JOEY", "JOHN", "JOIN", "JOKE",
-"JOLT", "JOVE", "JUDD", "JUDE", "JUDO", "JUDY", "JUJU", "JUKE",
-"JULY", "JUNE", "JUNK", "JUNO", "JURY", "JUST", "JUTE", "KAHN",
-"KALE", "KANE", "KANT", "KARL", "KATE", "KEEL", "KEEN", "KENO",
-"KENT", "KERN", "KERR", "KEYS", "KICK", "KILL", "KIND", "KING",
-"KIRK", "KISS", "KITE", "KLAN", "KNEE", "KNEW", "KNIT", "KNOB",
-"KNOT", "KNOW", "KOCH", "KONG", "KUDO", "KURD", "KURT", "KYLE",
-"LACE", "LACK", "LACY", "LADY", "LAID", "LAIN", "LAIR", "LAKE",
-"LAMB", "LAME", "LAND", "LANE", "LANG", "LARD", "LARK", "LASS",
-"LAST", "LATE", "LAUD", "LAVA", "LAWN", "LAWS", "LAYS", "LEAD",
-"LEAF", "LEAK", "LEAN",
"LEAR", "LEEK", "LEER", "LEFT", "LEND",
-"LENS", "LENT", "LEON", "LESK", "LESS", "LEST", "LETS", "LIAR",
-"LICE", "LICK", "LIED", "LIEN", "LIES", "LIEU", "LIFE", "LIFT",
-"LIKE", "LILA", "LILT", "LILY", "LIMA", "LIMB", "LIME", "LIND",
-"LINE", "LINK", "LINT", "LION", "LISA", "LIST", "LIVE", "LOAD",
-"LOAF", "LOAM", "LOAN", "LOCK", "LOFT", "LOGE", "LOIS", "LOLA",
-"LONE", "LONG", "LOOK", "LOON", "LOOT", "LORD", "LORE", "LOSE",
-"LOSS", "LOST", "LOUD", "LOVE", "LOWE", "LUCK", "LUCY", "LUGE",
-"LUKE", "LULU", "LUND", "LUNG", "LURA", "LURE", "LURK", "LUSH",
-"LUST", "LYLE", "LYNN", "LYON", "LYRA", "MACE", "MADE", "MAGI",
-"MAID", "MAIL", "MAIN", "MAKE", "MALE", "MALI", "MALL", "MALT",
-"MANA", "MANN", "MANY", "MARC", "MARE", "MARK", "MARS", "MART",
-"MARY", "MASH", "MASK", "MASS", "MAST", "MATE", "MATH", "MAUL",
-"MAYO", "MEAD", "MEAL", "MEAN", "MEAT", "MEEK", "MEET", "MELD",
-"MELT", "MEMO", "MEND", "MENU", "MERT", "MESH", "MESS", "MICE",
-"MIKE", "MILD", "MILE", "MILK", "MILL", "MILT", "MIMI", "MIND",
-"MINE", "MINI", "MINK", "MINT", "MIRE", "MISS", "MIST", "MITE",
-"MITT", "MOAN", "MOAT", "MOCK", "MODE", "MOLD", "MOLE", "MOLL",
-"MOLT", "MONA", "MONK", "MONT", "MOOD", "MOON", "MOOR", "MOOT",
-"MORE", "MORN", "MORT", "MOSS", "MOST", "MOTH", "MOVE", "MUCH",
-"MUCK", "MUDD", "MUFF", "MULE", "MULL", "MURK", "MUSH", "MUST",
-"MUTE", "MUTT", "MYRA", "MYTH", "NAGY", "NAIL", "NAIR", "NAME",
-"NARY", "NASH", "NAVE", "NAVY", "NEAL", "NEAR", "NEAT", "NECK",
-"NEED", "NEIL", "NELL", "NEON", "NERO", "NESS", "NEST", "NEWS",
-"NEWT", "NIBS", "NICE", "NICK", "NILE", "NINA", "NINE", "NOAH",
-"NODE", "NOEL", "NOLL", "NONE", "NOOK", "NOON", "NORM", "NOSE",
-"NOTE", "NOUN", "NOVA", "NUDE", "NULL", "NUMB", "OATH", "OBEY",
-"OBOE", "ODIN", "OHIO", "OILY", "OINT", "OKAY", "OLAF", "OLDY",
-"OLGA", "OLIN", "OMAN", "OMEN", "OMIT", "ONCE", "ONES", "ONLY",
-"ONTO", "ONUS", "ORAL", "ORGY", "OSLO", "OTIS", "OTTO", "OUCH",
-"OUST", "OUTS", "OVAL", "OVEN", "OVER", "OWLY", "OWNS", "QUAD",
-"QUIT",
"QUOD", "RACE", "RACK", "RACY", "RAFT", "RAGE", "RAID",
-"RAIL", "RAIN", "RAKE", "RANK", "RANT", "RARE", "RASH", "RATE",
-"RAVE", "RAYS", "READ", "REAL", "REAM", "REAR", "RECK", "REED",
-"REEF", "REEK", "REEL", "REID", "REIN", "RENA", "REND", "RENT",
-"REST", "RICE", "RICH", "RICK", "RIDE", "RIFT", "RILL", "RIME",
-"RING", "RINK", "RISE", "RISK", "RITE", "ROAD", "ROAM", "ROAR",
-"ROBE", "ROCK", "RODE", "ROIL", "ROLL", "ROME", "ROOD", "ROOF",
-"ROOK", "ROOM", "ROOT", "ROSA", "ROSE", "ROSS", "ROSY", "ROTH",
-"ROUT", "ROVE", "ROWE", "ROWS", "RUBE", "RUBY", "RUDE", "RUDY",
-"RUIN", "RULE", "RUNG", "RUNS", "RUNT", "RUSE", "RUSH", "RUSK",
-"RUSS", "RUST", "RUTH", "SACK", "SAFE", "SAGE", "SAID", "SAIL",
-"SALE", "SALK", "SALT", "SAME", "SAND", "SANE", "SANG", "SANK",
-"SARA", "SAUL", "SAVE", "SAYS", "SCAN", "SCAR", "SCAT", "SCOT",
-"SEAL", "SEAM", "SEAR", "SEAT", "SEED", "SEEK", "SEEM", "SEEN",
-"SEES", "SELF", "SELL", "SEND", "SENT", "SETS", "SEWN", "SHAG",
-"SHAM", "SHAW", "SHAY", "SHED", "SHIM", "SHIN", "SHOD", "SHOE",
-"SHOT", "SHOW", "SHUN", "SHUT", "SICK", "SIDE", "SIFT", "SIGH",
-"SIGN", "SILK", "SILL", "SILO", "SILT", "SINE", "SING", "SINK",
-"SIRE", "SITE", "SITS", "SITU", "SKAT", "SKEW", "SKID", "SKIM",
-"SKIN", "SKIT", "SLAB", "SLAM", "SLAT", "SLAY", "SLED", "SLEW",
-"SLID", "SLIM", "SLIT", "SLOB", "SLOG", "SLOT", "SLOW", "SLUG",
-"SLUM", "SLUR", "SMOG", "SMUG", "SNAG", "SNOB", "SNOW", "SNUB",
-"SNUG", "SOAK", "SOAR", "SOCK", "SODA", "SOFA", "SOFT", "SOIL",
-"SOLD", "SOME", "SONG", "SOON", "SOOT", "SORE", "SORT", "SOUL",
-"SOUR", "SOWN", "STAB", "STAG", "STAN", "STAR", "STAY", "STEM",
-"STEW", "STIR", "STOW", "STUB", "STUN", "SUCH", "SUDS", "SUIT",
-"SULK", "SUMS", "SUNG", "SUNK", "SURE", "SURF", "SWAB", "SWAG",
-"SWAM", "SWAN", "SWAT", "SWAY", "SWIM", "SWUM", "TACK", "TACT",
-"TAIL", "TAKE", "TALE", "TALK", "TALL", "TANK", "TASK", "TATE",
-"TAUT", "TEAL", "TEAM", "TEAR", "TECH", "TEEM", "TEEN", "TEET",
-"TELL", "TEND", "TENT", "TERM", "TERN", "TESS", "TEST",
"THAN",
-"THAT", "THEE", "THEM", "THEN", "THEY", "THIN", "THIS", "THUD",
-"THUG", "TICK", "TIDE", "TIDY", "TIED", "TIER", "TILE", "TILL",
-"TILT", "TIME", "TINA", "TINE", "TINT", "TINY", "TIRE", "TOAD",
-"TOGO", "TOIL", "TOLD", "TOLL", "TONE", "TONG", "TONY", "TOOK",
-"TOOL", "TOOT", "TORE", "TORN", "TOTE", "TOUR", "TOUT", "TOWN",
-"TRAG", "TRAM", "TRAY", "TREE", "TREK", "TRIG", "TRIM", "TRIO",
-"TROD", "TROT", "TROY", "TRUE", "TUBA", "TUBE", "TUCK", "TUFT",
-"TUNA", "TUNE", "TUNG", "TURF", "TURN", "TUSK", "TWIG", "TWIN",
-"TWIT", "ULAN", "UNIT", "URGE", "USED", "USER", "USES", "UTAH",
-"VAIL", "VAIN", "VALE", "VARY", "VASE", "VAST", "VEAL", "VEDA",
-"VEIL", "VEIN", "VEND", "VENT", "VERB", "VERY", "VETO", "VICE",
-"VIEW", "VINE", "VISE", "VOID", "VOLT", "VOTE", "WACK", "WADE",
-"WAGE", "WAIL", "WAIT", "WAKE", "WALE", "WALK", "WALL", "WALT",
-"WAND", "WANE", "WANG", "WANT", "WARD", "WARM", "WARN", "WART",
-"WASH", "WAST", "WATS", "WATT", "WAVE", "WAVY", "WAYS", "WEAK",
-"WEAL", "WEAN", "WEAR", "WEED", "WEEK", "WEIR", "WELD", "WELL",
-"WELT", "WENT", "WERE", "WERT", "WEST", "WHAM", "WHAT", "WHEE",
-"WHEN", "WHET", "WHOA", "WHOM", "WICK", "WIFE", "WILD", "WILL",
-"WIND", "WINE", "WING", "WINK", "WINO", "WIRE", "WISE", "WISH",
-"WITH", "WOLF", "WONT", "WOOD", "WOOL", "WORD", "WORE", "WORK",
-"WORM", "WORN", "WOVE", "WRIT", "WYNN", "YALE", "YANG", "YANK",
-"YARD", "YARN", "YAWL", "YAWN", "YEAH", "YEAR", "YELL", "YOGA",
-"YOKE" };
-
-const struct e inv_std_dict[2048] = {
-{"A", 0},
-{"ABE", 1},
-{"ABED", 571},
-{"ABEL", 572},
-{"ABET", 573},
-{"ABLE", 574},
-{"ABUT", 575},
-{"ACE", 2},
-{"ACHE", 576},
-{"ACID", 577},
-{"ACME", 578},
-{"ACRE", 579},
-{"ACT", 3},
-{"ACTA", 580},
-{"ACTS", 581},
-{"AD", 4},
-{"ADA", 5},
-{"ADAM", 582},
-{"ADD", 6},
-{"ADDS", 583},
-{"ADEN", 584},
-{"AFAR", 585},
-{"AFRO", 586},
-{"AGEE", 587},
-{"AGO", 7},
-{"AHEM", 588},
-{"AHOY", 589},
-{"AID", 8},
-{"AIDA", 590},
-{"AIDE", 591},
-{"AIDS", 592},
-{"AIM", 9},
-{"AIR", 10},
-{"AIRY", 593},
-{"AJAR", 594},
-{"AKIN", 595},
-{"ALAN", 596},
-{"ALEC", 597},
-{"ALGA", 598},
-{"ALIA", 599},
-{"ALL", 11},
-{"ALLY", 600},
-{"ALMA", 601},
-{"ALOE", 602},
-{"ALP", 12},
-{"ALSO", 603},
-{"ALTO", 604},
-{"ALUM", 605},
-{"ALVA", 606},
-{"AM", 13},
-{"AMEN", 607},
-{"AMES", 608},
-{"AMID", 609},
-{"AMMO", 610},
-{"AMOK", 611},
-{"AMOS", 612},
-{"AMRA", 613},
-{"AMY", 14},
-{"AN", 15},
-{"ANA", 16},
-{"AND", 17},
-{"ANDY", 614},
-{"ANEW", 615},
-{"ANN", 18},
-{"ANNA", 616},
-{"ANNE", 617},
-{"ANT", 19},
-{"ANTE", 618},
-{"ANTI", 619},
-{"ANY", 20},
-{"APE", 21},
-{"APS", 22},
-{"APT", 23},
-{"AQUA", 620},
-{"ARAB", 621},
-{"ARC", 24},
-{"ARCH", 622},
-{"ARE", 25},
-{"AREA", 623},
-{"ARGO", 624},
-{"ARID", 625},
-{"ARK", 26},
-{"ARM", 27},
-{"ARMY", 626},
-{"ART", 28},
-{"ARTS", 627},
-{"ARTY", 628},
-{"AS", 29},
-{"ASH", 30},
-{"ASIA", 629},
-{"ASK", 31},
-{"ASKS", 630},
-{"AT", 32},
-{"ATE", 33},
-{"ATOM", 631},
-{"AUG", 34},
-{"AUK", 35},
-{"AUNT", 632},
-{"AURA", 633},
-{"AUTO", 634},
-{"AVE", 36},
-{"AVER", 635},
-{"AVID", 636},
-{"AVIS", 637},
-{"AVON", 638},
-{"AVOW", 639},
-{"AWAY", 640},
-{"AWE", 37},
-{"AWK", 38},
-{"AWL", 39},
-{"AWN", 40},
-{"AWRY", 641},
-{"AX", 41},
-{"AYE", 42},
-{"BABE", 642},
-{"BABY", 643},
-{"BACH", 644},
-{"BACK", 645},
-{"BAD", 43},
-{"BADE", 646},
-{"BAG", 44},
-{"BAH", 45},
-{"BAIL", 647},
-{"BAIT", 648},
-{"BAKE", 649},
-{"BALD", 650},
-{"BALE", 651},
-{"BALI", 652},
-{"BALK", 653},
-{"BALL", 654},
-{"BALM", 655},
-{"BAM", 46},
-{"BAN", 47},
-{"BAND", 656},
-{"BANE", 657},
-{"BANG", 658},
-{"BANK", 659},
-{"BAR", 48},
-{"BARB", 660},
-{"BARD", 661},
-{"BARE", 662},
-{"BARK", 663},
-{"BARN", 664},
-{"BARR", 665},
-{"BASE", 666},
-{"BASH", 667},
-{"BASK", 668},
-{"BASS", 669},
-{"BAT", 49},
-{"BATE", 670},
-{"BATH", 671},
-{"BAWD", 672},
-{"BAWL", 673},
-{"BAY", 50},
-{"BE", 51},
-{"BEAD", 674},
-{"BEAK", 675},
-{"BEAM", 676},
-{"BEAN", 677},
-{"BEAR", 678},
-{"BEAT", 679},
-{"BEAU", 680},
-{"BECK", 681},
-{"BED", 52},
-{"BEE",
53},
-{"BEEF", 682},
-{"BEEN", 683},
-{"BEER", 684},
-{"BEET", 685},
-{"BEG", 54},
-{"BELA", 686},
-{"BELL", 687},
-{"BELT", 688},
-{"BEN", 55},
-{"BEND", 689},
-{"BENT", 690},
-{"BERG", 691},
-{"BERN", 692},
-{"BERT", 693},
-{"BESS", 694},
-{"BEST", 695},
-{"BET", 56},
-{"BETA", 696},
-{"BETH", 697},
-{"BEY", 57},
-{"BHOY", 698},
-{"BIAS", 699},
-{"BIB", 58},
-{"BID", 59},
-{"BIDE", 700},
-{"BIEN", 701},
-{"BIG", 60},
-{"BILE", 702},
-{"BILK", 703},
-{"BILL", 704},
-{"BIN", 61},
-{"BIND", 705},
-{"BING", 706},
-{"BIRD", 707},
-{"BIT", 62},
-{"BITE", 708},
-{"BITS", 709},
-{"BLAB", 710},
-{"BLAT", 711},
-{"BLED", 712},
-{"BLEW", 713},
-{"BLOB", 714},
-{"BLOC", 715},
-{"BLOT", 716},
-{"BLOW", 717},
-{"BLUE", 718},
-{"BLUM", 719},
-{"BLUR", 720},
-{"BOAR", 721},
-{"BOAT", 722},
-{"BOB", 63},
-{"BOCA", 723},
-{"BOCK", 724},
-{"BODE", 725},
-{"BODY", 726},
-{"BOG", 64},
-{"BOGY", 727},
-{"BOHR", 728},
-{"BOIL", 729},
-{"BOLD", 730},
-{"BOLO", 731},
-{"BOLT", 732},
-{"BOMB", 733},
-{"BON", 65},
-{"BONA", 734},
-{"BOND", 735},
-{"BONE", 736},
-{"BONG", 737},
-{"BONN", 738},
-{"BONY", 739},
-{"BOO", 66},
-{"BOOK", 740},
-{"BOOM", 741},
-{"BOON", 742},
-{"BOOT", 743},
-{"BOP", 67},
-{"BORE", 744},
-{"BORG", 745},
-{"BORN", 746},
-{"BOSE", 747},
-{"BOSS", 748},
-{"BOTH", 749},
-{"BOUT", 750},
-{"BOW", 68},
-{"BOWL", 751},
-{"BOY", 69},
-{"BOYD", 752},
-{"BRAD", 753},
-{"BRAE", 754},
-{"BRAG", 755},
-{"BRAN", 756},
-{"BRAY", 757},
-{"BRED", 758},
-{"BREW", 759},
-{"BRIG", 760},
-{"BRIM", 761},
-{"BROW", 762},
-{"BUB", 70},
-{"BUCK", 763},
-{"BUD", 71},
-{"BUDD", 764},
-{"BUFF", 765},
-{"BUG", 72},
-{"BULB", 766},
-{"BULK", 767},
-{"BULL", 768},
-{"BUM", 73},
-{"BUN", 74},
-{"BUNK", 769},
-{"BUNT", 770},
-{"BUOY", 771},
-{"BURG", 772},
-{"BURL", 773},
-{"BURN", 774},
-{"BURR", 775},
-{"BURT", 776},
-{"BURY", 777},
-{"BUS", 75},
-{"BUSH", 778},
-{"BUSS", 779},
-{"BUST", 780},
-{"BUSY", 781},
-{"BUT", 76},
-{"BUY", 77},
-{"BY", 78},
-{"BYE", 79},
-{"BYTE", 782},
-{"CAB", 80},
-{"CADY", 783},
-{"CAFE", 784},
-{"CAGE", 785},
-{"CAIN", 786},
-{"CAKE", 787},
-{"CAL", 81},
-{"CALF", 788},
-{"CALL", 789},
-{"CALM", 790},
-{"CAM", 82},
-{"CAME", 791},
-{"CAN", 83},
-{"CANE", 792},
-{"CANT", 793},
-{"CAP", 84},
-{"CAR", 85},
-{"CARD", 794},
-{"CARE", 795},
-{"CARL", 796},
-{"CARR", 797},
-{"CART", 798},
-{"CASE", 799},
-{"CASH", 800},
-{"CASK", 801},
-{"CAST", 802},
-{"CAT", 86},
-{"CAVE", 803},
-{"CAW", 87},
-{"CEIL", 804},
-{"CELL", 805},
-{"CENT", 806},
-{"CERN", 807},
-{"CHAD", 808},
-{"CHAR", 809},
-{"CHAT", 810},
-{"CHAW", 811},
-{"CHEF", 812},
-{"CHEN", 813},
-{"CHEW", 814},
-{"CHIC", 815},
-{"CHIN", 816},
-{"CHOU", 817},
-{"CHOW", 818},
-{"CHUB", 819},
-{"CHUG", 820},
-{"CHUM", 821},
-{"CITE", 822},
-{"CITY", 823},
-{"CLAD", 824},
-{"CLAM", 825},
-{"CLAN", 826},
-{"CLAW", 827},
-{"CLAY", 828},
-{"CLOD", 829},
-{"CLOG", 830},
-{"CLOT", 831},
-{"CLUB", 832},
-{"CLUE", 833},
-{"COAL", 834},
-{"COAT", 835},
-{"COCA", 836},
-{"COCK", 837},
-{"COCO", 838},
-{"COD", 88},
-{"CODA", 839},
-{"CODE", 840},
-{"CODY", 841},
-{"COED", 842},
-{"COG", 89},
-{"COIL", 843},
-{"COIN", 844},
-{"COKE", 845},
-{"COL", 90},
-{"COLA", 846},
-{"COLD", 847},
-{"COLT", 848},
-{"COMA", 849},
-{"COMB", 850},
-{"COME", 851},
-{"CON", 91},
-{"COO", 92},
-{"COOK", 852},
-{"COOL", 853},
-{"COON", 854},
-{"COOT", 855},
-{"COP", 93},
-{"CORD", 856},
-{"CORE", 857},
-{"CORK", 858},
-{"CORN", 859},
-{"COST", 860},
-{"COT", 94},
-{"COVE", 861},
-{"COW", 95},
-{"COWL", 862},
-{"COY", 96},
-{"CRAB", 863},
-{"CRAG", 864},
-{"CRAM", 865},
-{"CRAY", 866},
-{"CREW", 867},
-{"CRIB", 868},
-{"CROW", 869},
-{"CRUD", 870},
-{"CRY", 97},
-{"CUB", 98},
-{"CUBA", 871},
-{"CUBE", 872},
-{"CUE", 99},
-{"CUFF", 873},
-{"CULL", 874},
-{"CULT", 875},
-{"CUNY", 876},
-{"CUP", 100},
-{"CUR", 101},
-{"CURB", 877},
-{"CURD", 878},
-{"CURE", 879},
-{"CURL", 880},
-{"CURT", 881},
-{"CUT", 102},
-{"CUTS", 882},
-{"DAB", 103},
-{"DAD", 104},
-{"DADE", 883},
-{"DALE", 884},
-{"DAM", 105},
-{"DAME",
885},
-{"DAN", 106},
-{"DANA", 886},
-{"DANE", 887},
-{"DANG", 888},
-{"DANK", 889},
-{"DAR", 107},
-{"DARE", 890},
-{"DARK", 891},
-{"DARN", 892},
-{"DART", 893},
-{"DASH", 894},
-{"DATA", 895},
-{"DATE", 896},
-{"DAVE", 897},
-{"DAVY", 898},
-{"DAWN", 899},
-{"DAY", 108},
-{"DAYS", 900},
-{"DEAD", 901},
-{"DEAF", 902},
-{"DEAL", 903},
-{"DEAN", 904},
-{"DEAR", 905},
-{"DEBT", 906},
-{"DECK", 907},
-{"DEE", 109},
-{"DEED", 908},
-{"DEEM", 909},
-{"DEER", 910},
-{"DEFT", 911},
-{"DEFY", 912},
-{"DEL", 110},
-{"DELL", 913},
-{"DEN", 111},
-{"DENT", 914},
-{"DENY", 915},
-{"DES", 112},
-{"DESK", 916},
-{"DEW", 113},
-{"DIAL", 917},
-{"DICE", 918},
-{"DID", 114},
-{"DIE", 115},
-{"DIED", 919},
-{"DIET", 920},
-{"DIG", 116},
-{"DIME", 921},
-{"DIN", 117},
-{"DINE", 922},
-{"DING", 923},
-{"DINT", 924},
-{"DIP", 118},
-{"DIRE", 925},
-{"DIRT", 926},
-{"DISC", 927},
-{"DISH", 928},
-{"DISK", 929},
-{"DIVE", 930},
-{"DO", 119},
-{"DOCK", 931},
-{"DOE", 120},
-{"DOES", 932},
-{"DOG", 121},
-{"DOLE", 933},
-{"DOLL", 934},
-{"DOLT", 935},
-{"DOME", 936},
-{"DON", 122},
-{"DONE", 937},
-{"DOOM", 938},
-{"DOOR", 939},
-{"DORA", 940},
-{"DOSE", 941},
-{"DOT", 123},
-{"DOTE", 942},
-{"DOUG", 943},
-{"DOUR", 944},
-{"DOVE", 945},
-{"DOW", 124},
-{"DOWN", 946},
-{"DRAB", 947},
-{"DRAG", 948},
-{"DRAM", 949},
-{"DRAW", 950},
-{"DREW", 951},
-{"DRUB", 952},
-{"DRUG", 953},
-{"DRUM", 954},
-{"DRY", 125},
-{"DUAL", 955},
-{"DUB", 126},
-{"DUCK", 956},
-{"DUCT", 957},
-{"DUD", 127},
-{"DUE", 128},
-{"DUEL", 958},
-{"DUET", 959},
-{"DUG", 129},
-{"DUKE", 960},
-{"DULL", 961},
-{"DUMB", 962},
-{"DUN", 130},
-{"DUNE", 963},
-{"DUNK", 964},
-{"DUSK", 965},
-{"DUST", 966},
-{"DUTY", 967},
-{"EACH", 968},
-{"EAR", 131},
-{"EARL", 969},
-{"EARN", 970},
-{"EASE", 971},
-{"EAST", 972},
-{"EASY", 973},
-{"EAT", 132},
-{"EBEN", 974},
-{"ECHO", 975},
-{"ED", 133},
-{"EDDY", 976},
-{"EDEN", 977},
-{"EDGE", 978},
-{"EDGY", 979},
-{"EDIT", 980},
-{"EDNA", 981},
-{"EEL", 134},
-{"EGAN", 982},
-{"EGG",
135},
-{"EGO", 136},
-{"ELAN", 983},
-{"ELBA", 984},
-{"ELI", 137},
-{"ELK", 138},
-{"ELLA", 985},
-{"ELM", 139},
-{"ELSE", 986},
-{"ELY", 140},
-{"EM", 141},
-{"EMIL", 987},
-{"EMIT", 988},
-{"EMMA", 989},
-{"END", 142},
-{"ENDS", 990},
-{"ERIC", 991},
-{"EROS", 992},
-{"EST", 143},
-{"ETC", 144},
-{"EVA", 145},
-{"EVE", 146},
-{"EVEN", 993},
-{"EVER", 994},
-{"EVIL", 995},
-{"EWE", 147},
-{"EYE", 148},
-{"EYED", 996},
-{"FACE", 997},
-{"FACT", 998},
-{"FAD", 149},
-{"FADE", 999},
-{"FAIL", 1000},
-{"FAIN", 1001},
-{"FAIR", 1002},
-{"FAKE", 1003},
-{"FALL", 1004},
-{"FAME", 1005},
-{"FAN", 150},
-{"FANG", 1006},
-{"FAR", 151},
-{"FARM", 1007},
-{"FAST", 1008},
-{"FAT", 152},
-{"FATE", 1009},
-{"FAWN", 1010},
-{"FAY", 153},
-{"FEAR", 1011},
-{"FEAT", 1012},
-{"FED", 154},
-{"FEE", 155},
-{"FEED", 1013},
-{"FEEL", 1014},
-{"FEET", 1015},
-{"FELL", 1016},
-{"FELT", 1017},
-{"FEND", 1018},
-{"FERN", 1019},
-{"FEST", 1020},
-{"FEUD", 1021},
-{"FEW", 156},
-{"FIB", 157},
-{"FIEF", 1022},
-{"FIG", 158},
-{"FIGS", 1023},
-{"FILE", 1024},
-{"FILL", 1025},
-{"FILM", 1026},
-{"FIN", 159},
-{"FIND", 1027},
-{"FINE", 1028},
-{"FINK", 1029},
-{"FIR", 160},
-{"FIRE", 1030},
-{"FIRM", 1031},
-{"FISH", 1032},
-{"FISK", 1033},
-{"FIST", 1034},
-{"FIT", 161},
-{"FITS", 1035},
-{"FIVE", 1036},
-{"FLAG", 1037},
-{"FLAK", 1038},
-{"FLAM", 1039},
-{"FLAT", 1040},
-{"FLAW", 1041},
-{"FLEA", 1042},
-{"FLED", 1043},
-{"FLEW", 1044},
-{"FLIT", 1045},
-{"FLO", 162},
-{"FLOC", 1046},
-{"FLOG", 1047},
-{"FLOW", 1048},
-{"FLUB", 1049},
-{"FLUE", 1050},
-{"FLY", 163},
-{"FOAL", 1051},
-{"FOAM", 1052},
-{"FOE", 164},
-{"FOG", 165},
-{"FOGY", 1053},
-{"FOIL", 1054},
-{"FOLD", 1055},
-{"FOLK", 1056},
-{"FOND", 1057},
-{"FONT", 1058},
-{"FOOD", 1059},
-{"FOOL", 1060},
-{"FOOT", 1061},
-{"FOR", 166},
-{"FORD", 1062},
-{"FORE", 1063},
-{"FORK", 1064},
-{"FORM", 1065},
-{"FORT", 1066},
-{"FOSS", 1067},
-{"FOUL", 1068},
-{"FOUR", 1069},
-{"FOWL", 1070},
-{"FRAU", 1071},
-{"FRAY", 1072},
-{"FRED", 1073},
-{"FREE", 1074},
-{"FRET", 1075},
-{"FREY", 1076},
-{"FROG", 1077},
-{"FROM", 1078},
-{"FRY", 167},
-{"FUEL", 1079},
-{"FULL", 1080},
-{"FUM", 168},
-{"FUME", 1081},
-{"FUN", 169},
-{"FUND", 1082},
-{"FUNK", 1083},
-{"FUR", 170},
-{"FURY", 1084},
-{"FUSE", 1085},
-{"FUSS", 1086},
-{"GAB", 171},
-{"GAD", 172},
-{"GAFF", 1087},
-{"GAG", 173},
-{"GAGE", 1088},
-{"GAIL", 1089},
-{"GAIN", 1090},
-{"GAIT", 1091},
-{"GAL", 174},
-{"GALA", 1092},
-{"GALE", 1093},
-{"GALL", 1094},
-{"GALT", 1095},
-{"GAM", 175},
-{"GAME", 1096},
-{"GANG", 1097},
-{"GAP", 176},
-{"GARB", 1098},
-{"GARY", 1099},
-{"GAS", 177},
-{"GASH", 1100},
-{"GATE", 1101},
-{"GAUL", 1102},
-{"GAUR", 1103},
-{"GAVE", 1104},
-{"GAWK", 1105},
-{"GAY", 178},
-{"GEAR", 1106},
-{"GEE", 179},
-{"GEL", 180},
-{"GELD", 1107},
-{"GEM", 181},
-{"GENE", 1108},
-{"GENT", 1109},
-{"GERM", 1110},
-{"GET", 182},
-{"GETS", 1111},
-{"GIBE", 1112},
-{"GIFT", 1113},
-{"GIG", 183},
-{"GIL", 184},
-{"GILD", 1114},
-{"GILL", 1115},
-{"GILT", 1116},
-{"GIN", 185},
-{"GINA", 1117},
-{"GIRD", 1118},
-{"GIRL", 1119},
-{"GIST", 1120},
-{"GIVE", 1121},
-{"GLAD", 1122},
-{"GLEE", 1123},
-{"GLEN", 1124},
-{"GLIB", 1125},
-{"GLOB", 1126},
-{"GLOM", 1127},
-{"GLOW", 1128},
-{"GLUE", 1129},
-{"GLUM", 1130},
-{"GLUT", 1131},
-{"GO", 186},
-{"GOAD", 1132},
-{"GOAL", 1133},
-{"GOAT", 1134},
-{"GOER", 1135},
-{"GOES", 1136},
-{"GOLD", 1137},
-{"GOLF", 1138},
-{"GONE", 1139},
-{"GONG", 1140},
-{"GOOD", 1141},
-{"GOOF", 1142},
-{"GORE", 1143},
-{"GORY", 1144},
-{"GOSH", 1145},
-{"GOT", 187},
-{"GOUT", 1146},
-{"GOWN", 1147},
-{"GRAB", 1148},
-{"GRAD", 1149},
-{"GRAY", 1150},
-{"GREG", 1151},
-{"GREW", 1152},
-{"GREY", 1153},
-{"GRID", 1154},
-{"GRIM", 1155},
-{"GRIN", 1156},
-{"GRIT", 1157},
-{"GROW", 1158},
-{"GRUB", 1159},
-{"GULF", 1160},
-{"GULL", 1161},
-{"GUM", 188},
-{"GUN", 189},
-{"GUNK", 1162},
-{"GURU", 1163},
-{"GUS", 190},
-{"GUSH", 1164},
-{"GUST", 1165},
-{"GUT", 191},
-{"GUY", 192},
-{"GWEN", 1166},
-{"GWYN", 1167},
-{"GYM",
193},
-{"GYP", 194},
-{"HA", 195},
-{"HAAG", 1168},
-{"HAAS", 1169},
-{"HACK", 1170},
-{"HAD", 196},
-{"HAIL", 1171},
-{"HAIR", 1172},
-{"HAL", 197},
-{"HALE", 1173},
-{"HALF", 1174},
-{"HALL", 1175},
-{"HALO", 1176},
-{"HALT", 1177},
-{"HAM", 198},
-{"HAN", 199},
-{"HAND", 1178},
-{"HANG", 1179},
-{"HANK", 1180},
-{"HANS", 1181},
-{"HAP", 200},
-{"HARD", 1182},
-{"HARK", 1183},
-{"HARM", 1184},
-{"HART", 1185},
-{"HAS", 201},
-{"HASH", 1186},
-{"HAST", 1187},
-{"HAT", 202},
-{"HATE", 1188},
-{"HATH", 1189},
-{"HAUL", 1190},
-{"HAVE", 1191},
-{"HAW", 203},
-{"HAWK", 1192},
-{"HAY", 204},
-{"HAYS", 1193},
-{"HE", 205},
-{"HEAD", 1194},
-{"HEAL", 1195},
-{"HEAR", 1196},
-{"HEAT", 1197},
-{"HEBE", 1198},
-{"HECK", 1199},
-{"HEED", 1200},
-{"HEEL", 1201},
-{"HEFT", 1202},
-{"HELD", 1203},
-{"HELL", 1204},
-{"HELM", 1205},
-{"HEM", 206},
-{"HEN", 207},
-{"HER", 208},
-{"HERB", 1206},
-{"HERD", 1207},
-{"HERE", 1208},
-{"HERO", 1209},
-{"HERS", 1210},
-{"HESS", 1211},
-{"HEW", 209},
-{"HEWN", 1212},
-{"HEY", 210},
-{"HI", 211},
-{"HICK", 1213},
-{"HID", 212},
-{"HIDE", 1214},
-{"HIGH", 1215},
-{"HIKE", 1216},
-{"HILL", 1217},
-{"HILT", 1218},
-{"HIM", 213},
-{"HIND", 1219},
-{"HINT", 1220},
-{"HIP", 214},
-{"HIRE", 1221},
-{"HIS", 215},
-{"HISS", 1222},
-{"HIT", 216},
-{"HIVE", 1223},
-{"HO", 217},
-{"HOB", 218},
-{"HOBO", 1224},
-{"HOC", 219},
-{"HOCK", 1225},
-{"HOE", 220},
-{"HOFF", 1226},
-{"HOG", 221},
-{"HOLD", 1227},
-{"HOLE", 1228},
-{"HOLM", 1229},
-{"HOLT", 1230},
-{"HOME", 1231},
-{"HONE", 1232},
-{"HONK", 1233},
-{"HOOD", 1234},
-{"HOOF", 1235},
-{"HOOK", 1236},
-{"HOOT", 1237},
-{"HOP", 222},
-{"HORN", 1238},
-{"HOSE", 1239},
-{"HOST", 1240},
-{"HOT", 223},
-{"HOUR", 1241},
-{"HOVE", 1242},
-{"HOW", 224},
-{"HOWE", 1243},
-{"HOWL", 1244},
-{"HOYT", 1245},
-{"HUB", 225},
-{"HUCK", 1246},
-{"HUE", 226},
-{"HUED", 1247},
-{"HUFF", 1248},
-{"HUG", 227},
-{"HUGE", 1249},
-{"HUGH", 1250},
-{"HUGO", 1251},
-{"HUH", 228},
-{"HULK", 1252},
-{"HULL", 1253},
-{"HUM",
229},
-{"HUNK", 1254},
-{"HUNT", 1255},
-{"HURD", 1256},
-{"HURL", 1257},
-{"HURT", 1258},
-{"HUSH", 1259},
-{"HUT", 230},
-{"HYDE", 1260},
-{"HYMN", 1261},
-{"I", 231},
-{"IBIS", 1262},
-{"ICON", 1263},
-{"ICY", 232},
-{"IDA", 233},
-{"IDEA", 1264},
-{"IDLE", 1265},
-{"IF", 234},
-{"IFFY", 1266},
-{"IKE", 235},
-{"ILL", 236},
-{"INCA", 1267},
-{"INCH", 1268},
-{"INK", 237},
-{"INN", 238},
-{"INTO", 1269},
-{"IO", 239},
-{"ION", 240},
-{"IONS", 1270},
-{"IOTA", 1271},
-{"IOWA", 1272},
-{"IQ", 241},
-{"IRA", 242},
-{"IRE", 243},
-{"IRIS", 1273},
-{"IRK", 244},
-{"IRMA", 1274},
-{"IRON", 1275},
-{"IS", 245},
-{"ISLE", 1276},
-{"IT", 246},
-{"ITCH", 1277},
-{"ITEM", 1278},
-{"ITS", 247},
-{"IVAN", 1279},
-{"IVY", 248},
-{"JAB", 249},
-{"JACK", 1280},
-{"JADE", 1281},
-{"JAG", 250},
-{"JAIL", 1282},
-{"JAKE", 1283},
-{"JAM", 251},
-{"JAN", 252},
-{"JANE", 1284},
-{"JAR", 253},
-{"JAVA", 1285},
-{"JAW", 254},
-{"JAY", 255},
-{"JEAN", 1286},
-{"JEFF", 1287},
-{"JERK", 1288},
-{"JESS", 1289},
-{"JEST", 1290},
-{"JET", 256},
-{"JIBE", 1291},
-{"JIG", 257},
-{"JILL", 1292},
-{"JILT", 1293},
-{"JIM", 258},
-{"JIVE", 1294},
-{"JO", 259},
-{"JOAN", 1295},
-{"JOB", 260},
-{"JOBS", 1296},
-{"JOCK", 1297},
-{"JOE", 261},
-{"JOEL", 1298},
-{"JOEY", 1299},
-{"JOG", 262},
-{"JOHN", 1300},
-{"JOIN", 1301},
-{"JOKE", 1302},
-{"JOLT", 1303},
-{"JOT", 263},
-{"JOVE", 1304},
-{"JOY", 264},
-{"JUDD", 1305},
-{"JUDE", 1306},
-{"JUDO", 1307},
-{"JUDY", 1308},
-{"JUG", 265},
-{"JUJU", 1309},
-{"JUKE", 1310},
-{"JULY", 1311},
-{"JUNE", 1312},
-{"JUNK", 1313},
-{"JUNO", 1314},
-{"JURY", 1315},
-{"JUST", 1316},
-{"JUT", 266},
-{"JUTE", 1317},
-{"KAHN", 1318},
-{"KALE", 1319},
-{"KANE", 1320},
-{"KANT", 1321},
-{"KARL", 1322},
-{"KATE", 1323},
-{"KAY", 267},
-{"KEEL", 1324},
-{"KEEN", 1325},
-{"KEG", 268},
-{"KEN", 269},
-{"KENO", 1326},
-{"KENT", 1327},
-{"KERN", 1328},
-{"KERR", 1329},
-{"KEY", 270},
-{"KEYS", 1330},
-{"KICK", 1331},
-{"KID", 271},
-{"KILL", 1332},
-{"KIM", 272},
-{"KIN",
273},
-{"KIND", 1333},
-{"KING", 1334},
-{"KIRK", 1335},
-{"KISS", 1336},
-{"KIT", 274},
-{"KITE", 1337},
-{"KLAN", 1338},
-{"KNEE", 1339},
-{"KNEW", 1340},
-{"KNIT", 1341},
-{"KNOB", 1342},
-{"KNOT", 1343},
-{"KNOW", 1344},
-{"KOCH", 1345},
-{"KONG", 1346},
-{"KUDO", 1347},
-{"KURD", 1348},
-{"KURT", 1349},
-{"KYLE", 1350},
-{"LA", 275},
-{"LAB", 276},
-{"LAC", 277},
-{"LACE", 1351},
-{"LACK", 1352},
-{"LACY", 1353},
-{"LAD", 278},
-{"LADY", 1354},
-{"LAG", 279},
-{"LAID", 1355},
-{"LAIN", 1356},
-{"LAIR", 1357},
-{"LAKE", 1358},
-{"LAM", 280},
-{"LAMB", 1359},
-{"LAME", 1360},
-{"LAND", 1361},
-{"LANE", 1362},
-{"LANG", 1363},
-{"LAP", 281},
-{"LARD", 1364},
-{"LARK", 1365},
-{"LASS", 1366},
-{"LAST", 1367},
-{"LATE", 1368},
-{"LAUD", 1369},
-{"LAVA", 1370},
-{"LAW", 282},
-{"LAWN", 1371},
-{"LAWS", 1372},
-{"LAY", 283},
-{"LAYS", 1373},
-{"LEA", 284},
-{"LEAD", 1374},
-{"LEAF", 1375},
-{"LEAK", 1376},
-{"LEAN", 1377},
-{"LEAR", 1378},
-{"LED", 285},
-{"LEE", 286},
-{"LEEK", 1379},
-{"LEER", 1380},
-{"LEFT", 1381},
-{"LEG", 287},
-{"LEN", 288},
-{"LEND", 1382},
-{"LENS", 1383},
-{"LENT", 1384},
-{"LEO", 289},
-{"LEON", 1385},
-{"LESK", 1386},
-{"LESS", 1387},
-{"LEST", 1388},
-{"LET", 290},
-{"LETS", 1389},
-{"LEW", 291},
-{"LIAR", 1390},
-{"LICE", 1391},
-{"LICK", 1392},
-{"LID", 292},
-{"LIE", 293},
-{"LIED", 1393},
-{"LIEN", 1394},
-{"LIES", 1395},
-{"LIEU", 1396},
-{"LIFE", 1397},
-{"LIFT", 1398},
-{"LIKE", 1399},
-{"LILA", 1400},
-{"LILT", 1401},
-{"LILY", 1402},
-{"LIMA", 1403},
-{"LIMB", 1404},
-{"LIME", 1405},
-{"LIN", 294},
-{"LIND", 1406},
-{"LINE", 1407},
-{"LINK", 1408},
-{"LINT", 1409},
-{"LION", 1410},
-{"LIP", 295},
-{"LISA", 1411},
-{"LIST", 1412},
-{"LIT", 296},
-{"LIVE", 1413},
-{"LO", 297},
-{"LOAD", 1414},
-{"LOAF", 1415},
-{"LOAM", 1416},
-{"LOAN", 1417},
-{"LOB", 298},
-{"LOCK", 1418},
-{"LOFT", 1419},
-{"LOG", 299},
-{"LOGE", 1420},
-{"LOIS", 1421},
-{"LOLA", 1422},
-{"LONE", 1423},
-{"LONG", 1424},
-{"LOOK", 1425},
-{"LOON", 1426},
-{"LOOT", 1427},
-{"LOP", 300},
-{"LORD", 1428},
-{"LORE", 1429},
-{"LOS", 301},
-{"LOSE", 1430},
-{"LOSS", 1431},
-{"LOST", 1432},
-{"LOT", 302},
-{"LOU", 303},
-{"LOUD", 1433},
-{"LOVE", 1434},
-{"LOW", 304},
-{"LOWE", 1435},
-{"LOY", 305},
-{"LUCK", 1436},
-{"LUCY", 1437},
-{"LUG", 306},
-{"LUGE", 1438},
-{"LUKE", 1439},
-{"LULU", 1440},
-{"LUND", 1441},
-{"LUNG", 1442},
-{"LURA", 1443},
-{"LURE", 1444},
-{"LURK", 1445},
-{"LUSH", 1446},
-{"LUST", 1447},
-{"LYE", 307},
-{"LYLE", 1448},
-{"LYNN", 1449},
-{"LYON", 1450},
-{"LYRA", 1451},
-{"MA", 308},
-{"MAC", 309},
-{"MACE", 1452},
-{"MAD", 310},
-{"MADE", 1453},
-{"MAE", 311},
-{"MAGI", 1454},
-{"MAID", 1455},
-{"MAIL", 1456},
-{"MAIN", 1457},
-{"MAKE", 1458},
-{"MALE", 1459},
-{"MALI", 1460},
-{"MALL", 1461},
-{"MALT", 1462},
-{"MAN", 312},
-{"MANA", 1463},
-{"MANN", 1464},
-{"MANY", 1465},
-{"MAO", 313},
-{"MAP", 314},
-{"MARC", 1466},
-{"MARE", 1467},
-{"MARK", 1468},
-{"MARS", 1469},
-{"MART", 1470},
-{"MARY", 1471},
-{"MASH", 1472},
-{"MASK", 1473},
-{"MASS", 1474},
-{"MAST", 1475},
-{"MAT", 315},
-{"MATE", 1476},
-{"MATH", 1477},
-{"MAUL", 1478},
-{"MAW", 316},
-{"MAY", 317},
-{"MAYO", 1479},
-{"ME", 318},
-{"MEAD", 1480},
-{"MEAL", 1481},
-{"MEAN", 1482},
-{"MEAT", 1483},
-{"MEEK", 1484},
-{"MEET", 1485},
-{"MEG", 319},
-{"MEL", 320},
-{"MELD", 1486},
-{"MELT", 1487},
-{"MEMO", 1488},
-{"MEN", 321},
-{"MEND", 1489},
-{"MENU", 1490},
-{"MERT", 1491},
-{"MESH", 1492},
-{"MESS", 1493},
-{"MET", 322},
-{"MEW", 323},
-{"MICE", 1494},
-{"MID", 324},
-{"MIKE", 1495},
-{"MILD", 1496},
-{"MILE", 1497},
-{"MILK", 1498},
-{"MILL", 1499},
-{"MILT", 1500},
-{"MIMI", 1501},
-{"MIN", 325},
-{"MIND", 1502},
-{"MINE", 1503},
-{"MINI", 1504},
-{"MINK", 1505},
-{"MINT", 1506},
-{"MIRE", 1507},
-{"MISS", 1508},
-{"MIST", 1509},
-{"MIT", 326},
-{"MITE", 1510},
-{"MITT", 1511},
-{"MOAN", 1512},
-{"MOAT", 1513},
-{"MOB", 327},
-{"MOCK", 1514},
-{"MOD", 328},
-{"MODE", 1515},
-{"MOE", 329},
-{"MOLD", 1516},
-{"MOLE", 1517},
-{"MOLL", 1518},
-{"MOLT", 1519},
-{"MONA", 1520},
-{"MONK", 1521},
-{"MONT", 1522},
-{"MOO", 330},
-{"MOOD", 1523},
-{"MOON", 1524},
-{"MOOR", 1525},
-{"MOOT", 1526},
-{"MOP", 331},
-{"MORE", 1527},
-{"MORN", 1528},
-{"MORT", 1529},
-{"MOS", 332},
-{"MOSS", 1530},
-{"MOST", 1531},
-{"MOT", 333},
-{"MOTH", 1532},
-{"MOVE", 1533},
-{"MOW", 334},
-{"MUCH", 1534},
-{"MUCK", 1535},
-{"MUD", 335},
-{"MUDD", 1536},
-{"MUFF", 1537},
-{"MUG", 336},
-{"MULE", 1538},
-{"MULL", 1539},
-{"MUM", 337},
-{"MURK", 1540},
-{"MUSH", 1541},
-{"MUST", 1542},
-{"MUTE", 1543},
-{"MUTT", 1544},
-{"MY", 338},
-{"MYRA", 1545},
-{"MYTH", 1546},
-{"NAB", 339},
-{"NAG", 340},
-{"NAGY", 1547},
-{"NAIL", 1548},
-{"NAIR", 1549},
-{"NAME", 1550},
-{"NAN", 341},
-{"NAP", 342},
-{"NARY", 1551},
-{"NASH", 1552},
-{"NAT", 343},
-{"NAVE", 1553},
-{"NAVY", 1554},
-{"NAY", 344},
-{"NE", 345},
-{"NEAL", 1555},
-{"NEAR", 1556},
-{"NEAT", 1557},
-{"NECK", 1558},
-{"NED", 346},
-{"NEE", 347},
-{"NEED", 1559},
-{"NEIL", 1560},
-{"NELL", 1561},
-{"NEON", 1562},
-{"NERO", 1563},
-{"NESS", 1564},
-{"NEST", 1565},
-{"NET", 348},
-{"NEW", 349},
-{"NEWS", 1566},
-{"NEWT", 1567},
-{"NIB", 350},
-{"NIBS", 1568},
-{"NICE", 1569},
-{"NICK", 1570},
-{"NIIL", 351},
-{"NILE", 1571},
-{"NINA", 1572},
-{"NINE", 1573},
-{"NIP", 352},
-{"NIT", 353},
-{"NO", 354},
-{"NOAH", 1574},
-{"NOB", 355},
-{"NOD", 356},
-{"NODE", 1575},
-{"NOEL", 1576},
-{"NOLL", 1577},
-{"NON", 357},
-{"NONE", 1578},
-{"NOOK", 1579},
-{"NOON", 1580},
-{"NOR", 358},
-{"NORM", 1581},
-{"NOSE", 1582},
-{"NOT", 359},
-{"NOTE", 1583},
-{"NOUN", 1584},
-{"NOV", 360},
-{"NOVA", 1585},
-{"NOW", 361},
-{"NU", 362},
-{"NUDE", 1586},
-{"NULL", 1587},
-{"NUMB", 1588},
-{"NUN", 363},
-{"NUT", 364},
-{"O", 365},
-{"OAF", 366},
-{"OAK", 367},
-{"OAR", 368},
-{"OAT", 369},
-{"OATH", 1589},
-{"OBEY", 1590},
-{"OBOE", 1591},
-{"ODD", 370},
-{"ODE", 371},
-{"ODIN", 1592},
-{"OF", 372},
-{"OFF", 373},
-{"OFT", 374},
-{"OH", 375},
-{"OHIO", 1593},
-{"OIL", 376},
-{"OILY",
1594},
-{"OINT", 1595},
-{"OK", 377},
-{"OKAY", 1596},
-{"OLAF", 1597},
-{"OLD", 378},
-{"OLDY", 1598},
-{"OLGA", 1599},
-{"OLIN", 1600},
-{"OMAN", 1601},
-{"OMEN", 1602},
-{"OMIT", 1603},
-{"ON", 379},
-{"ONCE", 1604},
-{"ONE", 380},
-{"ONES", 1605},
-{"ONLY", 1606},
-{"ONTO", 1607},
-{"ONUS", 1608},
-{"OR", 381},
-{"ORAL", 1609},
-{"ORB", 382},
-{"ORE", 383},
-{"ORGY", 1610},
-{"ORR", 384},
-{"OS", 385},
-{"OSLO", 1611},
-{"OTIS", 1612},
-{"OTT", 386},
-{"OTTO", 1613},
-{"OUCH", 1614},
-{"OUR", 387},
-{"OUST", 1615},
-{"OUT", 388},
-{"OUTS", 1616},
-{"OVA", 389},
-{"OVAL", 1617},
-{"OVEN", 1618},
-{"OVER", 1619},
-{"OW", 390},
-{"OWE", 391},
-{"OWL", 392},
-{"OWLY", 1620},
-{"OWN", 393},
-{"OWNS", 1621},
-{"OX", 394},
-{"PA", 395},
-{"PAD", 396},
-{"PAL", 397},
-{"PAM", 398},
-{"PAN", 399},
-{"PAP", 400},
-{"PAR", 401},
-{"PAT", 402},
-{"PAW", 403},
-{"PAY", 404},
-{"PEA", 405},
-{"PEG", 406},
-{"PEN", 407},
-{"PEP", 408},
-{"PER", 409},
-{"PET", 410},
-{"PEW", 411},
-{"PHI", 412},
-{"PI", 413},
-{"PIE", 414},
-{"PIN", 415},
-{"PIT", 416},
-{"PLY", 417},
-{"PO", 418},
-{"POD", 419},
-{"POE", 420},
-{"POP", 421},
-{"POT", 422},
-{"POW", 423},
-{"PRO", 424},
-{"PRY", 425},
-{"PUB", 426},
-{"PUG", 427},
-{"PUN", 428},
-{"PUP", 429},
-{"PUT", 430},
-{"QUAD", 1622},
-{"QUIT", 1623},
-{"QUO", 431},
-{"QUOD", 1624},
-{"RACE", 1625},
-{"RACK", 1626},
-{"RACY", 1627},
-{"RAFT", 1628},
-{"RAG", 432},
-{"RAGE", 1629},
-{"RAID", 1630},
-{"RAIL", 1631},
-{"RAIN", 1632},
-{"RAKE", 1633},
-{"RAM", 433},
-{"RAN", 434},
-{"RANK", 1634},
-{"RANT", 1635},
-{"RAP", 435},
-{"RARE", 1636},
-{"RASH", 1637},
-{"RAT", 436},
-{"RATE", 1638},
-{"RAVE", 1639},
-{"RAW", 437},
-{"RAY", 438},
-{"RAYS", 1640},
-{"READ", 1641},
-{"REAL", 1642},
-{"REAM", 1643},
-{"REAR", 1644},
-{"REB", 439},
-{"RECK", 1645},
-{"RED", 440},
-{"REED", 1646},
-{"REEF", 1647},
-{"REEK", 1648},
-{"REEL", 1649},
-{"REID", 1650},
-{"REIN", 1651},
-{"RENA", 1652},
-{"REND", 1653},
-{"RENT", 1654},
-{"REP", 441},
-{"REST", 1655},
-{"RET", 442},
-{"RIB", 443},
-{"RICE", 1656},
-{"RICH", 1657},
-{"RICK", 1658},
-{"RID", 444},
-{"RIDE", 1659},
-{"RIFT", 1660},
-{"RIG", 445},
-{"RILL", 1661},
-{"RIM", 446},
-{"RIME", 1662},
-{"RING", 1663},
-{"RINK", 1664},
-{"RIO", 447},
-{"RIP", 448},
-{"RISE", 1665},
-{"RISK", 1666},
-{"RITE", 1667},
-{"ROAD", 1668},
-{"ROAM", 1669},
-{"ROAR", 1670},
-{"ROB", 449},
-{"ROBE", 1671},
-{"ROCK", 1672},
-{"ROD", 450},
-{"RODE", 1673},
-{"ROE", 451},
-{"ROIL", 1674},
-{"ROLL", 1675},
-{"ROME", 1676},
-{"RON", 452},
-{"ROOD", 1677},
-{"ROOF", 1678},
-{"ROOK", 1679},
-{"ROOM", 1680},
-{"ROOT", 1681},
-{"ROSA", 1682},
-{"ROSE", 1683},
-{"ROSS", 1684},
-{"ROSY", 1685},
-{"ROT", 453},
-{"ROTH", 1686},
-{"ROUT", 1687},
-{"ROVE", 1688},
-{"ROW", 454},
-{"ROWE", 1689},
-{"ROWS", 1690},
-{"ROY", 455},
-{"RUB", 456},
-{"RUBE", 1691},
-{"RUBY", 1692},
-{"RUDE", 1693},
-{"RUDY", 1694},
-{"RUE", 457},
-{"RUG", 458},
-{"RUIN", 1695},
-{"RULE", 1696},
-{"RUM", 459},
-{"RUN", 460},
-{"RUNG", 1697},
-{"RUNS", 1698},
-{"RUNT", 1699},
-{"RUSE", 1700},
-{"RUSH", 1701},
-{"RUSK", 1702},
-{"RUSS", 1703},
-{"RUST", 1704},
-{"RUTH", 1705},
-{"RYE", 461},
-{"SAC", 462},
-{"SACK", 1706},
-{"SAD", 463},
-{"SAFE", 1707},
-{"SAG", 464},
-{"SAGE", 1708},
-{"SAID", 1709},
-{"SAIL", 1710},
-{"SAL", 465},
-{"SALE", 1711},
-{"SALK", 1712},
-{"SALT", 1713},
-{"SAM", 466},
-{"SAME", 1714},
-{"SAN", 467},
-{"SAND", 1715},
-{"SANE", 1716},
-{"SANG", 1717},
-{"SANK", 1718},
-{"SAP", 468},
-{"SARA", 1719},
-{"SAT", 469},
-{"SAUL", 1720},
-{"SAVE", 1721},
-{"SAW", 470},
-{"SAY", 471},
-{"SAYS", 1722},
-{"SCAN", 1723},
-{"SCAR", 1724},
-{"SCAT", 1725},
-{"SCOT", 1726},
-{"SEA", 472},
-{"SEAL", 1727},
-{"SEAM", 1728},
-{"SEAR", 1729},
-{"SEAT", 1730},
-{"SEC", 473},
-{"SEE", 474},
-{"SEED", 1731},
-{"SEEK", 1732},
-{"SEEM", 1733},
-{"SEEN", 1734},
-{"SEES", 1735},
-{"SELF", 1736},
-{"SELL", 1737},
-{"SEN", 475},
-{"SEND", 1738},
-{"SENT", 1739},
-{"SET", 476},
-{"SETS", 1740},
-{"SEW",
477}, -{"SEWN", 1741}, -{"SHAG", 1742}, -{"SHAM", 1743}, -{"SHAW", 1744}, -{"SHAY", 1745}, -{"SHE", 478}, -{"SHED", 1746}, -{"SHIM", 1747}, -{"SHIN", 1748}, -{"SHOD", 1749}, -{"SHOE", 1750}, -{"SHOT", 1751}, -{"SHOW", 1752}, -{"SHUN", 1753}, -{"SHUT", 1754}, -{"SHY", 479}, -{"SICK", 1755}, -{"SIDE", 1756}, -{"SIFT", 1757}, -{"SIGH", 1758}, -{"SIGN", 1759}, -{"SILK", 1760}, -{"SILL", 1761}, -{"SILO", 1762}, -{"SILT", 1763}, -{"SIN", 480}, -{"SINE", 1764}, -{"SING", 1765}, -{"SINK", 1766}, -{"SIP", 481}, -{"SIR", 482}, -{"SIRE", 1767}, -{"SIS", 483}, -{"SIT", 484}, -{"SITE", 1768}, -{"SITS", 1769}, -{"SITU", 1770}, -{"SKAT", 1771}, -{"SKEW", 1772}, -{"SKI", 485}, -{"SKID", 1773}, -{"SKIM", 1774}, -{"SKIN", 1775}, -{"SKIT", 1776}, -{"SKY", 486}, -{"SLAB", 1777}, -{"SLAM", 1778}, -{"SLAT", 1779}, -{"SLAY", 1780}, -{"SLED", 1781}, -{"SLEW", 1782}, -{"SLID", 1783}, -{"SLIM", 1784}, -{"SLIT", 1785}, -{"SLOB", 1786}, -{"SLOG", 1787}, -{"SLOT", 1788}, -{"SLOW", 1789}, -{"SLUG", 1790}, -{"SLUM", 1791}, -{"SLUR", 1792}, -{"SLY", 487}, -{"SMOG", 1793}, -{"SMUG", 1794}, -{"SNAG", 1795}, -{"SNOB", 1796}, -{"SNOW", 1797}, -{"SNUB", 1798}, -{"SNUG", 1799}, -{"SO", 488}, -{"SOAK", 1800}, -{"SOAR", 1801}, -{"SOB", 489}, -{"SOCK", 1802}, -{"SOD", 490}, -{"SODA", 1803}, -{"SOFA", 1804}, -{"SOFT", 1805}, -{"SOIL", 1806}, -{"SOLD", 1807}, -{"SOME", 1808}, -{"SON", 491}, -{"SONG", 1809}, -{"SOON", 1810}, -{"SOOT", 1811}, -{"SOP", 492}, -{"SORE", 1812}, -{"SORT", 1813}, -{"SOUL", 1814}, -{"SOUR", 1815}, -{"SOW", 493}, -{"SOWN", 1816}, -{"SOY", 494}, -{"SPA", 495}, -{"SPY", 496}, -{"STAB", 1817}, -{"STAG", 1818}, -{"STAN", 1819}, -{"STAR", 1820}, -{"STAY", 1821}, -{"STEM", 1822}, -{"STEW", 1823}, -{"STIR", 1824}, -{"STOW", 1825}, -{"STUB", 1826}, -{"STUN", 1827}, -{"SUB", 497}, -{"SUCH", 1828}, -{"SUD", 498}, -{"SUDS", 1829}, -{"SUE", 499}, -{"SUIT", 1830}, -{"SULK", 1831}, -{"SUM", 500}, -{"SUMS", 1832}, -{"SUN", 501}, -{"SUNG", 1833}, -{"SUNK", 1834}, -{"SUP", 502}, -{"SURE", 1835}, 
-{"SURF", 1836}, -{"SWAB", 1837}, -{"SWAG", 1838}, -{"SWAM", 1839}, -{"SWAN", 1840}, -{"SWAT", 1841}, -{"SWAY", 1842}, -{"SWIM", 1843}, -{"SWUM", 1844}, -{"TAB", 503}, -{"TACK", 1845}, -{"TACT", 1846}, -{"TAD", 504}, -{"TAG", 505}, -{"TAIL", 1847}, -{"TAKE", 1848}, -{"TALE", 1849}, -{"TALK", 1850}, -{"TALL", 1851}, -{"TAN", 506}, -{"TANK", 1852}, -{"TAP", 507}, -{"TAR", 508}, -{"TASK", 1853}, -{"TATE", 1854}, -{"TAUT", 1855}, -{"TEA", 509}, -{"TEAL", 1856}, -{"TEAM", 1857}, -{"TEAR", 1858}, -{"TECH", 1859}, -{"TED", 510}, -{"TEE", 511}, -{"TEEM", 1860}, -{"TEEN", 1861}, -{"TEET", 1862}, -{"TELL", 1863}, -{"TEN", 512}, -{"TEND", 1864}, -{"TENT", 1865}, -{"TERM", 1866}, -{"TERN", 1867}, -{"TESS", 1868}, -{"TEST", 1869}, -{"THAN", 1870}, -{"THAT", 1871}, -{"THE", 513}, -{"THEE", 1872}, -{"THEM", 1873}, -{"THEN", 1874}, -{"THEY", 1875}, -{"THIN", 1876}, -{"THIS", 1877}, -{"THUD", 1878}, -{"THUG", 1879}, -{"THY", 514}, -{"TIC", 515}, -{"TICK", 1880}, -{"TIDE", 1881}, -{"TIDY", 1882}, -{"TIE", 516}, -{"TIED", 1883}, -{"TIER", 1884}, -{"TILE", 1885}, -{"TILL", 1886}, -{"TILT", 1887}, -{"TIM", 517}, -{"TIME", 1888}, -{"TIN", 518}, -{"TINA", 1889}, -{"TINE", 1890}, -{"TINT", 1891}, -{"TINY", 1892}, -{"TIP", 519}, -{"TIRE", 1893}, -{"TO", 520}, -{"TOAD", 1894}, -{"TOE", 521}, -{"TOG", 522}, -{"TOGO", 1895}, -{"TOIL", 1896}, -{"TOLD", 1897}, -{"TOLL", 1898}, -{"TOM", 523}, -{"TON", 524}, -{"TONE", 1899}, -{"TONG", 1900}, -{"TONY", 1901}, -{"TOO", 525}, -{"TOOK", 1902}, -{"TOOL", 1903}, -{"TOOT", 1904}, -{"TOP", 526}, -{"TORE", 1905}, -{"TORN", 1906}, -{"TOTE", 1907}, -{"TOUR", 1908}, -{"TOUT", 1909}, -{"TOW", 527}, -{"TOWN", 1910}, -{"TOY", 528}, -{"TRAG", 1911}, -{"TRAM", 1912}, -{"TRAY", 1913}, -{"TREE", 1914}, -{"TREK", 1915}, -{"TRIG", 1916}, -{"TRIM", 1917}, -{"TRIO", 1918}, -{"TROD", 1919}, -{"TROT", 1920}, -{"TROY", 1921}, -{"TRUE", 1922}, -{"TRY", 529}, -{"TUB", 530}, -{"TUBA", 1923}, -{"TUBE", 1924}, -{"TUCK", 1925}, -{"TUFT", 1926}, -{"TUG", 531}, -{"TUM", 532}, 
-{"TUN", 533}, -{"TUNA", 1927}, -{"TUNE", 1928}, -{"TUNG", 1929}, -{"TURF", 1930}, -{"TURN", 1931}, -{"TUSK", 1932}, -{"TWIG", 1933}, -{"TWIN", 1934}, -{"TWIT", 1935}, -{"TWO", 534}, -{"ULAN", 1936}, -{"UN", 535}, -{"UNIT", 1937}, -{"UP", 536}, -{"URGE", 1938}, -{"US", 537}, -{"USE", 538}, -{"USED", 1939}, -{"USER", 1940}, -{"USES", 1941}, -{"UTAH", 1942}, -{"VAIL", 1943}, -{"VAIN", 1944}, -{"VALE", 1945}, -{"VAN", 539}, -{"VARY", 1946}, -{"VASE", 1947}, -{"VAST", 1948}, -{"VAT", 540}, -{"VEAL", 1949}, -{"VEDA", 1950}, -{"VEIL", 1951}, -{"VEIN", 1952}, -{"VEND", 1953}, -{"VENT", 1954}, -{"VERB", 1955}, -{"VERY", 1956}, -{"VET", 541}, -{"VETO", 1957}, -{"VICE", 1958}, -{"VIE", 542}, -{"VIEW", 1959}, -{"VINE", 1960}, -{"VISE", 1961}, -{"VOID", 1962}, -{"VOLT", 1963}, -{"VOTE", 1964}, -{"WACK", 1965}, -{"WAD", 543}, -{"WADE", 1966}, -{"WAG", 544}, -{"WAGE", 1967}, -{"WAIL", 1968}, -{"WAIT", 1969}, -{"WAKE", 1970}, -{"WALE", 1971}, -{"WALK", 1972}, -{"WALL", 1973}, -{"WALT", 1974}, -{"WAND", 1975}, -{"WANE", 1976}, -{"WANG", 1977}, -{"WANT", 1978}, -{"WAR", 545}, -{"WARD", 1979}, -{"WARM", 1980}, -{"WARN", 1981}, -{"WART", 1982}, -{"WAS", 546}, -{"WASH", 1983}, -{"WAST", 1984}, -{"WATS", 1985}, -{"WATT", 1986}, -{"WAVE", 1987}, -{"WAVY", 1988}, -{"WAY", 547}, -{"WAYS", 1989}, -{"WE", 548}, -{"WEAK", 1990}, -{"WEAL", 1991}, -{"WEAN", 1992}, -{"WEAR", 1993}, -{"WEB", 549}, -{"WED", 550}, -{"WEE", 551}, -{"WEED", 1994}, -{"WEEK", 1995}, -{"WEIR", 1996}, -{"WELD", 1997}, -{"WELL", 1998}, -{"WELT", 1999}, -{"WENT", 2000}, -{"WERE", 2001}, -{"WERT", 2002}, -{"WEST", 2003}, -{"WET", 552}, -{"WHAM", 2004}, -{"WHAT", 2005}, -{"WHEE", 2006}, -{"WHEN", 2007}, -{"WHET", 2008}, -{"WHO", 553}, -{"WHOA", 2009}, -{"WHOM", 2010}, -{"WHY", 554}, -{"WICK", 2011}, -{"WIFE", 2012}, -{"WILD", 2013}, -{"WILL", 2014}, -{"WIN", 555}, -{"WIND", 2015}, -{"WINE", 2016}, -{"WING", 2017}, -{"WINK", 2018}, -{"WINO", 2019}, -{"WIRE", 2020}, -{"WISE", 2021}, -{"WISH", 2022}, -{"WIT", 556}, -{"WITH", 
2023}, -{"WOK", 557}, -{"WOLF", 2024}, -{"WON", 558}, -{"WONT", 2025}, -{"WOO", 559}, -{"WOOD", 2026}, -{"WOOL", 2027}, -{"WORD", 2028}, -{"WORE", 2029}, -{"WORK", 2030}, -{"WORM", 2031}, -{"WORN", 2032}, -{"WOVE", 2033}, -{"WOW", 560}, -{"WRIT", 2034}, -{"WRY", 561}, -{"WU", 562}, -{"WYNN", 2035}, -{"YALE", 2036}, -{"YAM", 563}, -{"YANG", 2037}, -{"YANK", 2038}, -{"YAP", 564}, -{"YARD", 2039}, -{"YARN", 2040}, -{"YAW", 565}, -{"YAWL", 2041}, -{"YAWN", 2042}, -{"YE", 566}, -{"YEA", 567}, -{"YEAH", 2043}, -{"YEAR", 2044}, -{"YELL", 2045}, -{"YES", 568}, -{"YET", 569}, -{"YOGA", 2046}, -{"YOKE", 2047}, -{"YOU", 570} -}; diff --git a/crypto/heimdal/lib/otp/otp_print.c b/crypto/heimdal/lib/otp/otp_print.c deleted file mode 100644 index 701a74cff515..000000000000 --- a/crypto/heimdal/lib/otp/otp_print.c +++ /dev/null 
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_print.c,v 1.14 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include "otp_locl.h"
-
-extern const char *const std_dict[];
-
-unsigned
-otp_checksum (OtpKey key)
-{
- int i;
- unsigned sum = 0;
-
- for (i = 0; i < OTPKEYSIZE; ++i)
- sum += ((key[i] >> 0) & 0x03)
- + ((key[i] >> 2) & 0x03)
- + ((key[i] >> 4) & 0x03)
- + ((key[i] >> 6) & 0x03);
- sum &= 0x03;
- return sum;
-}
-
-void
-otp_print_stddict (OtpKey key, char *str, size_t sz)
-{
- unsigned sum;
-
- sum = otp_checksum (key);
- snprintf (str, sz,
- "%s %s %s %s %s %s",
- std_dict[(key[0] << 3) | (key[1] >> 5)],
- std_dict[((key[1] & 0x1F) << 6) | (key[2] >> 2)],
- std_dict[((key[2] & 0x03) << 9) | (key[3] << 1) | (key[4] >> 7)],
- std_dict[((key[4] & 0x7F) << 4) | (key[5] >> 4)],
- std_dict[((key[5] & 0x0F) << 7) | (key[6] >> 1)],
- std_dict[((key[6] & 0x01) << 10) | (key[7] << 2) | sum]);
-}
-
-void
-otp_print_hex (OtpKey key, char *str, size_t sz)
-{
- snprintf (str, sz,
- "%02x%02x%02x%02x%02x%02x%02x%02x",
- key[0], key[1], key[2], key[3],
- key[4], key[5], key[6], key[7]);
-}
-
-void
-otp_print_hex_extended (OtpKey key, char *str, size_t sz)
-{
- strlcpy (str, OTP_HEXPREFIX, sz);
- otp_print_hex (key,
- str + strlen(OTP_HEXPREFIX),
- sz - strlen(OTP_HEXPREFIX));
-}
-
-void
-otp_print_stddict_extended (OtpKey key, char *str, size_t sz)
-{
- strlcpy (str, OTP_WORDPREFIX, sz);
- otp_print_stddict (key,
- str + strlen(OTP_WORDPREFIX),
- sz - strlen(OTP_WORDPREFIX));
-}
diff --git a/crypto/heimdal/lib/otp/otp_verify.c b/crypto/heimdal/lib/otp/otp_verify.c
deleted file mode 100644
index 5fec82e2b669..000000000000
--- a/crypto/heimdal/lib/otp/otp_verify.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otp_verify.c,v 1.7 2000/07/01 13:58:38 assar Exp $");
-#endif
-
-#include "otp_locl.h"
-
-int
-otp_verify_user_1 (OtpContext *ctx, const char *passwd)
-{
- OtpKey key1, key2;
-
- if (otp_parse (key1, passwd, ctx->alg)) {
- ctx->err = "Syntax error in reply";
- return -1;
- }
- memcpy (key2, key1, sizeof(key1));
- ctx->alg->next (key2);
- if (memcmp (ctx->key, key2, sizeof(key2)) == 0) {
- --ctx->n;
- memcpy (ctx->key, key1, sizeof(key1));
- return 0;
- } else
- return -1;
-}
-
-int
-otp_verify_user (OtpContext *ctx, const char *passwd)
-{
- void *dbm;
- int ret;
-
- if (!ctx->challengep)
- return -1;
- ret = otp_verify_user_1 (ctx, passwd);
- dbm = otp_db_open ();
- if (dbm == NULL) {
- free(ctx->user);
- return -1;
- }
- otp_put (dbm, ctx);
- free(ctx->user);
- otp_db_close (dbm);
- return ret;
-}
diff --git a/crypto/heimdal/lib/otp/otptest.c b/crypto/heimdal/lib/otp/otptest.c
deleted file mode 100644
index 4eb342c797eb..000000000000
--- a/crypto/heimdal/lib/otp/otptest.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-RCSID("$Id: otptest.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
-#endif
-
-#include
-#include
-#include
-
-static int
-test_one(OtpKey key1, char *name, char *val,
- void (*print)(OtpKey,char*, size_t),
- OtpAlgorithm *alg)
-{
- char buf[256];
- OtpKey key2;
-
- (*print)(key1, buf, sizeof(buf));
- printf ("%s: %s, ", name, buf);
- if (strcmp (buf, val) != 0) {
- printf ("failed(*%s* != *%s*)\n", buf, val);
- return 1;
- }
- if (otp_parse (key2, buf, alg)) {
- printf ("parse of %s failed\n", name);
- return 1;
- }
- if (memcmp (key1, key2, OTPKEYSIZE) != 0) {
- printf ("key1 != key2, ");
- }
- printf ("success\n");
- return 0;
-}
-
-static int
-test (void)
-{
- struct test {
- char *alg;
- char *passphrase;
- char *seed;
- int count;
- char *hex;
- char *word;
- } tests[] = {
-
- /* md4 */
- {"md4", "This is a test.", "TeSt", 0, "d1854218ebbb0b51", "ROME MUG FRED SCAN LIVE LACE"},
- {"md4", "This is a test.", "TeSt", 1, "63473ef01cd0b444", "CARD SAD MINI RYE COL KIN"},
- {"md4", "This is a test.", "TeSt", 99, "c5e612776e6c237a", "NOTE OUT IBIS SINK NAVE MODE"},
- {"md4", "AbCdEfGhIjK", "alpha1", 0, "50076f47eb1ade4e", "AWAY SEN ROOK SALT LICE MAP"},
- {"md4", "AbCdEfGhIjK", "alpha1", 1, "65d20d1949b5f7ab", "CHEW GRIM WU HANG BUCK SAID"},
- {"md4", "AbCdEfGhIjK", "alpha1", 99, "d150c82cce6f62d1", "ROIL FREE COG HUNK WAIT COCA"},
- {"md4", "OTP's are good", "correct", 0, "849c79d4f6f55388", "FOOL STEM DONE TOOL BECK NILE"},
- {"md4", "OTP's are good", "correct", 1, "8c0992fb250847b1", "GIST AMOS MOOT AIDS FOOD SEEM"},
- {"md4", "OTP's are good", "correct",99, "3f3bf4b4145fd74b", "TAG SLOW NOV MIN WOOL KENO"},
-
-
- /* md5 */
- {"md5", "This is a test.", "TeSt", 0, "9e876134d90499dd", "INCH SEA ANNE LONG AHEM TOUR"},
- {"md5", "This is a test.", "TeSt", 1, "7965e05436f5029f", "EASE OIL FUM CURE AWRY AVIS"},
- {"md5", "This is a test.", "TeSt", 99, "50fe1962c4965880", "BAIL TUFT BITS GANG CHEF THY"},
- {"md5", "AbCdEfGhIjK", "alpha1", 0, "87066dd9644bf206", "FULL PEW DOWN ONCE MORT ARC"},
- {"md5", "AbCdEfGhIjK", "alpha1", 1, "7cd34c1040add14b", "FACT HOOF AT FIST SITE KENT"},
- {"md5", "AbCdEfGhIjK", "alpha1", 99, "5aa37a81f212146c", "BODE HOP JAKE STOW JUT RAP"},
- {"md5", "OTP's are good", "correct", 0, "f205753943de4cf9", "ULAN NEW ARMY FUSE SUIT EYED"},
- {"md5", "OTP's are good", "correct", 1, "ddcdac956f234937", "SKIM CULT LOB SLAM POE HOWL"},
- {"md5", "OTP's are good", "correct",99, "b203e28fa525be47", "LONG IVY JULY AJAR BOND LEE"},
-
- /* sha */
- {"sha", "This is a test.", "TeSt", 0, "bb9e6ae1979d8ff4", "MILT VARY MAST OK SEES WENT"},
- {"sha", "This is a test.", "TeSt", 1, "63d936639734385b", "CART OTTO HIVE ODE VAT NUT"},
- {"sha", "This is a test.", "TeSt", 99, "87fec7768b73ccf9", "GAFF WAIT SKID GIG SKY EYED"},
- {"sha", "AbCdEfGhIjK", "alpha1", 0, "ad85f658ebe383c9", "LEST OR HEEL SCOT ROB SUIT"},
- {"sha", "AbCdEfGhIjK", "alpha1", 1, "d07ce229b5cf119b", "RITE TAKE GELD COST TUNE RECK"},
- {"sha", "AbCdEfGhIjK", "alpha1", 99, "27bc71035aaf3dc6", "MAY STAR TIN LYON VEDA STAN"},
- {"sha", "OTP's are good", "correct", 0, "d51f3e99bf8e6f0b", "RUST WELT KICK FELL TAIL FRAU"},
- {"sha", "OTP's are good", "correct", 1, "82aeb52d943774e4", "FLIT DOSE ALSO MEW DRUM DEFY"},
- {"sha", "OTP's are good", "correct", 99, "4f296a74fe1567ec", "AURA ALOE HURL WING BERG WAIT"},
- {NULL}
- };
-
- struct test *t;
- int sum = 0;
-
- for(t = tests; t->alg; ++t) {
- int i;
- OtpAlgorithm *alg = otp_find_alg (t->alg);
- OtpKey key;
-
- if (alg == NULL) {
- printf ("Could not find alg %s\n", t->alg);
- return 1;
- }
- if(alg->init (key, t->passphrase, t->seed))
- return 1;
- for (i = 0; i < t->count; ++i) {
- if (alg->next (key))
- return 1;
- }
- sum += test_one (key, "hexadecimal", t->hex, otp_print_hex,
- alg) +
- test_one (key, "standard_word", t->word, otp_print_stddict, alg);
- }
- return sum;
-}
-
-int
-main (void)
-{
- return test ();
-}
diff --git a/crypto/heimdal/lib/otp/roken_rename.h b/crypto/heimdal/lib/otp/roken_rename.h
deleted file mode 100644
index 202b9a68ceb6..000000000000
--- a/crypto/heimdal/lib/otp/roken_rename.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* $Id: roken_rename.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */ - -#ifndef __roken_rename_h__ -#define __roken_rename_h__ - -#ifndef HAVE_SNPRINTF -#define snprintf _otp_snprintf -#endif -#ifndef HAVE_ASPRINTF -#define asprintf _otp_asprintf -#endif -#ifndef HAVE_ASNPRINTF -#define asnprintf _otp_asnprintf -#endif -#ifndef HAVE_VASPRINTF -#define vasprintf _otp_vasprintf -#endif -#ifndef HAVE_VASNPRINTF -#define vasnprintf _otp_vasnprintf -#endif -#ifndef HAVE_VSNPRINTF -#define vsnprintf _otp_vsnprintf -#endif -#ifndef HAVE_STRCASECMP -#define strcasecmp _otp_strcasecmp -#endif -#ifndef HAVE_STRNCASECMP -#define strncasecmp _otp_strncasecmp -#endif -#ifndef HAVE_STRLWR -#define strlwr _otp_strlwr -#endif - -#endif /* __roken_rename_h__ */ diff --git a/crypto/heimdal/lib/roken/.libs/libroken.lai b/crypto/heimdal/lib/roken/.libs/libroken.lai deleted file mode 100644 index 6987bcdb53e3..000000000000 --- a/crypto/heimdal/lib/roken/.libs/libroken.lai +++ /dev/null @@ -1,32 +0,0 @@ -# libroken.la - a libtool library file -# Generated by ltmain.sh - GNU libtool 1.4.2 (1.922.2.53 2001/09/11 03:18:52) -# -# Please DO NOT delete this file! -# It is necessary for linking the library. - -# The name that we can dlopen(3). -dlname='libroken.so.16' - -# Names of this library. -library_names='libroken.so.16 libroken.so libroken.so' - -# The name of the static archive. -old_library='libroken.a' - -# Libraries that this one depends upon. -dependency_libs='' - -# Version information for libroken. -current=16 -age=7 -revision=0 - -# Is this an already installed library? -installed=yes - -# Files to dlopen/dlpreopen -dlopen='' -dlpreopen='' - -# Directory that this library needs to be installed in: -libdir='/usr/heimdal/lib' diff --git a/crypto/heimdal/lib/roken/.libs/libroken.so.16 b/crypto/heimdal/lib/roken/.libs/libroken.so.16 deleted file mode 100755 index 182647a2ca67..000000000000 Binary files a/crypto/heimdal/lib/roken/.libs/libroken.so.16 and /dev/null differ 
diff --git a/crypto/heimdal/lib/roken/.libs/libtest.al b/crypto/heimdal/lib/roken/.libs/libtest.al deleted file mode 100644 index db4f929f966d..000000000000 Binary files a/crypto/heimdal/lib/roken/.libs/libtest.al and /dev/null differ diff --git a/crypto/heimdal/lib/roken/.libs/snprintf-test b/crypto/heimdal/lib/roken/.libs/snprintf-test deleted file mode 100755 index b0df6107dc53..000000000000 Binary files a/crypto/heimdal/lib/roken/.libs/snprintf-test and /dev/null differ diff --git a/crypto/heimdal/lib/roken/Makefile b/crypto/heimdal/lib/roken/Makefile deleted file mode 100644 index b0e3c71fc961..000000000000 --- a/crypto/heimdal/lib/roken/Makefile +++ /dev/null 
@@ -1,1075 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/roken/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.120 2002/05/31 02:44:37 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -ACLOCAL_AMFLAGS = -I ../../cf - -CLEANFILES = roken.h make-roken.c $(XHEADERS) - -lib_LTLIBRARIES = libroken.la -libroken_la_LDFLAGS = -version-info 16:0:7 - -noinst_PROGRAMS = make-roken snprintf-test - -nodist_make_roken_SOURCES = make-roken.c - -check_PROGRAMS = \ - base64-test \ - getaddrinfo-test \ - parse_bytes-test \ - snprintf-test \ - strpftime-test - - -TESTS = $(check_PROGRAMS) - -LDADD = libroken.la $(LIB_crypt) -make_roken_LDADD = - -noinst_LTLIBRARIES = libtest.la -libtest_la_SOURCES = strftime.c strptime.c snprintf.c -libtest_la_CFLAGS = -DTEST_SNPRINTF - -strpftime_test_SOURCES = strpftime-test.c -strpftime_test_LDADD = libtest.la $(LDADD) -snprintf_test_SOURCES = snprintf-test.c -snprintf_test_LDADD = libtest.la $(LDADD) -snprintf_test_CFLAGS = -DTEST_SNPRINTF - -libroken_la_SOURCES = \ - base64.c \ - bswap.c \ - concat.c \ - environment.c \ - eread.c \ - esetenv.c \ - ewrite.c \ - getaddrinfo_hostspec.c \ - get_default_username.c \ - get_window_size.c \ - getarg.c \ - getnameinfo_verified.c \ - getprogname.c \ - h_errno.c \ - hostent_find_fqdn.c \ - issuid.c \ - k_getpwnam.c \ - k_getpwuid.c \ - mini_inetd.c \ - net_read.c \ - net_write.c \ - parse_bytes.c \ - parse_time.c \ - parse_units.c \ - resolve.c \ - roken_gethostby.c \ - rtbl.c \ - rtbl.h \ - setprogname.c \ - signal.c \ - simple_exec.c \ - snprintf.c \ - socket.c \ - strcollect.c \ - timeval.c \ - tm2time.c \ - unvis.c \ - verify.c \ - vis.c \ - vis.h \ - warnerr.c \ - write_pid.c \ - xdbm.h - - -EXTRA_libroken_la_SOURCES = \ - chown.c \ - copyhostent.c \ - daemon.c \ - ecalloc.c \ - emalloc.c \ - erealloc.c \ - estrdup.c \ - err.c \ - err.hin \ - errx.c \ - fchown.c \ - flock.c \ - fnmatch.c \ - fnmatch.hin \ - freehostent.c \ - 
gai_strerror.c \ - getdtablesize.c \ - getegid.c \ - geteuid.c \ - getgid.c \ - gethostname.c \ - getifaddrs.c \ - getipnodebyaddr.c \ - getipnodebyname.c \ - getopt.c \ - gettimeofday.c \ - getuid.c \ - getusershell.c \ - glob.hin \ - hstrerror.c \ - ifaddrs.hin \ - inet_aton.c \ - inet_ntop.c \ - inet_pton.c \ - initgroups.c \ - innetgr.c \ - iruserok.c \ - lstat.c \ - memmove.c \ - mkstemp.c \ - putenv.c \ - rcmd.c \ - readv.c \ - recvmsg.c \ - sendmsg.c \ - setegid.c \ - setenv.c \ - seteuid.c \ - strcasecmp.c \ - strdup.c \ - strerror.c \ - strftime.c \ - strlcat.c \ - strlcpy.c \ - strlwr.c \ - strncasecmp.c \ - strndup.c \ - strnlen.c \ - strptime.c \ - strsep.c \ - strsep_copy.c \ - strtok_r.c \ - strupr.c \ - swab.c \ - unsetenv.c \ - verr.c \ - verrx.c \ - vis.hin \ - vsyslog.c \ - vwarn.c \ - vwarnx.c \ - warn.c \ - warnx.c \ - writev.c - - -EXTRA_DIST = roken.awk roken.h.in - -libroken_la_LIBADD = copyhostent.lo ecalloc.lo emalloc.lo erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo $(DBLIB) - -BUILT_SOURCES = make-roken.c roken.h - -err_h = -#err_h = err.h - -#fnmatch_h = -fnmatch_h = fnmatch.h - -glob_h = -#glob_h = glob.h - -ifaddrs_h = -#ifaddrs_h = ifaddrs.h - -vis_h = -#vis_h = vis.h - -XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h) - -include_HEADERS = \ - base64.h \ - getarg.h \ - parse_bytes.h \ - parse_time.h \ - parse_units.h \ - resolve.h \ - roken-common.h \ - rtbl.h \ - xdbm.h \ - $(XHEADERS) - - -nodist_include_HEADERS = roken.h - -man_MANS = getarg.3 -subdir = lib/roken -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) - -libroken_la_DEPENDENCIES = copyhostent.lo ecalloc.lo emalloc.lo erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -am_libroken_la_OBJECTS = base64.lo bswap.lo concat.lo environment.lo \ - eread.lo esetenv.lo 
ewrite.lo getaddrinfo_hostspec.lo \ - get_default_username.lo get_window_size.lo getarg.lo \ - getnameinfo_verified.lo getprogname.lo h_errno.lo \ - hostent_find_fqdn.lo issuid.lo k_getpwnam.lo k_getpwuid.lo \ - mini_inetd.lo net_read.lo net_write.lo parse_bytes.lo \ - parse_time.lo parse_units.lo resolve.lo roken_gethostby.lo \ - rtbl.lo setprogname.lo signal.lo simple_exec.lo snprintf.lo \ - socket.lo strcollect.lo timeval.lo tm2time.lo unvis.lo \ - verify.lo vis.lo warnerr.lo write_pid.lo -libroken_la_OBJECTS = $(am_libroken_la_OBJECTS) -libtest_la_LDFLAGS = -libtest_la_LIBADD = -am_libtest_la_OBJECTS = libtest_la-strftime.lo libtest_la-strptime.lo \ - libtest_la-snprintf.lo -libtest_la_OBJECTS = $(am_libtest_la_OBJECTS) -check_PROGRAMS = base64-test$(EXEEXT) getaddrinfo-test$(EXEEXT) \ - parse_bytes-test$(EXEEXT) snprintf-test$(EXEEXT) \ - strpftime-test$(EXEEXT) -noinst_PROGRAMS = make-roken$(EXEEXT) snprintf-test$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -base64_test_SOURCES = base64-test.c -base64_test_OBJECTS = base64-test.$(OBJEXT) -base64_test_LDADD = $(LDADD) -base64_test_DEPENDENCIES = libroken.la -base64_test_LDFLAGS = -getaddrinfo_test_SOURCES = getaddrinfo-test.c -getaddrinfo_test_OBJECTS = getaddrinfo-test.$(OBJEXT) -getaddrinfo_test_LDADD = $(LDADD) -getaddrinfo_test_DEPENDENCIES = libroken.la -getaddrinfo_test_LDFLAGS = -nodist_make_roken_OBJECTS = make-roken.$(OBJEXT) -make_roken_OBJECTS = $(nodist_make_roken_OBJECTS) -make_roken_DEPENDENCIES = -make_roken_LDFLAGS = -parse_bytes_test_SOURCES = parse_bytes-test.c -parse_bytes_test_OBJECTS = parse_bytes-test.$(OBJEXT) -parse_bytes_test_LDADD = $(LDADD) -parse_bytes_test_DEPENDENCIES = libroken.la -parse_bytes_test_LDFLAGS = -am_snprintf_test_OBJECTS = snprintf_test-snprintf-test.$(OBJEXT) -snprintf_test_OBJECTS = $(am_snprintf_test_OBJECTS) -snprintf_test_DEPENDENCIES = libtest.la libroken.la -snprintf_test_LDFLAGS = -am_strpftime_test_OBJECTS = strpftime-test.$(OBJEXT) -strpftime_test_OBJECTS = 
$(am_strpftime_test_OBJECTS) -strpftime_test_DEPENDENCIES = libtest.la libroken.la -strpftime_test_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) \ - $(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c \ - parse_bytes-test.c $(snprintf_test_SOURCES) \ - $(strpftime_test_SOURCES) -MANS = $(man_MANS) -HEADERS = $(include_HEADERS) $(nodist_include_HEADERS) - -DIST_COMMON = $(include_HEADERS) ChangeLog Makefile.am Makefile.in \ - acinclude.m4 freeaddrinfo.c getaddrinfo.c getcap.c \ - getnameinfo.c glob.c install-sh missing mkinstalldirs -SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) $(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c $(nodist_make_roken_SOURCES) parse_bytes-test.c $(snprintf_test_SOURCES) $(strpftime_test_SOURCES) - -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/roken/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - 
@list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; \ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libroken.la: $(libroken_la_OBJECTS) $(libroken_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libroken_la_LDFLAGS) $(libroken_la_OBJECTS) $(libroken_la_LIBADD) $(LIBS) -libtest_la-strftime.lo: strftime.c -libtest_la-strptime.lo: strptime.c -libtest_la-snprintf.lo: snprintf.c -libtest.la: $(libtest_la_OBJECTS) $(libtest_la_DEPENDENCIES) - $(LINK) $(libtest_la_LDFLAGS) $(libtest_la_OBJECTS) $(libtest_la_LIBADD) $(LIBS) - -clean-checkPROGRAMS: - @list='$(check_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f 
; \ - done -base64-test$(EXEEXT): $(base64_test_OBJECTS) $(base64_test_DEPENDENCIES) - @rm -f base64-test$(EXEEXT) - $(LINK) $(base64_test_LDFLAGS) $(base64_test_OBJECTS) $(base64_test_LDADD) $(LIBS) -getaddrinfo-test$(EXEEXT): $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_DEPENDENCIES) - @rm -f getaddrinfo-test$(EXEEXT) - $(LINK) $(getaddrinfo_test_LDFLAGS) $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_LDADD) $(LIBS) -make-roken$(EXEEXT): $(make_roken_OBJECTS) $(make_roken_DEPENDENCIES) - @rm -f make-roken$(EXEEXT) - $(LINK) $(make_roken_LDFLAGS) $(make_roken_OBJECTS) $(make_roken_LDADD) $(LIBS) -parse_bytes-test$(EXEEXT): $(parse_bytes_test_OBJECTS) $(parse_bytes_test_DEPENDENCIES) - @rm -f parse_bytes-test$(EXEEXT) - $(LINK) $(parse_bytes_test_LDFLAGS) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS) -snprintf_test-snprintf-test.$(OBJEXT): snprintf-test.c -snprintf-test$(EXEEXT): $(snprintf_test_OBJECTS) $(snprintf_test_DEPENDENCIES) - @rm -f snprintf-test$(EXEEXT) - $(LINK) $(snprintf_test_LDFLAGS) $(snprintf_test_OBJECTS) $(snprintf_test_LDADD) $(LIBS) -strpftime-test$(EXEEXT): $(strpftime_test_OBJECTS) $(strpftime_test_DEPENDENCIES) - @rm -f strpftime-test$(EXEEXT) - $(LINK) $(strpftime_test_LDFLAGS) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -libtest_la-strftime.o: strftime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.o `test -f 'strftime.c' || echo '$(srcdir)/'`strftime.c - -libtest_la-strftime.obj: strftime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.obj `cygpath -w strftime.c` - 
-libtest_la-strftime.lo: strftime.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.lo `test -f 'strftime.c' || echo '$(srcdir)/'`strftime.c - -libtest_la-strptime.o: strptime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.o `test -f 'strptime.c' || echo '$(srcdir)/'`strptime.c - -libtest_la-strptime.obj: strptime.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.obj `cygpath -w strptime.c` - -libtest_la-strptime.lo: strptime.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.lo `test -f 'strptime.c' || echo '$(srcdir)/'`strptime.c - -libtest_la-snprintf.o: snprintf.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.o `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c - -libtest_la-snprintf.obj: snprintf.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.obj `cygpath -w snprintf.c` - -libtest_la-snprintf.lo: snprintf.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.lo `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c - -snprintf_test-snprintf-test.o: snprintf-test.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.o `test -f 'snprintf-test.c' || echo '$(srcdir)/'`snprintf-test.c - -snprintf_test-snprintf-test.obj: snprintf-test.c - $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.obj `cygpath -w snprintf-test.c` - -snprintf_test-snprintf-test.lo: snprintf-test.c - $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.lo `test -f 'snprintf-test.c' || echo '$(srcdir)/'`snprintf-test.c - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man3dir = $(mandir)/man3 -install-man3: $(man3_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man3dir) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \ - done -uninstall-man3: - @$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \ - rm -f $(DESTDIR)$(man3dir)/$$inst; \ - done -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - 
@$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done -nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-nodist_includeHEADERS: $(nodist_include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(nodist_include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(nodist_includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(nodist_includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-nodist_includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(nodist_include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END 
{ for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH - -check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; \ - srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ - if test -n "$$list"; then \ - for tst in $$list; do \ - if test -f ./$$tst; then dir=./; \ - elif test -f $$tst; then dir=; \ - else dir="$(srcdir)/"; fi; \ - if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xpass=`expr $$xpass + 1`; \ - failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ - ;; \ - *) \ - echo "PASS: $$tst"; \ - ;; \ - esac; \ - elif test $$? -ne 77; then \ - all=`expr $$all + 1`; \ - case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ - xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ - ;; \ - *) \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - ;; \ - esac; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ - fi; \ - else \ - if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ - else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ - fi; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - else :; fi -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) - $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(man3dir) $(DESTDIR)$(includedir) $(DESTDIR)$(includedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
- -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-am - -clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \ - mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS install-man \ - install-nodist_includeHEADERS - -install-exec-am: install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man3 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man \ - uninstall-nodist_includeHEADERS - -uninstall-man: uninstall-man3 - -.PHONY: GTAGS all all-am all-local check check-TESTS check-am \ - check-local clean clean-checkPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-noinstLTLIBRARIES \ - clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-man3 \ - install-nodist_includeHEADERS install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-man3 \ - 
uninstall-nodist_includeHEADERS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - 
@foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(LTLIBOBJS) $(libroken_la_OBJECTS): $(include_HEADERS) roken.h $(XHEADERS) -.hin.h: - cp $< $@ - -roken.h: make-roken$(EXEEXT) - @./make-roken$(EXEEXT) > tmp.h ;\ - if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \ - else rm -f roken.h; mv tmp.h roken.h; fi - -make-roken.c: roken.h.in roken.awk - $(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: 
diff --git a/crypto/heimdal/lib/roken/base64.lo b/crypto/heimdal/lib/roken/base64.lo
deleted file mode 100644
index 365de5980c7a..000000000000
Binary files a/crypto/heimdal/lib/roken/base64.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/bswap.lo b/crypto/heimdal/lib/roken/bswap.lo
deleted file mode 100644
index dc6617e085a9..000000000000
Binary files a/crypto/heimdal/lib/roken/bswap.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/concat.lo b/crypto/heimdal/lib/roken/concat.lo
deleted file mode 100644
index 7450dd57d7f5..000000000000
Binary files a/crypto/heimdal/lib/roken/concat.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/config.h.in b/crypto/heimdal/lib/roken/config.h.in
deleted file mode 100644
index b3df98912148..000000000000
--- a/crypto/heimdal/lib/roken/config.h.in
+++ /dev/null
@@ -1 +0,0 @@
-/*autoheader*/
diff --git a/crypto/heimdal/lib/roken/copyhostent.lo b/crypto/heimdal/lib/roken/copyhostent.lo
deleted file mode 100644
index 500605864b5a..000000000000
Binary files a/crypto/heimdal/lib/roken/copyhostent.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/ecalloc.lo b/crypto/heimdal/lib/roken/ecalloc.lo
deleted file mode 100644
index ab53ebf243d6..000000000000
Binary files a/crypto/heimdal/lib/roken/ecalloc.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/emalloc.lo b/crypto/heimdal/lib/roken/emalloc.lo
deleted file mode 100644
index 6a312f8fb6f2..000000000000
Binary files a/crypto/heimdal/lib/roken/emalloc.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/environment.lo b/crypto/heimdal/lib/roken/environment.lo
deleted file mode 100644
index 00c57ae99cb8..000000000000
Binary files a/crypto/heimdal/lib/roken/environment.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/eread.lo b/crypto/heimdal/lib/roken/eread.lo
deleted file mode 100644
index 92723d7b4cad..000000000000
Binary files a/crypto/heimdal/lib/roken/eread.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/erealloc.lo b/crypto/heimdal/lib/roken/erealloc.lo
deleted file mode 100644
index c670bacb3bbf..000000000000
Binary files a/crypto/heimdal/lib/roken/erealloc.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/err.h b/crypto/heimdal/lib/roken/err.h
deleted file mode 100644
index b0b649f92b46..000000000000
--- a/crypto/heimdal/lib/roken/err.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: err.h,v 1.15 1999/12/02 16:58:45 joda Exp $ */
-
-#ifndef __ERR_H__
-#define __ERR_H__
-
-#include
-#include
-#include
-#include
-#include
-
-extern const char *__progname;
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-void warnerr(int doerrno, const char *fmt, va_list ap)
- __attribute__ ((format (printf, 2, 0)));
-
-void verr(int eval, const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 2, 0)));
-void err(int eval, const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 2, 3)));
-void verrx(int eval, const char *fmt, va_list ap)
- __attribute__ ((noreturn, format (printf, 2, 0)));
-void errx(int eval, const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 2, 3)));
-void vwarn(const char *fmt, va_list ap)
- __attribute__ ((format (printf, 1, 0)));
-void warn(const char *fmt, ...)
- __attribute__ ((format (printf, 1, 2)));
-void vwarnx(const char *fmt, va_list ap)
- __attribute__ ((format (printf, 1, 0)));
-void warnx(const char *fmt, ...)
- __attribute__ ((format (printf, 1, 2)));
-
-#endif /* __ERR_H__ */
diff --git a/crypto/heimdal/lib/roken/esetenv.lo b/crypto/heimdal/lib/roken/esetenv.lo
deleted file mode 100644
index e41d544bc30f..000000000000
Binary files a/crypto/heimdal/lib/roken/esetenv.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/estrdup.lo b/crypto/heimdal/lib/roken/estrdup.lo
deleted file mode 100644
index 6a75b9cf8e0d..000000000000
Binary files a/crypto/heimdal/lib/roken/estrdup.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/ewrite.lo b/crypto/heimdal/lib/roken/ewrite.lo
deleted file mode 100644
index 12806ce46014..000000000000
Binary files a/crypto/heimdal/lib/roken/ewrite.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/fnmatch.h b/crypto/heimdal/lib/roken/fnmatch.h
deleted file mode 100644
index 95c91d600b64..000000000000
--- a/crypto/heimdal/lib/roken/fnmatch.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/* $NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $ */
-
-/*-
- * Copyright (c) 1992, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)fnmatch.h 8.1 (Berkeley) 6/2/93
- */
-
-#ifndef _FNMATCH_H_
-#define _FNMATCH_H_
-
-#define FNM_NOMATCH 1 /* Match failed. */
-
-#define FNM_NOESCAPE 0x01 /* Disable backslash escaping. */
-#define FNM_PATHNAME 0x02 /* Slash must be matched by slash. */
-#define FNM_PERIOD 0x04 /* Period must be matched by period. */
-
-int fnmatch (const char *, const char *, int);
-
-#endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal/lib/roken/get_default_username.lo b/crypto/heimdal/lib/roken/get_default_username.lo
deleted file mode 100644
index 1e584ea64fb3..000000000000
Binary files a/crypto/heimdal/lib/roken/get_default_username.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/get_window_size.lo b/crypto/heimdal/lib/roken/get_window_size.lo
deleted file mode 100644
index 547580055f80..000000000000
Binary files a/crypto/heimdal/lib/roken/get_window_size.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.lo b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.lo
deleted file mode 100644
index 9bbeaeeb5d99..000000000000
Binary files a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/getarg.lo b/crypto/heimdal/lib/roken/getarg.lo
deleted file mode 100644
index 9c5352a1636d..000000000000
Binary files a/crypto/heimdal/lib/roken/getarg.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/getnameinfo_verified.lo b/crypto/heimdal/lib/roken/getnameinfo_verified.lo
deleted file mode 100644
index 9deac6cbfd7b..000000000000
Binary files a/crypto/heimdal/lib/roken/getnameinfo_verified.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/getprogname.lo b/crypto/heimdal/lib/roken/getprogname.lo
deleted file mode 100644
index 52a2ade023d5..000000000000
Binary files a/crypto/heimdal/lib/roken/getprogname.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/glob.h b/crypto/heimdal/lib/roken/glob.h
deleted file mode 100644
index bece48a89cd7..000000000000
--- a/crypto/heimdal/lib/roken/glob.h
+++ /dev/null
@@ -1,84 +0,0 @@ -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * Guido van Rossum. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * @(#)glob.h 8.1 (Berkeley) 6/2/93 - */ - -#ifndef _GLOB_H_ -#define _GLOB_H_ - -struct stat; -typedef struct { - int gl_pathc; /* Count of total paths so far. */ - int gl_matchc; /* Count of paths matching pattern. */ - int gl_offs; /* Reserved at beginning of gl_pathv. */ - int gl_flags; /* Copy of flags parameter to glob. */ - char **gl_pathv; /* List of paths matching pattern. */ - /* Copy of errfunc parameter to glob. */ - int (*gl_errfunc) (const char *, int); - - /* - * Alternate filesystem access methods for glob; replacement - * versions of closedir(3), readdir(3), opendir(3), stat(2) - * and lstat(2). - */ - void (*gl_closedir) (void *); - struct dirent *(*gl_readdir) (void *); - void *(*gl_opendir) (const char *); - int (*gl_lstat) (const char *, struct stat *); - int (*gl_stat) (const char *, struct stat *); -} glob_t; - -#define GLOB_APPEND 0x0001 /* Append to output from previous call. */ -#define GLOB_DOOFFS 0x0002 /* Use gl_offs. */ -#define GLOB_ERR 0x0004 /* Return on error. */ -#define GLOB_MARK 0x0008 /* Append / to matching directories. */ -#define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */ -#define GLOB_NOSORT 0x0020 /* Don't sort. */ - -#define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */ -#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */ -#define GLOB_MAGCHAR 0x0100 /* Pattern had globbing characters. */ -#define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */ -#define GLOB_QUOTE 0x0400 /* Quote special chars with \. */ -#define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */ - -#define GLOB_NOSPACE (-1) /* Malloc call failed. */ -#define GLOB_ABEND (-2) /* Unignored error. */ - -int glob (const char *, int, int (*)(const char *, int), glob_t *); -void globfree (glob_t *); - -#endif /* !_GLOB_H_ */ 
diff --git a/crypto/heimdal/lib/roken/h_errno.lo b/crypto/heimdal/lib/roken/h_errno.lo
deleted file mode 100644
index a5f25f7bcc14..000000000000
Binary files a/crypto/heimdal/lib/roken/h_errno.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/hostent_find_fqdn.lo b/crypto/heimdal/lib/roken/hostent_find_fqdn.lo
deleted file mode 100644
index 0ee94eae796d..000000000000
Binary files a/crypto/heimdal/lib/roken/hostent_find_fqdn.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/issuid.lo b/crypto/heimdal/lib/roken/issuid.lo
deleted file mode 100644
index 51908b74fa04..000000000000
Binary files a/crypto/heimdal/lib/roken/issuid.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/k_getpwnam.lo b/crypto/heimdal/lib/roken/k_getpwnam.lo
deleted file mode 100644
index 18d7a3a272b2..000000000000
Binary files a/crypto/heimdal/lib/roken/k_getpwnam.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/k_getpwuid.lo b/crypto/heimdal/lib/roken/k_getpwuid.lo
deleted file mode 100644
index 7c0179088a62..000000000000
Binary files a/crypto/heimdal/lib/roken/k_getpwuid.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/libroken.la b/crypto/heimdal/lib/roken/libroken.la
deleted file mode 100644
index 8551dda5a252..000000000000
--- a/crypto/heimdal/lib/roken/libroken.la
+++ /dev/null
@@ -1,32 +0,0 @@ -# libroken.la - a libtool library file -# Generated by ltmain.sh - GNU libtool 1.4.2 (1.922.2.53 2001/09/11 03:18:52) -# -# Please DO NOT delete this file! -# It is necessary for linking the library. - -# The name that we can dlopen(3). -dlname='libroken.so.16' - -# Names of this library. -library_names='libroken.so.16 libroken.so libroken.so' - -# The name of the static archive. -old_library='libroken.a' - -# Libraries that this one depends upon. -dependency_libs='' - -# Version information for libroken. -current=16 -age=7 -revision=0 - -# Is this an already installed library? -installed=no - -# Files to dlopen/dlpreopen -dlopen='' -dlpreopen='' - -# Directory that this library needs to be installed in: -libdir='/usr/heimdal/lib' diff --git a/crypto/heimdal/lib/roken/libtest.la b/crypto/heimdal/lib/roken/libtest.la deleted file mode 100644 index 2206a0e7d446..000000000000 --- a/crypto/heimdal/lib/roken/libtest.la +++ /dev/null @@ -1,32 +0,0 @@ -# libtest.la - a libtool library file -# Generated by ltmain.sh - GNU libtool 1.4.2 (1.922.2.53 2001/09/11 03:18:52) -# -# Please DO NOT delete this file! -# It is necessary for linking the library. - -# The name that we can dlopen(3). -dlname='' - -# Names of this library. -library_names='' - -# The name of the static archive. -old_library='libtest.al' - -# Libraries that this one depends upon. -dependency_libs='' - -# Version information for libtest. -current= -age= -revision= - -# Is this an already installed library? -installed=no - -# Files to dlopen/dlpreopen -dlopen='' -dlpreopen='' - -# Directory that this library needs to be installed in: -libdir='' diff --git a/crypto/heimdal/lib/roken/libtest_la-snprintf.lo b/crypto/heimdal/lib/roken/libtest_la-snprintf.lo deleted file mode 100644 index fd9d5940cbae..000000000000 Binary files a/crypto/heimdal/lib/roken/libtest_la-snprintf.lo and /dev/null differ 
diff --git a/crypto/heimdal/lib/roken/libtest_la-strftime.lo b/crypto/heimdal/lib/roken/libtest_la-strftime.lo
deleted file mode 100644
index be49eaeb6b8d..000000000000
Binary files a/crypto/heimdal/lib/roken/libtest_la-strftime.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/libtest_la-strptime.lo b/crypto/heimdal/lib/roken/libtest_la-strptime.lo
deleted file mode 100644
index 0f2ba79aceae..000000000000
Binary files a/crypto/heimdal/lib/roken/libtest_la-strptime.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/make-print-version.c b/crypto/heimdal/lib/roken/make-print-version.c
deleted file mode 100644
index b29cf3134064..000000000000
--- a/crypto/heimdal/lib/roken/make-print-version.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include
-RCSID("$Id: make-print-version.c,v 1.3 2000/08/16 11:30:04 assar Exp $");
-#endif
-
-#include
-
-#ifdef KRB5
-extern const char *heimdal_version;
-#endif
-#ifdef KRB4
-extern char *krb4_version;
-#endif
-#include
-
-int
-main(int argc, char **argv)
-{
- FILE *f;
- if(argc != 2)
- return 1;
- f = fopen(argv[1], "w");
- if(f == NULL)
- return 1;
- fprintf(f, "#define VERSIONLIST { ");
-#ifdef KRB5
- fprintf(f, "\"%s\", ", heimdal_version);
-#endif
-#ifdef KRB4
- fprintf(f, "\"%s\", ", krb4_version);
-#endif
- fprintf(f, "}\n");
- fclose(f);
- return 0;
-}
diff --git a/crypto/heimdal/lib/roken/make-roken b/crypto/heimdal/lib/roken/make-roken
deleted file mode 100755
index d4eb7f3b573b..000000000000
Binary files a/crypto/heimdal/lib/roken/make-roken and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/make-roken.c b/crypto/heimdal/lib/roken/make-roken.c
deleted file mode 100644
index a6a8f1e7a0f4..000000000000
--- a/crypto/heimdal/lib/roken/make-roken.c
+++ /dev/null
@@ -1,699 +0,0 @@ -#include -#ifdef HAVE_CONFIG_H -#include -#endif - -int main() -{ -puts("/* This is an OS dependent, generated file */"); -puts("\n"); -puts("#ifndef __ROKEN_H__"); -puts("#define __ROKEN_H__"); -puts(""); -puts("/* -*- C -*- */"); -puts("/*"); -puts(" * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan"); -puts(" * (Royal Institute of Technology, Stockholm, Sweden)."); -puts(" * All rights reserved."); -puts(" * "); -puts(" * Redistribution and use in source and binary forms, with or without"); -puts(" * modification, are permitted provided that the following conditions"); -puts(" * are met:"); -puts(" * "); -puts(" * 1. Redistributions of source code must retain the above copyright"); -puts(" * notice, this list of conditions and the following disclaimer."); -puts(" * "); -puts(" * 2. Redistributions in binary form must reproduce the above copyright"); -puts(" * notice, this list of conditions and the following disclaimer in the"); -puts(" * documentation and/or other materials provided with the distribution."); -puts(" * "); -puts(" * 3. Neither the name of the Institute nor the names of its contributors"); -puts(" * may be used to endorse or promote products derived from this software"); -puts(" * without specific prior written permission."); -puts(" * "); -puts(" * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND"); -puts(" * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE"); -puts(" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE"); -puts(" * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE"); -puts(" * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL"); -puts(" * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS"); -puts(" * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)"); -puts(" * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT"); -puts(" * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY"); -puts(" * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF"); -puts(" * SUCH DAMAGE."); -puts(" */"); -puts(""); -puts("/* $Id: roken.h.in,v 1.169 2002/08/26 21:43:38 assar Exp $ */"); -puts(""); -puts("#include "); -puts("#include "); -puts("#include "); -puts("#include "); -puts("#include "); -puts(""); -#ifdef _AIX -puts("struct ether_addr;"); -puts("struct sockaddr_dl;"); -#endif -#ifdef HAVE_SYS_PARAM_H -puts("#include "); -#endif -#ifdef HAVE_INTTYPES_H -puts("#include "); -#endif -#ifdef HAVE_SYS_TYPES_H -puts("#include "); -#endif -#ifdef HAVE_SYS_BITYPES_H -puts("#include "); -#endif -#ifdef HAVE_BIND_BITYPES_H -puts("#include "); -#endif -#ifdef HAVE_NETINET_IN6_MACHTYPES_H -puts("#include "); -#endif -#ifdef HAVE_UNISTD_H -puts("#include "); -#endif -#ifdef HAVE_SYS_SOCKET_H -puts("#include "); -#endif -#ifdef HAVE_SYS_UIO_H -puts("#include "); -#endif -#ifdef HAVE_GRP_H -puts("#include "); -#endif -#ifdef HAVE_SYS_STAT_H -puts("#include "); -#endif -#ifdef HAVE_NETINET_IN_H -puts("#include "); -#endif -#ifdef HAVE_NETINET_IN6_H -puts("#include "); -#endif -#ifdef HAVE_NETINET6_IN6_H -puts("#include "); -#endif -#ifdef HAVE_ARPA_INET_H -puts("#include "); -#endif -#ifdef HAVE_NETDB_H -puts("#include "); -#endif -#ifdef HAVE_ARPA_NAMESER_H -puts("#include "); -#endif -#ifdef HAVE_RESOLV_H -puts("#include "); -#endif -#ifdef HAVE_SYSLOG_H -puts("#include "); -#endif -#ifdef HAVE_FCNTL_H -puts("#include "); -#endif -#ifdef HAVE_ERRNO_H -puts("#include 
"); -#endif -#ifdef HAVE_ERR_H -puts("#include "); -#endif -#ifdef HAVE_TERMIOS_H -puts("#include "); -#endif -#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 -puts("#include "); -#endif -#ifdef TIME_WITH_SYS_TIME -puts("#include "); -puts("#include "); -#elif defined(HAVE_SYS_TIME_H) -puts("#include "); -#else -puts("#include "); -#endif -puts(""); -#ifdef HAVE_PATHS_H -puts("#include "); -#endif -puts(""); -puts(""); -#ifndef ROKEN_LIB_FUNCTION -#if defined(__BORLANDC__) -puts("#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet */"); -#elif defined(_MSC_VER) -puts("#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet2 */"); -#else -puts("#define ROKEN_LIB_FUNCTION"); -#endif -#endif -puts(""); -#ifndef HAVE_SSIZE_T -puts("typedef int ssize_t;"); -#endif -puts(""); -puts("#include "); -puts(""); -puts("ROKEN_CPP_START"); -puts(""); -#if !defined(HAVE_SETSID) && defined(HAVE__SETSID) -puts("#define setsid _setsid"); -#endif -puts(""); -#ifndef HAVE_PUTENV -puts("int putenv(const char *string);"); -#endif -puts(""); -#if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO) -puts("int setenv(const char *var, const char *val, int rewrite);"); -#endif -puts(""); -#if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO) -puts("void unsetenv(const char *name);"); -#endif -puts(""); -#if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO) -puts("char *getusershell(void);"); -puts("void endusershell(void);"); -#endif -puts(""); -#if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO) -puts("int snprintf (char *str, size_t sz, const char *format, ...)"); -puts(" __attribute__ ((format (printf, 3, 4)));"); -#endif -puts(""); -#if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO) -puts("int vsnprintf (char *str, size_t sz, const char *format, va_list ap)"); -puts(" __attribute__((format (printf, 3, 0)));"); -#endif -puts(""); -#if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO) -puts("int asprintf (char **ret, const char *format, ...)"); 
-puts(" __attribute__ ((format (printf, 2, 3)));"); -#endif -puts(""); -#if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO) -puts("int vasprintf (char **ret, const char *format, va_list ap)"); -puts(" __attribute__((format (printf, 2, 0)));"); -#endif -puts(""); -#if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO) -puts("int asnprintf (char **ret, size_t max_sz, const char *format, ...)"); -puts(" __attribute__ ((format (printf, 3, 4)));"); -#endif -puts(""); -#if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO) -puts("int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)"); -puts(" __attribute__((format (printf, 3, 0)));"); -#endif -puts(""); -#ifndef HAVE_STRDUP -puts("char * strdup(const char *old);"); -#endif -puts(""); -#if !defined(HAVE_STRNDUP) || defined(NEED_STRNDUP_PROTO) -puts("char * strndup(const char *old, size_t sz);"); -#endif -puts(""); -#ifndef HAVE_STRLWR -puts("char * strlwr(char *);"); -#endif -puts(""); -#ifndef HAVE_STRNLEN -puts("size_t strnlen(const char*, size_t);"); -#endif -puts(""); -#if !defined(HAVE_STRSEP) || defined(NEED_STRSEP_PROTO) -puts("char *strsep(char**, const char*);"); -#endif -puts(""); -#if !defined(HAVE_STRSEP_COPY) || defined(NEED_STRSEP_COPY_PROTO) -puts("ssize_t strsep_copy(const char**, const char*, char*, size_t);"); -#endif -puts(""); -#ifndef HAVE_STRCASECMP -puts("int strcasecmp(const char *s1, const char *s2);"); -#endif -puts(""); -#ifdef NEED_FCLOSE_PROTO -puts("int fclose(FILE *);"); -#endif -puts(""); -#ifdef NEED_STRTOK_R_PROTO -puts("char *strtok_r(char *s1, const char *s2, char **lasts);"); -#endif -puts(""); -#ifndef HAVE_STRUPR -puts("char * strupr(char *);"); -#endif -puts(""); -#ifndef HAVE_STRLCPY -puts("size_t strlcpy (char *dst, const char *src, size_t dst_sz);"); -#endif -puts(""); -#ifndef HAVE_STRLCAT -puts("size_t strlcat (char *dst, const char *src, size_t dst_sz);"); -#endif -puts(""); -#ifndef HAVE_GETDTABLESIZE -puts("int 
getdtablesize(void);"); -#endif -puts(""); -#if !defined(HAVE_STRERROR) && !defined(strerror) -puts("char *strerror(int eno);"); -#endif -puts(""); -#if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO) -puts("/* This causes a fatal error under Psoriasis */"); -#if !(defined(SunOS) && (SunOS >= 50)) -puts("const char *hstrerror(int herr);"); -#endif -#endif -puts(""); -#ifndef HAVE_H_ERRNO_DECLARATION -puts("extern int h_errno;"); -#endif -puts(""); -#if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO) -puts("int inet_aton(const char *cp, struct in_addr *adr);"); -#endif -puts(""); -#ifndef HAVE_INET_NTOP -puts("const char *"); -puts("inet_ntop(int af, const void *src, char *dst, size_t size);"); -#endif -puts(""); -#ifndef HAVE_INET_PTON -puts("int"); -puts("inet_pton(int af, const char *src, void *dst);"); -#endif -puts(""); -#if !defined(HAVE_GETCWD) -puts("char* getcwd(char *path, size_t size);"); -#endif -puts(""); -#ifdef HAVE_PWD_H -puts("#include "); -puts("struct passwd *k_getpwnam (const char *user);"); -puts("struct passwd *k_getpwuid (uid_t uid);"); -#endif -puts(""); -puts("const char *get_default_username (void);"); -puts(""); -#ifndef HAVE_SETEUID -puts("int seteuid(uid_t euid);"); -#endif -puts(""); -#ifndef HAVE_SETEGID -puts("int setegid(gid_t egid);"); -#endif -puts(""); -#ifndef HAVE_LSTAT -puts("int lstat(const char *path, struct stat *buf);"); -#endif -puts(""); -#if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO) -puts("int mkstemp(char *);"); -#endif -puts(""); -#ifndef HAVE_CGETENT -puts("int cgetent(char **buf, char **db_array, const char *name);"); -puts("int cgetstr(char *buf, const char *cap, char **str);"); -#endif -puts(""); -#ifndef HAVE_INITGROUPS -puts("int initgroups(const char *name, gid_t basegid);"); -#endif -puts(""); -#ifndef HAVE_FCHOWN -puts("int fchown(int fd, uid_t owner, gid_t group);"); -#endif -puts(""); -#ifndef HAVE_DAEMON -puts("int daemon(int nochdir, int noclose);"); -#endif -puts(""); 
-#ifndef HAVE_INNETGR -puts("int innetgr(const char *netgroup, const char *machine, "); -puts(" const char *user, const char *domain);"); -#endif -puts(""); -#ifndef HAVE_CHOWN -puts("int chown(const char *path, uid_t owner, gid_t group);"); -#endif -puts(""); -#ifndef HAVE_RCMD -puts("int rcmd(char **ahost, unsigned short inport, const char *locuser,"); -puts(" const char *remuser, const char *cmd, int *fd2p);"); -#endif -puts(""); -#if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO) -puts("int innetgr(const char*, const char*, const char*, const char*);"); -#endif -puts(""); -#ifndef HAVE_IRUSEROK -puts("int iruserok(unsigned raddr, int superuser, const char *ruser,"); -puts(" const char *luser);"); -#endif -puts(""); -#if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO) -puts("int gethostname(char *name, int namelen);"); -#endif -puts(""); -#ifndef HAVE_WRITEV -puts("ssize_t"); -puts("writev(int d, const struct iovec *iov, int iovcnt);"); -#endif -puts(""); -#ifndef HAVE_READV -puts("ssize_t"); -puts("readv(int d, const struct iovec *iov, int iovcnt);"); -#endif -puts(""); -#ifndef HAVE_MKSTEMP -puts("int"); -puts("mkstemp(char *template);"); -#endif -puts(""); -#ifndef HAVE_PIDFILE -puts("void pidfile (const char*);"); -#endif -puts(""); -#ifndef HAVE_BSWAP32 -puts("unsigned int bswap32(unsigned int);"); -#endif -puts(""); -#ifndef HAVE_BSWAP16 -puts("unsigned short bswap16(unsigned short);"); -#endif -puts(""); -#ifndef HAVE_FLOCK -#ifndef LOCK_SH -puts("#define LOCK_SH 1 /* Shared lock */"); -#endif -#ifndef LOCK_EX -puts("#define LOCK_EX 2 /* Exclusive lock */"); -#endif -#ifndef LOCK_NB -puts("#define LOCK_NB 4 /* Don't block when locking */"); -#endif -#ifndef LOCK_UN -puts("#define LOCK_UN 8 /* Unlock */"); -#endif -puts(""); -puts("int flock(int fd, int operation);"); -#endif /* HAVE_FLOCK */ -puts(""); -puts("time_t tm2time (struct tm tm, int local);"); -puts(""); -puts("int unix_verify_user(char *user, char *password);"); -puts(""); 
-puts("int roken_concat (char *s, size_t len, ...);"); -puts(""); -puts("size_t roken_mconcat (char **s, size_t max_len, ...);"); -puts(""); -puts("int roken_vconcat (char *s, size_t len, va_list args);"); -puts(""); -puts("size_t roken_vmconcat (char **s, size_t max_len, va_list args);"); -puts(""); -puts("ssize_t net_write (int fd, const void *buf, size_t nbytes);"); -puts(""); -puts("ssize_t net_read (int fd, void *buf, size_t nbytes);"); -puts(""); -puts("int issuid(void);"); -puts(""); -#ifndef HAVE_STRUCT_WINSIZE -puts("struct winsize {"); -puts(" unsigned short ws_row, ws_col;"); -puts(" unsigned short ws_xpixel, ws_ypixel;"); -puts("};"); -#endif -puts(""); -puts("int get_window_size(int fd, struct winsize *);"); -puts(""); -#ifndef HAVE_VSYSLOG -puts("void vsyslog(int pri, const char *fmt, va_list ap);"); -#endif -puts(""); -#ifndef HAVE_OPTARG_DECLARATION -puts("extern char *optarg;"); -#endif -#ifndef HAVE_OPTIND_DECLARATION -puts("extern int optind;"); -#endif -#ifndef HAVE_OPTERR_DECLARATION -puts("extern int opterr;"); -#endif -puts(""); -#ifndef HAVE___PROGNAME_DECLARATION -puts("extern const char *__progname;"); -#endif -puts(""); -#ifndef HAVE_ENVIRON_DECLARATION -puts("extern char **environ;"); -#endif -puts(""); -#ifndef HAVE_GETIPNODEBYNAME -puts("struct hostent *"); -puts("getipnodebyname (const char *name, int af, int flags, int *error_num);"); -#endif -puts(""); -#ifndef HAVE_GETIPNODEBYADDR -puts("struct hostent *"); -puts("getipnodebyaddr (const void *src, size_t len, int af, int *error_num);"); -#endif -puts(""); -#ifndef HAVE_FREEHOSTENT -puts("void"); -puts("freehostent (struct hostent *h);"); -#endif -puts(""); -#ifndef HAVE_COPYHOSTENT -puts("struct hostent *"); -puts("copyhostent (const struct hostent *h);"); -#endif -puts(""); -#ifndef HAVE_SOCKLEN_T -puts("typedef int socklen_t;"); -#endif -puts(""); -#ifndef HAVE_STRUCT_SOCKADDR_STORAGE -puts(""); -#ifndef HAVE_SA_FAMILY_T -puts("typedef unsigned short sa_family_t;"); -#endif 
-puts(""); -#ifdef HAVE_IPV6 -puts("#define _SS_MAXSIZE sizeof(struct sockaddr_in6)"); -#else -puts("#define _SS_MAXSIZE sizeof(struct sockaddr_in)"); -#endif -puts(""); -puts("#define _SS_ALIGNSIZE sizeof(unsigned long)"); -puts(""); -#if HAVE_STRUCT_SOCKADDR_SA_LEN -puts(""); -puts("typedef unsigned char roken_sa_family_t;"); -puts(""); -puts("#define _SS_PAD1SIZE ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char)) % _SS_ALIGNSIZE)"); -puts("#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + sizeof(unsigned char) + _SS_PAD1SIZE + _SS_ALIGNSIZE))"); -puts(""); -puts("struct sockaddr_storage {"); -puts(" unsigned char ss_len;"); -puts(" roken_sa_family_t ss_family;"); -puts(" char __ss_pad1[_SS_PAD1SIZE];"); -puts(" unsigned long __ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];"); -puts("};"); -puts(""); -#else /* !HAVE_STRUCT_SOCKADDR_SA_LEN */ -puts(""); -puts("typedef unsigned short roken_sa_family_t;"); -puts(""); -puts("#define _SS_PAD1SIZE ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t)) % _SS_ALIGNSIZE)"); -puts("#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + _SS_PAD1SIZE + _SS_ALIGNSIZE))"); -puts(""); -puts("struct sockaddr_storage {"); -puts(" roken_sa_family_t ss_family;"); -puts(" char __ss_pad1[_SS_PAD1SIZE];"); -puts(" unsigned long __ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];"); -puts("};"); -puts(""); -#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */ -puts(""); -#endif /* HAVE_STRUCT_SOCKADDR_STORAGE */ -puts(""); -#ifndef HAVE_STRUCT_ADDRINFO -puts("struct addrinfo {"); -puts(" int ai_flags;"); -puts(" int ai_family;"); -puts(" int ai_socktype;"); -puts(" int ai_protocol;"); -puts(" size_t ai_addrlen;"); -puts(" char *ai_canonname;"); -puts(" struct sockaddr *ai_addr;"); -puts(" struct addrinfo *ai_next;"); -puts("};"); -#endif -puts(""); -#ifndef HAVE_GETADDRINFO -puts("int"); -puts("getaddrinfo(const char *nodename,"); -puts(" const char *servname,"); -puts(" const struct addrinfo 
*hints,"); -puts(" struct addrinfo **res);"); -#endif -puts(""); -#ifndef HAVE_GETNAMEINFO -puts("int getnameinfo(const struct sockaddr *sa, socklen_t salen,"); -puts(" char *host, size_t hostlen,"); -puts(" char *serv, size_t servlen,"); -puts(" int flags);"); -#endif -puts(""); -#ifndef HAVE_FREEADDRINFO -puts("void"); -puts("freeaddrinfo(struct addrinfo *ai);"); -#endif -puts(""); -#ifndef HAVE_GAI_STRERROR -puts("char *"); -puts("gai_strerror(int ecode);"); -#endif -puts(""); -puts("int"); -puts("getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,"); -puts(" char *host, size_t hostlen,"); -puts(" char *serv, size_t servlen,"); -puts(" int flags);"); -puts(""); -puts("int roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); "); -puts("int roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **);"); -puts(""); -#ifndef HAVE_STRFTIME -puts("size_t"); -puts("strftime (char *buf, size_t maxsize, const char *format,"); -puts(" const struct tm *tm);"); -#endif -puts(""); -#ifndef HAVE_STRPTIME -puts("char *"); -puts("strptime (const char *buf, const char *format, struct tm *timeptr);"); -#endif -puts(""); -#ifndef HAVE_EMALLOC -puts("void *emalloc (size_t);"); -#endif -#ifndef HAVE_ECALLOC -puts("void *ecalloc(size_t num, size_t sz);"); -#endif -#ifndef HAVE_EREALLOC -puts("void *erealloc (void *, size_t);"); -#endif -#ifndef HAVE_ESTRDUP -puts("char *estrdup (const char *);"); -#endif -puts(""); -puts("/*"); -puts(" * kludges and such"); -puts(" */"); -puts(""); -#if 1 -puts("int roken_gethostby_setup(const char*, const char*);"); -puts("struct hostent* roken_gethostbyname(const char*);"); -puts("struct hostent* roken_gethostbyaddr(const void*, size_t, int);"); -#else -#ifdef GETHOSTBYNAME_PROTO_COMPATIBLE -puts("#define roken_gethostbyname(x) gethostbyname(x)"); -#else -puts("#define roken_gethostbyname(x) gethostbyname((char *)x)"); -#endif -puts(""); -#ifdef GETHOSTBYADDR_PROTO_COMPATIBLE -puts("#define 
roken_gethostbyaddr(a, l, t) gethostbyaddr(a, l, t)"); -#else -puts("#define roken_gethostbyaddr(a, l, t) gethostbyaddr((char *)a, l, t)"); -#endif -#endif -puts(""); -#ifdef GETSERVBYNAME_PROTO_COMPATIBLE -puts("#define roken_getservbyname(x,y) getservbyname(x,y)"); -#else -puts("#define roken_getservbyname(x,y) getservbyname((char *)x, (char *)y)"); -#endif -puts(""); -#ifdef OPENLOG_PROTO_COMPATIBLE -puts("#define roken_openlog(a,b,c) openlog(a,b,c)"); -#else -puts("#define roken_openlog(a,b,c) openlog((char *)a,b,c)"); -#endif -puts(""); -#ifdef GETSOCKNAME_PROTO_COMPATIBLE -puts("#define roken_getsockname(a,b,c) getsockname(a,b,c)"); -#else -puts("#define roken_getsockname(a,b,c) getsockname(a, b, (void*)c)"); -#endif -puts(""); -#ifndef HAVE_SETPROGNAME -puts("void setprogname(const char *argv0);"); -#endif -puts(""); -#ifndef HAVE_GETPROGNAME -puts("const char *getprogname(void);"); -#endif -puts(""); -puts("void mini_inetd_addrinfo (struct addrinfo*);"); -puts("void mini_inetd (int port);"); -puts(""); -puts("void set_progname(char *argv0);"); -puts("const char *get_progname(void);"); -puts(""); -#ifndef HAVE_LOCALTIME_R -puts("struct tm *"); -puts("localtime_r(const time_t *timer, struct tm *result);"); -#endif -puts(""); -#if !defined(HAVE_STRSVIS) || defined(NEED_STRSVIS_PROTO) -puts("int"); -puts("strsvis(char *dst, const char *src, int flag, const char *extra);"); -#endif -puts(""); -#if !defined(HAVE_STRUNVIS) || defined(NEED_STRUNVIS_PROTO) -puts("int"); -puts("strunvis(char *dst, const char *src);"); -#endif -puts(""); -#if !defined(HAVE_STRVIS) || defined(NEED_STRVIS_PROTO) -puts("int"); -puts("strvis(char *dst, const char *src, int flag);"); -#endif -puts(""); -#if !defined(HAVE_STRVISX) || defined(NEED_STRVISX_PROTO) -puts("int"); -puts("strvisx(char *dst, const char *src, size_t len, int flag);"); -#endif -puts(""); -#if !defined(HAVE_SVIS) || defined(NEED_SVIS_PROTO) -puts("char *"); -puts("svis(char *dst, int c, int flag, int nextc, const char 
*extra);"); -#endif -puts(""); -#if !defined(HAVE_UNVIS) || defined(NEED_UNVIS_PROTO) -puts("int"); -puts("unvis(char *cp, int c, int *astate, int flag);"); -#endif -puts(""); -#if !defined(HAVE_VIS) || defined(NEED_VIS_PROTO) -puts("char *"); -puts("vis(char *dst, int c, int flag, int nextc);"); -#endif -puts(""); -puts("ROKEN_CPP_END"); -puts("#define ROKEN_VERSION " VERSION ); -puts(""); -puts("#endif /* __ROKEN_H__ */"); -return 0; -} diff --git a/crypto/heimdal/lib/roken/mini_inetd.lo b/crypto/heimdal/lib/roken/mini_inetd.lo deleted file mode 100644 index f2f233fded14..000000000000 Binary files a/crypto/heimdal/lib/roken/mini_inetd.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/net_read.lo b/crypto/heimdal/lib/roken/net_read.lo deleted file mode 100644 index c89ace989f66..000000000000 Binary files a/crypto/heimdal/lib/roken/net_read.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/net_write.lo b/crypto/heimdal/lib/roken/net_write.lo deleted file mode 100644 index baba57ffc4b3..000000000000 Binary files a/crypto/heimdal/lib/roken/net_write.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/parse_bytes.lo b/crypto/heimdal/lib/roken/parse_bytes.lo deleted file mode 100644 index 3722d32c1c98..000000000000 Binary files a/crypto/heimdal/lib/roken/parse_bytes.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/parse_time.lo b/crypto/heimdal/lib/roken/parse_time.lo deleted file mode 100644 index aa0e5e0791c2..000000000000 Binary files a/crypto/heimdal/lib/roken/parse_time.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/parse_units.lo b/crypto/heimdal/lib/roken/parse_units.lo deleted file mode 100644 index e0108577341f..000000000000 Binary files a/crypto/heimdal/lib/roken/parse_units.lo and /dev/null differ 
diff --git a/crypto/heimdal/lib/roken/resolve.lo b/crypto/heimdal/lib/roken/resolve.lo
deleted file mode 100644
index 3a8b01a3fbb9..000000000000
Binary files a/crypto/heimdal/lib/roken/resolve.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/roken.def b/crypto/heimdal/lib/roken/roken.def
deleted file mode 100644
index f9b0369dd1dd..000000000000
--- a/crypto/heimdal/lib/roken/roken.def
+++ /dev/null
@@ -1,17 +0,0 @@
-LIBRARY roken BASE=0x68f0000
-EXPORTS
- gettimeofday
- strcasecmp
- strtok_r
- snprintf
- asprintf
- vsnprintf
- base64_decode
- base64_encode
- roken_concat
- roken_vconcat
- roken_vmconcat
- roken_mconcat
- getuid
- dns_free_data
- dns_lookup
diff --git a/crypto/heimdal/lib/roken/roken.dsp b/crypto/heimdal/lib/roken/roken.dsp
deleted file mode 100644
index d84854e3d30d..000000000000
--- a/crypto/heimdal/lib/roken/roken.dsp
+++ /dev/null
@@ -1,156 +0,0 @@ -# Microsoft Developer Studio Project File - Name="roken" - Package Owner=<4> -# Microsoft Developer Studio Generated Build File, Format Version 5.00 -# ** DO NOT EDIT ** - -# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 - -CFG=roken - Win32 Release -!MESSAGE This is not a valid makefile. To build this project using NMAKE, -!MESSAGE use the Export Makefile command and run -!MESSAGE -!MESSAGE NMAKE /f "roken.mak". -!MESSAGE -!MESSAGE You can specify a configuration when running NMAKE -!MESSAGE by defining the macro CFG on the command line. For example: -!MESSAGE -!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release" -!MESSAGE -!MESSAGE Possible choices for configuration are: -!MESSAGE -!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE - -# Begin Project -# PROP Scc_ProjName "" -# PROP Scc_LocalPath "" -CPP=cl.exe -MTL=midl.exe -RSC=rc.exe - -!IF "$(CFG)" == "roken - Win32 Release" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 0 -# PROP BASE Output_Dir ".\Release" -# PROP BASE Intermediate_Dir ".\Release" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 0 -# PROP Output_Dir ".\Release" -# PROP Intermediate_Dir ".\Release" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c -# ADD CPP /nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." 
/D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c -# ADD BASE MTL /nologo /D "NDEBUG" /win32 -# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386 -# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x68e7780" /subsystem:windows /dll /machine:I386 - -!ELSEIF "$(CFG)" == "roken - Win32 Debug" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 1 -# PROP BASE Output_Dir ".\Debug" -# PROP BASE Intermediate_Dir ".\Debug" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 1 -# PROP Output_Dir ".\Debug" -# PROP Intermediate_Dir ".\Debug" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c -# ADD CPP /nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." 
/D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c -# ADD BASE MTL /nologo /D "_DEBUG" /win32 -# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386 -# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /debug /machine:I386 /def:".\roken.def" -# SUBTRACT LINK32 /pdb:none - -!ENDIF - -# Begin Target - -# Name "roken - Win32 Release" -# Name "roken - Win32 Debug" -# Begin Group "Source Files" - -# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;hpj;bat;for;f90" -# Begin Source File - -SOURCE=.\base64.c -# End Source File -# Begin Source File - -SOURCE=.\concat.c -# End Source File -# Begin Source File - -SOURCE=.\gettimeofday.c -# End Source File -# Begin Source File - -SOURCE=.\getuid.c -# End Source File -# Begin Source File - -SOURCE=.\resolve.c -# End Source File -# Begin Source File - -SOURCE=.\roken.def - -!IF "$(CFG)" == "roken - Win32 Release" - -!ELSEIF "$(CFG)" == "roken - Win32 Debug" - -# PROP Exclude_From_Build 1 - -!ENDIF - -# End Source File -# Begin Source File - -SOURCE=.\snprintf.c -# End Source File -# Begin Source File - -SOURCE=.\strcasecmp.c -# End Source File -# Begin Source File - -SOURCE=.\strtok_r.c -# End Source File -# End Group -# Begin Group "Header Files" - -# PROP Default_Filter "h;hpp;hxx;hm;inl;fi;fd" -# Begin Source File - -SOURCE=.\resolve.h -# End Source File -# End Group -# Begin Group "Resource Files" - -# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;cnt;rtf;gif;jpg;jpeg;jpe" -# Begin Source File - -SOURCE=.\roken.rc -# End Source File -# End Group -# 
End Target -# End Project
diff --git a/crypto/heimdal/lib/roken/roken.h b/crypto/heimdal/lib/roken/roken.h
deleted file mode 100644
index 4be5be54f06b..000000000000
--- a/crypto/heimdal/lib/roken/roken.h
+++ /dev/null
@@ -1,244 +0,0 @@ -/* This is an OS dependent, generated file */ - - -#ifndef __ROKEN_H__ -#define __ROKEN_H__ - -/* -*- C -*- */ -/* - * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: roken.h.in,v 1.169 2002/08/26 21:43:38 assar Exp $ */ - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - - -#define ROKEN_LIB_FUNCTION - - -#include - -ROKEN_CPP_START - - - - - - - - - - -int asnprintf (char **ret, size_t max_sz, const char *format, ...) - __attribute__ ((format (printf, 3, 4))); - -int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap) - __attribute__((format (printf, 3, 0))); - - -char * strndup(const char *old, size_t sz); - -char * strlwr(char *); - -size_t strnlen(const char*, size_t); - - -ssize_t strsep_copy(const char**, const char*, char*, size_t); - - - - -char * strupr(char *); - - - - - - - - - - - -#include -struct passwd *k_getpwnam (const char *user); -struct passwd *k_getpwuid (uid_t uid); - -const char *get_default_username (void); - - - - - - - - - - - - - - - - - - -void pidfile (const char*); - -unsigned int bswap32(unsigned int); - -unsigned short bswap16(unsigned short); - - -time_t tm2time (struct tm tm, int local); - -int unix_verify_user(char *user, char *password); - -int roken_concat (char *s, size_t len, ...); - -size_t roken_mconcat (char **s, size_t max_len, ...); - -int roken_vconcat (char *s, size_t len, va_list args); - -size_t roken_vmconcat (char **s, size_t max_len, va_list args); - -ssize_t net_write (int fd, const void *buf, size_t nbytes); - -ssize_t net_read (int fd, void *buf, size_t nbytes); - -int issuid(void); - - -int get_window_size(int fd, struct winsize *); - - - -extern const char *__progname; - -extern char **environ; - - - - -struct hostent * -copyhostent (const struct hostent *h); - - - - - - - - -int -getnameinfo_verified(const struct sockaddr *sa, socklen_t salen, - char *host, size_t hostlen, - char *serv, size_t servlen, - int flags); 
- -int roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); -int roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **); - - - -void *emalloc (size_t); -void *ecalloc(size_t num, size_t sz); -void *erealloc (void *, size_t); -char *estrdup (const char *); - -/* - * kludges and such - */ - -int roken_gethostby_setup(const char*, const char*); -struct hostent* roken_gethostbyname(const char*); -struct hostent* roken_gethostbyaddr(const void*, size_t, int); - -#define roken_getservbyname(x,y) getservbyname(x,y) - -#define roken_openlog(a,b,c) openlog(a,b,c) - -#define roken_getsockname(a,b,c) getsockname(a,b,c) - - - -void mini_inetd_addrinfo (struct addrinfo*); -void mini_inetd (int port); - -void set_progname(char *argv0); -const char *get_progname(void); - - -int -strsvis(char *dst, const char *src, int flag, const char *extra); - - - - -char * -svis(char *dst, int c, int flag, int nextc, const char *extra); - - - -ROKEN_CPP_END -#define ROKEN_VERSION 0.4f - -#endif /* __ROKEN_H__ */ diff --git a/crypto/heimdal/lib/roken/roken.mak b/crypto/heimdal/lib/roken/roken.mak deleted file mode 100644 index da9a834e5551..000000000000 --- a/crypto/heimdal/lib/roken/roken.mak +++ /dev/null 
@@ -1,316 +0,0 @@ -# Microsoft Developer Studio Generated NMAKE File, Based on roken.dsp -!IF "$(CFG)" == "" -CFG=roken - Win32 Release -!MESSAGE No configuration specified. Defaulting to roken - Win32 Release. -!ENDIF - -!IF "$(CFG)" != "roken - Win32 Release" && "$(CFG)" != "roken - Win32 Debug" -!MESSAGE Invalid configuration "$(CFG)" specified. -!MESSAGE You can specify a configuration when running NMAKE -!MESSAGE by defining the macro CFG on the command line. For example: -!MESSAGE -!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release" -!MESSAGE -!MESSAGE Possible choices for configuration are: -!MESSAGE -!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE -!ERROR An invalid configuration is specified. -!ENDIF - -!IF "$(OS)" == "Windows_NT" -NULL= -!ELSE -NULL=nul -!ENDIF - -CPP=cl.exe -MTL=midl.exe -RSC=rc.exe - -!IF "$(CFG)" == "roken - Win32 Release" - -OUTDIR=.\Release -INTDIR=.\Release -# Begin Custom Macros -OutDir=.\.\Release -# End Custom Macros - -!IF "$(RECURSE)" == "0" - -ALL : "$(OUTDIR)\roken.dll" - -!ELSE - -ALL : "$(OUTDIR)\roken.dll" - -!ENDIF - -CLEAN : - -@erase "$(INTDIR)\base64.obj" - -@erase "$(INTDIR)\concat.obj" - -@erase "$(INTDIR)\gettimeofday.obj" - -@erase "$(INTDIR)\getuid.obj" - -@erase "$(INTDIR)\resolve.obj" - -@erase "$(INTDIR)\roken.res" - -@erase "$(INTDIR)\snprintf.obj" - -@erase "$(INTDIR)\strcasecmp.obj" - -@erase "$(INTDIR)\strtok_r.obj" - -@erase "$(INTDIR)\vc50.idb" - -@erase "$(OUTDIR)\roken.dll" - -@erase "$(OUTDIR)\roken.exp" - -@erase "$(OUTDIR)\roken.lib" - -"$(OUTDIR)" : - if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" - -CPP_PROJ=/nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I\ - "..\..\include\win32" /I "." /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D\ - "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\"\ - /FD /c -CPP_OBJS=.\Release/ -CPP_SBRS=. 
-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 -RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "NDEBUG" -BSC32=bscmake.exe -BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" -BSC32_SBRS= \ - -LINK32=link.exe -LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\ - advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\ - /base:"0x68e7780" /subsystem:windows /dll /incremental:no\ - /pdb:"$(OUTDIR)\roken.pdb" /machine:I386 /def:".\roken.def"\ - /out:"$(OUTDIR)\roken.dll" /implib:"$(OUTDIR)\roken.lib" -DEF_FILE= \ - ".\roken.def" -LINK32_OBJS= \ - "$(INTDIR)\base64.obj" \ - "$(INTDIR)\concat.obj" \ - "$(INTDIR)\gettimeofday.obj" \ - "$(INTDIR)\getuid.obj" \ - "$(INTDIR)\resolve.obj" \ - "$(INTDIR)\roken.res" \ - "$(INTDIR)\snprintf.obj" \ - "$(INTDIR)\strcasecmp.obj" \ - "$(INTDIR)\strtok_r.obj" - -"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) - $(LINK32) @<< - $(LINK32_FLAGS) $(LINK32_OBJS) -<< - -!ELSEIF "$(CFG)" == "roken - Win32 Debug" - -OUTDIR=.\Debug -INTDIR=.\Debug -# Begin Custom Macros -OutDir=.\.\Debug -# End Custom Macros - -!IF "$(RECURSE)" == "0" - -ALL : "$(OUTDIR)\roken.dll" - -!ELSE - -ALL : "$(OUTDIR)\roken.dll" - -!ENDIF - -CLEAN : - -@erase "$(INTDIR)\base64.obj" - -@erase "$(INTDIR)\concat.obj" - -@erase "$(INTDIR)\gettimeofday.obj" - -@erase "$(INTDIR)\getuid.obj" - -@erase "$(INTDIR)\resolve.obj" - -@erase "$(INTDIR)\roken.res" - -@erase "$(INTDIR)\snprintf.obj" - -@erase "$(INTDIR)\strcasecmp.obj" - -@erase "$(INTDIR)\strtok_r.obj" - -@erase "$(INTDIR)\vc50.idb" - -@erase "$(INTDIR)\vc50.pdb" - -@erase "$(OUTDIR)\roken.dll" - -@erase "$(OUTDIR)\roken.exp" - -@erase "$(OUTDIR)\roken.ilk" - -@erase "$(OUTDIR)\roken.lib" - -@erase "$(OUTDIR)\roken.pdb" - -"$(OUTDIR)" : - if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" - -CPP_PROJ=/nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I\ - "..\..\include" /I "..\..\include\win32" /I "." 
/D "_DEBUG" /D "WIN32" /D\ - "_WINDOWS" /D "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\"\ - /Fd"$(INTDIR)\\" /FD /c -CPP_OBJS=.\Debug/ -CPP_SBRS=. -MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 -RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "_DEBUG" -BSC32=bscmake.exe -BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" -BSC32_SBRS= \ - -LINK32=link.exe -LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\ - advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\ - /subsystem:windows /dll /incremental:yes /pdb:"$(OUTDIR)\roken.pdb" /debug\ - /machine:I386 /def:".\roken.def" /out:"$(OUTDIR)\roken.dll"\ - /implib:"$(OUTDIR)\roken.lib" -LINK32_OBJS= \ - "$(INTDIR)\base64.obj" \ - "$(INTDIR)\concat.obj" \ - "$(INTDIR)\gettimeofday.obj" \ - "$(INTDIR)\getuid.obj" \ - "$(INTDIR)\resolve.obj" \ - "$(INTDIR)\roken.res" \ - "$(INTDIR)\snprintf.obj" \ - "$(INTDIR)\strcasecmp.obj" \ - "$(INTDIR)\strtok_r.obj" - -"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) - $(LINK32) @<< - $(LINK32_FLAGS) $(LINK32_OBJS) -<< - -!ENDIF - -.c{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.c{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - - -!IF "$(CFG)" == "roken - Win32 Release" || "$(CFG)" == "roken - Win32 Debug" -SOURCE=.\base64.c -DEP_CPP_BASE6=\ - "..\..\include\win32\config.h"\ - ".\base64.h"\ - - -"$(INTDIR)\base64.obj" : $(SOURCE) $(DEP_CPP_BASE6) "$(INTDIR)" - - -SOURCE=.\concat.c -DEP_CPP_CONCA=\ - "..\..\include\win32\config.h"\ - "..\..\include\win32\roken.h"\ - ".\err.h"\ - ".\roken-common.h"\ - {$(INCLUDE)}"sys\stat.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\concat.obj" : $(SOURCE) $(DEP_CPP_CONCA) "$(INTDIR)" - - -SOURCE=.\gettimeofday.c -DEP_CPP_GETTI=\ - 
"..\..\include\win32\config.h"\ - "..\..\include\win32\roken.h"\ - ".\err.h"\ - ".\roken-common.h"\ - {$(INCLUDE)}"sys\stat.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\gettimeofday.obj" : $(SOURCE) $(DEP_CPP_GETTI) "$(INTDIR)" - - -SOURCE=.\getuid.c -DEP_CPP_GETUI=\ - "..\..\include\win32\config.h"\ - "..\..\include\win32\roken.h"\ - ".\err.h"\ - ".\roken-common.h"\ - {$(INCLUDE)}"sys\stat.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\getuid.obj" : $(SOURCE) $(DEP_CPP_GETUI) "$(INTDIR)" - - -SOURCE=.\resolve.c -DEP_CPP_RESOL=\ - "..\..\include\win32\config.h"\ - "..\..\include\win32\roken.h"\ - ".\err.h"\ - ".\resolve.h"\ - ".\roken-common.h"\ - {$(INCLUDE)}"sys\stat.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\resolve.obj" : $(SOURCE) $(DEP_CPP_RESOL) "$(INTDIR)" - - -SOURCE=.\snprintf.c -DEP_CPP_SNPRI=\ - "..\..\include\win32\config.h"\ - "..\..\include\win32\roken.h"\ - ".\err.h"\ - ".\roken-common.h"\ - {$(INCLUDE)}"sys\stat.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\snprintf.obj" : $(SOURCE) $(DEP_CPP_SNPRI) "$(INTDIR)" - - -SOURCE=.\strcasecmp.c -DEP_CPP_STRCA=\ - "..\..\include\win32\config.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\strcasecmp.obj" : $(SOURCE) $(DEP_CPP_STRCA) "$(INTDIR)" - - -SOURCE=.\strtok_r.c -DEP_CPP_STRTO=\ - "..\..\include\win32\config.h"\ - "..\..\include\win32\roken.h"\ - ".\err.h"\ - ".\roken-common.h"\ - {$(INCLUDE)}"sys\stat.h"\ - {$(INCLUDE)}"sys\types.h"\ - - -"$(INTDIR)\strtok_r.obj" : $(SOURCE) $(DEP_CPP_STRTO) "$(INTDIR)" - - -SOURCE=.\roken.rc - -"$(INTDIR)\roken.res" : $(SOURCE) "$(INTDIR)" - $(RSC) $(RSC_PROJ) $(SOURCE) - - - -!ENDIF - diff --git a/crypto/heimdal/lib/roken/roken.rc b/crypto/heimdal/lib/roken/roken.rc deleted file mode 100644 index e7e2f3e499ca..000000000000 --- a/crypto/heimdal/lib/roken/roken.rc +++ /dev/null 
@@ -1,105 +0,0 @@ -//Microsoft Developer Studio generated resource script. -// -#include "resource.h" - -#define APSTUDIO_READONLY_SYMBOLS -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 2 resource. -// -#include "afxres.h" - -///////////////////////////////////////////////////////////////////////////// -#undef APSTUDIO_READONLY_SYMBOLS - -///////////////////////////////////////////////////////////////////////////// -// Swedish resources - -#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_SVE) -#ifdef _WIN32 -LANGUAGE LANG_SWEDISH, SUBLANG_DEFAULT -#pragma code_page(1252) -#endif //_WIN32 - -#ifdef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// TEXTINCLUDE -// - -1 TEXTINCLUDE DISCARDABLE -BEGIN - "resource.h\0" -END - -2 TEXTINCLUDE DISCARDABLE -BEGIN - "#include ""afxres.h""\r\n" - "\0" -END - -3 TEXTINCLUDE DISCARDABLE -BEGIN - "\r\n" - "\0" -END - -#endif // APSTUDIO_INVOKED - - -#ifndef _MAC -///////////////////////////////////////////////////////////////////////////// -// -// Version -// - -VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,0,0,1 - PRODUCTVERSION 1,0,0,1 - FILEFLAGSMASK 0x3fL -#ifdef _DEBUG - FILEFLAGS 0x1L -#else - FILEFLAGS 0x0L -#endif - FILEOS 0x40004L - FILETYPE 0x2L - FILESUBTYPE 0x0L -BEGIN - BLOCK "StringFileInfo" - BEGIN - BLOCK "040904b0" - BEGIN - VALUE "CompanyName", "Royal Institute of Technology (KTH)\0" - VALUE "FileDescription", "roken\0" - VALUE "FileVersion", "4, 0, 9, 9\0" - VALUE "InternalName", "roken\0" - VALUE "LegalCopyright", "Copyright © 1996 - 1998 Royal Institute of Technology (KTH)\0" - VALUE "OriginalFilename", "roken.dll\0" - VALUE "ProductName", "KTH Kerberos\0" - VALUE "ProductVersion", "4,0,9,9\0" - END - END - BLOCK "VarFileInfo" - BEGIN - VALUE "Translation", 0x409, 1200 - END -END - -#endif // !_MAC - -#endif // Swedish resources 
-///////////////////////////////////////////////////////////////////////////// - - - -#ifndef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 3 resource. -// - - -///////////////////////////////////////////////////////////////////////////// -#endif // not APSTUDIO_INVOKED - diff --git a/crypto/heimdal/lib/roken/roken_gethostby.lo b/crypto/heimdal/lib/roken/roken_gethostby.lo deleted file mode 100644 index b5387c42a15a..000000000000 Binary files a/crypto/heimdal/lib/roken/roken_gethostby.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/rtbl.lo b/crypto/heimdal/lib/roken/rtbl.lo deleted file mode 100644 index f5659918b99d..000000000000 Binary files a/crypto/heimdal/lib/roken/rtbl.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/setprogname.lo b/crypto/heimdal/lib/roken/setprogname.lo deleted file mode 100644 index 7429f1f8bcef..000000000000 Binary files a/crypto/heimdal/lib/roken/setprogname.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/signal.lo b/crypto/heimdal/lib/roken/signal.lo deleted file mode 100644 index d5a1dd4d11e2..000000000000 Binary files a/crypto/heimdal/lib/roken/signal.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/simple_exec.lo b/crypto/heimdal/lib/roken/simple_exec.lo deleted file mode 100644 index 340cba674bf0..000000000000 Binary files a/crypto/heimdal/lib/roken/simple_exec.lo and /dev/null differ diff --git a/crypto/heimdal/lib/roken/snprintf-test b/crypto/heimdal/lib/roken/snprintf-test deleted file mode 100755 index 393a7119d199..000000000000 --- a/crypto/heimdal/lib/roken/snprintf-test +++ /dev/null 
@@ -1,121 +0,0 @@ -#! /bin/sh - -# snprintf-test - temporary wrapper script for .libs/snprintf-test -# Generated by ltmain.sh - GNU libtool 1.4.2 (1.922.2.53 2001/09/11 03:18:52) -# -# The snprintf-test program cannot be directly executed until all the libtool -# libraries that it depends on are installed. -# -# This wrapper script should never be moved out of the build directory. -# If it is, it will not operate correctly. - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='sed -e 1s/^X//' -sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g' - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -if test "${CDPATH+set}" = set; then CDPATH=:; export CDPATH; fi - -relink_command="cd /usr/home/nectar/devel/heimdal/lib/roken; { test -z \"\${LIBRARY_PATH+set}\" || unset LIBRARY_PATH || { LIBRARY_PATH=; export LIBRARY_PATH; }; }; { test -z \"\${COMPILER_PATH+set}\" || unset COMPILER_PATH || { COMPILER_PATH=; export COMPILER_PATH; }; }; { test -z \"\${GCC_EXEC_PREFIX+set}\" || unset GCC_EXEC_PREFIX || { GCC_EXEC_PREFIX=; export GCC_EXEC_PREFIX; }; }; { test -z \"\${LD_RUN_PATH+set}\" || unset LD_RUN_PATH || { LD_RUN_PATH=; export LD_RUN_PATH; }; }; { test -z \"\${LD_LIBRARY_PATH+set}\" || unset LD_LIBRARY_PATH || { LD_LIBRARY_PATH=; export LD_LIBRARY_PATH; }; }; PATH=\"/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:/usr/X11R6/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/games:/home/nectar/bin\"; export PATH; gcc -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -DINET6 -g -O2 -o \$progdir/\$file snprintf_test-snprintf-test.o ./.libs/libtest.al ./.libs/libroken.so -lcrypt -Wl,--rpath -Wl,/usr/home/nectar/devel/heimdal/lib/roken/.libs -Wl,--rpath -Wl,/usr/heimdal/lib" - -# This environment variable determines our operation mode. 
-if test "$libtool_install_magic" = "%%%MAGIC variable%%%"; then - # install mode needs the following variable: - notinst_deplibs=' libroken.la' -else - # When we are sourced in execute mode, $file and $echo are already set. - if test "$libtool_execute_magic" != "%%%MAGIC variable%%%"; then - echo="echo" - file="$0" - # Make sure echo works. - if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift - elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then - # Yippee, $echo works! - : - else - # Restart under the correct shell, and then maybe $echo will work. - exec /bin/sh "$0" --no-reexec ${1+"$@"} - fi - fi - - # Find the directory that this script lives in. - thisdir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - test "x$thisdir" = "x$file" && thisdir=. - - # Follow symbolic links until we get to the real thisdir. - file=`ls -ld "$file" | sed -n 's/.*-> //p'` - while test -n "$file"; do - destdir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - - # If there was a directory component, then change thisdir. - if test "x$destdir" != "x$file"; then - case "$destdir" in - [\\/]* | [A-Za-z]:[\\/]*) thisdir="$destdir" ;; - *) thisdir="$thisdir/$destdir" ;; - esac - fi - - file=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - file=`ls -ld "$thisdir/$file" | sed -n 's/.*-> //p'` - done - - # Try to get the absolute directory name. - absdir=`cd "$thisdir" && pwd` - test -n "$absdir" && thisdir="$absdir" - - program=lt-'snprintf-test' - progdir="$thisdir/.libs" - - if test ! -f "$progdir/$program" || \ - { file=`ls -1dt "$progdir/$program" "$progdir/../$program" 2>/dev/null | sed 1q`; \ - test "X$file" != "X$progdir/$program"; }; then - - file="$$-$program" - - if test ! 
-d "$progdir"; then - mkdir "$progdir" - else - rm -f "$progdir/$file" - fi - - # relink executable if necessary - if test -n "$relink_command"; then - if relink_command_output=`eval $relink_command 2>&1`; then : - else - echo "$relink_command_output" >&2 - rm -f "$progdir/$file" - exit 1 - fi - fi - - mv -f "$progdir/$file" "$progdir/$program" 2>/dev/null || - { rm -f "$progdir/$program"; - mv -f "$progdir/$file" "$progdir/$program"; } - rm -f "$progdir/$file" - fi - - if test -f "$progdir/$program"; then - if test "$libtool_execute_magic" != "%%%MAGIC variable%%%"; then - # Run the actual program with our arguments. - - # Export the path to the program. - PATH="$progdir:$PATH" - export PATH - - exec $program ${1+"$@"} - - $echo "$0: cannot exec $program ${1+"$@"}" - exit 1 - fi - else - # The program doesn't exist. - $echo "$0: error: $progdir/$program does not exist" 1>&2 - $echo "This script is just a wrapper for $program." 1>&2 - echo "See the libtool documentation for more information." 1>&2 - exit 1 - fi -fi
diff --git a/crypto/heimdal/lib/roken/snprintf.lo b/crypto/heimdal/lib/roken/snprintf.lo
deleted file mode 100644
index ecaa7e7eaf9a..000000000000
Binary files a/crypto/heimdal/lib/roken/snprintf.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/socket.lo b/crypto/heimdal/lib/roken/socket.lo
deleted file mode 100644
index 69d71e725871..000000000000
Binary files a/crypto/heimdal/lib/roken/socket.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/strcollect.lo b/crypto/heimdal/lib/roken/strcollect.lo
deleted file mode 100644
index befd266ab581..000000000000
Binary files a/crypto/heimdal/lib/roken/strcollect.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/strlwr.lo b/crypto/heimdal/lib/roken/strlwr.lo
deleted file mode 100644
index 3b3ab2d38603..000000000000
Binary files a/crypto/heimdal/lib/roken/strlwr.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/strndup.lo b/crypto/heimdal/lib/roken/strndup.lo
deleted file mode 100644
index 38d1424f07ba..000000000000
Binary files a/crypto/heimdal/lib/roken/strndup.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/strnlen.lo b/crypto/heimdal/lib/roken/strnlen.lo
deleted file mode 100644
index 2ebb7566a581..000000000000
Binary files a/crypto/heimdal/lib/roken/strnlen.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/strsep_copy.lo b/crypto/heimdal/lib/roken/strsep_copy.lo
deleted file mode 100644
index 8263576dee7e..000000000000
Binary files a/crypto/heimdal/lib/roken/strsep_copy.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/strupr.lo b/crypto/heimdal/lib/roken/strupr.lo
deleted file mode 100644
index e602c16f5d45..000000000000
Binary files a/crypto/heimdal/lib/roken/strupr.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/timeval.lo b/crypto/heimdal/lib/roken/timeval.lo
deleted file mode 100644
index a0d462480ff4..000000000000
Binary files a/crypto/heimdal/lib/roken/timeval.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/tm2time.lo b/crypto/heimdal/lib/roken/tm2time.lo
deleted file mode 100644
index c889ad21038a..000000000000
Binary files a/crypto/heimdal/lib/roken/tm2time.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/unvis.lo b/crypto/heimdal/lib/roken/unvis.lo
deleted file mode 100644
index 7202b351c426..000000000000
Binary files a/crypto/heimdal/lib/roken/unvis.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/verify.lo b/crypto/heimdal/lib/roken/verify.lo
deleted file mode 100644
index b250d56b1759..000000000000
Binary files a/crypto/heimdal/lib/roken/verify.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/vis.lo b/crypto/heimdal/lib/roken/vis.lo
deleted file mode 100644
index 03df67a92c84..000000000000
Binary files a/crypto/heimdal/lib/roken/vis.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/warnerr.lo b/crypto/heimdal/lib/roken/warnerr.lo
deleted file mode 100644
index 953d3637753f..000000000000
Binary files a/crypto/heimdal/lib/roken/warnerr.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/roken/write_pid.lo b/crypto/heimdal/lib/roken/write_pid.lo
deleted file mode 100644
index 0c1b65211271..000000000000
Binary files a/crypto/heimdal/lib/roken/write_pid.lo and /dev/null differ
diff --git a/crypto/heimdal/lib/sl/Makefile b/crypto/heimdal/lib/sl/Makefile
deleted file mode 100644
index 7b812a170e91..000000000000
--- a/crypto/heimdal/lib/sl/Makefile
+++ /dev/null
@@ -1,756 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/sl/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.29 2002/08/13 13:48:17 joda Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(ROKEN_RENAME) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -ES = strtok_r.c snprintf.c strdup.c strupr.c getprogname.c - -YFLAGS = -d - -include_HEADERS = sl.h - -lib_LTLIBRARIES = libsl.la libss.la -libsl_la_LDFLAGS = -version-info 1:2:1 -libss_la_LDFLAGS = -version-info 1:4:1 - -libsl_la_LIBADD = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) -libss_la_LIBADD = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) -lcom_err - -libsl_la_SOURCES = sl_locl.h sl.c $(ES) -libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h - - -# install these? -bin_PROGRAMS = mk_cmds - -mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l -mk_cmds_LDADD = libsl.la $(LDADD) - -ssincludedir = $(includedir)/ss -ssinclude_HEADERS = ss.h - -CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c strdup.c strupr.c getprogname.c - -LDADD = \ - $(LIB_roken) \ - $(LEXLIB) - -subdir = lib/sl -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(lib_LTLIBRARIES) - -libsl_la_DEPENDENCIES = -am__objects_1 = strtok_r.lo snprintf.lo strdup.lo \ - strupr.lo getprogname.lo -am_libsl_la_OBJECTS = sl.lo $(am__objects_1) -libsl_la_OBJECTS = $(am_libsl_la_OBJECTS) -libss_la_DEPENDENCIES = -am__objects_2 = sl.lo $(am__objects_1) -am_libss_la_OBJECTS = $(am__objects_2) ss.lo -libss_la_OBJECTS = $(am_libss_la_OBJECTS) -bin_PROGRAMS = mk_cmds$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) - -am_mk_cmds_OBJECTS = make_cmds.$(OBJEXT) parse.$(OBJEXT) lex.$(OBJEXT) -mk_cmds_OBJECTS = $(am_mk_cmds_OBJECTS) -mk_cmds_DEPENDENCIES = libsl.la -mk_cmds_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS) -LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS) -YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) -LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS) -DIST_SOURCES = $(libsl_la_SOURCES) $(libss_la_SOURCES) \ - $(mk_cmds_SOURCES) -HEADERS = $(include_HEADERS) $(ssinclude_HEADERS) - -DIST_COMMON = $(include_HEADERS) $(ssinclude_HEADERS) ChangeLog \ - Makefile.am Makefile.in lex.c parse.c parse.h -SOURCES = $(libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/sl/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -libLTLIBRARIES_INSTALL = $(INSTALL) -install-libLTLIBRARIES: $(lib_LTLIBRARIES) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libdir) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$f; \ - else :; fi; 
\ - done - -uninstall-libLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ - done - -clean-libLTLIBRARIES: - -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libsl.la: $(libsl_la_OBJECTS) $(libsl_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libsl_la_LDFLAGS) $(libsl_la_OBJECTS) $(libsl_la_LIBADD) $(LIBS) -libss.la: $(libss_la_OBJECTS) $(libss_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libss_la_LDFLAGS) $(libss_la_OBJECTS) $(libss_la_LIBADD) $(LIBS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -parse.h: parse.c - @if test ! 
-f $@; then \ - rm -f parse.c; \ - $(MAKE) parse.c; \ - else :; fi -mk_cmds$(EXEEXT): $(mk_cmds_OBJECTS) $(mk_cmds_DEPENDENCIES) - @rm -f mk_cmds$(EXEEXT) - $(LINK) $(mk_cmds_LDFLAGS) $(mk_cmds_OBJECTS) $(mk_cmds_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -.l.c: - $(LEXCOMPILE) `test -f $< || echo '$(srcdir)/'`$< - sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@ - rm -f $(LEX_OUTPUT_ROOT).c - -.y.c: - $(YACCCOMPILE) `test -f '$<' || echo '$(srcdir)/'`$< - sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@ - rm -f y.tab.c - if test -f y.tab.h; then \ - to=`echo "$*_H" | sed \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ - -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \ - sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \ - rm -f y.tab.h; \ - if cmp -s $*.ht $*.h; then \ - rm -f $*.ht ;\ - else \ - mv $*.ht $*.h; \ - fi; \ - fi - if test -f y.output; then \ - mv y.output $*.output; \ - fi - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -includeHEADERS_INSTALL = $(INSTALL_HEADER) -install-includeHEADERS: $(include_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(includedir) - @list='$(include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ - $(includeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(includedir)/$$f; \ - done - -uninstall-includeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ - rm -f $(DESTDIR)$(includedir)/$$f; \ - done 
-ssincludeHEADERS_INSTALL = $(INSTALL_HEADER) -install-ssincludeHEADERS: $(ssinclude_HEADERS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(ssincludedir) - @list='$(ssinclude_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(ssincludeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(ssincludedir)/$$f"; \ - $(ssincludeHEADERS_INSTALL) $$d$$p $(DESTDIR)$(ssincludedir)/$$f; \ - done - -uninstall-ssincludeHEADERS: - @$(NORMAL_UNINSTALL) - @list='$(ssinclude_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " rm -f $(DESTDIR)$(ssincludedir)/$$f"; \ - rm -f $(DESTDIR)$(ssincludedir)/$$f; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local -install-binPROGRAMS: install-libLTLIBRARIES - - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) $(DESTDIR)$(includedir) $(DESTDIR)$(ssincludedir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
- -test -z "parse.hparse.clex.c" || rm -f parse.h parse.c lex.c -clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-includeHEADERS \ - install-ssincludeHEADERS - -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES \ - uninstall-ssincludeHEADERS - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am info \ - info-am install install-am install-binPROGRAMS install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-includeHEADERS install-info install-info-am \ - install-libLTLIBRARIES install-man install-ssincludeHEADERS \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-ssincludeHEADERS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s 
$$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 
's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -$(mk_cmds_OBJECTS): parse.h parse.c - -strtok_r.c: - $(LN_S) $(srcdir)/../roken/strtok_r.c . -snprintf.c: - $(LN_S) $(srcdir)/../roken/snprintf.c . -strdup.c: - $(LN_S) $(srcdir)/../roken/strdup.c . -strupr.c: - $(LN_S) $(srcdir)/../roken/strupr.c . -getprogname.c: - $(LN_S) $(srcdir)/../roken/getprogname.c . -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/lib/vers/Makefile b/crypto/heimdal/lib/vers/Makefile deleted file mode 100644 index 16a4a28c5be5..000000000000 --- a/crypto/heimdal/lib/vers/Makefile +++ /dev/null 
@@ -1,600 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# lib/vers/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.5 2002/08/28 22:57:42 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = ../.. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = ../.. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -CLEANFILES = print_version.h - -noinst_LTLIBRARIES = libvers.la - -build_HEADERZ = vers.h - -noinst_PROGRAMS = make-print-version - -#make_print_version_LDADD = $(LIB_krb4) $(LIB_des) - -libvers_la_SOURCES = print_version.c -subdir = lib/vers -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -LTLIBRARIES = $(noinst_LTLIBRARIES) - -libvers_la_LDFLAGS = -libvers_la_LIBADD = -am_libvers_la_OBJECTS = print_version.lo -libvers_la_OBJECTS = $(am_libvers_la_OBJECTS) -noinst_PROGRAMS = make-print-version$(EXEEXT) -PROGRAMS = $(noinst_PROGRAMS) - -make_print_version_SOURCES = make-print-version.c -make_print_version_OBJECTS = make-print-version.$(OBJEXT) -make_print_version_DEPENDENCIES = -#make_print_version_DEPENDENCIES = -#make_print_version_DEPENDENCIES = -##make_print_version_DEPENDENCIES = -make_print_version_LDFLAGS = - -DEFS = -DHAVE_CONFIG_H -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = -LDFLAGS = -LIBS = -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = -DINET6 -g -O2 -DIST_SOURCES = $(libvers_la_SOURCES) make-print-version.c -DIST_COMMON = ChangeLog Makefile.am Makefile.in -SOURCES = $(libvers_la_SOURCES) make-print-version.c - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign lib/vers/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test -z "$dir" && dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libvers.la: $(libvers_la_OBJECTS) $(libvers_la_DEPENDENCIES) - $(LINK) $(libvers_la_LDFLAGS) $(libvers_la_OBJECTS) $(libvers_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -make-print-version$(EXEEXT): $(make_print_version_OBJECTS) $(make_print_version_DEPENDENCIES) - @rm -f make-print-version$(EXEEXT) - $(LINK) $(make_print_version_LDFLAGS) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS) - -mostlyclean-compile: - 
-rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = ../.. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) all-local - -installdirs: - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-noinstPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local - -install-exec-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-info-am - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-noinstPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-info install-info-am install-man install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool tags uninstall \ - uninstall-am uninstall-info-am - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> 
/dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - 
-dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -print_version.lo: print_version.h - -print_version.h: make-print-version$(EXEEXT) - ./make-print-version$(EXEEXT) print_version.h - -make-print-version.o: $(top_builddir)/include/version.h -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/libtool b/crypto/heimdal/libtool deleted file mode 100755 index cc649310e964..000000000000 --- a/crypto/heimdal/libtool +++ /dev/null 
@@ -1,5270 +0,0 @@ -#! /bin/sh - -# libtool - Provide generalized library-building support services. -# Generated automatically by (GNU heimdal 0.4f) -# NOTE: Changes made to this file will be lost: look at ltmain.sh. -# -# Copyright (C) 1996-2000 Free Software Foundation, Inc. -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# Sed that helps us avoid accidentally triggering echo(1) options like -n. -Xsed="sed -e s/^X//" - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi - -# ### BEGIN LIBTOOL CONFIG - -# Libtool was configured on host shade.nectar.cc: - -# Shell to use when invoking shell scripts. -SHELL="/bin/sh" - -# Whether or not to build shared libraries. -build_libtool_libs=yes - -# Whether or not to build static libraries. -build_old_libs=yes - -# Whether or not to add -lc for building shared libraries. 
-build_libtool_need_lc=yes - -# Whether or not to optimize for fast installation. -fast_install=yes - -# The host system. -host_alias= -host=i386-unknown-freebsd5.0 - -# An echo program that does not interpret backslashes. -echo="echo" - -# The archiver. -AR="ar" -AR_FLAGS="cru" - -# The default C compiler. -CC="gcc " - -# Is the compiler the GNU C compiler? -with_gcc=yes - -# The linker used to build libraries. -LD="/usr/libexec/elf/ld" - -# Whether we need hard or soft links. -LN_S="ln -s" - -# A BSD-compatible nm program. -NM="/usr/bin/nm -B" - -# A symbol stripping program -STRIP=strip - -# Used to examine libraries when file_magic_cmd begins "file" -MAGIC_CMD=file - -# Used on cygwin: DLL creation program. -DLLTOOL="dlltool" - -# Used on cygwin: object dumper. -OBJDUMP="objdump" - -# Used on cygwin: assembler. -AS="as" - -# The name of the directory that contains temporary libtool files. -objdir=.libs - -# How to create reloadable object files. -reload_flag=" -r" -reload_cmds="\$LD\$reload_flag -o \$output\$reload_objs" - -# How to pass a linker flag through the compiler. -wl="-Wl," - -# Object file suffix (normally "o"). -objext="o" - -# Old archive suffix (normally "a"). -libext="a" - -# Executable file suffix (normally ""). -exeext="" - -# Additional compiler flags for building library objects. -pic_flag=" -fPIC" -pic_mode=default - -# Does compiler simultaneously support -c and -o options? -compiler_c_o="yes" - -# Can we write directly to a .lo ? -compiler_o_lo="yes" - -# Must we lock files when doing compilation ? -need_locks="no" - -# Do we need the lib prefix for modules? -need_lib_prefix=no - -# Do we need a version for libraries? -need_version=no - -# Whether dlopen is supported. -dlopen_support=unknown - -# Whether dlopen of programs is supported. -dlopen_self=unknown - -# Whether dlopen of statically linked programs is supported. -dlopen_self_static=unknown - -# Compiler flag to prevent dynamic linking. 
-link_static_flag="-static" - -# Compiler flag to turn off builtin functions. -no_builtin_flag=" -fno-builtin -fno-rtti -fno-exceptions" - -# Compiler flag to allow reflexive dlopens. -export_dynamic_flag_spec="\${wl}--export-dynamic" - -# Compiler flag to generate shared objects directly from archives. -whole_archive_flag_spec="\${wl}--whole-archive\$convenience \${wl}--no-whole-archive" - -# Compiler flag to generate thread-safe objects. -thread_safe_flag_spec="" - -# Library versioning type. -version_type=freebsd-elf - -# Format of library name prefix. -libname_spec="lib\$name" - -# List of archive names. First name is the real one, the rest are links. -# The last name is the one that the linker finds with -lNAME. -library_names_spec="\${libname}\${release}.so\$versuffix \${libname}\${release}.so \$libname.so" - -# The coded name of the library, if different from the real name. -soname_spec="" - -# Commands used to build and install an old-style archive. -RANLIB="ranlib" -old_archive_cmds="\$AR \$AR_FLAGS \$oldlib\$oldobjs\$old_deplibs~\$RANLIB \$oldlib" -old_postinstall_cmds="\$RANLIB \$oldlib~chmod 644 \$oldlib" -old_postuninstall_cmds="" - -# Create an old-style archive from a shared archive. -old_archive_from_new_cmds="" - -# Create a temporary old-style archive to link instead of a shared archive. -old_archive_from_expsyms_cmds="" - -# Commands used to build and install a shared archive. -archive_cmds="\$CC -shared \$libobjs \$deplibs \$compiler_flags \${wl}-soname \$wl\$soname -o \$lib" -archive_expsym_cmds="\$CC -shared \$libobjs \$deplibs \$compiler_flags \${wl}-soname \$wl\$soname \${wl}-retain-symbols-file \$wl\$export_symbols -o \$lib" -postinstall_cmds="" -postuninstall_cmds="" - -# Commands to strip libraries. -old_striplib="strip --strip-debug" -striplib="strip --strip-unneeded" - -# Method to check whether dependent libraries are shared objects. -deplibs_check_method="pass_all" - -# Command to use when deplibs_check_method == file_magic. 
-file_magic_cmd="\$MAGIC_CMD" - -# Flag that allows shared libraries with undefined symbols to be built. -allow_undefined_flag="" - -# Flag that forces no undefined symbols. -no_undefined_flag="" - -# Commands used to finish a libtool library installation in a directory. -finish_cmds="" - -# Same as above, but a single script fragment to be evaled but not shown. -finish_eval="" - -# Take the output of nm and produce a listing of raw symbols and C names. -global_symbol_pipe="sed -n -e 's/^.*[ ]\\([ABCDGISTW][ABCDGISTW]*\\)[ ][ ]*\\(\\)\\([_A-Za-z][_A-Za-z0-9]*\\)\$/\\1 \\2\\3 \\3/p'" - -# Transform the output of nm in a proper C declaration -global_symbol_to_cdecl="sed -n -e 's/^. .* \\(.*\\)\$/extern char \\1;/p'" - -# Transform the output of nm in a C name address pair -global_symbol_to_c_name_address="sed -n -e 's/^: \\([^ ]*\\) \$/ {\\\"\\1\\\", (lt_ptr) 0},/p' -e 's/^[BCDEGRST] \\([^ ]*\\) \\([^ ]*\\)\$/ {\"\\2\", (lt_ptr) \\&\\2},/p'" - -# This is the shared library runtime path variable. -runpath_var=LD_RUN_PATH - -# This is the shared library path variable. -shlibpath_var=LD_LIBRARY_PATH - -# Is shlibpath searched before the hard-coded library search path? -shlibpath_overrides_runpath=no - -# How to hardcode a shared library path into an executable. -hardcode_action=immediate - -# Whether we should hardcode library paths into libraries. -hardcode_into_libs=yes - -# Flag to hardcode $libdir into a binary during linking. -# This must work even if $libdir does not exist. -hardcode_libdir_flag_spec="\${wl}--rpath \${wl}\$libdir" - -# Whether we need a single -rpath flag with a separated argument. -hardcode_libdir_separator="" - -# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the -# resulting binary. -hardcode_direct=no - -# Set to yes if using the -LDIR flag during linking hardcodes DIR into the -# resulting binary. -hardcode_minus_L=no - -# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into -# the resulting binary. 
-hardcode_shlibpath_var=unsupported - -# Variables whose values should be saved in libtool wrapper scripts and -# restored at relink time. -variables_saved_for_relink="PATH LD_LIBRARY_PATH LD_RUN_PATH GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" - -# Whether libtool must link a program against all its dependency libraries. -link_all_deplibs=unknown - -# Compile-time system search path for libraries -sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" - -# Run-time system search path for libraries -sys_lib_dlsearch_path_spec="/lib /usr/lib" - -# Fix the shell variable $srcfile for the compiler. -fix_srcfile_path="" - -# Set to yes if exported symbols are required. -always_export_symbols=no - -# The commands to list exported symbols. -export_symbols_cmds="\$NM \$libobjs \$convenience | \$global_symbol_pipe | sed 's/.* //' | sort | uniq > \$export_symbols" - -# The commands to extract the exported symbol list from a shared archive. -extract_expsyms_cmds="" - -# Symbols that should not be listed in the preloaded symbols. -exclude_expsyms="_GLOBAL_OFFSET_TABLE_" - -# Symbols that must always be exported. -include_expsyms="" - -# ### END LIBTOOL CONFIG - -# ltmain.sh - Provide generalized library-building support services. -# NOTE: Changing this file will not affect anything until you rerun configure. -# -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. -# Originally by Gordon Matzigkeit , 1996 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. 
-# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# Check that we have a working $echo. -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then - # Yippee, $echo works! - : -else - # Restart under the correct shell, and then maybe $echo will work. - exec $SHELL "$0" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat <&2 - echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2 - exit 1 -fi - -# Global variables. -mode=$default_mode -nonopt= -prev= -prevopt= -run= -show="$echo" -show_help= -execute_dlfiles= -lo2o="s/\\.lo\$/.${objext}/" -o2lo="s/\\.${objext}\$/.lo/" - -# Parse our command line options once, thoroughly. -while test $# -gt 0 -do - arg="$1" - shift - - case $arg in - -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;; - *) optarg= ;; - esac - - # If the previous option needs an argument, assign it. - if test -n "$prev"; then - case $prev in - execute_dlfiles) - execute_dlfiles="$execute_dlfiles $arg" - ;; - *) - eval "$prev=\$arg" - ;; - esac - - prev= - prevopt= - continue - fi - - # Have we seen a non-optional argument yet? 
- case $arg in - --help) - show_help=yes - ;; - - --version) - echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP" - exit 0 - ;; - - --config) - sed -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0 - exit 0 - ;; - - --debug) - echo "$progname: enabling shell trace mode" - set -x - ;; - - --dry-run | -n) - run=: - ;; - - --features) - echo "host: $host" - if test "$build_libtool_libs" = yes; then - echo "enable shared libraries" - else - echo "disable shared libraries" - fi - if test "$build_old_libs" = yes; then - echo "enable static libraries" - else - echo "disable static libraries" - fi - exit 0 - ;; - - --finish) mode="finish" ;; - - --mode) prevopt="--mode" prev=mode ;; - --mode=*) mode="$optarg" ;; - - --quiet | --silent) - show=: - ;; - - -dlopen) - prevopt="-dlopen" - prev=execute_dlfiles - ;; - - -*) - $echo "$modename: unrecognized option \`$arg'" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - - *) - nonopt="$arg" - break - ;; - esac -done - -if test -n "$prevopt"; then - $echo "$modename: option \`$prevopt' requires an argument" 1>&2 - $echo "$help" 1>&2 - exit 1 -fi - -# If this variable is set in any of the actions, the command in it -# will be execed at the end. This prevents here-documents from being -# left over by shells. -exec_cmd= - -if test -z "$show_help"; then - - # Infer the operation mode. - if test -z "$mode"; then - case $nonopt in - *cc | *++ | gcc* | *-gcc*) - mode=link - for arg - do - case $arg in - -c) - mode=compile - break - ;; - esac - done - ;; - *db | *dbx | *strace | *truss) - mode=execute - ;; - *install*|cp|mv) - mode=install - ;; - *rm) - mode=uninstall - ;; - *) - # If we have no mode, but dlfiles were specified, then do execute mode. - test -n "$execute_dlfiles" && mode=execute - - # Just use the default operation mode. 
- if test -z "$mode"; then - if test -n "$nonopt"; then - $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2 - else - $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2 - fi - fi - ;; - esac - fi - - # Only execute mode is allowed to have -dlopen flags. - if test -n "$execute_dlfiles" && test "$mode" != execute; then - $echo "$modename: unrecognized option \`-dlopen'" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - # Change the help message to a mode-specific one. - generic_help="$help" - help="Try \`$modename --help --mode=$mode' for more information." - - # These modes are in order of execution frequency so that they run quickly. - case $mode in - # libtool compile mode - compile) - modename="$modename: compile" - # Get the compilation command and the source file. - base_compile= - prev= - lastarg= - srcfile="$nonopt" - suppress_output= - - user_target=no - for arg - do - case $prev in - "") ;; - xcompiler) - # Aesthetically quote the previous argument. - prev= - lastarg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - - case $arg in - # Double-quote args containing other shell metacharacters. - # Many Bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - - # Add the previous argument to base_compile. - if test -z "$base_compile"; then - base_compile="$lastarg" - else - base_compile="$base_compile $lastarg" - fi - continue - ;; - esac - - # Accept any command-line options. 
- case $arg in - -o) - if test "$user_target" != "no"; then - $echo "$modename: you cannot specify \`-o' more than once" 1>&2 - exit 1 - fi - user_target=next - ;; - - -static) - build_old_libs=yes - continue - ;; - - -prefer-pic) - pic_mode=yes - continue - ;; - - -prefer-non-pic) - pic_mode=no - continue - ;; - - -Xcompiler) - prev=xcompiler - continue - ;; - - -Wc,*) - args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"` - lastarg= - save_ifs="$IFS"; IFS=',' - for arg in $args; do - IFS="$save_ifs" - - # Double-quote args containing other shell metacharacters. - # Many Bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - lastarg="$lastarg $arg" - done - IFS="$save_ifs" - lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"` - - # Add the arguments to base_compile. - if test -z "$base_compile"; then - base_compile="$lastarg" - else - base_compile="$base_compile $lastarg" - fi - continue - ;; - esac - - case $user_target in - next) - # The next one is the -o target name - user_target=yes - continue - ;; - yes) - # We got the output file - user_target=set - libobj="$arg" - continue - ;; - esac - - # Accept the current argument as the source file. - lastarg="$srcfile" - srcfile="$arg" - - # Aesthetically quote the previous argument. - - # Backslashify any backslashes, double quotes, and dollar signs. - # These are the only characters that are still specially - # interpreted inside of double-quoted scrings. - lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"` - - # Double-quote args containing other shell metacharacters. - # Many Bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. - case $lastarg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - lastarg="\"$lastarg\"" - ;; - esac - - # Add the previous argument to base_compile. 
- if test -z "$base_compile"; then - base_compile="$lastarg" - else - base_compile="$base_compile $lastarg" - fi - done - - case $user_target in - set) - ;; - no) - # Get the name of the library object. - libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'` - ;; - *) - $echo "$modename: you must specify a target with \`-o'" 1>&2 - exit 1 - ;; - esac - - # Recognize several different file suffixes. - # If the user specifies -o file.o, it is replaced with file.lo - xform='[cCFSfmso]' - case $libobj in - *.ada) xform=ada ;; - *.adb) xform=adb ;; - *.ads) xform=ads ;; - *.asm) xform=asm ;; - *.c++) xform=c++ ;; - *.cc) xform=cc ;; - *.cpp) xform=cpp ;; - *.cxx) xform=cxx ;; - *.f90) xform=f90 ;; - *.for) xform=for ;; - esac - - libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"` - - case $libobj in - *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;; - *) - $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2 - exit 1 - ;; - esac - - if test -z "$base_compile"; then - $echo "$modename: you must specify a compilation command" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - # Delete any leftover library objects. 
- if test "$build_old_libs" = yes; then - removelist="$obj $libobj" - else - removelist="$libobj" - fi - - $run $rm $removelist - trap "$run $rm $removelist; exit 1" 1 2 15 - - # On Cygwin there's no "real" PIC flag so we must build both object types - case $host_os in - cygwin* | mingw* | pw32* | os2*) - pic_mode=default - ;; - esac - if test $pic_mode = no && test "$deplibs_check_method" != pass_all; then - # non-PIC code in shared libraries is not supported - pic_mode=default - fi - - # Calculate the filename of the output object if compiler does - # not support -o with -c - if test "$compiler_c_o" = no; then - output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext} - lockfile="$output_obj.lock" - removelist="$removelist $output_obj $lockfile" - trap "$run $rm $removelist; exit 1" 1 2 15 - else - need_locks=no - lockfile= - fi - - # Lock this critical section if it is needed - # We use this script file to make the link, it avoids creating a new file - if test "$need_locks" = yes; then - until $run ln "$0" "$lockfile" 2>/dev/null; do - $show "Waiting for $lockfile to be removed" - sleep 2 - done - elif test "$need_locks" = warn; then - if test -f "$lockfile"; then - echo "\ -*** ERROR, $lockfile exists and contains: -`cat $lockfile 2>/dev/null` - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." - - $run $rm $removelist - exit 1 - fi - echo $srcfile > "$lockfile" - fi - - if test -n "$fix_srcfile_path"; then - eval srcfile=\"$fix_srcfile_path\" - fi - - # Only build a PIC object if we are building libtool libraries. - if test "$build_libtool_libs" = yes; then - # Without this assignment, base_compile gets emptied. 
- fbsd_hideous_sh_bug=$base_compile - - if test "$pic_mode" != no; then - # All platforms use -DPIC, to notify preprocessed assembler code. - command="$base_compile $srcfile $pic_flag -DPIC" - else - # Don't build PIC code - command="$base_compile $srcfile" - fi - if test "$build_old_libs" = yes; then - lo_libobj="$libobj" - dir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$dir" = "X$libobj"; then - dir="$objdir" - else - dir="$dir/$objdir" - fi - libobj="$dir/"`$echo "X$libobj" | $Xsed -e 's%^.*/%%'` - - if test -d "$dir"; then - $show "$rm $libobj" - $run $rm $libobj - else - $show "$mkdir $dir" - $run $mkdir $dir - status=$? - if test $status -ne 0 && test ! -d $dir; then - exit $status - fi - fi - fi - if test "$compiler_o_lo" = yes; then - output_obj="$libobj" - command="$command -o $output_obj" - elif test "$compiler_c_o" = yes; then - output_obj="$obj" - command="$command -o $output_obj" - fi - - $run $rm "$output_obj" - $show "$command" - if $run eval "$command"; then : - else - test -n "$output_obj" && $run $rm $removelist - exit 1 - fi - - if test "$need_locks" = warn && - test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then - echo "\ -*** ERROR, $lockfile contains: -`cat $lockfile 2>/dev/null` - -but it should contain: -$srcfile - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." - - $run $rm $removelist - exit 1 - fi - - # Just move the object if needed, then go on to compile the next one - if test x"$output_obj" != x"$libobj"; then - $show "$mv $output_obj $libobj" - if $run $mv $output_obj $libobj; then : - else - error=$? - $run $rm $removelist - exit $error - fi - fi - - # If we have no pic_flag, then copy the object into place and finish. 
- if (test -z "$pic_flag" || test "$pic_mode" != default) && - test "$build_old_libs" = yes; then - # Rename the .lo from within objdir to obj - if test -f $obj; then - $show $rm $obj - $run $rm $obj - fi - - $show "$mv $libobj $obj" - if $run $mv $libobj $obj; then : - else - error=$? - $run $rm $removelist - exit $error - fi - - xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$obj"; then - xdir="." - else - xdir="$xdir" - fi - baseobj=`$echo "X$obj" | $Xsed -e "s%.*/%%"` - libobj=`$echo "X$baseobj" | $Xsed -e "$o2lo"` - # Now arrange that obj and lo_libobj become the same file - $show "(cd $xdir && $LN_S $baseobj $libobj)" - if $run eval '(cd $xdir && $LN_S $baseobj $libobj)'; then - # Unlock the critical section if it was locked - if test "$need_locks" != no; then - $run $rm "$lockfile" - fi - exit 0 - else - error=$? - $run $rm $removelist - exit $error - fi - fi - - # Allow error messages only from the first compilation. - suppress_output=' >/dev/null 2>&1' - fi - - # Only build a position-dependent object if we build old libraries. - if test "$build_old_libs" = yes; then - if test "$pic_mode" != yes; then - # Don't build PIC code - command="$base_compile $srcfile" - else - # All platforms use -DPIC, to notify preprocessed assembler code. - command="$base_compile $srcfile $pic_flag -DPIC" - fi - if test "$compiler_c_o" = yes; then - command="$command -o $obj" - output_obj="$obj" - fi - - # Suppress compiler output if we already did a PIC compilation. 
- command="$command$suppress_output" - $run $rm "$output_obj" - $show "$command" - if $run eval "$command"; then : - else - $run $rm $removelist - exit 1 - fi - - if test "$need_locks" = warn && - test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then - echo "\ -*** ERROR, $lockfile contains: -`cat $lockfile 2>/dev/null` - -but it should contain: -$srcfile - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." - - $run $rm $removelist - exit 1 - fi - - # Just move the object if needed - if test x"$output_obj" != x"$obj"; then - $show "$mv $output_obj $obj" - if $run $mv $output_obj $obj; then : - else - error=$? - $run $rm $removelist - exit $error - fi - fi - - # Create an invalid libtool object if no PIC, so that we do not - # accidentally link it into a program. - if test "$build_libtool_libs" != yes; then - $show "echo timestamp > $libobj" - $run eval "echo timestamp > \$libobj" || exit $? - else - # Move the .lo from within objdir - $show "$mv $libobj $lo_libobj" - if $run $mv $libobj $lo_libobj; then : - else - error=$? - $run $rm $removelist - exit $error - fi - fi - fi - - # Unlock the critical section if it was locked - if test "$need_locks" != no; then - $run $rm "$lockfile" - fi - - exit 0 - ;; - - # libtool link mode - link | relink) - modename="$modename: link" - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - # It is impossible to link a dll without this setting, and - # we shouldn't force the makefile maintainer to figure out - # which system we are compiling for in order to pass an extra - # flag for every libtool invokation. 
- # allow_undefined=no - - # FIXME: Unfortunately, there are problems with the above when trying - # to make a dll which has undefined symbols, in which case not - # even a static library is built. For now, we need to specify - # -no-undefined on the libtool link line when we can be certain - # that all symbols are satisfied, otherwise we get a static library. - allow_undefined=yes - ;; - *) - allow_undefined=yes - ;; - esac - libtool_args="$nonopt" - compile_command="$nonopt" - finalize_command="$nonopt" - - compile_rpath= - finalize_rpath= - compile_shlibpath= - finalize_shlibpath= - convenience= - old_convenience= - deplibs= - old_deplibs= - compiler_flags= - linker_flags= - dllsearchpath= - lib_search_path=`pwd` - - avoid_version=no - dlfiles= - dlprefiles= - dlself=no - export_dynamic=no - export_symbols= - export_symbols_regex= - generated= - libobjs= - ltlibs= - module=no - no_install=no - objs= - prefer_static_libs=no - preload=no - prev= - prevarg= - release= - rpath= - xrpath= - perm_rpath= - temp_rpath= - thread_safe=no - vinfo= - - # We need to know -static, to get the right output filenames. - for arg - do - case $arg in - -all-static | -static) - if test "X$arg" = "X-all-static"; then - if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then - $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2 - fi - if test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - else - if test -z "$pic_flag" && test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - fi - build_libtool_libs=no - build_old_libs=yes - prefer_static_libs=yes - break - ;; - esac - done - - # See if our shared archives depend on static archives. - test -n "$old_archive_from_new_cmds" && build_old_libs=yes - - # Go through the arguments, transforming them on the way. 
- while test $# -gt 0; do - arg="$1" - shift - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test - ;; - *) qarg=$arg ;; - esac - libtool_args="$libtool_args $qarg" - - # If the previous option needs an argument, assign it. - if test -n "$prev"; then - case $prev in - output) - compile_command="$compile_command @OUTPUT@" - finalize_command="$finalize_command @OUTPUT@" - ;; - esac - - case $prev in - dlfiles|dlprefiles) - if test "$preload" = no; then - # Add the symbol object into the linking commands. - compile_command="$compile_command @SYMFILE@" - finalize_command="$finalize_command @SYMFILE@" - preload=yes - fi - case $arg in - *.la | *.lo) ;; # We handle these cases below. - force) - if test "$dlself" = no; then - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - self) - if test "$prev" = dlprefiles; then - dlself=yes - elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then - dlself=yes - else - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - *) - if test "$prev" = dlfiles; then - dlfiles="$dlfiles $arg" - else - dlprefiles="$dlprefiles $arg" - fi - prev= - continue - ;; - esac - ;; - expsyms) - export_symbols="$arg" - if test ! -f "$arg"; then - $echo "$modename: symbol file \`$arg' does not exist" - exit 1 - fi - prev= - continue - ;; - expsyms_regex) - export_symbols_regex="$arg" - prev= - continue - ;; - release) - release="-$arg" - prev= - continue - ;; - rpath | xrpath) - # We need an absolute path. 
- case $arg in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - $echo "$modename: only absolute run-paths are allowed" 1>&2 - exit 1 - ;; - esac - if test "$prev" = rpath; then - case "$rpath " in - *" $arg "*) ;; - *) rpath="$rpath $arg" ;; - esac - else - case "$xrpath " in - *" $arg "*) ;; - *) xrpath="$xrpath $arg" ;; - esac - fi - prev= - continue - ;; - xcompiler) - compiler_flags="$compiler_flags $qarg" - prev= - compile_command="$compile_command $qarg" - finalize_command="$finalize_command $qarg" - continue - ;; - xlinker) - linker_flags="$linker_flags $qarg" - compiler_flags="$compiler_flags $wl$qarg" - prev= - compile_command="$compile_command $wl$qarg" - finalize_command="$finalize_command $wl$qarg" - continue - ;; - *) - eval "$prev=\"\$arg\"" - prev= - continue - ;; - esac - fi # test -n $prev - - prevarg="$arg" - - case $arg in - -all-static) - if test -n "$link_static_flag"; then - compile_command="$compile_command $link_static_flag" - finalize_command="$finalize_command $link_static_flag" - fi - continue - ;; - - -allow-undefined) - # FIXME: remove this flag sometime in the future. 
- $echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2 - continue - ;; - - -avoid-version) - avoid_version=yes - continue - ;; - - -dlopen) - prev=dlfiles - continue - ;; - - -dlpreopen) - prev=dlprefiles - continue - ;; - - -export-dynamic) - export_dynamic=yes - continue - ;; - - -export-symbols | -export-symbols-regex) - if test -n "$export_symbols" || test -n "$export_symbols_regex"; then - $echo "$modename: more than one -exported-symbols argument is not allowed" - exit 1 - fi - if test "X$arg" = "X-export-symbols"; then - prev=expsyms - else - prev=expsyms_regex - fi - continue - ;; - - # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:* - # so, if we see these flags be careful not to treat them like -L - -L[A-Z][A-Z]*:*) - case $with_gcc/$host in - no/*-*-irix*) - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - ;; - esac - continue - ;; - - -L*) - dir=`$echo "X$arg" | $Xsed -e 's/^-L//'` - # We need an absolute path. - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then - $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2 - exit 1 - fi - dir="$absdir" - ;; - esac - case "$deplibs " in - *" -L$dir "*) ;; - *) - deplibs="$deplibs -L$dir" - lib_search_path="$lib_search_path $dir" - ;; - esac - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - case :$dllsearchpath: in - *":$dir:"*) ;; - *) dllsearchpath="$dllsearchpath:$dir";; - esac - ;; - esac - continue - ;; - - -l*) - if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then - case $host in - *-*-cygwin* | *-*-pw32* | *-*-beos*) - # These systems don't actually have a C or math library (as such) - continue - ;; - *-*-mingw* | *-*-os2*) - # These systems don't actually have a C library (as such) - test "X$arg" = "X-lc" && continue - ;; - *-*-openbsd*) - # Do not include libc due to us having libc/libc_r. 
- test "X$arg" = "X-lc" && continue - ;; - esac - elif test "X$arg" = "X-lc_r"; then - case $host in - *-*-openbsd*) - # Do not include libc_r directly, use -pthread flag. - continue - ;; - esac - fi - deplibs="$deplibs $arg" - continue - ;; - - -module) - module=yes - continue - ;; - - -no-fast-install) - fast_install=no - continue - ;; - - -no-install) - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - # The PATH hackery in wrapper scripts is required on Windows - # in order for the loader to find any dlls it needs. - $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2 - $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2 - fast_install=no - ;; - *) no_install=yes ;; - esac - continue - ;; - - -no-undefined) - allow_undefined=no - continue - ;; - - -o) prev=output ;; - - -release) - prev=release - continue - ;; - - -rpath) - prev=rpath - continue - ;; - - -R) - prev=xrpath - continue - ;; - - -R*) - dir=`$echo "X$arg" | $Xsed -e 's/^-R//'` - # We need an absolute path. - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - $echo "$modename: only absolute run-paths are allowed" 1>&2 - exit 1 - ;; - esac - case "$xrpath " in - *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; - esac - continue - ;; - - -static) - # The effects of -static are defined in a previous loop. - # We used to do the same as -all-static on platforms that - # didn't have a PIC flag, but the assumption that the effects - # would be equivalent was wrong. It would break on at least - # Digital Unix and AIX. 
- continue - ;; - - -thread-safe) - thread_safe=yes - continue - ;; - - -version-info) - prev=vinfo - continue - ;; - - -Wc,*) - args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'` - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - case $flag in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - flag="\"$flag\"" - ;; - esac - arg="$arg $wl$flag" - compiler_flags="$compiler_flags $flag" - done - IFS="$save_ifs" - arg=`$echo "X$arg" | $Xsed -e "s/^ //"` - ;; - - -Wl,*) - args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'` - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - case $flag in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - flag="\"$flag\"" - ;; - esac - arg="$arg $wl$flag" - compiler_flags="$compiler_flags $wl$flag" - linker_flags="$linker_flags $flag" - done - IFS="$save_ifs" - arg=`$echo "X$arg" | $Xsed -e "s/^ //"` - ;; - - -Xcompiler) - prev=xcompiler - continue - ;; - - -Xlinker) - prev=xlinker - continue - ;; - - # Some other compiler flag. - -* | +*) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - ;; - - *.lo | *.$objext) - # A library or standard object. - if test "$prev" = dlfiles; then - # This file was specified with -dlopen. - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $arg" - prev= - continue - else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles - fi - fi - - if test "$prev" = dlprefiles; then - # Preload the old-style object. - dlprefiles="$dlprefiles "`$echo "X$arg" | $Xsed -e "$lo2o"` - prev= - else - case $arg in - *.lo) libobjs="$libobjs $arg" ;; - *) objs="$objs $arg" ;; - esac - fi - ;; - - *.$libext) - # An archive. 
- deplibs="$deplibs $arg" - old_deplibs="$old_deplibs $arg" - continue - ;; - - *.la) - # A libtool-controlled library. - - if test "$prev" = dlfiles; then - # This library was specified with -dlopen. - dlfiles="$dlfiles $arg" - prev= - elif test "$prev" = dlprefiles; then - # The library was specified with -dlpreopen. - dlprefiles="$dlprefiles $arg" - prev= - else - deplibs="$deplibs $arg" - fi - continue - ;; - - # Some other compiler argument. - *) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - arg="\"$arg\"" - ;; - esac - ;; - esac # arg - - # Now actually substitute the argument into the commands. - if test -n "$arg"; then - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - fi - done # argument parsing loop - - if test -n "$prev"; then - $echo "$modename: the \`$prevarg' option requires an argument" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then - eval arg=\"$export_dynamic_flag_spec\" - compile_command="$compile_command $arg" - finalize_command="$finalize_command $arg" - fi - - # calculate the name of the file, without its directory - outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'` - libobjs_save="$libobjs" - - if test -n "$shlibpath_var"; then - # get the directories listed in $shlibpath_var - eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\` - else - shlib_search_path= - fi - eval sys_lib_search_path=\"$sys_lib_search_path_spec\" - eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" - - output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'` - if test "X$output_objdir" = "X$output"; then - output_objdir="$objdir" - else - output_objdir="$output_objdir/$objdir" - fi - # Create the object directory. 
- if test ! -d $output_objdir; then - $show "$mkdir $output_objdir" - $run $mkdir $output_objdir - status=$? - if test $status -ne 0 && test ! -d $output_objdir; then - exit $status - fi - fi - - # Determine the type of output - case $output in - "") - $echo "$modename: you must specify an output file" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - *.$libext) linkmode=oldlib ;; - *.lo | *.$objext) linkmode=obj ;; - *.la) linkmode=lib ;; - *) linkmode=prog ;; # Anything else should be a program. - esac - - specialdeplibs= - libs= - # Find all interdependent deplibs by searching for libraries - # that are linked more than once (e.g. -la -lb -la) - for deplib in $deplibs; do - case "$libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - libs="$libs $deplib" - done - deplibs= - newdependency_libs= - newlib_search_path= - need_relink=no # whether we're linking any uninstalled libtool libraries - notinst_deplibs= # not-installed libtool libraries - notinst_path= # paths that contain not-installed libtool libraries - case $linkmode in - lib) - passes="conv link" - for file in $dlfiles $dlprefiles; do - case $file in - *.la) ;; - *) - $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2 - exit 1 - ;; - esac - done - ;; - prog) - compile_deplibs= - finalize_deplibs= - alldeplibs=no - newdlfiles= - newdlprefiles= - passes="conv scan dlopen dlpreopen link" - ;; - *) passes="conv" - ;; - esac - for pass in $passes; do - if test $linkmode = prog; then - # Determine which files to process - case $pass in - dlopen) - libs="$dlfiles" - save_deplibs="$deplibs" # Collect dlpreopened libraries - deplibs= - ;; - dlpreopen) libs="$dlprefiles" ;; - link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; - esac - fi - for deplib in $libs; do - lib= - found=no - case $deplib in - -l*) - if test $linkmode = oldlib && test $linkmode = obj; then - $echo "$modename: warning: \`-l' is ignored for archives/objects: $deplib" 1>&2 - continue - fi - if 
test $pass = conv; then - deplibs="$deplib $deplibs" - continue - fi - name=`$echo "X$deplib" | $Xsed -e 's/^-l//'` - for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do - # Search the libtool library - lib="$searchdir/lib${name}.la" - if test -f "$lib"; then - found=yes - break - fi - done - if test "$found" != yes; then - # deplib doesn't seem to be a libtool library - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - test $linkmode = lib && newdependency_libs="$deplib $newdependency_libs" - fi - continue - fi - ;; # -l - -L*) - case $linkmode in - lib) - deplibs="$deplib $deplibs" - test $pass = conv && continue - newdependency_libs="$deplib $newdependency_libs" - newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'` - ;; - prog) - if test $pass = conv; then - deplibs="$deplib $deplibs" - continue - fi - if test $pass = scan; then - deplibs="$deplib $deplibs" - newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'` - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - ;; - *) - $echo "$modename: warning: \`-L' is ignored for archives/objects: $deplib" 1>&2 - ;; - esac # linkmode - continue - ;; # -L - -R*) - if test $pass = link; then - dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'` - # Make sure the xrpath contains only unique directories. - case "$xrpath " in - *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; - esac - fi - deplibs="$deplib $deplibs" - continue - ;; - *.la) lib="$deplib" ;; - *.$libext) - if test $pass = conv; then - deplibs="$deplib $deplibs" - continue - fi - case $linkmode in - lib) - if test "$deplibs_check_method" != pass_all; then - echo - echo "*** Warning: This library needs some functionality provided by $deplib." 
- echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have." - else - echo - echo "*** Warning: Linking the shared library $output against the" - echo "*** static library $deplib is not portable!" - deplibs="$deplib $deplibs" - fi - continue - ;; - prog) - if test $pass != link; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - continue - ;; - esac # linkmode - ;; # *.$libext - *.lo | *.$objext) - if test $pass = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then - # If there is no dlopen support or we're linking statically, - # we need to preload. - newdlprefiles="$newdlprefiles $deplib" - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - newdlfiles="$newdlfiles $deplib" - fi - continue - ;; - %DEPLIBS%) - alldeplibs=yes - continue - ;; - esac # case $deplib - if test $found = yes || test -f "$lib"; then : - else - $echo "$modename: cannot find the library \`$lib'" 1>&2 - exit 1 - fi - - # Check to see that this really is a libtool archive. - if (sed -e '2q' $lib | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : - else - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit 1 - fi - - ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'` - test "X$ladir" = "X$lib" && ladir="." - - dlname= - dlopen= - dlpreopen= - libdir= - library_names= - old_library= - # If the library was installed with an old release of libtool, - # it will not redefine variable installed. - installed=yes - - # Read the .la file - case $lib in - */* | *\\*) . $lib ;; - *) . 
./$lib ;; - esac - - if test "$linkmode,$pass" = "lib,link" || - test "$linkmode,$pass" = "prog,scan" || - { test $linkmode = oldlib && test $linkmode = obj; }; then - # Add dl[pre]opened files of deplib - test -n "$dlopen" && dlfiles="$dlfiles $dlopen" - test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen" - fi - - if test $pass = conv; then - # Only check for convenience libraries - deplibs="$lib $deplibs" - if test -z "$libdir"; then - if test -z "$old_library"; then - $echo "$modename: cannot find name of link library for \`$lib'" 1>&2 - exit 1 - fi - # It is a libtool convenience library, so add in its objects. - convenience="$convenience $ladir/$objdir/$old_library" - old_convenience="$old_convenience $ladir/$objdir/$old_library" - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - tmp_libs="$tmp_libs $deplib" - done - elif test $linkmode != prog && test $linkmode != lib; then - $echo "$modename: \`$lib' is not a convenience library" 1>&2 - exit 1 - fi - continue - fi # $pass = conv - - # Get the name of the library we link against. - linklib= - for l in $old_library $library_names; do - linklib="$l" - done - if test -z "$linklib"; then - $echo "$modename: cannot find name of link library for \`$lib'" 1>&2 - exit 1 - fi - - # This library was specified with -dlopen. - if test $pass = dlopen; then - if test -z "$libdir"; then - $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2 - exit 1 - fi - if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then - # If there is no dlname, no dlopen support or we're linking - # statically, we need to preload. - dlprefiles="$dlprefiles $lib" - else - newdlfiles="$newdlfiles $lib" - fi - continue - fi # $pass = dlopen - - # We need an absolute path. 
- case $ladir in - [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;; - *) - abs_ladir=`cd "$ladir" && pwd` - if test -z "$abs_ladir"; then - $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2 - $echo "$modename: passing it literally to the linker, although it might fail" 1>&2 - abs_ladir="$ladir" - fi - ;; - esac - laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` - - # Find the relevant object directory and library name. - if test "X$installed" = Xyes; then - if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then - $echo "$modename: warning: library \`$lib' was moved." 1>&2 - dir="$ladir" - absdir="$abs_ladir" - libdir="$abs_ladir" - else - dir="$libdir" - absdir="$libdir" - fi - else - dir="$ladir/$objdir" - absdir="$abs_ladir/$objdir" - # Remove this search path later - notinst_path="$notinst_path $abs_ladir" - fi # $installed = yes - name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'` - - # This library was specified with -dlpreopen. - if test $pass = dlpreopen; then - if test -z "$libdir"; then - $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2 - exit 1 - fi - # Prefer using a static library (so that no silly _DYNAMIC symbols - # are required to link). - if test -n "$old_library"; then - newdlprefiles="$newdlprefiles $dir/$old_library" - # Otherwise, use the dlname, so that lt_dlopen finds it. 
- elif test -n "$dlname"; then - newdlprefiles="$newdlprefiles $dir/$dlname" - else - newdlprefiles="$newdlprefiles $dir/$linklib" - fi - fi # $pass = dlpreopen - - if test -z "$libdir"; then - # Link the convenience library - if test $linkmode = lib; then - deplibs="$dir/$old_library $deplibs" - elif test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$dir/$old_library $compile_deplibs" - finalize_deplibs="$dir/$old_library $finalize_deplibs" - else - deplibs="$lib $deplibs" - fi - continue - fi - - if test $linkmode = prog && test $pass != link; then - newlib_search_path="$newlib_search_path $ladir" - deplibs="$lib $deplibs" - - linkalldeplibs=no - if test "$link_all_deplibs" != no || test -z "$library_names" || - test "$build_libtool_libs" = no; then - linkalldeplibs=yes - fi - - tmp_libs= - for deplib in $dependency_libs; do - case $deplib in - -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test - esac - # Need to link against all dependency_libs? - if test $linkalldeplibs = yes; then - deplibs="$deplib $deplibs" - else - # Need to hardcode shared library paths - # or/and link against static libraries - newdependency_libs="$deplib $newdependency_libs" - fi - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - tmp_libs="$tmp_libs $deplib" - done # for deplib - continue - fi # $linkmode = prog... - - link_static=no # Whether the deplib will be linked statically - if test -n "$library_names" && - { test "$prefer_static_libs" = no || test -z "$old_library"; }; then - # Link against this shared library - - if test "$linkmode,$pass" = "prog,link" || - { test $linkmode = lib && test $hardcode_into_libs = yes; }; then - # Hardcode the library path. - # Skip directories that are in the system default run-time - # search path. 
- case " $sys_lib_dlsearch_path " in - *" $absdir "*) ;; - *) - case "$compile_rpath " in - *" $absdir "*) ;; - *) compile_rpath="$compile_rpath $absdir" - esac - ;; - esac - case " $sys_lib_dlsearch_path " in - *" $libdir "*) ;; - *) - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" - esac - ;; - esac - if test $linkmode = prog; then - # We need to hardcode the library path - if test -n "$shlibpath_var"; then - # Make sure the rpath contains only unique directories. - case "$temp_rpath " in - *" $dir "*) ;; - *" $absdir "*) ;; - *) temp_rpath="$temp_rpath $dir" ;; - esac - fi - fi - fi # $linkmode,$pass = prog,link... - - if test "$alldeplibs" = yes && - { test "$deplibs_check_method" = pass_all || - { test "$build_libtool_libs" = yes && - test -n "$library_names"; }; }; then - # We only need to search for static libraries - continue - fi - - if test "$installed" = no; then - notinst_deplibs="$notinst_deplibs $lib" - need_relink=yes - fi - - if test -n "$old_archive_from_expsyms_cmds"; then - # figure out the soname - set dummy $library_names - realname="$2" - shift; shift - libname=`eval \\$echo \"$libname_spec\"` - # use dlname if we got it. it's perfectly good, no? 
- if test -n "$dlname"; then - soname="$dlname" - elif test -n "$soname_spec"; then - # bleh windows - case $host in - *cygwin*) - major=`expr $current - $age` - versuffix="-$major" - ;; - esac - eval soname=\"$soname_spec\" - else - soname="$realname" - fi - - # Make a new name for the extract_expsyms_cmds to use - soroot="$soname" - soname=`echo $soroot | sed -e 's/^.*\///'` - newlib="libimp-`echo $soname | sed 's/^lib//;s/\.dll$//'`.a" - - # If the library has no export list, then create one now - if test -f "$output_objdir/$soname-def"; then : - else - $show "extracting exported symbol list from \`$soname'" - save_ifs="$IFS"; IFS='~' - eval cmds=\"$extract_expsyms_cmds\" - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - fi - - # Create $newlib - if test -f "$output_objdir/$newlib"; then :; else - $show "generating import library for \`$soname'" - save_ifs="$IFS"; IFS='~' - eval cmds=\"$old_archive_from_expsyms_cmds\" - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - fi - # make sure the library variables are pointing to the new library - dir=$output_objdir - linklib=$newlib - fi # test -n $old_archive_from_expsyms_cmds - - if test $linkmode = prog || test "$mode" != relink; then - add_shlibpath= - add_dir= - add= - lib_linked=yes - case $hardcode_action in - immediate | unsupported) - if test "$hardcode_direct" = no; then - add="$dir/$linklib" - elif test "$hardcode_minus_L" = no; then - case $host in - *-*-sunos*) add_shlibpath="$dir" ;; - esac - add_dir="-L$dir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = no; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - relink) - if test "$hardcode_direct" = yes; then - add="$dir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$dir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - *) lib_linked=no ;; - esac - - if test "$lib_linked" != yes; then - $echo "$modename: configuration error: unsupported hardcode properties" - exit 1 - fi - - if test -n "$add_shlibpath"; then - case :$compile_shlibpath: in - *":$add_shlibpath:"*) ;; - *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;; - esac - fi - if test $linkmode = prog; then - test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" - test -n "$add" && compile_deplibs="$add $compile_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - if test "$hardcode_direct" != yes && \ - test "$hardcode_minus_L" != yes && \ - test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; - esac - fi - fi - fi - - if test $linkmode = prog || test "$mode" = relink; then - add_shlibpath= - add_dir= - add= - # Finalize command for both is simple: just hardcode it. 
- if test "$hardcode_direct" = yes; then - add="$libdir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$libdir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; - esac - add="-l$name" - else - # We cannot seem to hardcode it, guess we'll fake it. - add_dir="-L$libdir" - add="-l$name" - fi - - if test $linkmode = prog; then - test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" - test -n "$add" && finalize_deplibs="$add $finalize_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - fi - fi - elif test $linkmode = prog; then - if test "$alldeplibs" = yes && - { test "$deplibs_check_method" = pass_all || - { test "$build_libtool_libs" = yes && - test -n "$library_names"; }; }; then - # We only need to search for static libraries - continue - fi - - # Try to link the static library - # Here we assume that one of hardcode_direct or hardcode_minus_L - # is not unsupported. This is valid on all known static and - # shared platforms. - if test "$hardcode_direct" != unsupported; then - test -n "$old_library" && linklib="$old_library" - compile_deplibs="$dir/$linklib $compile_deplibs" - finalize_deplibs="$dir/$linklib $finalize_deplibs" - else - compile_deplibs="-l$name -L$dir $compile_deplibs" - finalize_deplibs="-l$name -L$dir $finalize_deplibs" - fi - elif test "$build_libtool_libs" = yes; then - # Not a shared library - if test "$deplibs_check_method" != pass_all; then - # We're trying link a shared library against a static one - # but the system doesn't support it. - - # Just print a warning and add the library to dependency_libs so - # that the program can be linked against the static library. - echo - echo "*** Warning: This library needs some functionality provided by $lib." 
- echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have." - if test "$module" = yes; then - echo "*** Therefore, libtool will create a static module, that should work " - echo "*** as long as the dlopening application is linked with the -dlopen flag." - if test -z "$global_symbol_pipe"; then - echo - echo "*** However, this would only work if libtool was able to extract symbol" - echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - echo "*** not find such a program. So, this module is probably useless." - echo "*** \`nm' from GNU binutils and a full rebuild may help." - fi - if test "$build_old_libs" = no; then - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - fi - else - convenience="$convenience $dir/$old_library" - old_convenience="$old_convenience $dir/$old_library" - deplibs="$dir/$old_library $deplibs" - link_static=yes - fi - fi # link shared/static library? - - if test $linkmode = lib; then - if test -n "$dependency_libs" && - { test $hardcode_into_libs != yes || test $build_old_libs = yes || - test $link_static = yes; }; then - # Extract -R from dependency_libs - temp_deplibs= - for libdir in $dependency_libs; do - case $libdir in - -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'` - case " $xrpath " in - *" $temp_xrpath "*) ;; - *) xrpath="$xrpath $temp_xrpath";; - esac;; - *) temp_deplibs="$temp_deplibs $libdir";; - esac - done - dependency_libs="$temp_deplibs" - fi - - newlib_search_path="$newlib_search_path $absdir" - # Link against this library - test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" - # ... 
and its dependency_libs - tmp_libs= - for deplib in $dependency_libs; do - newdependency_libs="$deplib $newdependency_libs" - case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; - esac - tmp_libs="$tmp_libs $deplib" - done - - if test $link_all_deplibs != no; then - # Add the search paths of all dependency libraries - for deplib in $dependency_libs; do - case $deplib in - -L*) path="$deplib" ;; - *.la) - dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$deplib" && dir="." - # We need an absolute path. - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; - *) - absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then - $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2 - absdir="$dir" - fi - ;; - esac - if grep "^installed=no" $deplib > /dev/null; then - path="-L$absdir/$objdir" - else - eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` - if test -z "$libdir"; then - $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2 - exit 1 - fi - if test "$absdir" != "$libdir"; then - $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2 - fi - path="-L$absdir" - fi - ;; - *) continue ;; - esac - case " $deplibs " in - *" $path "*) ;; - *) deplibs="$deplibs $path" ;; - esac - done - fi # link_all_deplibs != no - fi # linkmode = lib - done # for deplib in $libs - if test $pass = dlpreopen; then - # Link the dlpreopened libraries before other libraries - for deplib in $save_deplibs; do - deplibs="$deplib $deplibs" - done - fi - if test $pass != dlopen; then - test $pass != scan && dependency_libs="$newdependency_libs" - if test $pass != conv; then - # Make sure lib_search_path contains only unique directories. 
- lib_search_path= - for dir in $newlib_search_path; do - case "$lib_search_path " in - *" $dir "*) ;; - *) lib_search_path="$lib_search_path $dir" ;; - esac - done - newlib_search_path= - fi - - if test "$linkmode,$pass" != "prog,link"; then - vars="deplibs" - else - vars="compile_deplibs finalize_deplibs" - fi - for var in $vars dependency_libs; do - # Add libraries to $var in reverse order - eval tmp_libs=\"\$$var\" - new_libs= - for deplib in $tmp_libs; do - case $deplib in - -L*) new_libs="$deplib $new_libs" ;; - *) - case " $specialdeplibs " in - *" $deplib "*) new_libs="$deplib $new_libs" ;; - *) - case " $new_libs " in - *" $deplib "*) ;; - *) new_libs="$deplib $new_libs" ;; - esac - ;; - esac - ;; - esac - done - tmp_libs= - for deplib in $new_libs; do - case $deplib in - -L*) - case " $tmp_libs " in - *" $deplib "*) ;; - *) tmp_libs="$tmp_libs $deplib" ;; - esac - ;; - *) tmp_libs="$tmp_libs $deplib" ;; - esac - done - eval $var=\"$tmp_libs\" - done # for var - fi - if test "$pass" = "conv" && - { test "$linkmode" = "lib" || test "$linkmode" = "prog"; }; then - libs="$deplibs" # reset libs - deplibs= - fi - done # for pass - if test $linkmode = prog; then - dlfiles="$newdlfiles" - dlprefiles="$newdlprefiles" - fi - - case $linkmode in - oldlib) - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2 - fi - - if test -n "$rpath"; then - $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2 - fi - - if test -n "$xrpath"; then - $echo "$modename: warning: \`-R' is ignored for archives" 1>&2 - fi - - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for archives" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for archives" 1>&2 - fi - - if test -n "$export_symbols" || test -n "$export_symbols_regex"; then - $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2 - fi - - 
# Now set the variables for building old libraries. - build_libtool_libs=no - oldlibs="$output" - objs="$objs$old_deplibs" - ;; - - lib) - # Make sure we only generate libraries of the form `libNAME.la'. - case $outputname in - lib*) - name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'` - eval libname=\"$libname_spec\" - ;; - *) - if test "$module" = no; then - $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - if test "$need_lib_prefix" != no; then - # Add the "lib" prefix for modules if required - name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'` - eval libname=\"$libname_spec\" - else - libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'` - fi - ;; - esac - - if test -n "$objs"; then - if test "$deplibs_check_method" != pass_all; then - $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1 - exit 1 - else - echo - echo "*** Warning: Linking the shared library $output against the non-libtool" - echo "*** objects $objs is not portable!" - libobjs="$libobjs $objs" - fi - fi - - if test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2 - fi - - set dummy $rpath - if test $# -gt 2; then - $echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2 - fi - install_libdir="$2" - - oldlibs= - if test -z "$rpath"; then - if test "$build_libtool_libs" = yes; then - # Building a libtool convenience library. - libext=al - oldlibs="$output_objdir/$libname.$libext $oldlibs" - build_libtool_libs=convenience - build_old_libs=yes - fi - - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for convenience libraries" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2 - fi - else - - # Parse the version information argument. 
- save_ifs="$IFS"; IFS=':' - set dummy $vinfo 0 0 0 - IFS="$save_ifs" - - if test -n "$8"; then - $echo "$modename: too many parameters to \`-version-info'" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - current="$2" - revision="$3" - age="$4" - - # Check that each of the things are valid numbers. - case $current in - 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;; - *) - $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - ;; - esac - - case $revision in - 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;; - *) - $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - ;; - esac - - case $age in - 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;; - *) - $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - ;; - esac - - if test $age -gt $current; then - $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2 - $echo "$modename: \`$vinfo' is not valid version information" 1>&2 - exit 1 - fi - - # Calculate the version variables. - major= - versuffix= - verstring= - case $version_type in - none) ;; - - darwin) - # Like Linux, but with the current version available in - # verstring for coding it into the library header - major=.`expr $current - $age` - versuffix="$major.$age.$revision" - # Darwin ld doesn't like 0 for these options... - minor_current=`expr $current + 1` - verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" - ;; - - freebsd-aout) - major=".$current" - versuffix=".$current.$revision"; - ;; - - freebsd-elf) - major=".$current" - versuffix=".$current"; - ;; - - irix) - major=`expr $current - $age + 1` - verstring="sgi$major.$revision" - - # Add in all the interfaces that we are compatible with. 
- loop=$revision - while test $loop != 0; do - iface=`expr $revision - $loop` - loop=`expr $loop - 1` - verstring="sgi$major.$iface:$verstring" - done - - # Before this point, $major must not contain `.'. - major=.$major - versuffix="$major.$revision" - ;; - - linux) - major=.`expr $current - $age` - versuffix="$major.$age.$revision" - ;; - - osf) - major=`expr $current - $age` - versuffix=".$current.$age.$revision" - verstring="$current.$age.$revision" - - # Add in all the interfaces that we are compatible with. - loop=$age - while test $loop != 0; do - iface=`expr $current - $loop` - loop=`expr $loop - 1` - verstring="$verstring:${iface}.0" - done - - # Make executables depend on our current version. - verstring="$verstring:${current}.0" - ;; - - sunos) - major=".$current" - versuffix=".$current.$revision" - ;; - - windows) - # Use '-' rather than '.', since we only want one - # extension on DOS 8.3 filesystems. - major=`expr $current - $age` - versuffix="-$major" - ;; - - *) - $echo "$modename: unknown library version type \`$version_type'" 1>&2 - echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2 - exit 1 - ;; - esac - - # Clear the version info if we defaulted, and they specified a release. - if test -z "$vinfo" && test -n "$release"; then - major= - verstring="0.0" - case $version_type in - darwin) - # we can't check for "0.0" in archive_cmds due to quoting - # problems, so we reset it completely - verstring="" - ;; - *) - verstring="0.0" - ;; - esac - if test "$need_version" = no; then - versuffix= - else - versuffix=".0.0" - fi - fi - - # Remove version info from name if versioning should be avoided - if test "$avoid_version" = yes && test "$need_version" = no; then - major= - versuffix= - verstring="" - fi - - # Check to see if the archive will have undefined symbols. 
- if test "$allow_undefined" = yes; then - if test "$allow_undefined_flag" = unsupported; then - $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2 - build_libtool_libs=no - build_old_libs=yes - fi - else - # Don't allow undefined symbols. - allow_undefined_flag="$no_undefined_flag" - fi - fi - - if test "$mode" != relink; then - # Remove our outputs. - $show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*" - $run ${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.* - fi - - # Now set the variables for building old libraries. - if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then - oldlibs="$oldlibs $output_objdir/$libname.$libext" - - # Transform .lo files to .o files. - oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP` - fi - - # Eliminate all temporary directories. - for path in $notinst_path; do - lib_search_path=`echo "$lib_search_path " | sed -e 's% $path % %g'` - deplibs=`echo "$deplibs " | sed -e 's% -L$path % %g'` - dependency_libs=`echo "$dependency_libs " | sed -e 's% -L$path % %g'` - done - - if test -n "$xrpath"; then - # If the user specified any rpath flags, then add them. 
- temp_xrpath= - for libdir in $xrpath; do - temp_xrpath="$temp_xrpath -R$libdir" - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; - esac - done - if test $hardcode_into_libs != yes || test $build_old_libs = yes; then - dependency_libs="$temp_xrpath $dependency_libs" - fi - fi - - # Make sure dlfiles contains only unique files that won't be dlpreopened - old_dlfiles="$dlfiles" - dlfiles= - for lib in $old_dlfiles; do - case " $dlprefiles $dlfiles " in - *" $lib "*) ;; - *) dlfiles="$dlfiles $lib" ;; - esac - done - - # Make sure dlprefiles contains only unique files - old_dlprefiles="$dlprefiles" - dlprefiles= - for lib in $old_dlprefiles; do - case "$dlprefiles " in - *" $lib "*) ;; - *) dlprefiles="$dlprefiles $lib" ;; - esac - done - - if test "$build_libtool_libs" = yes; then - if test -n "$rpath"; then - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*) - # these systems don't actually have a c library (as such)! - ;; - *-*-rhapsody* | *-*-darwin1.[012]) - # Rhapsody C library is in the System framework - deplibs="$deplibs -framework System" - ;; - *-*-netbsd*) - # Don't link with libc until the a.out ld.so is fixed. - ;; - *-*-openbsd*) - # Do not include libc due to us having libc/libc_r. - ;; - *) - # Add libc to deplibs on all other systems if necessary. - if test $build_libtool_need_lc = "yes"; then - deplibs="$deplibs -lc" - fi - ;; - esac - fi - - # Transform deplibs into only deplibs that can be linked in shared. - name_save=$name - libname_save=$libname - release_save=$release - versuffix_save=$versuffix - major_save=$major - # I'm not sure if I'm treating the release correctly. I think - # release should show up in the -l (ie -lgmp5) so we don't want to - # add it in twice. Is that correct? - release="" - versuffix="" - major="" - newdeplibs= - droppeddeps=no - case $deplibs_check_method in - pass_all) - # Don't check for shared/static. Everything works. 
- # This might be a little naive. We might want to check - # whether the library exists or not. But this is on - # osf3 & osf4 and I'm not really sure... Just - # implementing what was already the behaviour. - newdeplibs=$deplibs - ;; - test_compile) - # This code stresses the "libraries are programs" paradigm to its - # limits. Maybe even breaks it. We compile a program, linking it - # against the deplibs as a proxy for the library. Then we can check - # whether they linked in statically or dynamically with ldd. - $rm conftest.c - cat > conftest.c </dev/null` - for potent_lib in $potential_libs; do - # Follow soft links. - if ls -lLd "$potent_lib" 2>/dev/null \ - | grep " -> " >/dev/null; then - continue - fi - # The statement above tries to avoid entering an - # endless loop below, in case of cyclic links. - # We might still enter an endless loop, since a link - # loop can be closed while we follow links, - # but so what? - potlib="$potent_lib" - while test -h "$potlib" 2>/dev/null; do - potliblink=`ls -ld $potlib | sed 's/.* -> //'` - case $potliblink in - [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; - *) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";; - esac - done - if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \ - | sed 10q \ - | egrep "$file_magic_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - break 2 - fi - done - done - if test -n "$a_deplib" ; then - droppeddeps=yes - echo - echo "*** Warning: This library needs some functionality provided by $a_deplib." - echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have." - fi - else - # Add a -L argument. - newdeplibs="$newdeplibs $a_deplib" - fi - done # Gone through all deplibs. 
- ;; - match_pattern*) - set dummy $deplibs_check_method - match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"` - for a_deplib in $deplibs; do - name="`expr $a_deplib : '-l\(.*\)'`" - # If $name is empty we are operating on a -L argument. - if test -n "$name" && test "$name" != "0"; then - libname=`eval \\$echo \"$libname_spec\"` - for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do - potential_libs=`ls $i/$libname[.-]* 2>/dev/null` - for potent_lib in $potential_libs; do - if eval echo \"$potent_lib\" 2>/dev/null \ - | sed 10q \ - | egrep "$match_pattern_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" - a_deplib="" - break 2 - fi - done - done - if test -n "$a_deplib" ; then - droppeddeps=yes - echo - echo "*** Warning: This library needs some functionality provided by $a_deplib." - echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have." - fi - else - # Add a -L argument. - newdeplibs="$newdeplibs $a_deplib" - fi - done # Gone through all deplibs. - ;; - none | unknown | *) - newdeplibs="" - if $echo "X $deplibs" | $Xsed -e 's/ -lc$//' \ - -e 's/ -[LR][^ ]*//g' -e 's/[ ]//g' | - grep . >/dev/null; then - echo - if test "X$deplibs_check_method" = "Xnone"; then - echo "*** Warning: inter-library dependencies are not supported in this platform." - else - echo "*** Warning: inter-library dependencies are not known to be supported." - fi - echo "*** All declared inter-library dependencies are being dropped." 
- droppeddeps=yes - fi - ;; - esac - versuffix=$versuffix_save - major=$major_save - release=$release_save - libname=$libname_save - name=$name_save - - case $host in - *-*-rhapsody* | *-*-darwin1.[012]) - # On Rhapsody replace the C library is the System framework - newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'` - ;; - esac - - if test "$droppeddeps" = yes; then - if test "$module" = yes; then - echo - echo "*** Warning: libtool could not satisfy all declared inter-library" - echo "*** dependencies of module $libname. Therefore, libtool will create" - echo "*** a static module, that should work as long as the dlopening" - echo "*** application is linked with the -dlopen flag." - if test -z "$global_symbol_pipe"; then - echo - echo "*** However, this would only work if libtool was able to extract symbol" - echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - echo "*** not find such a program. So, this module is probably useless." - echo "*** \`nm' from GNU binutils and a full rebuild may help." - fi - if test "$build_old_libs" = no; then - oldlibs="$output_objdir/$libname.$libext" - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - else - echo "*** The inter-library dependencies that have been dropped here will be" - echo "*** automatically added whenever a program is linked with this library" - echo "*** or is declared to -dlopen it." - - if test $allow_undefined = no; then - echo - echo "*** Since this library must not contain undefined symbols," - echo "*** because either the platform does not support them or" - echo "*** it was explicitly requested with -no-undefined," - echo "*** libtool will only create a static version of it." - if test "$build_old_libs" = no; then - oldlibs="$output_objdir/$libname.$libext" - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - fi - fi - fi - # Done checking deplibs! 
- deplibs=$newdeplibs - fi - - # All the library-specific variables (install_libdir is set above). - library_names= - old_library= - dlname= - - # Test again, we may have decided not to build it any more - if test "$build_libtool_libs" = yes; then - if test $hardcode_into_libs = yes; then - # Hardcode the library paths - hardcode_libdirs= - dep_rpath= - rpath="$finalize_rpath" - test "$mode" != relink && rpath="$compile_rpath$rpath" - for libdir in $rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - dep_rpath="$dep_rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$perm_rpath " in - *" $libdir "*) ;; - *) perm_rpath="$perm_rpath $libdir" ;; - esac - fi - done - # Substitute the hardcoded libdirs into the rpath. - if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval dep_rpath=\"$hardcode_libdir_flag_spec\" - fi - if test -n "$runpath_var" && test -n "$perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $perm_rpath; do - rpath="$rpath$dir:" - done - eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" - fi - test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs" - fi - - shlibpath="$finalize_shlibpath" - test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath" - if test -n "$shlibpath"; then - eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" - fi - - # Get the real and link names of the library. 
- eval library_names=\"$library_names_spec\" - set dummy $library_names - realname="$2" - shift; shift - - if test -n "$soname_spec"; then - eval soname=\"$soname_spec\" - else - soname="$realname" - fi - test -z "$dlname" && dlname=$soname - - lib="$output_objdir/$realname" - for link - do - linknames="$linknames $link" - done - - # Ensure that we have .o objects for linkers which dislike .lo - # (e.g. aix) in case we are running --disable-static - for obj in $libobjs; do - xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$obj"; then - xdir="." - else - xdir="$xdir" - fi - baseobj=`$echo "X$obj" | $Xsed -e 's%^.*/%%'` - oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"` - if test ! -f $xdir/$oldobj; then - $show "(cd $xdir && ${LN_S} $baseobj $oldobj)" - $run eval '(cd $xdir && ${LN_S} $baseobj $oldobj)' || exit $? - fi - done - - # Use standard objects if they are pic - test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - - # Prepare the list of exported symbols - if test -z "$export_symbols"; then - if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then - $show "generating symbol list for \`$libname.la'" - export_symbols="$output_objdir/$libname.exp" - $run $rm $export_symbols - eval cmds=\"$export_symbols_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? 
- done - IFS="$save_ifs" - if test -n "$export_symbols_regex"; then - $show "egrep -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\"" - $run eval 'egrep -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' - $show "$mv \"${export_symbols}T\" \"$export_symbols\"" - $run eval '$mv "${export_symbols}T" "$export_symbols"' - fi - fi - fi - - if test -n "$export_symbols" && test -n "$include_expsyms"; then - $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"' - fi - - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec"; then - eval libobjs=\"\$libobjs $whole_archive_flag_spec\" - else - gentop="$output_objdir/${outputname}x" - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - $show "mkdir $gentop" - $run mkdir "$gentop" - status=$? - if test $status -ne 0 && test ! -d "$gentop"; then - exit $status - fi - generated="$generated $gentop" - - for xlib in $convenience; do - # Extract the objects. - case $xlib in - [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;; - *) xabs=`pwd`"/$xlib" ;; - esac - xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'` - xdir="$gentop/$xlib" - - $show "${rm}r $xdir" - $run ${rm}r "$xdir" - $show "mkdir $xdir" - $run mkdir "$xdir" - status=$? - if test $status -ne 0 && test ! -d "$xdir"; then - exit $status - fi - $show "(cd $xdir && $AR x $xabs)" - $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - - libobjs="$libobjs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP` - done - fi - fi - - if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then - eval flag=\"$thread_safe_flag_spec\" - linker_flags="$linker_flags $flag" - fi - - # Make a backup of the uninstalled library when relinking - if test "$mode" = relink; then - $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $? - fi - - # Do each of the archive commands. 
- if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then - eval cmds=\"$archive_expsym_cmds\" - else - eval cmds=\"$archive_cmds\" - fi - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - - # Restore the uninstalled library and exit - if test "$mode" = relink; then - $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $? - exit 0 - fi - - # Create links to the real library. - for linkname in $linknames; do - if test "$realname" != "$linkname"; then - $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)" - $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $? - fi - done - - # If -module or -export-dynamic was specified, set the dlname. - if test "$module" = yes || test "$export_dynamic" = yes; then - # On all known operating systems, these are identical. - dlname="$soname" - fi - fi - ;; - - obj) - if test -n "$deplibs"; then - $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2 - fi - - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2 - fi - - if test -n "$rpath"; then - $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2 - fi - - if test -n "$xrpath"; then - $echo "$modename: warning: \`-R' is ignored for objects" 1>&2 - fi - - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for objects" 1>&2 - fi - - case $output in - *.lo) - if test -n "$objs$old_deplibs"; then - $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2 - exit 1 - fi - libobj="$output" - obj=`$echo "X$output" | $Xsed -e "$lo2o"` - ;; - *) - libobj= - obj="$output" - ;; - esac - - # Delete 
the old objects. - $run $rm $obj $libobj - - # Objects from convenience libraries. This assumes - # single-version convenience libraries. Whenever we create - # different ones for PIC/non-PIC, this we'll have to duplicate - # the extraction. - reload_conv_objs= - gentop= - # reload_cmds runs $LD directly, so let us get rid of - # -Wl from whole_archive_flag_spec - wl= - - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec"; then - eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\" - else - gentop="$output_objdir/${obj}x" - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - $show "mkdir $gentop" - $run mkdir "$gentop" - status=$? - if test $status -ne 0 && test ! -d "$gentop"; then - exit $status - fi - generated="$generated $gentop" - - for xlib in $convenience; do - # Extract the objects. - case $xlib in - [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;; - *) xabs=`pwd`"/$xlib" ;; - esac - xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'` - xdir="$gentop/$xlib" - - $show "${rm}r $xdir" - $run ${rm}r "$xdir" - $show "mkdir $xdir" - $run mkdir "$xdir" - status=$? - if test $status -ne 0 && test ! -d "$xdir"; then - exit $status - fi - $show "(cd $xdir && $AR x $xabs)" - $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - - reload_conv_objs="$reload_objs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP` - done - fi - fi - - # Create the old-style object. - reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test - - output="$obj" - eval cmds=\"$reload_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - - # Exit if we aren't doing a library object file. 
- if test -z "$libobj"; then - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi - - exit 0 - fi - - if test "$build_libtool_libs" != yes; then - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi - - # Create an invalid libtool object if no PIC, so that we don't - # accidentally link it into a program. - $show "echo timestamp > $libobj" - $run eval "echo timestamp > $libobj" || exit $? - exit 0 - fi - - if test -n "$pic_flag" || test "$pic_mode" != default; then - # Only do commands if we really have different PIC objects. - reload_objs="$libobjs $reload_conv_objs" - output="$libobj" - eval cmds=\"$reload_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - else - # Just create a symlink. - $show $rm $libobj - $run $rm $libobj - xdir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$libobj"; then - xdir="." - else - xdir="$xdir" - fi - baseobj=`$echo "X$libobj" | $Xsed -e 's%^.*/%%'` - oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"` - $show "(cd $xdir && $LN_S $oldobj $baseobj)" - $run eval '(cd $xdir && $LN_S $oldobj $baseobj)' || exit $? - fi - - if test -n "$gentop"; then - $show "${rm}r $gentop" - $run ${rm}r $gentop - fi - - exit 0 - ;; - - prog) - case $host in - *cygwin*) output=`echo $output | sed -e 's,.exe$,,;s,$,.exe,'` ;; - esac - if test -n "$vinfo"; then - $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2 - fi - - if test -n "$release"; then - $echo "$modename: warning: \`-release' is ignored for programs" 1>&2 - fi - - if test "$preload" = yes; then - if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown && - test "$dlopen_self_static" = unknown; then - $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support." 
- fi - fi - - case $host in - *-*-rhapsody* | *-*-darwin1.[012]) - # On Rhapsody replace the C library is the System framework - compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'` - finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'` - ;; - esac - - compile_command="$compile_command $compile_deplibs" - finalize_command="$finalize_command $finalize_deplibs" - - if test -n "$rpath$xrpath"; then - # If the user specified any rpath flags, then add them. - for libdir in $rpath $xrpath; do - # This is the magic to use -rpath. - case "$finalize_rpath " in - *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; - esac - done - fi - - # Now hardcode the library paths - rpath= - hardcode_libdirs= - for libdir in $compile_rpath $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$perm_rpath " in - *" $libdir "*) ;; - *) perm_rpath="$perm_rpath $libdir" ;; - esac - fi - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) - case :$dllsearchpath: in - *":$libdir:"*) ;; - *) dllsearchpath="$dllsearchpath:$libdir";; - esac - ;; - esac - done - # Substitute the hardcoded libdirs into the rpath. 
- if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - compile_rpath="$rpath" - - rpath= - hardcode_libdirs= - for libdir in $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" - fi - elif test -n "$runpath_var"; then - case "$finalize_perm_rpath " in - *" $libdir "*) ;; - *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;; - esac - fi - done - # Substitute the hardcoded libdirs into the rpath. - if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - finalize_rpath="$rpath" - - if test -n "$libobjs" && test "$build_old_libs" = yes; then - # Transform all the library objects into standard objects. - compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - fi - - dlsyms= - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - if test -n "$NM" && test -n "$global_symbol_pipe"; then - dlsyms="${outputname}S.c" - else - $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2 - fi - fi - - if test -n "$dlsyms"; then - case $dlsyms in - "") ;; - *.c) - # Discover the nlist of each of the dlfiles. 
- nlist="$output_objdir/${outputname}.nm" - - $show "$rm $nlist ${nlist}S ${nlist}T" - $run $rm "$nlist" "${nlist}S" "${nlist}T" - - # Parse the name list into a source file. - $show "creating $output_objdir/$dlsyms" - - test -z "$run" && $echo > "$output_objdir/$dlsyms" "\ -/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */ -/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */ - -#ifdef __cplusplus -extern \"C\" { -#endif - -/* Prevent the only kind of declaration conflicts we can make. */ -#define lt_preloaded_symbols some_other_symbol - -/* External symbol declarations for the compiler. */\ -" - - if test "$dlself" = yes; then - $show "generating symbol list for \`$output'" - - test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist" - - # Add our own program objects to the symbol list. - progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - for arg in $progfiles; do - $show "extracting global C symbols from \`$arg'" - $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'" - done - - if test -n "$exclude_expsyms"; then - $run eval 'egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' - $run eval '$mv "$nlist"T "$nlist"' - fi - - if test -n "$export_symbols_regex"; then - $run eval 'egrep -e "$export_symbols_regex" "$nlist" > "$nlist"T' - $run eval '$mv "$nlist"T "$nlist"' - fi - - # Prepare the list of exported symbols - if test -z "$export_symbols"; then - export_symbols="$output_objdir/$output.exp" - $run $rm $export_symbols - $run eval "sed -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' - else - $run eval "sed -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"' - $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T' - $run eval 'mv "$nlist"T "$nlist"' - fi - fi - - for arg in $dlprefiles; do - $show "extracting global C symbols from \`$arg'" - name=`echo "$arg" | sed -e 's%^.*/%%'` - $run eval 'echo ": 
$name " >> "$nlist"' - $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'" - done - - if test -z "$run"; then - # Make sure we have at least an empty file. - test -f "$nlist" || : > "$nlist" - - if test -n "$exclude_expsyms"; then - egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T - $mv "$nlist"T "$nlist" - fi - - # Try sorting and uniquifying the output. - if grep -v "^: " < "$nlist" | sort +2 | uniq > "$nlist"S; then - : - else - grep -v "^: " < "$nlist" > "$nlist"S - fi - - if test -f "$nlist"S; then - eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"' - else - echo '/* NONE */' >> "$output_objdir/$dlsyms" - fi - - $echo >> "$output_objdir/$dlsyms" "\ - -#undef lt_preloaded_symbols - -#if defined (__STDC__) && __STDC__ -# define lt_ptr void * -#else -# define lt_ptr char * -# define const -#endif - -/* The mapping between symbol names and symbols. */ -const struct { - const char *name; - lt_ptr address; -} -lt_preloaded_symbols[] = -{\ -" - - eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms" - - $echo >> "$output_objdir/$dlsyms" "\ - {0, (lt_ptr) 0} -}; - -/* This works around a problem in FreeBSD linker */ -#ifdef FREEBSD_WORKAROUND -static const void *lt_preloaded_setup() { - return lt_preloaded_symbols; -} -#endif - -#ifdef __cplusplus -} -#endif\ -" - fi - - pic_flag_for_symtable= - case $host in - # compiling the symbol table file with pic_flag works around - # a FreeBSD bug that causes programs to crash when -lm is - # linked before any other PIC object. But we must not use - # pic_flag when linking with -static. The problem exists in - # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. 
- *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) - case "$compile_command " in - *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag -DPIC -DFREEBSD_WORKAROUND";; - esac;; - *-*-hpux*) - case "$compile_command " in - *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag -DPIC";; - esac - esac - - # Now compile the dynamic symbol file. - $show "(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")" - $run eval '(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $? - - # Clean up the generated files. - $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T" - $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T" - - # Transform the symbol file into the correct name. - compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"` - finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"` - ;; - *) - $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2 - exit 1 - ;; - esac - else - # We keep going just in case the user didn't refer to - # lt_preloaded_symbols. The linker will fail if global_symbol_pipe - # really was required. - - # Nullify the symbol file. - compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"` - finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"` - fi - - if test $need_relink = no || test "$build_libtool_libs" != yes; then - # Replace the output file specification. - compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` - link_command="$compile_command$compile_rpath" - - # We have no uninstalled library dependencies, so finalize right now. - $show "$link_command" - $run eval "$link_command" - status=$? - - # Delete the generated files. 
- if test -n "$dlsyms"; then - $show "$rm $output_objdir/${outputname}S.${objext}" - $run $rm "$output_objdir/${outputname}S.${objext}" - fi - - exit $status - fi - - if test -n "$shlibpath_var"; then - # We should set the shlibpath_var - rpath= - for dir in $temp_rpath; do - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) - # Absolute path. - rpath="$rpath$dir:" - ;; - *) - # Relative path: add a thisdir entry. - rpath="$rpath\$thisdir/$dir:" - ;; - esac - done - temp_rpath="$rpath" - fi - - if test -n "$compile_shlibpath$finalize_shlibpath"; then - compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" - fi - if test -n "$finalize_shlibpath"; then - finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" - fi - - compile_var= - finalize_var= - if test -n "$runpath_var"; then - if test -n "$perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $perm_rpath; do - rpath="$rpath$dir:" - done - compile_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - if test -n "$finalize_perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $finalize_perm_rpath; do - rpath="$rpath$dir:" - done - finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - fi - - if test "$no_install" = yes; then - # We don't need to create a wrapper script. - link_command="$compile_var$compile_command$compile_rpath" - # Replace the output file specification. - link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` - # Delete the old output file. - $run $rm $output - # Link the executable and exit - $show "$link_command" - $run eval "$link_command" || exit $? 
- exit 0 - fi - - if test "$hardcode_action" = relink; then - # Fast installation is not supported - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" - - $echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2 - $echo "$modename: \`$output' will be relinked during installation" 1>&2 - else - if test "$fast_install" != no; then - link_command="$finalize_var$compile_command$finalize_rpath" - if test "$fast_install" = yes; then - relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'` - else - # fast_install is set to needless - relink_command= - fi - else - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" - fi - fi - - # Replace the output file specification. - link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` - - # Delete the old output files. - $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname - - $show "$link_command" - $run eval "$link_command" || exit $? - - # Now create the wrapper script. - $show "creating $output" - - # Quote the relink command for shipping. - if test -n "$relink_command"; then - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" - else - var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"` - relink_command="$var=\"$var_value\"; export $var; $relink_command" - fi - done - relink_command="cd `pwd`; $relink_command" - relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"` - fi - - # Quote $echo for shipping. 
- if test "X$echo" = "X$SHELL $0 --fallback-echo"; then - case $0 in - [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";; - *) qecho="$SHELL `pwd`/$0 --fallback-echo";; - esac - qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"` - else - qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"` - fi - - # Only actually do things if our run command is non-null. - if test -z "$run"; then - # win32 will think the script is a binary if it has - # a .exe suffix, so we strip it off here. - case $output in - *.exe) output=`echo $output|sed 's,.exe$,,'` ;; - esac - # test for cygwin because mv fails w/o .exe extensions - case $host in - *cygwin*) exeext=.exe ;; - *) exeext= ;; - esac - $rm $output - trap "$rm $output; exit 1" 1 2 15 - - $echo > $output "\ -#! $SHELL - -# $output - temporary wrapper script for $objdir/$outputname -# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP -# -# The $output program cannot be directly executed until all the libtool -# libraries that it depends on are installed. -# -# This wrapper script should never be moved out of the build directory. -# If it is, it will not operate correctly. - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed='sed -e 1s/^X//' -sed_quote_subst='$sed_quote_subst' - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi - -relink_command=\"$relink_command\" - -# This environment variable determines our operation mode. -if test \"\$libtool_install_magic\" = \"$magic\"; then - # install mode needs the following variable: - notinst_deplibs='$notinst_deplibs' -else - # When we are sourced in execute mode, \$file and \$echo are already set. - if test \"\$libtool_execute_magic\" != \"$magic\"; then - echo=\"$qecho\" - file=\"\$0\" - # Make sure echo works. 
- if test \"X\$1\" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift - elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then - # Yippee, \$echo works! - : - else - # Restart under the correct shell, and then maybe \$echo will work. - exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"} - fi - fi\ -" - $echo >> $output "\ - - # Find the directory that this script lives in. - thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\` - test \"x\$thisdir\" = \"x\$file\" && thisdir=. - - # Follow symbolic links until we get to the real thisdir. - file=\`ls -ld \"\$file\" | sed -n 's/.*-> //p'\` - while test -n \"\$file\"; do - destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\` - - # If there was a directory component, then change thisdir. - if test \"x\$destdir\" != \"x\$file\"; then - case \"\$destdir\" in - [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; - *) thisdir=\"\$thisdir/\$destdir\" ;; - esac - fi - - file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\` - file=\`ls -ld \"\$thisdir/\$file\" | sed -n 's/.*-> //p'\` - done - - # Try to get the absolute directory name. - absdir=\`cd \"\$thisdir\" && pwd\` - test -n \"\$absdir\" && thisdir=\"\$absdir\" -" - - if test "$fast_install" = yes; then - echo >> $output "\ - program=lt-'$outputname'$exeext - progdir=\"\$thisdir/$objdir\" - - if test ! -f \"\$progdir/\$program\" || \\ - { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | sed 1q\`; \\ - test \"X\$file\" != \"X\$progdir/\$program\"; }; then - - file=\"\$\$-\$program\" - - if test ! 
-d \"\$progdir\"; then - $mkdir \"\$progdir\" - else - $rm \"\$progdir/\$file\" - fi" - - echo >> $output "\ - - # relink executable if necessary - if test -n \"\$relink_command\"; then - if relink_command_output=\`eval \$relink_command 2>&1\`; then : - else - $echo \"\$relink_command_output\" >&2 - $rm \"\$progdir/\$file\" - exit 1 - fi - fi - - $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || - { $rm \"\$progdir/\$program\"; - $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; } - $rm \"\$progdir/\$file\" - fi" - else - echo >> $output "\ - program='$outputname' - progdir=\"\$thisdir/$objdir\" -" - fi - - echo >> $output "\ - - if test -f \"\$progdir/\$program\"; then" - - # Export our shlibpath_var if we have one. - if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then - $echo >> $output "\ - # Add our own library path to $shlibpath_var - $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" - - # Some systems cannot cope with colon-terminated $shlibpath_var - # The second colon is a workaround for a bug in BeOS R4 sed - $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\` - - export $shlibpath_var -" - fi - - # fixup the dll searchpath if we need to. - if test -n "$dllsearchpath"; then - $echo >> $output "\ - # Add the dll search path components to the executable PATH - PATH=$dllsearchpath:\$PATH -" - fi - - $echo >> $output "\ - if test \"\$libtool_execute_magic\" != \"$magic\"; then - # Run the actual program with our arguments. -" - case $host in - # win32 systems need to use the prog path for dll - # lookup to work - *-*-cygwin* | *-*-pw32*) - $echo >> $output "\ - exec \$progdir/\$program \${1+\"\$@\"} -" - ;; - - # Backslashes separate directories on plain windows - *-*-mingw | *-*-os2*) - $echo >> $output "\ - exec \$progdir\\\\\$program \${1+\"\$@\"} -" - ;; - - *) - $echo >> $output "\ - # Export the path to the program. 
- PATH=\"\$progdir:\$PATH\" - export PATH - - exec \$program \${1+\"\$@\"} -" - ;; - esac - $echo >> $output "\ - \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\" - exit 1 - fi - else - # The program doesn't exist. - \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2 - \$echo \"This script is just a wrapper for \$program.\" 1>&2 - echo \"See the $PACKAGE documentation for more information.\" 1>&2 - exit 1 - fi -fi\ -" - chmod +x $output - fi - exit 0 - ;; - esac - - # See if we need to build an old-fashioned archive. - for oldlib in $oldlibs; do - - if test "$build_libtool_libs" = convenience; then - oldobjs="$libobjs_save" - addlibs="$convenience" - build_libtool_libs=no - else - if test "$build_libtool_libs" = module; then - oldobjs="$libobjs_save" - build_libtool_libs=no - else - oldobjs="$objs$old_deplibs "`$echo "X$libobjs_save" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP` - fi - addlibs="$old_convenience" - fi - - if test -n "$addlibs"; then - gentop="$output_objdir/${outputname}x" - $show "${rm}r $gentop" - $run ${rm}r "$gentop" - $show "mkdir $gentop" - $run mkdir "$gentop" - status=$? - if test $status -ne 0 && test ! -d "$gentop"; then - exit $status - fi - generated="$generated $gentop" - - # Add in members from convenience archives. - for xlib in $addlibs; do - # Extract the objects. - case $xlib in - [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;; - *) xabs=`pwd`"/$xlib" ;; - esac - xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'` - xdir="$gentop/$xlib" - - $show "${rm}r $xdir" - $run ${rm}r "$xdir" - $show "mkdir $xdir" - $run mkdir "$xdir" - status=$? - if test $status -ne 0 && test ! -d "$xdir"; then - exit $status - fi - $show "(cd $xdir && $AR x $xabs)" - $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - - oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP` - done - fi - - # Do each command in the archive commands. 
- if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then - eval cmds=\"$old_archive_from_new_cmds\" - else - # Ensure that we have .o objects in place in case we decided - # not to build a shared library, and have fallen back to building - # static libs even though --disable-static was passed! - for oldobj in $oldobjs; do - if test ! -f $oldobj; then - xdir=`$echo "X$oldobj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$oldobj"; then - xdir="." - else - xdir="$xdir" - fi - baseobj=`$echo "X$oldobj" | $Xsed -e 's%^.*/%%'` - obj=`$echo "X$baseobj" | $Xsed -e "$o2lo"` - $show "(cd $xdir && ${LN_S} $obj $baseobj)" - $run eval '(cd $xdir && ${LN_S} $obj $baseobj)' || exit $? - fi - done - - eval cmds=\"$old_archive_cmds\" - fi - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - done - - if test -n "$generated"; then - $show "${rm}r$generated" - $run ${rm}r$generated - fi - - # Now create the libtool archive. - case $output in - *.la) - old_library= - test "$build_old_libs" = yes && old_library="$libname.$libext" - $show "creating $output" - - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" - else - var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"` - relink_command="$var=\"$var_value\"; export $var; $relink_command" - fi - done - # Quote the link command for shipping. - relink_command="cd `pwd`; $SHELL $0 --mode=relink $libtool_args" - relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"` - - # Only create the output if not a dry run. 
- if test -z "$run"; then - for installed in no yes; do - if test "$installed" = yes; then - if test -z "$install_libdir"; then - break - fi - output="$output_objdir/$outputname"i - # Replace all uninstalled libtool libraries with the installed ones - newdependency_libs= - for deplib in $dependency_libs; do - case $deplib in - *.la) - name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'` - eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` - if test -z "$libdir"; then - $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2 - exit 1 - fi - newdependency_libs="$newdependency_libs $libdir/$name" - ;; - *) newdependency_libs="$newdependency_libs $deplib" ;; - esac - done - dependency_libs="$newdependency_libs" - newdlfiles= - for lib in $dlfiles; do - name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` - eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - if test -z "$libdir"; then - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit 1 - fi - newdlfiles="$newdlfiles $libdir/$name" - done - dlfiles="$newdlfiles" - newdlprefiles= - for lib in $dlprefiles; do - name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'` - eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - if test -z "$libdir"; then - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - exit 1 - fi - newdlprefiles="$newdlprefiles $libdir/$name" - done - dlprefiles="$newdlprefiles" - fi - $rm $output - # place dlname in correct position for cygwin - tdlname=$dlname - case $host,$output,$installed,$module,$dlname in - *cygwin*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;; - esac - $echo > $output "\ -# $outputname - a libtool library file -# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP -# -# Please DO NOT delete this file! -# It is necessary for linking the library. - -# The name that we can dlopen(3). -dlname='$tdlname' - -# Names of this library. -library_names='$library_names' - -# The name of the static archive. 
-old_library='$old_library' - -# Libraries that this one depends upon. -dependency_libs='$dependency_libs' - -# Version information for $libname. -current=$current -age=$age -revision=$revision - -# Is this an already installed library? -installed=$installed - -# Files to dlopen/dlpreopen -dlopen='$dlfiles' -dlpreopen='$dlprefiles' - -# Directory that this library needs to be installed in: -libdir='$install_libdir'" - if test "$installed" = no && test $need_relink = yes; then - $echo >> $output "\ -relink_command=\"$relink_command\"" - fi - done - fi - - # Do a symbolic link so that the libtool archive can be found in - # LD_LIBRARY_PATH before the program is installed. - $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)" - $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $? - ;; - esac - exit 0 - ;; - - # libtool install mode - install) - modename="$modename: install" - - # There may be an optional sh(1) argument at the beginning of - # install_prog (especially on Windows NT). - if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || - # Allow the use of GNU shtool's install command. - $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then - # Aesthetically quote it. - arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*) - arg="\"$arg\"" - ;; - esac - install_prog="$arg " - arg="$1" - shift - else - install_prog= - arg="$nonopt" - fi - - # The real first argument should be the name of the installation program. - # Aesthetically quote it. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*) - arg="\"$arg\"" - ;; - esac - install_prog="$install_prog$arg" - - # We need to accept at least all the BSD install flags. 
- dest= - files= - opts= - prev= - install_type= - isdir=no - stripme= - for arg - do - if test -n "$dest"; then - files="$files $dest" - dest="$arg" - continue - fi - - case $arg in - -d) isdir=yes ;; - -f) prev="-f" ;; - -g) prev="-g" ;; - -m) prev="-m" ;; - -o) prev="-o" ;; - -s) - stripme=" -s" - continue - ;; - -*) ;; - - *) - # If the previous option needed an argument, then skip it. - if test -n "$prev"; then - prev= - else - dest="$arg" - continue - fi - ;; - esac - - # Aesthetically quote the argument. - arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` - case $arg in - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*) - arg="\"$arg\"" - ;; - esac - install_prog="$install_prog $arg" - done - - if test -z "$install_prog"; then - $echo "$modename: you must specify an install program" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - if test -n "$prev"; then - $echo "$modename: the \`$prev' option requires an argument" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - if test -z "$files"; then - if test -z "$dest"; then - $echo "$modename: no file or destination specified" 1>&2 - else - $echo "$modename: you must specify a destination" 1>&2 - fi - $echo "$help" 1>&2 - exit 1 - fi - - # Strip any trailing slash from the destination. - dest=`$echo "X$dest" | $Xsed -e 's%/$%%'` - - # Check to see that the destination is a directory. - test -d "$dest" && isdir=yes - if test "$isdir" = yes; then - destdir="$dest" - destname= - else - destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'` - test "X$destdir" = "X$dest" && destdir=. - destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'` - - # Not a directory, so check to see that there is only one file specified. 
- set dummy $files - if test $# -gt 2; then - $echo "$modename: \`$dest' is not a directory" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - fi - case $destdir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - for file in $files; do - case $file in - *.lo) ;; - *) - $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - esac - done - ;; - esac - - # This variable tells wrapper scripts just to set variables rather - # than running their programs. - libtool_install_magic="$magic" - - staticlibs= - future_libdirs= - current_libdirs= - for file in $files; do - - # Do each installation. - case $file in - *.$libext) - # Do the static libraries later. - staticlibs="$staticlibs $file" - ;; - - *.la) - # Check to see that this really is a libtool archive. - if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : - else - $echo "$modename: \`$file' is not a valid libtool archive" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - library_names= - old_library= - relink_command= - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - # Add the libdir to current_libdirs if it is the destination. - if test "X$destdir" = "X$libdir"; then - case "$current_libdirs " in - *" $libdir "*) ;; - *) current_libdirs="$current_libdirs $libdir" ;; - esac - else - # Note the libdir as a future libdir. - case "$future_libdirs " in - *" $libdir "*) ;; - *) future_libdirs="$future_libdirs $libdir" ;; - esac - fi - - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/ - test "X$dir" = "X$file/" && dir= - dir="$dir$objdir" - - if test -n "$relink_command"; then - $echo "$modename: warning: relinking \`$file'" 1>&2 - $show "$relink_command" - if $run eval "$relink_command"; then : - else - $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2 - continue - fi - fi - - # See the names of the shared library. 
- set dummy $library_names - if test -n "$2"; then - realname="$2" - shift - shift - - srcname="$realname" - test -n "$relink_command" && srcname="$realname"T - - # Install the shared library and build the symlinks. - $show "$install_prog $dir/$srcname $destdir/$realname" - $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $? - if test -n "$stripme" && test -n "$striplib"; then - $show "$striplib $destdir/$realname" - $run eval "$striplib $destdir/$realname" || exit $? - fi - - if test $# -gt 0; then - # Delete the old symlinks, and create new ones. - for linkname - do - if test "$linkname" != "$realname"; then - $show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)" - $run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)" - fi - done - fi - - # Do each command in the postinstall commands. - lib="$destdir/$realname" - eval cmds=\"$postinstall_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - fi - - # Install the pseudo-library for information purposes. - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - instname="$dir/$name"i - $show "$install_prog $instname $destdir/$name" - $run eval "$install_prog $instname $destdir/$name" || exit $? - - # Maybe install the static library, too. - test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library" - ;; - - *.lo) - # Install (i.e. copy) a libtool object. - - # Figure out destination file name, if it wasn't already specified. - if test -n "$destname"; then - destfile="$destdir/$destname" - else - destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - destfile="$destdir/$destfile" - fi - - # Deduce the name of the destination old-style object file. 
- case $destfile in - *.lo) - staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"` - ;; - *.$objext) - staticdest="$destfile" - destfile= - ;; - *) - $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; - esac - - # Install the libtool object if requested. - if test -n "$destfile"; then - $show "$install_prog $file $destfile" - $run eval "$install_prog $file $destfile" || exit $? - fi - - # Install the old object if enabled. - if test "$build_old_libs" = yes; then - # Deduce the name of the old-style object file. - staticobj=`$echo "X$file" | $Xsed -e "$lo2o"` - - $show "$install_prog $staticobj $staticdest" - $run eval "$install_prog \$staticobj \$staticdest" || exit $? - fi - exit 0 - ;; - - *) - # Figure out destination file name, if it wasn't already specified. - if test -n "$destname"; then - destfile="$destdir/$destname" - else - destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - destfile="$destdir/$destfile" - fi - - # Do a test to see if this is really a libtool program. - if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - notinst_deplibs= - relink_command= - - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - # Check the variables that should have been set. - if test -z "$notinst_deplibs"; then - $echo "$modename: invalid libtool wrapper script \`$file'" 1>&2 - exit 1 - fi - - finalize=yes - for lib in $notinst_deplibs; do - # Check to see that each library is installed. - libdir= - if test -f "$lib"; then - # If there is no directory component, then add one. - case $lib in - */* | *\\*) . $lib ;; - *) . ./$lib ;; - esac - fi - libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test - if test -n "$libdir" && test ! 
-f "$libfile"; then - $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2 - finalize=no - fi - done - - relink_command= - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - outputname= - if test "$fast_install" = no && test -n "$relink_command"; then - if test "$finalize" = yes && test -z "$run"; then - tmpdir="/tmp" - test -n "$TMPDIR" && tmpdir="$TMPDIR" - tmpdir="$tmpdir/libtool-$$" - if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then : - else - $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2 - continue - fi - file=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - outputname="$tmpdir/$file" - # Replace the output file specification. - relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'` - - $show "$relink_command" - if $run eval "$relink_command"; then : - else - $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2 - ${rm}r "$tmpdir" - continue - fi - file="$outputname" - else - $echo "$modename: warning: cannot relink \`$file'" 1>&2 - fi - else - # Install the binary that we compiled earlier. - file=`$echo "X$file" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"` - fi - fi - - # remove .exe since cygwin /usr/bin/install will append another - # one anyways - case $install_prog,$host in - /usr/bin/install*,*cygwin*) - case $file:$destfile in - *.exe:*.exe) - # this is ok - ;; - *.exe:*) - destfile=$destfile.exe - ;; - *:*.exe) - destfile=`echo $destfile | sed -e 's,.exe$,,'` - ;; - esac - ;; - esac - $show "$install_prog$stripme $file $destfile" - $run eval "$install_prog\$stripme \$file \$destfile" || exit $? - test -n "$outputname" && ${rm}r "$tmpdir" - ;; - esac - done - - for file in $staticlibs; do - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - - # Set up the ranlib parameters. 
- oldlib="$destdir/$name" - - $show "$install_prog $file $oldlib" - $run eval "$install_prog \$file \$oldlib" || exit $? - - if test -n "$stripme" && test -n "$striplib"; then - $show "$old_striplib $oldlib" - $run eval "$old_striplib $oldlib" || exit $? - fi - - # Do each command in the postinstall commands. - eval cmds=\"$old_postinstall_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" - done - - if test -n "$future_libdirs"; then - $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2 - fi - - if test -n "$current_libdirs"; then - # Maybe just do a dry run. - test -n "$run" && current_libdirs=" -n$current_libdirs" - exec_cmd='$SHELL $0 --finish$current_libdirs' - else - exit 0 - fi - ;; - - # libtool finish mode - finish) - modename="$modename: finish" - libdirs="$nonopt" - admincmds= - - if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then - for dir - do - libdirs="$libdirs $dir" - done - - for libdir in $libdirs; do - if test -n "$finish_cmds"; then - # Do each command in the finish commands. - eval cmds=\"$finish_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || admincmds="$admincmds - $cmd" - done - IFS="$save_ifs" - fi - if test -n "$finish_eval"; then - # Do the single finish_eval. - eval cmds=\"$finish_eval\" - $run eval "$cmds" || admincmds="$admincmds - $cmds" - fi - done - fi - - # Exit here if they wanted silent mode. 
- test "$show" = ":" && exit 0 - - echo "----------------------------------------------------------------------" - echo "Libraries have been installed in:" - for libdir in $libdirs; do - echo " $libdir" - done - echo - echo "If you ever happen to want to link against installed libraries" - echo "in a given directory, LIBDIR, you must either use libtool, and" - echo "specify the full pathname of the library, or use the \`-LLIBDIR'" - echo "flag during linking and do at least one of the following:" - if test -n "$shlibpath_var"; then - echo " - add LIBDIR to the \`$shlibpath_var' environment variable" - echo " during execution" - fi - if test -n "$runpath_var"; then - echo " - add LIBDIR to the \`$runpath_var' environment variable" - echo " during linking" - fi - if test -n "$hardcode_libdir_flag_spec"; then - libdir=LIBDIR - eval flag=\"$hardcode_libdir_flag_spec\" - - echo " - use the \`$flag' linker flag" - fi - if test -n "$admincmds"; then - echo " - have your system administrator run these commands:$admincmds" - fi - if test -f /etc/ld.so.conf; then - echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'" - fi - echo - echo "See any operating system documentation about shared libraries for" - echo "more information, such as the ld(1) and ld.so(8) manual pages." - echo "----------------------------------------------------------------------" - exit 0 - ;; - - # libtool execute mode - execute) - modename="$modename: execute" - - # The first argument is the command name. - cmd="$nonopt" - if test -z "$cmd"; then - $echo "$modename: you must specify a COMMAND" 1>&2 - $echo "$help" - exit 1 - fi - - # Handle -dlopen flags immediately. - for file in $execute_dlfiles; do - if test ! -f "$file"; then - $echo "$modename: \`$file' is not a file" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - dir= - case $file in - *.la) - # Check to see that this really is a libtool archive. 
- if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then : - else - $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - # Read the libtool library. - dlname= - library_names= - - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - # Skip this library if it cannot be dlopened. - if test -z "$dlname"; then - # Warn if it was a shared library. - test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'" - continue - fi - - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$file" && dir=. - - if test -f "$dir/$objdir/$dlname"; then - dir="$dir/$objdir" - else - $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2 - exit 1 - fi - ;; - - *.lo) - # Just add the directory containing the .lo file. - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - test "X$dir" = "X$file" && dir=. - ;; - - *) - $echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2 - continue - ;; - esac - - # Get the absolute pathname. - absdir=`cd "$dir" && pwd` - test -n "$absdir" && dir="$absdir" - - # Now add the directory to shlibpath_var. - if eval "test -z \"\$$shlibpath_var\""; then - eval "$shlibpath_var=\"\$dir\"" - else - eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" - fi - done - - # This variable tells wrapper scripts just to set shlibpath_var - # rather than running their programs. - libtool_execute_magic="$magic" - - # Check if any of the arguments is a wrapper script. - args= - for file - do - case $file in - -*) ;; - *) - # Do a test to see if this is really a libtool program. - if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - # If there is no directory component, then add one. - case $file in - */* | *\\*) . $file ;; - *) . ./$file ;; - esac - - # Transform arg to wrapped name. 
- file="$progdir/$program" - fi - ;; - esac - # Quote arguments (to preserve shell metacharacters). - file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"` - args="$args \"$file\"" - done - - if test -z "$run"; then - if test -n "$shlibpath_var"; then - # Export the shlibpath_var. - eval "export $shlibpath_var" - fi - - # Restore saved enviroment variables - if test "${save_LC_ALL+set}" = set; then - LC_ALL="$save_LC_ALL"; export LC_ALL - fi - if test "${save_LANG+set}" = set; then - LANG="$save_LANG"; export LANG - fi - - # Now prepare to actually exec the command. - exec_cmd='"$cmd"$args' - else - # Display what would be done. - if test -n "$shlibpath_var"; then - eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\"" - $echo "export $shlibpath_var" - fi - $echo "$cmd$args" - exit 0 - fi - ;; - - # libtool clean and uninstall mode - clean | uninstall) - modename="$modename: $mode" - rm="$nonopt" - files= - rmforce= - exit_status=0 - - # This variable tells wrapper scripts just to set variables rather - # than running their programs. - libtool_install_magic="$magic" - - for arg - do - case $arg in - -f) rm="$rm $arg"; rmforce=yes ;; - -*) rm="$rm $arg" ;; - *) files="$files $arg" ;; - esac - done - - if test -z "$rm"; then - $echo "$modename: you must specify an RM program" 1>&2 - $echo "$help" 1>&2 - exit 1 - fi - - rmdirs= - - for file in $files; do - dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'` - if test "X$dir" = "X$file"; then - dir=. - objdir="$objdir" - else - objdir="$dir/$objdir" - fi - name=`$echo "X$file" | $Xsed -e 's%^.*/%%'` - test $mode = uninstall && objdir="$dir" - - # Remember objdir for removal later, being careful to avoid duplicates - if test $mode = clean; then - case " $rmdirs " in - *" $objdir "*) ;; - *) rmdirs="$rmdirs $objdir" ;; - esac - fi - - # Don't error if the file doesn't exist and rm -f was used. 
- if (test -L "$file") >/dev/null 2>&1 \ - || (test -h "$file") >/dev/null 2>&1 \ - || test -f "$file"; then - : - elif test -d "$file"; then - exit_status=1 - continue - elif test "$rmforce" = yes; then - continue - fi - - rmfiles="$file" - - case $name in - *.la) - # Possibly a libtool archive, so verify it. - if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - . $dir/$name - - # Delete the libtool libraries and symlinks. - for n in $library_names; do - rmfiles="$rmfiles $objdir/$n" - done - test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library" - test $mode = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i" - - if test $mode = uninstall; then - if test -n "$library_names"; then - # Do each command in the postuninstall commands. - eval cmds=\"$postuninstall_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" - if test $? != 0 && test "$rmforce" != yes; then - exit_status=1 - fi - done - IFS="$save_ifs" - fi - - if test -n "$old_library"; then - # Do each command in the old_postuninstall commands. - eval cmds=\"$old_postuninstall_cmds\" - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" - if test $? != 0 && test "$rmforce" != yes; then - exit_status=1 - fi - done - IFS="$save_ifs" - fi - # FIXME: should reinstall the best remaining shared library. - fi - fi - ;; - - *.lo) - if test "$build_old_libs" = yes; then - oldobj=`$echo "X$name" | $Xsed -e "$lo2o"` - rmfiles="$rmfiles $dir/$oldobj" - fi - ;; - - *) - # Do a test to see if this is a libtool program. - if test $mode = clean && - (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then - relink_command= - . 
$dir/$file - - rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}" - if test "$fast_install" = yes && test -n "$relink_command"; then - rmfiles="$rmfiles $objdir/lt-$name" - fi - fi - ;; - esac - $show "$rm $rmfiles" - $run $rm $rmfiles || exit_status=1 - done - - # Try to remove the ${objdir}s in the directories where we deleted files - for dir in $rmdirs; do - if test -d "$dir"; then - $show "rmdir $dir" - $run rmdir $dir >/dev/null 2>&1 - fi - done - - exit $exit_status - ;; - - "") - $echo "$modename: you must specify a MODE" 1>&2 - $echo "$generic_help" 1>&2 - exit 1 - ;; - esac - - if test -z "$exec_cmd"; then - $echo "$modename: invalid operation mode \`$mode'" 1>&2 - $echo "$generic_help" 1>&2 - exit 1 - fi -fi # test -z "$show_help" - -if test -n "$exec_cmd"; then - eval exec $exec_cmd - exit 1 -fi - -# We need to display help for each of the modes. -case $mode in -"") $echo \ -"Usage: $modename [OPTION]... [MODE-ARG]... - -Provide generalized library-building support services. - - --config show all configuration variables - --debug enable verbose shell tracing --n, --dry-run display commands without modifying any files - --features display basic configuration information and exit - --finish same as \`--mode=finish' - --help display this help message and exit - --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS] - --quiet same as \`--silent' - --silent don't print informational messages - --version print version information - -MODE must be one of the following: - - clean remove files from the build directory - compile compile a source file into a libtool object - execute automatically set library path, then run a program - finish complete the installation of libtool libraries - install install libraries or executables - link create a library or an executable - uninstall remove libraries from an installed directory - -MODE-ARGS vary depending on the MODE. 
Try \`$modename --help --mode=MODE' for -a more detailed description of MODE." - exit 0 - ;; - -clean) - $echo \ -"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE... - -Remove files from the build directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, object or program, all the files associated -with it are deleted. Otherwise, only FILE itself is deleted using RM." - ;; - -compile) - $echo \ -"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE - -Compile a source file into a libtool library object. - -This mode accepts the following additional options: - - -o OUTPUT-FILE set the output file name to OUTPUT-FILE - -prefer-pic try to building PIC objects only - -prefer-non-pic try to building non-PIC objects only - -static always build a \`.o' file suitable for static linking - -COMPILE-COMMAND is a command to be used in creating a \`standard' object file -from the given SOURCEFILE. - -The output file name is determined by removing the directory component from -SOURCEFILE, then substituting the C source code suffix \`.c' with the -library object suffix, \`.lo'." - ;; - -execute) - $echo \ -"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]... - -Automatically set library path, then run a program. - -This mode accepts the following additional options: - - -dlopen FILE add the directory containing FILE to the library path - -This mode sets the library path environment variable according to \`-dlopen' -flags. - -If any of the ARGS are libtool executable wrappers, then they are translated -into their corresponding uninstalled binary, and any of their required library -directories are added to the library path. - -Then, COMMAND is executed, with ARGS as arguments." - ;; - -finish) - $echo \ -"Usage: $modename [OPTION]... --mode=finish [LIBDIR]... 
- -Complete the installation of libtool libraries. - -Each LIBDIR is a directory that contains libtool libraries. - -The commands that this mode executes may require superuser privileges. Use -the \`--dry-run' option if you just want to see what would be executed." - ;; - -install) - $echo \ -"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND... - -Install executables or libraries. - -INSTALL-COMMAND is the installation command. The first component should be -either the \`install' or \`cp' program. - -The rest of the components are interpreted as arguments to that command (only -BSD-compatible install options are recognized)." - ;; - -link) - $echo \ -"Usage: $modename [OPTION]... --mode=link LINK-COMMAND... - -Link object files or libraries together to form another library, or to -create an executable program. - -LINK-COMMAND is a command using the C compiler that you would use to create -a program from several object files. - -The following components of LINK-COMMAND are treated specially: - - -all-static do not do any dynamic linking at all - -avoid-version do not add a version suffix if possible - -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime - -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols - -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) - -export-symbols SYMFILE - try to export only the symbols listed in SYMFILE - -export-symbols-regex REGEX - try to export only the symbols matching REGEX - -LLIBDIR search LIBDIR for required installed libraries - -lNAME OUTPUT-FILE requires the installed library libNAME - -module build a library that can dlopened - -no-fast-install disable the fast-install mode - -no-install link a not-installable executable - -no-undefined declare that a library does not refer to external symbols - -o OUTPUT-FILE create OUTPUT-FILE from the specified objects - -release RELEASE specify package release information - -rpath LIBDIR the created library will 
eventually be installed in LIBDIR - -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries - -static do not do any dynamic linking of libtool libraries - -version-info CURRENT[:REVISION[:AGE]] - specify library version info [each variable defaults to 0] - -All other options (arguments beginning with \`-') are ignored. - -Every other argument is treated as a filename. Files ending in \`.la' are -treated as uninstalled libtool libraries, other files are standard or library -object files. - -If the OUTPUT-FILE ends in \`.la', then a libtool library is created, -only library objects (\`.lo' files) may be specified, and \`-rpath' is -required, except when creating a convenience library. - -If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created -using \`ar' and \`ranlib', or on Windows using \`lib'. - -If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file -is created, otherwise an executable program is created." - ;; - -uninstall) - $echo \ -"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... - -Remove libraries from an installation directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, all the files associated with it are deleted. -Otherwise, only FILE itself is deleted using RM." - ;; - -*) - $echo "$modename: invalid operation mode \`$mode'" 1>&2 - $echo "$help" 1>&2 - exit 1 - ;; -esac - -echo -$echo "Try \`$modename --help' for more information about other modes." - -exit 0 - -# Local Variables: -# mode:shell-script -# sh-indentation:2 -# End: diff --git a/crypto/heimdal/tools/Makefile b/crypto/heimdal/tools/Makefile deleted file mode 100644 index af60c0aa8fd9..000000000000 --- a/crypto/heimdal/tools/Makefile +++ /dev/null 
@@ -1,575 +0,0 @@ -# Makefile.in generated by automake 1.6.3 from Makefile.am. -# tools/Makefile. Generated from Makefile.in by configure. - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - - - -# $Id: Makefile.am,v 1.5 2001/01/29 06:56:33 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = /bin/sh - -srcdir = . -top_srcdir = .. - -prefix = /usr/heimdal -exec_prefix = ${prefix} - -bindir = ${exec_prefix}/bin -sbindir = ${exec_prefix}/sbin -libexecdir = ${exec_prefix}/libexec -datadir = ${prefix}/share -sysconfdir = /etc -sharedstatedir = ${prefix}/com -localstatedir = /var/heimdal -libdir = ${exec_prefix}/lib -infodir = ${prefix}/info -mandir = ${prefix}/man -includedir = ${prefix}/include -oldincludedir = /usr/include -pkgdatadir = $(datadir)/heimdal -pkglibdir = $(libdir)/heimdal -pkgincludedir = $(includedir)/heimdal -top_builddir = .. 
- -ACLOCAL = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run aclocal-1.6 -AUTOCONF = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoconf -AUTOMAKE = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run automake-1.6 -AUTOHEADER = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run autoheader - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = /usr/bin/install -c -INSTALL_PROGRAM = ${INSTALL} -INSTALL_DATA = ${INSTALL} -m 644 -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_SCRIPT = ${INSTALL} -INSTALL_HEADER = $(INSTALL_DATA) -transform = s,x,x, -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = -host_triplet = i386-unknown-freebsd5.0 - -EXEEXT = -OBJEXT = o -PATH_SEPARATOR = : -AIX_EXTRA_KAFS = -AMTAR = ${SHELL} /usr/home/nectar/devel/heimdal/missing --run tar -AS = @AS@ -AWK = gawk -CANONICAL_HOST = i386-unknown-freebsd5.0 -CATMAN = /usr/bin/nroff -mdoc $< > $@ -CATMANEXT = $$section -CC = gcc -COMPILE_ET = compile_et -CPP = gcc -E -DBLIB = -DEPDIR = .deps -DIR_com_err = -DIR_des = -DIR_roken = roken -DLLTOOL = @DLLTOOL@ -ECHO = echo -EXTRA_LIB45 = -GROFF = /usr/bin/groff -INCLUDES_roken = -I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = -INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s -LEX = flex - -LEXLIB = -lfl -LEX_OUTPUT_ROOT = lex.yy -LIBTOOL = $(SHELL) $(top_builddir)/libtool -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = -LIB_NDBM = -LIB_com_err = -lcom_err -LIB_com_err_a = -LIB_com_err_so = -LIB_des = -lcrypto -LIB_des_a = -lcrypto -LIB_des_appl = -lcrypto -LIB_des_so = -lcrypto -LIB_kdb = -LIB_otp = $(top_builddir)/lib/otp/libotp.la -LIB_roken = $(top_builddir)/lib/vers/libvers.la $(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen) -LIB_security = -LN_S = ln -s -LTLIBOBJS = copyhostent.lo ecalloc.lo emalloc.lo 
erealloc.lo estrdup.lo strlwr.lo strndup.lo strnlen.lo strsep_copy.lo strupr.lo -NEED_WRITEAUTH_FALSE = -NEED_WRITEAUTH_TRUE = # -NROFF = /usr/bin/nroff -OBJDUMP = @OBJDUMP@ -PACKAGE = heimdal -RANLIB = ranlib -STRIP = strip -VERSION = 0.4f -VOID_RETSIGTYPE = -WFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -WFLAGS_NOIMPLICITINT = -WFLAGS_NOUNUSED = -X_CFLAGS = -I/usr/X11R6/include -X_EXTRA_LIBS = -X_LIBS = -L/usr/X11R6/lib -X_PRE_LIBS = -lSM -lICE -YACC = bison -y -am__include = include -am__quote = -dpagaix_cflags = -D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce -dpagaix_ldadd = -L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r -dpagaix_ldflags = -Wl,-bI:dfspag.exp -install_sh = /usr/home/nectar/devel/heimdal/install-sh - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) - -ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = -lXau -LIB_crypt = -lcrypt -LIB_dbm_firstkey = -LIB_dbopen = -LIB_dlopen = -LIB_dn_expand = -LIB_el_init = -ledit -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = -LIB_getsockopt = -LIB_logout = -lutil -LIB_logwtmp = -lutil -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = -lutil -LIB_pidfile = -LIB_res_search = -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = -LIB_socket = -LIB_syslog = -LIB_tgetent = -ltermcap - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = -LIB_hesiod = - -INCLUDE_krb4 = -LIB_krb4 = - -INCLUDE_openldap = -LIB_openldap = - -INCLUDE_readline = -LIB_readline = $(top_builddir)/lib/editline/libel_compat.la $(LIB_el_init) $(LIB_tgetent) - -NROFF_MAN = groff -mandoc -Tascii - -#LIB_kafs = 
$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la - -LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -#LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -EXTRA_DIST = krb5-config.1 - -CLEANFILES = krb5-config - -bin_SCRIPTS = krb5-config - -man_MANS = krb5-config.1 -subdir = tools -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -SCRIPTS = $(bin_SCRIPTS) - -depcomp = -am__depfiles_maybe = -CFLAGS = -DINET6 -g -O2 -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -DIST_SOURCES = -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign tools/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binSCRIPT_INSTALL = $(INSTALL_SCRIPT) -install-binSCRIPTS: $(bin_SCRIPTS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_SCRIPTS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f $$d$$p; then \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " $(binSCRIPT_INSTALL) $$d$$p $(DESTDIR)$(bindir)/$$f"; \ - $(binSCRIPT_INSTALL) $$d$$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binSCRIPTS: - @$(NORMAL_UNINSTALL) - 
@list='$(bin_SCRIPTS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man1dir = $(mandir)/man1 -install-man1: $(man1_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man1dir) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 1*) ;; \ - *) ext='1' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \ - done -uninstall-man1: - @$(NORMAL_UNINSTALL) - @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.1*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \ - rm -f $(DESTDIR)$(man1dir)/$$inst; \ - done -tags: TAGS -TAGS: - -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @list='$(DISTFILES)'; for file in $$list; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(SCRIPTS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(man1dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-generic distclean-libtool - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binSCRIPTS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man1 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -uninstall-am: uninstall-binSCRIPTS uninstall-info-am uninstall-man - -uninstall-man: uninstall-man1 - -.PHONY: all all-am all-local check check-am check-local clean \ - clean-generic clean-libtool distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am info info-am install \ - install-am install-binSCRIPTS install-data install-data-am \ - install-data-local install-exec install-exec-am install-info \ - install-info-am install-man install-man1 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool uninstall uninstall-am uninstall-binSCRIPTS \ - uninstall-info-am uninstall-man uninstall-man1 - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else 
\ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - 
@foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< - -krb5-config: krb5-config.in - sed -e "s,@PACKAGE\@,$(PACKAGE),g" \ - -e "s,@VERSION\@,$(VERSION),g" \ - -e "s,@prefix\@,$(prefix),g" \ - -e "s,@exec_prefix\@,$(exec_prefix),g" \ - -e "s,@libdir\@,$(libdir),g" \ - -e "s,@includedir\@,$(includedir),g" \ - -e "s,@LIB_crypt\@,$(LIB_crypt),g" \ - -e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \ - -e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \ - -e "s,@LIBS\@,$(LIBS),g" \ - $(srcdir)/krb5-config.in > $@ - chmod +x $@ -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/tools/krb5-config.cat1 b/crypto/heimdal/tools/krb5-config.cat1 deleted file mode 100644 index 461e8ca4366a..000000000000 --- a/crypto/heimdal/tools/krb5-config.cat1 +++ /dev/null 
@@ -1,51 +0,0 @@ -KRB5-CONFIG(1) NetBSD Reference Manual KRB5-CONFIG(1) - -NNAAMMEE - kkrrbb55--ccoonnffiigg - give information on how to link code against Heimdal li- - braries - -SSYYNNOOPPSSIISS - kkrrbb55--ccoonnffiigg [----pprreeffiixx[=_d_i_r]] [----eexxeecc--pprreeffiixx[=_d_i_r]] [----lliibbss] [----ccffllaaggss] - [_l_i_b_r_a_r_i_e_s] - -DDEESSCCRRIIPPTTIIOONN - kkrrbb55--ccoonnffiigg tells the application programmer what special flags to use to - compile and link programs against the libraries installed by Heimdal. - - Options supported: - - ----pprreeffiixx[=_d_i_r] - Print the prefix if no _d_i_r is specified, otherwise set prefix to - _d_i_r. - - ----eexxeecc--pprreeffiixx[=_d_i_r] - Print the exec-prefix if no _d_i_r is specified, otherwise set exec- - prefix to _d_i_r. - - ----lliibbss Output the set of libraries that should be linked against. - - ----ccffllaaggss - Output the set of flags to give to the C compiler when using the - Heimdal libraries. - - By default kkrrbb55--ccoonnffiigg will output the set of flags and libraries to be - used by a normal program using the krb5 API. The user can also supply a - library to be used, the supported ones are: - - krb5 (the default) - - gssapi use the krb5 gssapi mechanism - - kadm-client - use the client-side kadmin libraries - - kadm-server - use the server-side kadmin libraries - -SSEEEE AALLSSOO - cc(1) - -HHIISSTTOORRYY - kkrrbb55--ccoonnffiigg appeared in Heimdal 0.3d. - - HEIMDAL November 30, 2000 1 diff --git a/crypto/heimdal/ylwrap b/crypto/heimdal/ylwrap deleted file mode 100755 index 5ea68e4fcd33..000000000000 --- a/crypto/heimdal/ylwrap +++ /dev/null 
@@ -1,143 +0,0 @@
-#! /bin/sh
-# ylwrap - wrapper for lex/yacc invocations.
-# Copyright 1996, 1997, 1998, 1999 Free Software Foundation, Inc.
-# Written by Tom Tromey .
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Usage:
-# ylwrap INPUT [OUTPUT DESIRED]... -- PROGRAM [ARGS]...
-# * INPUT is the input file
-# * OUTPUT is file PROG generates
-# * DESIRED is file we actually want
-# * PROGRAM is program to run
-# * ARGS are passed to PROG
-# Any number of OUTPUT,DESIRED pairs may be used.
-
-# The input.
-input="$1"
-shift
-case "$input" in
- [\\/]* | ?:[\\/]*)
- # Absolute path; do nothing.
- ;;
- *)
- # Relative path. Make it absolute.
- input="`pwd`/$input"
- ;;
-esac
-
-# The directory holding the input.
-input_dir=`echo "$input" | sed -e 's,\([\\/]\)[^\\/]*$,\1,'`
-# Quote $INPUT_DIR so we can use it in a regexp.
-# FIXME: really we should care about more than `.' and `\'.
-input_rx=`echo "$input_dir" | sed -e 's,\\\\,\\\\\\\\,g' -e 's,\\.,\\\\.,g'`
-
-echo "got $input_rx"
-
-pairlist=
-while test "$#" -ne 0; do
- if test "$1" = "--"; then
- shift
- break
- fi
- pairlist="$pairlist $1"
- shift
-done
-
-# The program to run.
-prog="$1"
-shift
-# Make any relative path in $prog absolute.
-case "$prog" in
- [\\/]* | ?:[\\/]*) ;;
- *[\\/]*) prog="`pwd`/$prog" ;;
-esac
-
-# FIXME: add hostname here for parallel makes that run commands on
-# other machines. But that might take us over the 14-char limit.
-dirname=ylwrap$$
-trap "cd `pwd`; rm -rf $dirname > /dev/null 2>&1" 1 2 3 15
-mkdir $dirname || exit 1
-
-cd $dirname
-
-$prog ${1+"$@"} "$input"
-status=$?
-
-if test $status -eq 0; then
- set X $pairlist
- shift
- first=yes
- # Since DOS filename conventions don't allow two dots,
- # the DOS version of Bison writes out y_tab.c instead of y.tab.c
- # and y_tab.h instead of y.tab.h. Test to see if this is the case.
- y_tab_nodot="no"
- if test -f y_tab.c || test -f y_tab.h; then
- y_tab_nodot="yes"
- fi
-
- while test "$#" -ne 0; do
- from="$1"
- # Handle y_tab.c and y_tab.h output by DOS
- if test $y_tab_nodot = "yes"; then
- if test $from = "y.tab.c"; then
- from="y_tab.c"
- else
- if test $from = "y.tab.h"; then
- from="y_tab.h"
- fi
- fi
- fi
- if test -f "$from"; then
- # If $2 is an absolute path name, then just use that,
- # otherwise prepend `../'.
- case "$2" in
- [\\/]* | ?:[\\/]*) target="$2";;
- *) target="../$2";;
- esac
-
- # Edit out `#line' or `#' directives. We don't want the
- # resulting debug information to point at an absolute srcdir;
- # it is better for it to just mention the .y file with no
- # path.
- sed -e "/^#/ s,$input_rx,," "$from" > "$target" || status=$?
- else
- # A missing file is only an error for the first file. This
- # is a blatant hack to let us support using "yacc -d". If -d
- # is not specified, we don't want an error when the header
- # file is "missing".
- if test $first = yes; then
- status=1
- fi
- fi
- shift
- shift
- first=no
- done
-else
- status=$?
-fi
-
-# Remove the directory.
-cd ..
-rm -rf $dirname
-
-exit $status